Transcript of CLOUD COMPUTING “The Old Ways Are New Again”
CLOUD COMPUTING “The Old Ways Are New Again”
Jeff Rowland, Vice President, USAA IT/Security Audit Services
Public Information

Who We Are (as of Oct. 2014)

Our Mission
The mission of the association is to facilitate the financial security of its members, associates, and their families through provision of a full range of highly competitive financial products and services; in so doing, USAA seeks to be the provider of choice for the military community.

Our Core Values
Service, Loyalty, Honesty, Integrity

Our Brand Pillars
Passionate Member Advocacy; Financial Strength & Wisdom; Shared Military Values

Our Brand Promise
GOING ABOVE FOR THOSE WHO HAVE GONE BEYOND

Disclaimers
• The contents of this presentation do not necessarily reflect any approach used by USAA.
• The contents of this presentation reflect my opinions only, and not necessarily those of my employer.
• Following the steps outlined herein does not guarantee any particular outcome, express or implied.

Learning Objectives
• Background – Understand how companies used Technology Service Providers (TSPs) before the internet, and the risks we had to mitigate.
• Cloud today – Understand how the use of TSPs has changed, and how that impacts the current risk environment.
• Parallels – Understand how the risks of today parallel those we used to face.
• Strategies – Strategies others have utilized that can be applied to help mitigate today’s risks.

Learning Objective: Background
Why is it important to understand the background?
“Those who don’t know history are destined to repeat it.”
by Edmund Burke (1729-1797)

IT Opportunities and Risks
Learning Objective: Background
Companies in the News? (image slide)

The rise of the Machines
Learning Objective: Background

“Good” old days – Business processes were generally supported by IT
• 1970s – “Dumb” terminals
  - IT primarily used for data storage and managing large volumes of information
  - Frequent manual interfaces between IT and business areas
  - Mainframe based technology
  - Early “cloud” concepts (e.g. the IBM VM operating system, Remote Job Entry (RJE))
• 1980s – “Personal Computers”
  - 3270 “emulators”
  - DOS, Lotus 123, WordPerfect
• 1990s – Internet
  - Dialup

Key Point!
Primary risks we had to manage?
• IT Change Management (Dev, Test, Prod)
• Access Controls
• Disaster Recovery

[Figure] Source: Wikipedia, “History of IBM Magnetic Disk Drives”

Some early Technology Service Providers (TSPs)
Learning Objective: Background
• IBM – International Business Machines
• DEC – Digital Equipment Corporation
• EDS – Electronic Data Systems (acquired by HP)
• Perot Systems (acquired by Dell)
• ACS – Affiliated Computer Services

Current Industry Trends
Learning Objective: Cloud Today

• Speed of change (Faster / Better / Cheaper)
• Social Media
• Work anywhere, anytime (e.g. BYOD)
• Active / Active
• Cloud Computing – Decisions, Decisions…
  - Public vs. Private?
  - Software as a Service (SaaS)?
  - Infrastructure as a Service (IaaS)?
  - Platform as a Service (PaaS)?

“Every two days, we create more information than we did from the dawn of civilization up until 2003.” *
* Source: Eric Schmidt (Google CEO from 2001 – 2011)

Primary risks we have to manage?
• IT Change Management (Dev, Test, Prod)
• Access Controls
• Disaster Recovery

So why is this hard?

Emerging Risks
Learning Objective: Cloud Today

Diagram centered on “Information Technology”, with the following branches:
• Availability
  - Who would have thought a dropped anchor would cut a telecom cable? (Middle East 2008, Africa 2012)
• “Big Data”
• BYOD – “Bring Your Own Device”
• Cloud computing
  - “If you run with dogs, you’ll get fleas”
• Model Risk
• Social Media
• Regulatory Oversight
• Third party Reliance
  - Coding
  - Data

Emerging Risks
Learning Objective: Parallels
[Figure] Black Hat Attendee Survey, from Black Hat USA 2015
What concerns would have been so pre-Internet?

Cloud Controls Matrix (CCM)
Learning Objective: Parallels

16 Control Domains
• Application & Interface Security
• Audit Assurance & Compliance
• Business Continuity Management & Operational Resilience
• Change Control & Configuration Management
• Data Security & Information Lifecycle Management
• Datacenter Security
• Encryption & Key Management
• Governance and Risk Management
• Human Resources
• Identity & Access Management
• Infrastructure & Virtualization Security
• Interoperability & Portability
• Mobile Security
• Security Incident Management, E-Discovery & Cloud Forensics
• Supply Chain Management, Transparency and Accountability
• Threat and Vulnerability Management

• Based on established standards (e.g. ISO, NIST, COBIT, ISA, FFIEC, FedRAMP)
Source: Cloud Security Alliance
New

IT Opportunities and Risks
Learning Objective: Strategies
Companies in the News? (image slide)

Cloud Risk Management
Learning Objective: Strategies

Diagram: Cloud Drivers & Risks (labels recovered from the slide; grouping follows the slide’s four axes)
• Business Objectives: Strategic Growth; Ease of Use / Convenience; Security; Cost Containment / Competitive Edge
• Operational Factors: Contract; Financial; Compliance & Legal; Information Security; Business Continuity; Data / Transaction Integrity; Reputation; Geopolitical & Regulatory
• Contract Lifecycle: Plan, Evaluate, Select; Contract Initiation; Manage & Monitor (Ongoing); Exit Strategy
• Stakeholders: Board of Directors; Management / Process Owners; Investors; Regulators; Cloud Providers; Customers

Control Strategies
Learning Objective: Strategies

Matrix of Control Reqmt against Key Considerations (Not all inclusive):
• Key Considerations (columns): Data Classification; Data at Rest; Data in Flight; Encryption & Key Mgmt; Software Dev; 4th Party Mgmt; Logs / DLP; Breach Notification
• Control Reqmt (rows): Access Mgmt; Change Mgmt; BC / DR
Every cell of the matrix is shown as “?” on the slide.
Company/Stakeholder Risk Tolerance

Supplier Due-Diligence
Learning Objective: Strategies

5 Essential elements of your Cloud strategy
• Know yourself
• Know your partner(s)
• Trust, but Verify
• Know the risks
• Have an Exit Strategy

Questions?