Can I do that in the cloud?

CAN I DO THAT IN
THE CLOUD?
Jason Testart
watitis.uwaterloo.ca
@watitisconf
#watitis2015
CAN YOU DO THAT
IN THE CLOUD?
Yes.
This is really about RISK
WHAT IS RISK?
“Risk” means the chance of occurrence of an event
or trend that will have a negative impact on
operations or fulfillment of objectives at the
institutional, academic unit and/or academic support
unit levels.
RISK (VERB)
ACCORDING TO GOOGLE
expose (someone or something valued) to
danger, harm, or loss.
RISKS TO INFORMATION
• Confidentiality
Unintentional disclosure
• Integrity
Unintentional modification
• Availability
Unintentional loss of access
• Let’s not forget Compliance
Don’t forget it’s about HARM.
RISK FACTORS
[Diagram: RISK = LIKELIHOOD x IMPACT]
Likelihood (technical factors): Threat, Vulnerability, Exposure
Impact (business factors): Scope, Value, Cost of Recovery
IMPACT FACTORS
(WHAT'S THE DEGREE OF HARM?)
• Scope
Number of records
Numbers of areas of the University
• Value
E-mail addresses?
Grades?
Health information?
• Cost of Recovery
People time?
Restore from backups?
Costs from outage?
LIKELIHOOD FACTORS
(TECHNICAL CONSIDERATIONS)
• Threats
• Vulnerabilities
• (Exposures)
Let’s consider some contexts…
LIKELIHOOD FACTORS
(PAPER RECORDS)
• Threats
Mostly physical
Mother Nature
• Vulnerabilities
Flammable
Process issues
• Exposures
Handling issues
LIKELIHOOD FACTORS
(DESKTOP COMPUTER)
• Threats
Bad “actors”
Time
Mother Nature
• Vulnerabilities
Low quality hardware
Software
• Exposures
On-line
Low physical security measures, generally
WHO ARE BAD “ACTORS”?
• Hacktivists
Anonymous
• Cybercriminals
West African fraudsters
Eastern European organized crime
• Foreign States
LIKELIHOOD FACTORS
(ENTERPRISE DATA)
• Threats
Bad “actors”
Human error (many hands)
Inappropriate use (vs intent of collection)
Mother Nature
• Vulnerabilities
Change management process (lack of?)
Software
Hardware
• Exposures
On-line
HOW DOES CLOUD CHANGE
THINGS?
• Threats
Generally the same
People who aren’t on your payroll
• Vulnerabilities
UNKNOWN
• Exposures
UNKNOWN
KNOWN UNKNOWNS, AND
UNKNOWN UNKNOWNS!
FIRST, WHAT IS “THE CLOUD”?
• Service offerings
IaaS
PaaS
SaaS
• SaaS is what we see most often
Many SaaS offerings depend on IaaS or PaaS
offerings
FOCUS ON THE DATA,
NOT THE TECHNOLOGY
• Lifecycle
Collection
Use (including integration)
Destruction
• Quality
• Authoritative Data?
• Don’t forget about C – I – A
HOW DO WE MANAGE CLOUD RISK?
• Due diligence before the contract is signed.
Consider R = L x I
Think about C – I – A
Impact considerations
• How important is the data/service to you, your clients, and the institution?
Likelihood considerations
• Ask questions
• What questions to ask?
YOU ARE NOT ALONE
• PSIA is a first attempt at a tool to manage risk
Privacy Officer helps with privacy elements
(mostly impact factors)
Information Security Services helps with security
elements (mostly likelihood factors)
• Even without a PSIA, you can still do due diligence
EXPERIENCES SO FAR
• You can have data in the USA
• Size and maturity of provider
• Contractual relationships
SaaS stacked on IaaS
PCI DSS and E-Commerce
• NDAs for information
• SAML support: A good move!
METHODOLOGY
• Calculate Impact
• Calculate Likelihood
• Determine Risk!
• Simple Methodology
Binary Risk Analysis (see example)
OWASP Risk Rating Methodology
EXAMPLE RISK TABLE
Overall Risk Severity (rows: Impact; columns: Likelihood)

Impact \ Likelihood   Low       Medium    High
Low                   Low       Low       Medium
Medium                Medium    Medium    High
High                  High      High      Critical
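As an added worked example (not code from the talk), the methodology above carried through in Python: score the slides' likelihood factors (threat, vulnerability, exposure) and impact factors (scope, value, cost of recovery), average each group, bucket the averages into Low/Medium/High, and look the pair up in the example risk table. The 0-9 factor scale and the cut-offs (<3 Low, <6 Medium, otherwise High) are those of the OWASP Risk Rating Methodology the slides name; the function names and the sample scores for a SaaS scenario are assumptions made for illustration. It also shows what happens to a cloud service whose vulnerabilities and exposures are still UNKNOWN: unknown factors are scored as worst case, which is the point of asking the vendor questions before signing.

```python
"""Risk = Likelihood x Impact, carried through with the factors named on the
slides.  Factor names and the severity matrix are the slides' own; the 0-9
scoring scale and the level cut-offs (<3 Low, <6 Medium, else High) follow
the OWASP Risk Rating Methodology the slides cite.  Function names and the
sample scores are illustrative assumptions, not from the talk."""
from statistics import mean

# The slides' example risk table, indexed as RISK_TABLE[impact][likelihood].
RISK_TABLE = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Medium", "Medium": "Medium", "High": "High"},
    "High":   {"Low": "High",   "Medium": "High",   "High": "Critical"},
}

# Likelihood = technical factors; Impact = business factors (from the slides).
LIKELIHOOD_FACTORS = ("threat", "vulnerability", "exposure")
IMPACT_FACTORS = ("scope", "value", "cost_of_recovery")


def level(score: float) -> str:
    """Map a 0-9 average onto Low / Medium / High using the OWASP cut-offs."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor score {score} is outside 0-9")
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def fill_unknowns(scores: dict, names: tuple, default: float = 9) -> dict:
    """Cloud due diligence leaves vulnerabilities and exposures UNKNOWN until
    the vendor answers.  Score every unanswered factor as the worst case (9)
    so an unknown can only raise the rating, never lower it."""
    return {name: scores.get(name, default) for name in names}


def factor_average(scores: dict, names: tuple) -> float:
    """Average one factor group; refuse silently-missing factors."""
    missing = [name for name in names if name not in scores]
    if missing:
        raise KeyError(f"unscored factors: {missing} (use fill_unknowns)")
    return mean(scores[name] for name in names)


def rate_risk(likelihood_scores: dict, impact_scores: dict) -> dict:
    """Return likelihood level, impact level and overall severity (R = L x I)."""
    likelihood = level(factor_average(likelihood_scores, LIKELIHOOD_FACTORS))
    impact = level(factor_average(impact_scores, IMPACT_FACTORS))
    return {"likelihood": likelihood, "impact": impact,
            "risk": RISK_TABLE[impact][likelihood]}


# Constructed scenario (scores invented for illustration): a SaaS survey tool
# that would hold one faculty's student e-mail addresses and grades.
SAMPLE_IMPACT = {"scope": 5, "value": 7, "cost_of_recovery": 3}      # mean 5 -> Medium
SAMPLE_LIKELIHOOD = {"threat": 6, "vulnerability": 4, "exposure": 8}  # mean 6 -> High

# The same service before the vendor questionnaire came back: only the threat
# factor can be scored; vulnerability and exposure are still unknown.
PARTIAL_LIKELIHOOD = {"threat": 3}


def compare_unknown_handling() -> tuple:
    """Rate the partial scenario twice: unknowns as worst case (9) vs as zero."""
    worst = rate_risk(fill_unknowns(PARTIAL_LIKELIHOOD, LIKELIHOOD_FACTORS),
                      SAMPLE_IMPACT)
    optimistic = rate_risk(fill_unknowns(PARTIAL_LIKELIHOOD, LIKELIHOOD_FACTORS, 0),
                           SAMPLE_IMPACT)
    return worst["risk"], optimistic["risk"]


if __name__ == "__main__":
    print("fully scored:", rate_risk(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
    print("unknowns as 9 vs as 0:", compare_unknown_handling())
```

The fully scored scenario rates High (likelihood High, impact Medium). With two likelihood factors unanswered, the same service rates High when unknowns are scored as 9 but only Medium when they are quietly scored as 0, which is why "UNKNOWN" on the cloud slide should be read as "High until the vendor answers" rather than as "not applicable".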
EVOLVING OUR RISK MANAGEMENT APPROACH
• Other risks
Information management risks
  • Appropriate use?
  • Can we get our data if we terminate the agreement?
  • Change management?
  • BCP/DR?
• Policy 8 shortcomings
Classifications are for Confidentiality
  • What about Integrity? Availability?
Need a link to risk management
  • Need a formal definition of who makes risk management decisions (consistent with Policy 11)
THANK YOU!
watitis.uwaterloo.ca
@watitisconf