8/6/2019 nControl Grid Cloud Drexel
1/18
PRIVACY & SECURITY IN THE TIME
OF GRID/CLOUD COMPUTING
Steve Markey, PMP, CISSP, CIPP, CISM, CISA
Founder/Principal, nControl
GRID/CLOUD COMPUTING: DEPLOYMENT
Cloud Deployment Modalities
  Public
    Amazon S3 & EC2
    Salesforce
    Google Apps & Docs
    Zoho
  Private
    Cloud Implementations Hosted Internally
    Shared Services/Charge-back Model
  Managed
    mySAP, Microsoft CRM/Project/SharePoint
  Hybrid
    Dedicated Servers Over Private Lines
GRID/CLOUD COMPUTING: SCHOOLS OF THOUGHT
Data Center
  Reduce Need for Rack Space, Hardware & Server Software
Client Software
  Reduce Need for Client Software
  Derivative of Terminal/Mainframe Era
GRID/CLOUD COMPUTING: ISSUES
Security
Privacy
Operations
GRID/CLOUD COMPUTING: ISSUES CONT.
Security
  Controls
    Logical
    Physical
  Standards/Certification
    Public/Private Sector
    Industry
  Heterogeneous Platforms
    Windows/Linux/UNIX/Android/Mac OS X
    Palm/BlackBerry/OS X
GRID/CLOUD COMPUTING: ISSUES CONT.
Privacy
  Data
    Ownership
    Flows
  Incident Response
    Data Breach Notification
GRID/CLOUD COMPUTING: ISSUES CONT.
Operations
  Single-Point-of-Failure
    "Steve, the Internet is down, I am going home"
  Peripherals
    "How do I print?"
  Vendor Over-Commitment
    Bandwidth
    Storage Scalability
    Data Recovery
  Vendor Portability/Interoperability
    Open Standards
GRID/CLOUD COMPUTING: DRIVING BODIES
Groups/Associations
  Cloud Security Alliance (CSA)
    CSA Guide
      Domains: Cloud Architecture, Governance & ERM, Legal, Electronic Discovery, Compliance & Audit, Information Lifecycle Management, Portability & Interoperability, Physical Security & BC/DR, Data Center Operations, Incident Response & Notification, Application Security, Encryption & Key Management, Identity & Access Management, Storage, Virtualization.
  ISACA
  OWASP
GRID/CLOUD COMPUTING: SUGGESTIONS
Adoption
Standardization
GRID/CLOUD COMPUTING: ADOPTION
Let Requirements Dictate Adoption
  Remote Access
  Sales & Marketing
  Non-Proprietary, Public Data
Embrace Grid/Cloud Computing Iteratively
  Non-essential to Essential
  Non-Proprietary to Proprietary
  Public to Confidential
  Data Center then Client Software
For Once, Let Vendors Dictate
  Worldwide Adoption is Inevitable
  EHR/PHR
  Collaboration/Email/Portals
  Document Management, Process/Project Management
GRID/CLOUD COMPUTING: ADOPTION CONT.
For Proprietary Applications/Systems
  Deploy Internally-Built Apps Before Embracing IaaS/PaaS
    Walk Before You Run
  Embrace Private or Hybrid Clouds Before Public Clouds
    Especially for Confidential Data
Peripherals
  Use Virtual Print Server
    Ex. ThinPrint
GRID/CLOUD COMPUTING: STANDARDIZATION
Security
  Best of Breed Standards
    FISMA/NIST
    ISO
    HHS/CCHIT/HITRUST
Privacy
  Parse Logical Instances
    Group Systems Based on Privacy/Security Reqs
      Industry
      Function
      Geographic Area
GRID/CLOUD COMPUTING: STANDARDIZATION CONT.
Operations
  Single-Point-of-Failure
    Cached File Drives
      Egnyte Local Cloud
    Most Organizations Have Redundant DataCom; How About Your Service Providers/Vendors?
  Best of Breed Standards
    FISMA/NIST
    ISO
    HHS/CCHIT/HITRUST
    SAS-70 Type II
GRID/CLOUD COMPUTING: CSA SUGGESTIONS
IaaS
  Deploy applications in run-time in a way that is abstracted from the machine image.
PaaS
  Use careful application development techniques to minimize potential lock-in with the vendor.
SaaS
  Perform data extraction processes and back up data independent of the vendor.
CSA: http://www.cloudsecurityalliance.org/ http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
GRID/CLOUD COMPUTING: REAL WORLD
Uses Google Docs; an employee using a weak password led to a data breach of their online data.
  Lessons
    Password Standards
    Segregation of Duties
City of L.A.
  Announced plans to move all e-mail and records retention processes for city-based services onto the grid (Google).
  Lessons
    Privacy/Compliance
    Project Management/Change Management/Vendor Management
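The "Password Standards" lesson above is a one-line bullet; the following is an added example, not code from the deck or from nControl, of what enforcing such a standard at account-creation time looks like for a hosted service. The thresholds (12 characters, 3 of 4 character classes) and the short breached-password list are assumptions constructed for the example; in practice the list would be a real breach corpus queried by hash, as the SHA-1 comparison here anticipates.

```python
"""Password-standard check for SaaS/cloud accounts (added illustration).

Thresholds and the breached-password sample are assumptions, not from the slides.
"""
import hashlib
import re

# Assumed policy thresholds (not from the original deck).
MIN_LENGTH = 12
MIN_CLASSES = 3

# Constructed sample of common/breached passwords. They are stored as SHA-1
# hex digests so the same comparison works against a real breach corpus
# (which is normally distributed and queried by hash, not plaintext).
_BREACHED_PLAINTEXTS = ["password", "Password1", "letmein123", "qwerty123"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _BREACHED_PLAINTEXTS}

# The four character classes the policy counts.
_CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Every rule is evaluated (rather than stopping at the first failure) so the
    user is told everything that needs to change in one round trip.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(1 for pattern in _CLASS_PATTERNS.values() if pattern.search(password))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, need {MIN_CLASSES}")

    # A password that embeds the account name is trivially guessable from the login page.
    if username and username.lower() in password.lower():
        problems.append("contains the username")

    # Breach-list comparison by hash: the plaintext never has to leave this function.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in the breached/common password list")

    # Long runs of one character ("aaaa") pass length and class rules but are cheap to guess.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of 4+ repeated characters")

    return problems


if __name__ == "__main__":
    for candidate, user in [("Password1", "alice"), ("correct-Horse-battery-7", "alice")]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```

The check is deliberately a function returning a list rather than a boolean: the same function can gate self-service password changes, feed a periodic audit of existing accounts, and be unit-tested rule by rule.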
GRID/CLOUD COMPUTING: QUESTIONS
?