
Cloud security assessments : You're doing it wrong!

Moving to the cloud was supposed to increase the speed of business, but progress grinds to a halt once the risk management team gets involved in vetting cloud service providers. Behind the scenes, customers flood cloud providers with lengthy, bespoke questionnaires trying to quantify business risk—which doesn’t scale. Hear best practices to vet CSPs from three leading cloud providers.
(Source : RSA Conference USA 2017)



  1. Title slide. Session ID: CSV-W11. Moderator: Cory Scott, Chief Information Security Officer, LinkedIn. Panelists: Bill Burns, Chief Trust Officer and VP, Business Transformation, Informatica; Trey Ford, Head of Trust, Heroku, a Salesforce company; Jim Trovato, Sr. Director, IT Governance, Risk and Compliance, Informatica.
  2. (no text on this slide)
  3. Today
     - Digital transformations are creating high-velocity businesses
     - Managing vendor risk isn't keeping up
     - Service provider perspective: manual process, no standards
     - Customer perspective: hard to compare and assess vendors
     - Discussion: what can our industry do to address risk at scale and serve our businesses better?
     - But first, some examples of what customers send ...
  4. Example: "Dashboard of requirements"
  5. Example: "Tabs, tabs, tabs!"
  6. Example: "Complex, multiple choice"
  7. Example: "Document Requests → Remediation Plans"
  8. Example: "Essay Questions"
  9. Example: "Maturity Model Assessments + Essays"
  10. Discussion: How can we serve our businesses better?
  11. (no text on this slide)
  12. How to apply what we shared ... (1 of 2). Link to the video recording of this RSA session: https://www.rsaconference.com/videos/cloud-security-assessments-youre-doing-it-wrong
     Providers, just getting started:
     - Build a corpus of Q&A so you can respond faster to the majority of questions
     - Review standardized third-party reports to determine their overlap with yours
     - Adopt, and reply with, a standardized report format that addresses ~80% of customers' questions (CSA CAIQ, BITS SIG, etc.)
     Customers:
     - Pick a standard assessment format and trim it down to the essentials/critical items for your needs
       - Send cloud-specific security questionnaires to cloud-relevant vendors
     - Accept standardized reports like CAIQ and SIG for common controls to streamline processing
       - Submit smaller customer questionnaires only for the controls unique to your risk model
     - If you request SOC 2 reports, make sure to read the entire report
       - Are the controls you care about included and covered?
       - Does every control gap have an associated Management Action Plan?
  13. How to apply what we shared ... (2 of 2)
     Customers (continued):
     - Talk to your Legal team: what liability would YOU incur by directly auditing providers?
     - Consider focusing your questionnaire on risk, security and compliance. Avoid kitchen-sink coverage.
     - Getting confidence in a provider's risk level. Look for:
       - A good semantic classification and understanding of the data and functionality that you are entrusting to them. You can get that from a good whitepaper or a talk with their security team.
       - How thoughtfully they have implemented the following key controls: authentication/authorization, access control, auditing/logging
       - Signs of a strong application security program: an assessment by a reputable firm with a thought-out methodology; a responsible disclosure page and bug bounty programs; open source community participation; good people work there
  14. Resources: assessments
     First-party assessments
     - Lengthy, bespoke "kitchen sink" questionnaires (please don't!)
     - BITS Shared Assessments' SIG and SIG-Lite questionnaires (circa 2006)
     - HIPAA/HITECH self-assessment
     - CSA STAR Level 1 (circa 2013): Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ)
     Third-party assessments
     - PCI DSS Report on Compliance ("ROC")
     - ISO 27000 series
     - BITS Shared Assessments AUP
     - HITRUST audit, HIPAA/HITECH attestation
     - CSA STAR (Levels 2, 3)
     - AICPA SSAE 16 / SOC 1, SOC 2, SOC 3
       - SOC 2+ (SOC 2 plus HIPAA, HITRUST, PCI, ISO 27k, COBIT 5, NIST SP 800-53 R4, CSA CCM)
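The provider-side advice on slide 12 (build a corpus of answers, reply with a standardized format) is easy to state and easy to get wrong in practice: an answer that is reused without a pointer to the evidence behind it, or long after that evidence was last checked, is exactly the kind of response the customer-side advice on slide 12 warns about. The script below is an added illustration of that triage, not code from the panel or from any of the panelists' companies. The control ids, the report sections cited as evidence, the corpus wording, the incoming questionnaire and the dates are all constructed; the token-overlap scoring and the 0.4 / 365-day thresholds are assumptions chosen for the example.

```python
"""Match incoming questionnaire items against a maintained answer corpus.

Added example for the "build a corpus of Q&A" advice; it is not code from
the panel or any vendor. The corpus entries, control references,
questionnaire and dates below are all constructed.
"""
from dataclasses import dataclass
from datetime import date
import re

# Words that carry no signal when comparing questionnaire items.
STOPWORDS = {"a", "an", "and", "are", "at", "do", "does", "for", "in", "is",
             "of", "on", "that", "the", "this", "to", "with", "you", "your"}


def tokens(text):
    """Lower-cased word set minus stopwords; 'multi-factor' -> {'multi', 'factor'}."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def similarity(a, b):
    """Jaccard overlap of the two token sets (0.0 = disjoint, 1.0 = identical)."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0


@dataclass(frozen=True)
class Answer:
    control_id: str   # reference into the standard you answer with (assumed ids)
    question: str     # canonical wording of the question in that standard
    answer: str
    evidence: str     # third-party report section that backs the answer
    reviewed: date    # last date the answer was re-validated against evidence


# Constructed corpus; control ids, report sections and dates are made up.
CORPUS = [
    Answer("IAM-02",
           "Do you enforce multi-factor authentication for administrative access to production systems?",
           "Yes. Hardware-backed MFA is required for all administrative access to production.",
           "SOC 2 Type II report, CC6.1", date(2017, 1, 15)),
    Answer("EKM-03",
           "Is customer data encrypted at rest and in transit?",
           "Yes. AES-256 at rest; TLS 1.2 or newer in transit.",
           "SOC 2 Type II report, CC6.7", date(2017, 1, 15)),
    Answer("AAC-02",
           "Are application and infrastructure logs retained and reviewed?",
           "Yes. Logs are centrally collected, retained for 365 days and reviewed daily.",
           "ISO 27001 Statement of Applicability, A.12.4", date(2016, 1, 10)),
]

# Constructed incoming questionnaire from a hypothetical customer.
SAMPLE_QUESTIONNAIRE = [
    "Does your company require multi-factor authentication for admin access to production?",
    "Are infrastructure and application logs retained and reviewed?",
    "Describe your disaster recovery testing program.",
]


def match_questionnaire(questions, corpus=CORPUS, threshold=0.4,
                        max_age_days=365, today=date(2017, 2, 13)):
    """Triage each question into AUTO (reuse the stored answer and its
    evidence), STALE (closest answer exists but its evidence has not been
    re-checked within max_age_days) or MANUAL (no close match; a human
    answers). `today` defaults to a fixed date so the example is reproducible.
    """
    results = []
    for q in questions:
        best = max(corpus, key=lambda e: similarity(q, e.question))
        score = round(similarity(q, best.question), 2)
        if score < threshold:
            results.append({"question": q, "status": "MANUAL", "match": None, "score": score})
        elif (today - best.reviewed).days > max_age_days:
            # Never ship an answer whose backing evidence has not been re-checked recently.
            results.append({"question": q, "status": "STALE", "match": best.control_id, "score": score})
        else:
            results.append({"question": q, "status": "AUTO", "match": best.control_id,
                            "score": score, "answer": best.answer, "evidence": best.evidence})
    return results


if __name__ == "__main__":
    for r in match_questionnaire(SAMPLE_QUESTIONNAIRE):
        print(f"{r['status']:<6} {r['match'] or '-':<7} {r['score']:.2f}  {r['question']}")
```

On the constructed input the first question is answered automatically from the IAM-02 entry (score 0.45), the second matches AAC-02 exactly but is flagged STALE because the backing evidence is over a year old, and the third has no counterpart in the corpus and goes to a human. Keeping the evidence pointer and review date on every answer is what lets a provider hand a customer something they can verify against the SOC 2 or ISO report, rather than a bare "Yes".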