Cloud Services Measurement, Audit – and Standards Martin Kuppinger Founder and Principal Analyst, KuppingerCole

Abstract
Cloud computing provides an opportunity for organizations to optimize the procurement of IT services from both internal and external suppliers. However, many organizations are sleepwalking into the Cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource responsibility. This session will look at the issues that may be forgotten or ignored when adopting cloud computing. These include:
– Ensuring legal and regulatory compliance
– Assuring data security
– Ensuring business continuity
– Avoiding lock-in

Agenda
– The Seven Deadly Sins
– The Ten Cloud Commandments
– Summary

SEVEN DEADLY SINS

Seven Capital Vices
Used by the Christian church to teach the origin of sin.
– Wrath
– Greed
– Sloth
– Pride
– Lust
– Envy
– Gluttony

Cloud Computing Seven Deadly Sins
Sloth
– Not knowing you are using the Cloud
– Not assuring legal and regulatory compliance
– Not knowing what data is in the cloud
– Not managing identity and access to the cloud
– Not managing business continuity and the cloud
– Becoming locked in to one provider
– Not managing your Cloud provider

TEN COMMANDMENTS OF CLOUD COMPUTING

Summary
To avoid the Seven Deadly Sins of Cloud, follow the Ten Commandments:
1. Know that you are using the Cloud
2. Use good governance for the Cloud and other IT services
3. Choose the right kind of Cloud
4. Assure compliance
5. Assure information security
6. Manage identity and access
7. Assure privilege management
8. Include the Cloud in your business continuity plan
9. Avoid lock-in
10. Manage the Cloud service provider

#2 Use Good Governance for the Cloud as well as other IT Services

Cloud Governance
(Slide diagram: a governance cycle with the following four elements)
– Assure delivery of Cloud service
– Assess risk probability and impact, and risk response
– Specify service to meet business needs
– Identify business requirements

#10 Manage the Cloud Service Provider

Legal Risk - Contract
In general, outsourcing contracts are negotiated SLAs. Cloud provider contracts are:
– Largely "take it or leave it"
– May have less onerous obligations on the provider
– Almost total exclusion of liability
Probability: Very High
Impact: High
Source: Legal Considerations – Cloud computing contracts, Kristof de Vulder, DLA Piper LLP (computing/GroupDocuments/DLA_Cloudcomputing%20legal%20considerations.pdf)

Cloud Service Delivery Management
Check the implementation of agreements, monitor compliance and manage changes to ensure that the services delivered meet all requirements agreed with the third party. (ISO Control 10.2)
Customer responsibility: Ensure service levels and security controls in the Cloud service agreement are implemented, operated, and maintained.
Provider responsibility: Provide data on service levels and controls, and certification through external audits.

What's out there?
Cloud Security Alliance "Cloud Controls Matrix"
– Approach to extend internal controls frameworks to Cloud services
ISO
– Independent of deployment model, works for Cloud services as well
Data Protection Requirement Analysis ("Schutzbedarfsanalyse" – BSI approach)
– Focus on information assets which have to be protected
– Can be extended for cloud
Carnegie Mellon SMI – Cloud Service Measurement Initiative Consortium
– Set of KPIs for measuring cloud services
NIST
– Just published a definition of "Cloud"
Who else?
– …

Cloud Security Alliance: CCM

ISO

What you need
Selection
– Quick, prepared, comprehensive, focused, risk-aware
– Short list of questions
Internal Controls
– Less time-sensitive, probing, prepared, limited, risk-aware
– Comprehensive control frameworks

Approach and Prerequisites
Evaluate information protection requirements → Map to service features → Develop a questionnaire → Decide → Define and apply controls

(Slide diagram: governance maturity matrix, with Systems and Services on one axis and Process Governance, Information Governance and Service Governance on the other)
– Traditional (System Governance)
– Advanced (Information Governance)
– Cloud basics (Information and Service Governance)
– Cloud ready (Full Governance)

QUESTIONS?