Cyber and the Cloud- What are the risks? WorkSmart Morning Keynote Heather Bearfield, Principal, MARCUM LLP May 12, 2016

MORNING KEYNOTE PRESENTATION: CYBER AND THE CLOUD – WHAT ARE THE RISKS?


Agenda

- Overview of Cloud Computing
- Potential Cloud Security Vulnerabilities
- Importance of Third Party Risk Management
- Summary and Conclusion
- Q&A


What is Cloud Computing

- Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources.
- Networks, servers, storage, applications, and services that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.


“What Confuses You About the Cloud?”


Cloud Breakdown


Types of Cloud Deployment Models


Opportunities

- Cost savings
  o Customers pay for only the computing resources used. There are no physical space requirements or utility costs. All dollars are expensed (that is, receive a U.S. tax benefit).
- Speed of deployment
  o The time to fulfill requests for computing power and applications can change from months to weeks, weeks to days, and days to hours.
- Scalability and better alignment of technology resources
  o Companies can scale up or down their capacity without capital expenditures.
- Decreased effort in managing technology
  o Cloud computing provides the organization more time to focus on core purpose and goals; more consistent technology upgrades; and expedited fulfillment of IT resource requests.
- Environmental benefits
  o Significant adoption of cloud computing should yield less overall power consumption, carbon emissions, and physical land use.


Risks

Some of the typical risks associated with cloud computing are:

  o Disruptive force
  o Residing in the same risk ecosystem as the cloud service provider (CSP) and other tenants of the cloud
  o Lack of transparency
  o Reliability and performance issues
  o Vendor lock-in and lack of application portability and interoperability
  o Security and compliance concerns
  o Creation of high-value cyber-attack targets
  o Risk of data leakage
  o IT organizational changes
  o Viability of the CSP


Service Delivery Methods


Security Breakdown


Risk Levels


Cloud Governance

“Cloud governance” refers to the controls and processes in place for cloud planning and strategy, vendor selection, contract negotiation, implementation, operation, monitoring and possible termination and transition of cloud services.


Top 5 Concerns

- Data Access from Mobile Device
- Access Control and Identity Management
- Ongoing Compliance Concerns
- Co-Mingling of Customer Data
- Security Standards and Certifications


Top 9 Security Threats

- Data Breaches
- Data Loss
- Account or Service Traffic Hijacking
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Abuse of Cloud Services
- Insufficient Due Diligence
- Shared Technology


Social Media Landscape


Investing in Third Party Risk- Management Data Breach

“On average, third party errors increased the cost of data breach by as much as $43 per record in the US”

[Chart: Cause of Data Breaches. Values: 41%, 33%, 26%. Legend: Malicious or criminal attack, Human error, System error]


Third-Party Risk Management Concerns

- Evaluating quality of products
- Monitoring financial viability
- Collecting financial performance or other information
- Obtaining internal audit coverage of key risk areas
- Identifying or aggregating risks
- Monitoring third party risk management practices
- Gaining assurance on compliance with laws and regulations
- Determining protection of intellectual property
- Evaluating technology controls to protect data

[Chart over the items above; legend: None, Minimal, Some, High]

Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP


Third Party Risk Management Activities

Vendor management activities performed should be based on risk associated with the vendor

In order to ensure the risks with outsourcing cloud services are properly addressed organizations should consider performing the following activities:

- Review cloud provider’s policies and procedures
- Request cloud provider respond to internal control questionnaires
- Perform an onsite review of cloud provider operations
- Review a Service Organization Control (SOC) Report

Organizations can use SOC reports to obtain a level of comfort over a cloud provider’s controls related to security, availability, processing integrity, confidentiality and privacy controls.


What are the Trust Issues?

Will my cloud provider be transparent about governance and operational issues?

Will I be considered compliant?

Do I know where my data is?

Will a lack of standards drive unexpected obsolescence?

Is my provider really better at security than me?

Are the hackers waiting for me in the cloud?

Will I get fired?


Cloud Forcing Key Issues

- Critical mass of separation between data owners and data processors
- Anonymity of geography of data centers & devices
- Anonymity of provider
- Transient provider relationships
- Physical controls must be replaced by virtual controls
- Identity management has a key role to play
- Cloud WILL drive change in the security status quo
- Reset button for security ecosystem


Key Problems of Tomorrow

Keeping pace with cloud changes

Globally incompatible legislation and policy

Non-standard Private & Public clouds

Lack of continuous Risk Management & Compliance monitoring

Incomplete Identity Management implementations

Haphazard response to security incidents


QUESTIONS?


Our Partners

ADNET proudly partners with leading technology and business solution providers to help our clients find the best possible fit for their needs. We encourage you to visit our partners' websites to learn more about their services.


@ADNETTech

@ADNETTechnologiesLLC

@ADNETTechnologiesLLC

www.thinkADNET.com

@MarcumLLP

@Marcum-LLP

@MarcumLLP

www.marcumllp.com