Incidenten in de Cloud. De visie van een Cloud-Provider

Maat: px

Weergave met pagina beginnen:

Download "Incidenten in de Cloud. De visie van een Cloud-Provider"

Joke Desmet
7 jaren geleden
Aantal bezoeken:

1 Incidenten in de Cloud De visie van een Cloud-Provider

2 Overzicht Cloud Controls Controls in de praktijk

3 Over CloudVPS Cloudhosting avant la lettre Continu in ontwikkeling

4 CloudVPS en de Cloud Wat is Cloud? Wat is onze Cloud? Globale opzet

5 Cloud hosting: risico s Achtergronden bij Cloud Hosting Minder controle Beperktere informatievoorziening

6 Cloud Controls Waarom Cloud Controls? ISO27001 is niet toereikend Wat doet Cloud Controls? to provide a temporary set of controls until an accepted standard has matured De bestaande standaarden bieden geen echt alternatief Niet ter vervanging van, maar in aanvulling op ISO27001

to provide a temporary set of controls until an accepted standard has

7 Reikwijdte Cloud Controls richten zich op IaaS Buiten scope vallen de verbindingen en de omgeving Buiten scope vallen ook security en availability

8 Risk analysis Risico-analyse op de risico s die met Cloud-gebaseerde hosting samenhangen: - Multi-tenancy: Risico s gerelateerd aan gedeelde infrastructuur - Outsourcing: Risico s gerelateerd aan het outsourcen van (delen van) de infrastructuur

Risico s gerelateerd aan gedeelde infrastructuur -

9 Risk analysis Risk Type No of Risks Example Risk Multi Tenancy 6 How is the isolation risk in the virtualization and storage layers managed? Management Information and Control Legal Process 7 Privacy and Access to Data 3 Infrastructure Design 6 Security Process 7 Operational Process 7 16 How long are the contracts and cancellation periods? How is the ownership of the customer with respect to its data guaranteed? What is the policy with respect to the removal of data and how is this policy enforced? Does the cloud provider provide relevant information to the customer with respect to the resiliency management program? Is it possible for the customer to perform a vulnerability assessment? What could the scope of such an assessment be? What procedures are in place to provide information in case of maintenance and outages? Connecting to the service 9 How is sensitive customer information protected? Total 61

How is the ownership of the customer with respect to its data guaranteed? What is the policy with respect to the removal of data and how is this policy enforced?

10 Building Controls Control Type Control Count Example Short Risk Example Control Multi tenancy 5 Isolation Failure Management Information and Control 11 Portability of services Legal Process 7 Guaranteed data ownership Isolation failure risk in virtualization technology and storage is frequently reviewed and is managed to a minimum. Portability of services Short term contracts are possible, customer data is exportable and transportable in an industryaccepted format. Migrations to other cloud providers will not be obstructed. Customer data always remains owned by the customer. Cloud provider should communicate intellectual property rights that it claims. Privacy and Access to Data 3 Data retention policy A policy relating to the removal of data from cancelled products and dormant virtual machines and snapshots is developed and implemented. Infrastructure Design 3 Information on resiliency management Disaster recovery plans and availability enhancing measures should be shared with customers when relevant. Security Process 5 Customer vulnerability assessment Cloud provider should provide the possibility for vulnerability assessment by customers and provide information on the policy regarding vulnerability assessment.

Portability of services Short term contracts are possible, customer data is exportable and transportable in an industryaccepted format. Migrations to other cloud providers will not be obstructed.

11 De volgende stappen De controls publiceren: De controls onder de aandacht brengen ISO /2 Naast IaaS ook PaaS en SaaS in de controls onderbrengen

org De controls onder de aandacht brengen

12 Controls in de praktijk Incidenten die we tegenkomen: - Security - Privacy - Availability

13 Incidenten Communicatie staat voorop Communicatie is zelfs een van de controls Partners lossen problemen sneller op dan leveranciers en afnemers

14 Fraude en hacking Economische Denial of Service - Runaway script bestelt 5000 servers - Slachtoffer van (D)DoS-aanval Hacking-preventie - IaaS: Wie is waarvoor verantwoordelijk? Fraude-detectie

15 Ondersteuning Wat mag je verwachten van je provider? - Ondersteuning bij incidenten - Goede informatievoorziening - Proactieve houding Cloud Controls!

16 Beperkingen Welke beperkingen gelden - IaaS gaat tot aan de virtuele servers - Wij zien enkel metadata

17 Tips en truuks Onderzoek welke risico s gelden in jouw situatie Werk samen met je leverancier Kies een opzet die past bij de opzet van de leverancier

18 Vragen? De Cloud Controls

Vergelijkbare documenten

GDPR voor KVK 6/03/2018

GDPR voor KVK 6/03/2018 CEO Vragen rond GDPR Wat is GDPR? Waarom is GDPR zo belangrijk geworden? Is mijn leverancier Portima GDPR compliant? Wat mag een klant mij vragen en hoe moet ik antwoorden? Wat