The document discusses security in virtualized environments. It recommends applying lessons learned from physical security to virtual systems, including logical and physical separation of boundaries. While virtualization provides advantages like scalability and cost savings, organizations must still establish security measures of effectiveness linked to business key performance indicators. Outsourcing requires thorough due diligence of suppliers and not relying solely on certifications. Industry standards like the Cloud Security Alliance's Cloud Controls Matrix can provide guidance on controls for virtual environments. The strategic goal of security should be delivering increased value to the business through collective, non-siloed security activities.
2. We are a Systems Integrator & Outsource Provider
Data Privacy, Risk & Compliance
Other Clients include:
BP, EADS, E.On, TUI ….
3. Why physical security just isn't enough -
sending the 'heavies' into virtualised environments
….. whilst not neglecting the security basics.
And accepting that there is always risk!
Discussion & interaction welcome!
NB Views expressed are not necessarily representative of either DTAG or T-Systems International GmbH
6. What is Security’s value to your business?
The strategic intent should be to deliver increased value to your business & that of your Clients through the intelligent application of collective Security activities. NB Not silo'ed!
[Figure: "Stages in Managing Expectations". Stages, from lowest to highest maturity: Reactive, Responsive, Anticipatory, Shaping, Co-shaping individual expectations. Corresponding experience levels: Internally oriented, Hassle-free, User-friendly, Engaging & exciting, Co-shaping individual experiences.]
7. NB The strategic intent should be to deliver increased value to your business & that of your
Clients through the intelligent application of collective Security activities . No silos allowed!
• Apply lessons and (security aspects of) design from physical to virtual environments
• Consider both logical and physical separation for boundaries
• Beware of cross-domain boundary dataflows
• Give more thought to protecting the data as opposed to the infrastructure
• Consider enhancing Software Development Lifecycle (SDLC) efforts
• “It’s the Application Layer that matters, damn it!”
• Test, test and test again!
• Don’t neglect dynamic reuse, decommissioning & disposal
• What are your Measures of Effectiveness?
• Have you linked your Security KPIs to those of your business?
• NB Assumes you have KPIs …..!
• What about Key Risk Indicators (KRIs)?
• Look forwards as much as backwards
• Benchmark with other forecasts, e.g.
• Information Security Forum: ISF Threat Horizon 2013 Executive Summary
9. Let's not pretend that the Old World was perfect!
• The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has
advantages too:
• Scalability
• Resilience
• Cost-effectiveness
• Support model is arguably less complex
• Depends upon technological mix!
• Fewer staff, more automation, leads to improved Quality-of-Service
• Dynamic asset, license and configuration management should incur lower
maintenance effort - and therefore cost - as a result of higher automation
• Consider knowledge management as opposed to data/information management
• What is the business value of data? Meta-data adds context …..
• Is it static, time-dependent and/or actionable?
• What is the asset value of information to the business? Value-at-risk on the balance sheet?
11. Virtualisation (on premise or in Cloud) and outsourcing - caveat emptor!
• Consider value to business of data and associated processes
• What does the cost-benefit case mean to your business?
• Conduct business impact assessments to inform criticality discussions
• Due diligence is essential (reciprocal)
• Don't rely solely on a generic questionnaire
• Adopt a security framework, e.g. the Common Assurance Maturity Model (CAMM):
• http://common-assurance.com/resources/Common-Assurance-Maturity-Model-vision.pdf
• ‘Kick the tyres’, i.e. exercise contractual right to conduct audits
• Don’t neglect your Supply Chain
• Take note of certifications but don’t rely on them
• So, your Supplier has an ISO 27001 certificate …..
• What is the scope of applicability?
• How much business does the 3rd-party auditor have with the supplier?
• Regulatory compliance = security (a topic in its own right!)
12. Security controls in the virtualised world
• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v1.2 (August 2011)
• Specifically designed to provide fundamental security principles to guide cloud
vendors and to assist prospective cloud customers in assessing the overall security risk of a
cloud provider.
• CSA CCM provides a controls framework that gives detailed understanding of security
concepts and principles that are aligned to the CSA guidance in 13 domains.
• It has a customized relationship to other industry-accepted security
standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA
COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control
direction for SAS 70 attestations provided by cloud providers.
• CSA CCM provides organizations with necessary structure, detail and clarity relating to
information security tailored to the cloud industry.
• Strengthens existing information security control environments by emphasizing
business information security control requirements, identifies and reduces consistent
security threats and vulnerabilities in the cloud, provides standardized security and
operational risk management, and seeks to normalize security expectations, cloud
taxonomy and terminology, and security measures implemented in the cloud.
14. Summary
• Remember the Security Basics
• Physical, People, Process & Technology in harmony
• The New World – virtualised, in-house or in the Cloud (public/private/hybrid) – has
advantages too:
• Scalability
• Resilience
• Cost-effectiveness
• Apply lessons and (security aspects of) design from physical to virtual environments
• Establish your Measures of Effectiveness & associated KPIs and KRIs
• Consider knowledge management as opposed to data/information management
• What is the business value of data?
• Value-at-risk on the balance sheet?
• Align with an industry standard such as CAMM or CSA CCM
• Regulatory compliance = security (a topic for the next CIO Event!)
NB The strategic intent should be to deliver increased value to your business & that of your
Clients through the intelligent application of collective Security activities . No silos allowed!