SlideShare une entreprise Scribd logo

Cloud-Security-Keeping-Data-Safe-Protiviti - white paper

D
Dave Theriault
1  sur  8
Télécharger pour lire hors ligne
Cloud Security – Keeping Data Safe in the “Boundaryless” World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for many organizations not to at least consider moving certain functions to the cloud. Cost-reduction opportunities, scalability, flexibility and elasticity are just some of the potential benefits of such a move. However, companies looking to shift their information technology (IT) assets to a cloud model (public, private or hybrid) often are not fully informed, or simply are unaware, of the range of risks and limitations of cloud computing. Most organizations do have security concerns about the cloud. Leadership, especially from IT, may worry that data will be less safe if hosted by a third party, instead of internally or in a “steel cage” by a local co-location provider. The fear of losing control of and visibility into IT systems is a key reason why many organizations decide to delay or cancel cloud conversions, particularly large commitments to the cloud. Companies looking to derive benefits from embracing cloud services – including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) – must thoroughly consider what will, and will not be, hosted by a cloud provider. Security risks and exposures do increase in the cloud environment. Additionally, there is an established precedent that cloud providers will not assume responsibility for protecting your organization’s data. Cloud Benefits, Risks and Exposures Cost reduction is often the top driver in an organization’s decision to move to the cloud. But there are other benefits, including a single centralized view into your IT infrastructure, speed of deployment, deep yet inexpensive infrastructure redundancy (hardware, application and network connectivity), and fluid elasticity. There are also fundamental risks and exposures within cloud solutions, no matter which deployment method a company selects – public, private or hybrid. Most organizations fear a security breach that can result in brand damage and loss of customers’ trust, and requires significant time and effort to remediate. Other concerns include potential defects in the underlying cloud solution, performance issues with accessing the solution (latency, application delay and availability), and potential complexities around recovering from a disaster situation (hosting and availability of backups).
Protiviti | 2 Solutions to Migrate Risks The explosion in the number of cloud providers and offerings – and the marketing hype around cloud computing – has led many organizations to a state of buyer confusion. In an effort to provide these organizations with some clarity for decision-making about the cloud, Protiviti has identified several fundamental security capabilities that should exist within any mature IT environment (whether self-managed or cloud-provided). Before cloud solutions and supporting capabilities can be designed, however, there must be awareness of potential threats. Figure 1 represents a summary of threats according to cloud deployment methodology. These threats require different levels of security diligence based upon the risks and exposures of the cloud deployment method. An organization’s tolerance to risk is the foundation for building a compressive set of security capabilities. Figure 1. Threats and Risk Levels by Cloud Deployment Type
Protiviti | 3 Figure 2 represents an example of a comprehensive security model built to mitigate controls based upon the organization’s security capabilities. This model allows an organization to focus security operating capabilities on areas with the most amount of exposure and apply the same focus on any planned cloud implementation. Figure 2. Example of Comprehensive Security Model
Protiviti | 4 The Public Cloud – A Commerce Facilitator Market intelligence provider IDC projects that by 2017, worldwide spending on public IT cloud services will exceed US$107 billion, and that these services will experience a compound annual growth rate of 23.5 percent from 2013 to 2017 – five times that of the IT industry as a whole.1 Risks in the public cloud space are extremely high – with a broad attack surface and exposure to a wide range of threats. Significant diligence and a holistic set of controls must be applied to public cloud environments. In general, the public cloud space is best suited for commodity IT solutions that generate revenue and/or build business awareness. For example, web commerce, mailers/surveys, low-risk client information, and low-sensitivity shared applications. Protiviti highly recommends that a company understand the risks associated with putting sensitive data into the public cloud and then apply the right set level of controls to mitigate these risks to acceptable levels. Additionally, a holistic security framework should be used when moving to the public cloud. Protiviti recommends applying a well-established security management and controls framework (e.g., ISO 27001/2, COSO, COBIT, NIST, HITRUST) to ensure that cloud solutions achieve the organization’s confidentiality, integrity and availability needs (see Figure 3). Figure 3. Security Management Framework (ISO 27001:2013) 1 IDC Forecasts Worldwide Public IT Cloud Services Spending to Reach Nearly $108 Billion by 2017 as Focus Shifts from Savings to Innovation, IDC media release, Sept. 3, 2013: www.idc.com/getdoc.jsp?containerId=prUS24298013.
Protiviti | 5 In the public cloud, everything is open to attack via the Internet, so it is critical that every organization apply a comprehensive layered security approach and a core set of virtualized security tools. There are two primary areas to focus on to ensure tools are applied consistently within the public cloud environment – the application/host and network infrastructure layers, illustrated in Figure 4. Figure 4. Public Cloud Capabilities The Private Cloud – A Business Operations Delivery Solution Private cloud solutions provide an effective mechanism to drive other cost efficiencies around infrastructure and/or business processes. Generally, corporations moving to the private cloud model have made the determination that infrastructure is a commodity, and there are significant cost savings to be achieved in alternative sourcing of their infrastructure – but they prefer being the sole “resident” or user of that infrastructure. Private clouds are easier to transition to because they don’t have the perceived exposure that public or hybrid cloud environments have and so companies tend to move large quantities of sensitive data/information to these environments. However, just because the private cloud is
Protiviti | 6 considered “closed” to the Internet, doesn’t mean organizations are safe from internal threats, disaster recovery without use of offsite physical media, or potential information leakage. The private cloud deployment method should employ all the typical controls and tools of an on- premise IT environment. There should be additional diligence around data-centric security controls, tools and capabilities, as well (see Figure 5). These data-centric functions should include data access control, data encryption/tokenization and data governance. This data- centric approach allows controls to be applied to the most basic form of IT: the data. Wherever the data originates (application sourcing), flows through (data in motion), or rests (data at rest), the controls can be applied at each data level and to all forms of data. Figure 5. Private Cloud Capabilities The Hybrid Cloud – A Potential Segmentation Concern Hybrid cloud solutions combine the benefits – and the risks – from both private and public deployment methods. The issue is that while the benefits are added together, the risks are multiplied. Customers continue to express concerns about this cloud deployment model, namely around where data is kept and the high potential for data loss through the public cloud. Protiviti sees this deployment method as fairly restricted to a subset of organizations with low- risk business functions and/or an existing higher level of security maturity (where data is effectively segmented and secured based upon an established data classification policy).
Protiviti | 7 We highly recommend that organizations considering the hybrid cloud model apply the following sets of capabilities holistically to their IT environment (see Figure 6). Figure 6. Hybrid Cloud Capabilities Summary The future of cloud computing appears bright – and fairly limitless. However, organizations should not make rash or uninformed decisions to move to the cloud. They also should be diligent in ensuring their data is more than adequately protected once they do shift to the cloud. Every company should know and understand their regulatory landscape, use certified computer images, apply a “defense in depth” strategy, design data-centric controls, and vigorously monitor for inappropriate activity.
© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. About Protiviti Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. About Our IT Security and Privacy Solutions As technology becomes increasingly integral to business, it is critical to view information security and privacy as a part of the business, not just IT. Critical intellectual property and regulated personal information need to be protected from the security threats, vulnerabilities and privacy exposures that challenge every organization today. Risks must be understood and managed. Often organizations do not know the information risks in their environment or how to reduce these risks. Equally important, good security and privacy practices can permit companies to take advantage of new technologies to provide revenue growth and cost containment opportunities. Protiviti provides a wide variety of security and privacy assessment, architecture, transformation and management services to help organizations identify and address security and privacy risks and potential exposures (e.g., loss of customer data, loss of revenue, or reputation impairment to a customer) so they can be reduced before they become problems. We have a demonstrated track record of helping companies prevent and respond to security incidents, establish security programs, implement identity and access management, and reduce industry-specific risks through enhanced data security and privacy. Protiviti can also help organizations comply with regulations and standards including ISO/IEC 27001/2, PCI, privacy and disclosure laws, HIPAA, GLBA and more. We invite you to explore the various IT security and privacy services we offer: • Security Strategy & Program Management Services (frameworks including ISO/IEC 27001-2, NIST, COBIT) • Program and Compliance Assessments (including ISO/IEC 27001/2, PCI, HIPAA, Safe Harbor, Incident & Breach Response, FFIEC, SOX, etc.) • Identity & Access Management Services • Data Security & Privacy Management Services • Vulnerability Assessment & Penetration Testing • Security Operations & Implementation Services • Incident Response & Forensic Services Contact Cal Slemp +1.203.905.2926 cal.slemp@protiviti.com David Stanton +1.469.374.2488 david.stanton@protiviti.com

Recommandé

Bank Account Management - Creation of new bank account request
Bank Account Management - Creation of new bank account requestBank Account Management - Creation of new bank account request
Bank Account Management - Creation of new bank account requestDinesh Kumar
 
SlideShare 101
SlideShare 101SlideShare 101
SlideShare 101Amit Ranjan
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture CodeSkeleton Technologies
 

Recommandé

Bank Account Management - Creation of new bank account request
Bank Account Management - Creation of new bank account requestBank Account Management - Creation of new bank account request
Bank Account Management - Creation of new bank account requestDinesh Kumar
 
SlideShare 101
SlideShare 101SlideShare 101
SlideShare 101Amit Ranjan
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture CodeSkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations Rajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data ScienceChristy Abraham Joy
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slidesAlireza Esmikhani
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesProject for Public Spaces & National Center for Biking and Walking
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationErica Santiago
 

Contenu connexe

En vedette

PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationErica Santiago
 

En vedette (20)

PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 

Cloud-Security-Keeping-Data-Safe-Protiviti - white paper

  • 1. Cloud Security – Keeping Data Safe in the “Boundaryless” World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for many organizations not to at least consider moving certain functions to the cloud. Cost-reduction opportunities, scalability, flexibility and elasticity are just some of the potential benefits of such a move. However, companies looking to shift their information technology (IT) assets to a cloud model (public, private or hybrid) often are not fully informed, or simply are unaware, of the range of risks and limitations of cloud computing. Most organizations do have security concerns about the cloud. Leadership, especially from IT, may worry that data will be less safe if hosted by a third party, instead of internally or in a “steel cage” by a local co-location provider. The fear of losing control of and visibility into IT systems is a key reason why many organizations decide to delay or cancel cloud conversions, particularly large commitments to the cloud. Companies looking to derive benefits from embracing cloud services – including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) – must thoroughly consider what will, and will not be, hosted by a cloud provider. Security risks and exposures do increase in the cloud environment. Additionally, there is an established precedent that cloud providers will not assume responsibility for protecting your organization’s data. Cloud Benefits, Risks and Exposures Cost reduction is often the top driver in an organization’s decision to move to the cloud. But there are other benefits, including a single centralized view into your IT infrastructure, speed of deployment, deep yet inexpensive infrastructure redundancy (hardware, application and network connectivity), and fluid elasticity. There are also fundamental risks and exposures within cloud solutions, no matter which deployment method a company selects – public, private or hybrid. Most organizations fear a security breach that can result in brand damage and loss of customers’ trust, and requires significant time and effort to remediate. Other concerns include potential defects in the underlying cloud solution, performance issues with accessing the solution (latency, application delay and availability), and potential complexities around recovering from a disaster situation (hosting and availability of backups).
  • 2. Protiviti | 2 Solutions to Migrate Risks The explosion in the number of cloud providers and offerings – and the marketing hype around cloud computing – has led many organizations to a state of buyer confusion. In an effort to provide these organizations with some clarity for decision-making about the cloud, Protiviti has identified several fundamental security capabilities that should exist within any mature IT environment (whether self-managed or cloud-provided). Before cloud solutions and supporting capabilities can be designed, however, there must be awareness of potential threats. Figure 1 represents a summary of threats according to cloud deployment methodology. These threats require different levels of security diligence based upon the risks and exposures of the cloud deployment method. An organization’s tolerance to risk is the foundation for building a compressive set of security capabilities. Figure 1. Threats and Risk Levels by Cloud Deployment Type
  • 3. Protiviti | 3 Figure 2 represents an example of a comprehensive security model built to mitigate controls based upon the organization’s security capabilities. This model allows an organization to focus security operating capabilities on areas with the most amount of exposure and apply the same focus on any planned cloud implementation. Figure 2. Example of Comprehensive Security Model
  • 4. Protiviti | 4 The Public Cloud – A Commerce Facilitator Market intelligence provider IDC projects that by 2017, worldwide spending on public IT cloud services will exceed US$107 billion, and that these services will experience a compound annual growth rate of 23.5 percent from 2013 to 2017 – five times that of the IT industry as a whole.1 Risks in the public cloud space are extremely high – with a broad attack surface and exposure to a wide range of threats. Significant diligence and a holistic set of controls must be applied to public cloud environments. In general, the public cloud space is best suited for commodity IT solutions that generate revenue and/or build business awareness. For example, web commerce, mailers/surveys, low-risk client information, and low-sensitivity shared applications. Protiviti highly recommends that a company understand the risks associated with putting sensitive data into the public cloud and then apply the right set level of controls to mitigate these risks to acceptable levels. Additionally, a holistic security framework should be used when moving to the public cloud. Protiviti recommends applying a well-established security management and controls framework (e.g., ISO 27001/2, COSO, COBIT, NIST, HITRUST) to ensure that cloud solutions achieve the organization’s confidentiality, integrity and availability needs (see Figure 3). Figure 3. Security Management Framework (ISO 27001:2013) 1 IDC Forecasts Worldwide Public IT Cloud Services Spending to Reach Nearly $108 Billion by 2017 as Focus Shifts from Savings to Innovation, IDC media release, Sept. 3, 2013: www.idc.com/getdoc.jsp?containerId=prUS24298013.
  • 5. Protiviti | 5 In the public cloud, everything is open to attack via the Internet, so it is critical that every organization apply a comprehensive layered security approach and a core set of virtualized security tools. There are two primary areas to focus on to ensure tools are applied consistently within the public cloud environment – the application/host and network infrastructure layers, illustrated in Figure 4. Figure 4. Public Cloud Capabilities The Private Cloud – A Business Operations Delivery Solution Private cloud solutions provide an effective mechanism to drive other cost efficiencies around infrastructure and/or business processes. Generally, corporations moving to the private cloud model have made the determination that infrastructure is a commodity, and there are significant cost savings to be achieved in alternative sourcing of their infrastructure – but they prefer being the sole “resident” or user of that infrastructure. Private clouds are easier to transition to because they don’t have the perceived exposure that public or hybrid cloud environments have and so companies tend to move large quantities of sensitive data/information to these environments. However, just because the private cloud is
  • 6. Protiviti | 6 considered “closed” to the Internet, doesn’t mean organizations are safe from internal threats, disaster recovery without use of offsite physical media, or potential information leakage. The private cloud deployment method should employ all the typical controls and tools of an on- premise IT environment. There should be additional diligence around data-centric security controls, tools and capabilities, as well (see Figure 5). These data-centric functions should include data access control, data encryption/tokenization and data governance. This data- centric approach allows controls to be applied to the most basic form of IT: the data. Wherever the data originates (application sourcing), flows through (data in motion), or rests (data at rest), the controls can be applied at each data level and to all forms of data. Figure 5. Private Cloud Capabilities The Hybrid Cloud – A Potential Segmentation Concern Hybrid cloud solutions combine the benefits – and the risks – from both private and public deployment methods. The issue is that while the benefits are added together, the risks are multiplied. Customers continue to express concerns about this cloud deployment model, namely around where data is kept and the high potential for data loss through the public cloud. Protiviti sees this deployment method as fairly restricted to a subset of organizations with low- risk business functions and/or an existing higher level of security maturity (where data is effectively segmented and secured based upon an established data classification policy).
  • 7. Protiviti | 7 We highly recommend that organizations considering the hybrid cloud model apply the following sets of capabilities holistically to their IT environment (see Figure 6). Figure 6. Hybrid Cloud Capabilities Summary The future of cloud computing appears bright – and fairly limitless. However, organizations should not make rash or uninformed decisions to move to the cloud. They also should be diligent in ensuring their data is more than adequately protected once they do shift to the cloud. Every company should know and understand their regulatory landscape, use certified computer images, apply a “defense in depth” strategy, design data-centric controls, and vigorously monitor for inappropriate activity.
  • 8. © 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. About Protiviti Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. About Our IT Security and Privacy Solutions As technology becomes increasingly integral to business, it is critical to view information security and privacy as a part of the business, not just IT. Critical intellectual property and regulated personal information need to be protected from the security threats, vulnerabilities and privacy exposures that challenge every organization today. Risks must be understood and managed. Often organizations do not know the information risks in their environment or how to reduce these risks. Equally important, good security and privacy practices can permit companies to take advantage of new technologies to provide revenue growth and cost containment opportunities. Protiviti provides a wide variety of security and privacy assessment, architecture, transformation and management services to help organizations identify and address security and privacy risks and potential exposures (e.g., loss of customer data, loss of revenue, or reputation impairment to a customer) so they can be reduced before they become problems. We have a demonstrated track record of helping companies prevent and respond to security incidents, establish security programs, implement identity and access management, and reduce industry-specific risks through enhanced data security and privacy. Protiviti can also help organizations comply with regulations and standards including ISO/IEC 27001/2, PCI, privacy and disclosure laws, HIPAA, GLBA and more. We invite you to explore the various IT security and privacy services we offer: • Security Strategy & Program Management Services (frameworks including ISO/IEC 27001-2, NIST, COBIT) • Program and Compliance Assessments (including ISO/IEC 27001/2, PCI, HIPAA, Safe Harbor, Incident & Breach Response, FFIEC, SOX, etc.) • Identity & Access Management Services • Data Security & Privacy Management Services • Vulnerability Assessment & Penetration Testing • Security Operations & Implementation Services • Incident Response & Forensic Services Contact Cal Slemp +1.203.905.2926 cal.slemp@protiviti.com David Stanton +1.469.374.2488 david.stanton@protiviti.com