Cyber and the Cloud: What are the risks?
WorkSmart Morning Keynote
Heather Bearfield, Principal, MARCUM LLP
May 12, 2016
Agenda
Overview of Cloud Computing
Potential Cloud Security Vulnerabilities
Importance of Third Party Risk Management
Summary and Conclusion
Q&A
What is Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
“What Confuses You About the Cloud?”
Cloud Breakdown
Types of Cloud Deployment Models
Opportunities
Cost savings
o Customers pay for only the computing resources used. There are no physical space requirements or utility costs. All dollars are expensed (that is, receive a U.S. tax benefit).
Speed of deployment
o The time to fulfill requests for computing power and applications can change from months to weeks, weeks to days, and days to hours.
Scalability and better alignment of technology resources
o Companies can scale up or down their capacity without capital expenditures.
Decreased effort in managing technology
o Cloud computing provides the organization more time to focus on core purpose and goals; more consistent technology upgrades; and expedited fulfillment of IT resource requests.
Environmental benefits
o Significant adoption of cloud computing should yield less overall power consumption, carbon emissions, and physical land use.
Risks
Some of the typical risks associated with cloud computing are:
o Disruptive force
o Residing in the same risk ecosystem as the cloud service provider (CSP) and other tenants of the cloud
o Lack of transparency
o Reliability and performance issues
o Vendor lock-in and lack of application portability and interoperability
o Security and compliance concerns
o Creation of high-value cyber-attack targets
o Risk of data leakage
o IT organizational changes
o Viability of the CSP
Service Delivery Methods
Security Breakdown
Risk Levels
Cloud Governance
“Cloud governance” refers to the controls and processes in place for cloud planning and strategy, vendor selection, contract negotiation, implementation, operation, monitoring and possible termination and transition of cloud services.
Top 5 Concerns
Data Access from Mobile Device
Access Control and Identity Management
Ongoing Compliance Concerns
Co-Mingling of Customer Data
Security Standards and Certifications
Top 9 Security Threats
Data Breaches
Data Loss
Account or Service Traffic Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology
Social Media Landscape
Investing in Third Party Risk Management: Data Breach
“On average, third party errors increased the cost of data breach by as much as $43 per record in the US”
Cause of Data Breaches (chart; legend: Malicious or criminal attack, Human error, System error; values shown: 41%, 33%, 26%)
Third-Party Risk Management Concerns
Evaluating quality of products
Monitoring financial viability
Collecting financial performance or other information
Obtaining internal audit coverage of key risk areas
Identifying or aggregating risks
Monitoring third party risk management practices
Gaining assurance on compliance with laws and regulations
Determining protection of intellectual property
Evaluating technology controls to protect data
(Chart legend: None, Minimal, Some, High)
Source: "Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP
Third Party Risk Management Activities
Vendor management activities performed should be based on the risk associated with the vendor.
To ensure the risks of outsourcing cloud services are properly addressed, organizations should consider performing the following activities:
Review cloud provider’s policies and procedures
Request cloud provider respond to internal control questionnaires
Perform an onsite review of cloud provider operations
Review a Service Organization Control (SOC) Report
Organizations can use SOC reports to obtain a level of comfort over a cloud provider’s controls related to security, availability, processing integrity, confidentiality and privacy controls.
What are the Trust Issues?
Will my cloud provider be transparent about governance and operational issues?
Will I be considered compliant?
Do I know where my data is?
Will a lack of standards drive unexpected obsolescence?
Is my provider really better at security than me?
Are the hackers waiting for me in the cloud?
Will I get fired?
Cloud Forcing Key Issues
Critical mass of separation between data owners and data processors
Anonymity of geography of data centers & devices
Anonymity of provider
Transient provider relationships
Physical controls must be replaced by virtual controls
Identity management has a key role to play
Cloud WILL drive change in the security status quo
Reset button for security ecosystem
Key Problems of Tomorrow
Keeping pace with cloud changes
Globally incompatible legislation and policy
Non-standard Private & Public clouds
Lack of continuous Risk Management & Compliance monitoring
Incomplete Identity Management implementations
Haphazard response to security incidents
QUESTIONS?