Friday, December 9, 2011

Cloud Security and GRC: Internal Controls

Environmentally Friendly.

Here's the flow of a security presentation I sometimes use to stimulate thought and focus around controls and how they can be orchestrated, coordinated, to deliver contextually rich information security and cloud auditing relevant views of the environment.

Environmentally Relevant. 

The enormous data set produced by monitoring and management tools delivers useless information if the data isn't comprehensive of the its environment. Several years ago I worked for a Network Access Control (NAC) company. During Proof of Concept demonstrations we often found more devices on the network than the organization thought was possible. It wasn't uncommon to discover 15-20% more than a company thought they had on the network. One particular example found - not kidding - 20,000+ devices more than their estimated 40,000 devices the company thought they had worldwide. Yes, this is extreme. But it's also those experiences that drive my belief you have to know what you have before you can secure it. 

Here is how I summarize action items during discussions around this topic.