
To Cloud or Not To Cloud?






Slide 0

To Cloud or Not To Cloud?
Michael Yung, Immediate Past President - ISACA HK / CSA HKM


Slide 1


Slide 2


Slide 3

Myth #1 - Cloud is Too New


Slide 4

Not quite. The term was coined by Compaq executive George Favaloro back in 1996.


Slide 5

Myth #2 - Cloud is Just a Fad


Slide 6

Not quite. We are talking about US$100B of public cloud spending in 2015 (Forrester Research).


Slide 7

Myth #3 - Cloud is Costly


Slide 8

Cloud Services Characteristics
- On-demand self-service
- Resource pooling
- Rapid elasticity
- Measured services
(Source: AWS)


Slide 9

Capacity – Traditional Ways (Source: AWS)


Slide 10

Capacity – Wastage and Dissatisfaction (Source: AWS)


Slide 11

Elastic Capacity – The Cloud Way (Source: AWS)


Slide 12

Myth #4 - Cloud is Not Secure


Slide 13

Insecure?
The truth is that data and systems residing in public or private clouds are as secure as you make them.
Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required.


Slide 14

Barriers
- Perceived loss of control
- Lack of clarity around responsibilities, liabilities and accountability
- Lack of transparency / clarity in SLA / interoperability / awareness and expertise


Slide 15

Cloud …
- is not new
- is not a fad
- is more cost effective
- is secure *


Slide 16

To Jump or Not to Jump?


Slide 17

Next Step? Proper Risk Assessment


Slide 18

Risks and Security Concerns – Service and contractual risks
- Vendor lock-in: few tools, procedures or standard formats available for data and service portability
- Poor SLA: service level affects confidentiality and availability
- 3rd party access to data: the need to protect intellectual property, trade secrets and personal data, and to comply with regulations / laws in different geographical regions
- Poor DR plan: business continuity and disaster recovery plans must be well documented and tested


Slide 19

Risks and Security Concerns – Technology risks
- Integration / bandwidth: how to integrate the in-house systems with the cloud? Is high-speed bandwidth ready?
- Encryption and identity management: speedy encryption / decryption – in transit, at rest, destruction; identity management
- Testing and monitoring: the provider may not allow you to do a thorough pen test or audit; are good monitoring tools available?
- Resource allocation: overbooking, underbooking; handling of DoS attacks; payment cap


Slide 20

Questions To Ask …
- When and where to use the cloud – the business case
- SLO (and then SLA) – availability, reliability, accessibility, performance and security
- Along with what best practices – people, processes, change management etc.
- Along with what technologies, services, vendors – servers, storage, network, software etc.


Slide 21

Bear In Mind …
Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the risk, accountability and compliance obligations.
Find the right Cloud Services Provider – qualified, and compliant with security standards.


Slide 22

Are Security Standards the answer?
- ISO 27001, 27002, 27017, 27018, 29100
- SSAE 16, HIPAA, FedRAMP, FISMA, PCI-DSS


Slide 23

Standards Development / Setting Organizations (SDO / SSO) – Alphabet Soup
- DMTF = Distributed Management Task Force
- ENISA = European Network and Information Security Agency
- ETSI = European Telecommunications Standards Institute
- IEC = International Electrotechnical Commission
- IEEE = Institute of Electrical and Electronics Engineers
- INCITS = International Committee for Information Technology Standards
- ISO = International Organization for Standardization
- ITU-T = International Telecommunication Union – Telecom
- NIST = National Institute for Standards and Technology
- OASIS = Organization for the Advancement of Structured Information Standards
- SNIA = Storage Networking Industry Association
- TCG = Trusted Computing Group


Slide 24

SDO / SSO Relationships – Alphabet and Spaghetti Soup


Slide 25

Any Pointers?


Slide 26

Do Our Homework … Self-Assessment


Slide 27

Get Help from Professionals
- Companies and individuals with certifications
- Certification is an objective measurement of a professional's knowledge and skills in security, governance and cloud technology
- Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals


Slide 28

Take Away Messages (Credit: Ching Yiu)


Slide 29

Take Away Messages
- Cloud is real and here to stay
- Take ownership and responsibility
- Review your current setup and the Cloud Services Provider against guidelines
- Focus on the SLO and SLA
- Ask for expert help from service providers and professional organizations


Slide 30

To Cloud or Not To Cloud?
mail@michaelyung.com


Slide 31

Thank You!

