The Perfect Storm
1. The Perfect Storm: Threats and Risks in the Cloud
Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT, Six Sigma Black Belt
Chief Strategy Officer - Entel Security & Risk Management
rgallego@entel.es
4. Cloud security concerns (word cloud): Confidence, Resilience, Data Segregation, Compliance, Right to Audit, User Access, Identity, Dispute Resolution, Recovery, Virtualization, Isolation, Forensics, Data Location, Trust, Maturity Models, Privacy, Web 2.0, Surety, Emerging Architectures, Traceability, Evidence, Web Services, Metrics Gathering, Competitive Advantage, Workflow, Incident Handling
6. What is Cloud?
The biggest evolution in technology since the birth of the Internet, with the potential for a comparable impact
Number 1 on every analyst's list of '10 strategic technologies'
'Unless you've been under a rock recently, you've probably heard Cloud Computing as the next revolution in IT' - CFO Magazine
7. What is Cloud?
A pay-as-you-go model for using applications, development platforms and/or IT infrastructure (the SaaS, PaaS and IaaS service models, respectively)
9. Corporate mandates
Manage risk: Compliance; Asset protection; Continuity Management (manage operational and business risk)
Manage cost: Optimize resources; Automate processes (better CAPEX and OPEX management)
Improve service: Service Availability; Service Management (optimal value: providing effective and efficient services)
Align IT investments: IT Portfolio Management; Value Management; Process Management (align investments with corporate objectives)
14. Cloud domains
Cloud Architecture
Governing the Cloud
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Business Continuity and Disaster Recovery
Operating in the Cloud
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
15. Key Cloud Security problems
From the CSA Top Threats research
Trust: lack of provider transparency, which impacts Governance, Risk & Compliance
Data: leakage, loss, or storage in an unfriendly geography (jurisdiction)
Insecure Cloud software
Malicious use of Cloud services
Account/Service Hijacking
Malicious Insiders
Cloud-specific attacks
18. 10 questions to ask a Cloud provider
1. How is identity and access managed in the Cloud?
2. Where will my data be geographically located?
3. How securely is my data handled?
4. How is access by privileged users controlled?
5. How is data protected against privileged user abuse?
6. What levels of isolation are supported?
7. How is my data protected in virtual environments?
8. How are the systems protected against Internet threats?
9. How are activities monitored and logged?
10. What kind of information security certification do you have?
19. THANK YOU
Ramsés Gallego, rgallego@entel.es