2. Into the (Cloud) Future with HP
[Diagram labels: services ecosystem; systems integration; technology island; utility services; advanced cloud; enterprise cloud services; traditional configured services; managed hosting; automated hosting; agility; sourcing models]
3. ABC of Cloud Security, Legal and Regulatory
- Acceptance of standard security policies and procedures
- Better be prepared to compromise yet aware of potential legal issues
- Contracts ... review at an early stage to provide an understanding of what the gaps might be.
4.
5. Acceptance and Compromise
- Single security policy & procedures
- Shared set of Internal Controls
- Shared independent assurance
- No physical rights of access
- Little or no flexibility on RTO/RPO
- Access to log files
- Limited security reporting
7. Better be prepared
BSI BIP 0008 is a code of practice that provides guidance to ensure, as far as possible, that electronic documents and scanned images will be accepted as evidence by the courts.
http://www.thecabinetoffice.co.uk/page28.html
8. C - Contracts
Advice from E-Discovery processes standards:

3.9. Cloud Computing or Third-Party Systems

It has become increasingly popular to store data in locations away from the primary business for security, cost-efficiency or disaster recovery purposes. These sources should be identified if they house data potentially relevant to the dispute. Examples of this include cloud computing, SaaS, off-site company storage facilities, co-location data centres, third party data warehousing, or third party tape storage (i.e., Iron Mountain, Recall, etc.).

If a cloud solution is being utilized to store potentially relevant information you will likely need to put a 3rd party hold in place. Additionally you should interview the 3rd party provider to identify where and how the data is stored. 3rd party providers are likely to have back-ups of the data so it is important to ask about retention and rotation of back-ups. You should also ask what their policy is for swapping out servers. You may find out that there is an old server sitting around that contains relevant data. Another area to consider is whether the potentially relevant information is comingled with any other data. Finally, ask where the servers are located. This information will identify if there are any challenges in collecting data from another country.

The Electronic Discovery Reference Model
9. C - Contracts
- Ask for examples of independent assurance reports
- Speak to independent auditors
- Seek client references
- Copy of BCP and IT DR Plans & Plan Tests (are these also in scope for assurance audits?)
- Copies of ISO 27001 certificate
- Details of SAS 70 internal controls
- Copy of BS25999 certificate
- Copy of ISO 20000 certificate
- Copy of ISO 14000 certificate
Check the scope!
10. So what are the cloud security hot buttons?
- Identity and access management: need to get this working anyway!
- Business continuity and IT DR: acceptance of standard RTO and RPO.
- Encryption (key management) will be a client responsibility; this issue is related to IdM!
- Flexibility in contracts, and please kill off the “old school” purchasing and contracts departments!
12. Conclusions
- Flexibility required
- Ensure you are prepared
- Examine Contracts
- Cloud is immature and experiences are limited
- Legal and regulatory issues (e-Discovery: jury is still out!)
- Watch this space ....
13. Finally
David.spinks@hp.com
http://www.cloudsecurityalliance.org/
http://www.hp.com/hpinfo/newsroom/press/2009/090331xa.html
Q and A