Forecast odcau6 100_eb

Post on 15-Jan-2015


SECURITY ASSURANCE

Matt Lowth (NAB), Ian Lamont (BMW)

RISK IN THE CLOUD

ODCA Provider Assurance 2013

BACKGROUND – USAGE MODELS

Secure Federation: Provider Assurance; Data Security Framework; Security Monitoring; Identity Mgmt Interoperability; Identity Mgmt and Governance; IaaS Privileged User Access; Single Sign On Authentication

Automation: IO Control; VM Interoperability in a Hybrid Cloud; Long Distance Workload Migration

Common Management and Policy: Software Entitlement Mgmt; Regulatory Framework

Transparency: PaaS Interoperability; SaaS Interoperability; Interoperability across Clouds; Carbon Footprint; Service Catalogue

AGENDA

Topic: Cloud Provider Assurance

Discuss: Why / What / How

Learning: Lessons that will support security in my business

UM CORE – MODEL & USAGE SCENARIOS

PROVIDER ASSURANCE FRAMEWORK

Assurance Level: Bronze, Silver, Gold, Platinum

• Bronze
  Description: Represents the lower-end corporate security requirement and may equate to a higher level for a small to medium business customer
  Example: Development environment

• Silver
  Description: Represents a standard level of corporate security likely to be evident in many enterprises
  Example: Test environment; “out-of-the-box” production environment

• Gold
  Description: Represents an improved level of security that would normally be associated with the processing of sensitive corporate data.
  Example: Finance sector production environment

• Platinum
  Description: Represents the highest level of contemplated corporate requirements
  Example: Special purpose, high-end security requirement

BRONZE

• Virus scanning
• Physical Access control
• Secure protocols used
• ITIL Process Usage
• Default Passwords removed
• Source Code analysis
• IT Security Policy
• Provider staff management
• Data Security training

• Vulnerability Mgmt
• Firewall isolation
• Identity Management
• Data retention and deletion
• Security Incident and Event Monitoring

SILVER

• Network Intrusion Prevention
• Event Logging for administrators
• Technical Continuity Plan
• Fully documented network
• Safe Harbor for EU subscribers
• Provider risk assessments
• Provider config and asset mgmt
• DoS protection
• Guaranteed data deletion

• Vulnerability Mgmt
• Firewall isolation
• Identity Management
• Data retention and deletion
• Security Incident and Event Monitoring

• Encryption key mgmt

GOLD

• Option to perform pen testing
• Physical segmentation of hw
• Multi factor authentication
• Ability to define geographic hosting limits
• No default admin access
• Strong data encryption
• Accredited provider processes

• Vulnerability Mgmt
• Firewall isolation
• Identity Management
• Data retention and deletion
• Security Incident and Event Monitoring

GENERAL QUESTIONS (TO THE AUDIENCE)

As providers, are your products secured to one or more of the levels described?

As subscribers, would you buy from a provider if it advertised one of these levels?

INFORMATION AND ASSETS

Available to Members at: www.opendatacenteralliance.org
URL for Public content: www.opendatacenteralliance.org

Standardized Response Checklists

Accelerate TTM

Shared Practices Drive Scale

Streamlined Requirements

Accelerate Adoption

QUESTIONS

www.opendatacenteralliance.org

Security Provider Assurance: Ensuring that the Cloud is secure

© 2013 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.