To Cloud or Not To Cloud ?

The Presentation inside:

Slide 0

To Cloud or Not To Cloud ?
Michael Yung
Immediate Past President - ISACA HK / CSA HKM

Myth # 1 - Cloud is Too New

Slide 4

Not Quite. The term was coined by Compaq executive George Favaloro back in 1996.

Slide 5

Myth # 2 - Cloud is Just a Fad

Slide 6

Not Quite. We are talking about US$ 100B of public cloud spending in 2015 (Forrester Research).

Slide 7

Myth # 3 - Cloud is Costly

Slide 8

Cloud Services Characteristics
On-demand self-service
Resource pooling
Rapid elasticity
Measured services
Source : AWS

Slide 9

Capacity – Traditional Ways Source : AWS

Slide 10

Capacity – Waste and Dissatisfaction
Source : AWS

Slide 11

Elastic Capacity – The Cloud Way
Source : AWS

Slide 12

Myth # 4 - Cloud is Not Secure

Slide 13

Insecure ?
The truth is that data and systems residing in public or private clouds are as secure as you make them.
Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required.

Slide 14

Barriers
Perceived loss of control
Lack of clarity around responsibilities, liabilities and accountability
Lack of transparency / clarity in SLA / interoperability / awareness and expertise

Slide 15

Cloud …
is not New
is not a Fad
is more Cost Effective
is Secure *

Slide 16

To Jump or Not to Jump ?

Slide 17

Next Step ? Proper Risk Assessment

Slide 18

Risks and Security Concerns – Service and contractual risks
Vendor Lock In: Few tools, procedures or standard formats are available for data and service portability
Poor SLA: The service level affects confidentiality and availability
3rd Party Access to Data: The need to protect intellectual property, trade secrets and personal data, and to comply with regulations / laws in different geographical regions
Poor DR Plan: Business continuity and disaster recovery plans must be well documented and tested

Slide 19

Risks and Security Concerns – Technology risks
Integration / Bandwidth: How to integrate the in-house systems with the Cloud ? Is high-speed bandwidth ready ?
Encryption and Identity Mgmt: Speedy encryption / decryption – in transit, at rest, and at destruction; identity management
Testing and Monitoring: The provider may not allow you to do a thorough pen test or audit; are there good monitoring tools available ?
Resource Allocation: Overbooking, underbooking; handling of DoS attacks; payment cap

Slide 20

Questions To Ask …
When and where to use the cloud – the business case
SLO (and then SLA) – availability, reliability, accessibility, performance and security
Along with what best practices – people, processes, change management etc.
Along with what technologies, services, vendors – servers, storage, network, software etc.

Slide 21

Bear In Mind …
Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the risk, accountability and compliance obligations.
Find the right Cloud Services Provider – qualified, and compliant with security standards.

Slide 22

Are Security Standards the answer ?
ISO 27001, 27002, 27017, 27018, 29100
SSAE 16, HIPAA, FedRAMP, FISMA, PCI-DSS

Slide 23

Standards Development / Setting Organizations (SDO / SSO) – Alphabet Soup
DMTF = Distributed Management Task Force
ENISA = European Network and Information Security Agency
ETSI = European Telecommunications Standards Institute
IEC = International Electrotechnical Commission
IEEE = Institute of Electrical and Electronics Engineers
INCITS = International Committee for Information Technology Standards
ISO = International Organization for Standardization
ITU-T = International Telecommunication Union – Telecom
NIST = National Institute of Standards and Technology
OASIS = Organization for the Advancement of Structured Information Standards
SNIA = Storage Networking Industry Association
TCG = Trusted Computing Group

Slide 24

SDO / SSO Relationships – Alphabet and Spaghetti Soup

Slide 25

Any Pointers ?

Slide 26

Do Our Homework … Self Assessment

Slide 27

Get Help from Professionals
Companies and individuals with certifications
Certification is an objective measurement of a professional's knowledge and skills in Security, Governance and Cloud technology
Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals

Slide 28

Take Away Messages
Credit : Ching Yiu

Slide 29

Take Away Messages
Cloud is real and here to stay
Take ownership and responsibility
Review your current set-up and the Cloud Services Provider against guidelines
Focus on the SLO and SLA
Ask for expert help from service providers and professional organizations

Slide 30

To Cloud or Not To Cloud ?
[email protected]

Slide 31

Thank You !!