To Cloud or Not To Cloud ?


Slide 0

To Cloud or Not To Cloud? Michael Yung, Immediate Past President - ISACA HK / CSA HKM

Slide 1

Slide 2

Slide 3

Myth # 1 - Cloud is Too New

Slide 4

Not Quite: the term was coined by Compaq executive George Favaloro back in 1996.

Slide 5

Myth # 2 - Cloud is Just a Fad

Slide 6

Not Quite: we are talking about US$ 100B of public cloud spending in 2015 (Forrester Research).

Slide 7

Myth # 3 - Cloud is Costly

Slide 8

Cloud Services Characteristics (Source: AWS)
- On-demand self-service
- Resource pooling
- Rapid elasticity
- Measured services

Slide 9

Capacity – The Traditional Way (Source: AWS)

Slide 10

Capacity – Waste and Dissatisfaction (Source: AWS)

Slide 11

Elastic Capacity – The Cloud Way (Source: AWS)

Slide 12

Myth # 4 - Cloud is Not Secure

Slide 13

Insecure? The truth is that data and systems residing in public or private clouds are as secure as you make them. Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required.

Slide 14

Barriers
- Perceived loss of control
- Lack of clarity around responsibilities, liabilities and accountability
- Lack of transparency / clarity in SLA, interoperability, awareness and expertise

Slide 15

Cloud …
- is not New
- is not a Fad
- is more Cost Effective
- is Secure *

Slide 16

To Jump or Not to Jump ?

Slide 17

Next Step? A Proper Risk Assessment

Slide 18

Risks and Security Concerns – Service and contractual risks
- Vendor Lock-In: few tools, procedures or standard formats available for data and service portability
- Poor SLA: the service level affects confidentiality and availability
- 3rd-Party Access to Data: the need to protect intellectual property, trade secrets and personal data, and to comply with regulations / laws in different geographical regions
- Poor DR Plan: business continuity and disaster recovery plans must be well documented and tested

Slide 19

Risks and Security Concerns – Technology risks
- Integration / Bandwidth: how to integrate the in-house systems with the Cloud? Is high-speed bandwidth ready?
- Encryption and Identity Mgmt: speedy encryption / decryption – in transit, at rest, destruction; identity management
- Testing and Monitoring: the provider may not allow you to do a thorough pen test or audit; are good monitoring tools available?
- Resource Allocation: overbooking, underbooking; handling of DoS attacks; payment cap

Slide 20

Questions To Ask …
- When and where to use the cloud – the business case
- SLO (and then SLA): availability, reliability, accessibility, performance and security
- Along with what best practices: people, processes, change management etc.
- Along with what technologies, services, vendors: servers, storage, network, software etc.

Slide 21

Bear In Mind …
- Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the … Risk, Accountability and Compliance obligations
- Find the right Cloud Services Provider – qualified, compliant with Security Standards

Slide 22

Are Security Standards the answer?
- ISO 27001, 27002, 27017, 27018, 29100
- SSAE 16, HIPAA, FedRAMP, FISMA, PCI-DSS

Slide 23

Standards Development / Setting Organizations (SDO / SSO) – Alphabet Soup
- DMTF = Distributed Management Task Force
- ENISA = European Network and Information Security Agency
- ETSI = European Telecommunications Standards Institute
- IEC = International Electrotechnical Commission
- IEEE = Institute of Electrical and Electronics Engineers
- INCITS = International Committee for Information Technology Standards
- ISO = International Organization for Standardization
- ITU-T = International Telecommunication Union – Telecom
- NIST = National Institute of Standards and Technology
- OASIS = Organization for the Advancement of Structured Information Standards
- SNIA = Storage Networking Industry Association
- TCG = Trusted Computing Group

Slide 24

SDO / SSO Relationships – Alphabet and Spaghetti Soup

Slide 25

Any Pointers ?

Slide 26

Do Our Homework … Self-Assessment

Slide 27

Get Help from Professionals
- Companies and individuals with certifications
- Certification is an objective measurement of a professional's knowledge and skills in Security, Governance and Cloud technology
- Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals

Slide 28

Take Away Messages (Credit: Ching Yiu)

Slide 29

Take Away Messages
- Cloud is real and here to stay
- Take ownership and responsibility
- Review your current set-up and the Cloud Services Provider against guidelines
- Focus on the SLO and SLA
- Ask for expert help from service providers and professional organizations

Slide 30

To Cloud or Not To Cloud? mail@michaelyung.com

Slide 31

Thank You !!