Cloud Service Procurement

Wednesday, 18.04.2012
08:30-09:00 Leveraging Identity to Manage Enterprise Change and Complexity
Jim Taylor, NetIQ

Jim Taylor, Vice President Identity and Security Management at NetIQ will discuss how identity, identity management and governance serve as the foundation for coping with an ever-changing IT environment, new business models, cloud models and more.

Auditorium
09:00-09:30 Securing Critical Banking Infrastructures in the Age of Cyber Warfare
Dr. Waldemar Grudzien, Association of German Banks

The threat is real and in the news every day: stolen customer information, system downtime caused by denial-of-service attacks, industry espionage, governments involved in something we eventually might need to call cyber warfare, or just any type of cybercrime motivated by money. All this happens every day and is getting worse.

For the financial industry, just recovering from the worldwide financial crisis, cybercrime is creating a new quality of risk, which has to be addressed. Dr. Waldemar Grudzien will describe those risks and propose mitigation strategies.

Auditorium
09:30-10:00 Information Security Governance in Banks: Delivering Actionable Recommendation to Management
Berthold Kerl, Deutsche Bank AG

  • What are the new threats?
  • Are the old threats already under control?
  • Is 100% protection necessary – is it even possible?
  • What do regulators expect?
  • What to do and at what cost?
  • Who decides on remediating actions and how is this done?
  • How could the decision-making process be supported?
  • What is IT’s and what is Business’s role?
  • Identifying the ‘important’ risks and getting rid of them!
Auditorium
10:30-11:30 Cloud Audit
Addressing Cloud Audit, Assurance and Compliance Needs – A Progress Report
Dr. Marnix Dekker, ENISA
Anil Saldhana, Red Hat Inc.
Dr. Jane Siegel, Carnegie Mellon University Silicon Valley

A key enabler of cloud contracting and use -- all the way from comparison shopping and RfPs, through SLAs and monitoring, to auditing and regulatory enforcement -- is the availability of common vocabularies and operations for different service components. Open standards are required to make services comparable, portable and interoperable across vendors and architectures. As more organizations consider the shift toward cloud services, industry is working hard to offer new approaches to meet these challenges. During this session, experts will provide progress reports on some of the work underway that is addressing these needs.

  • SMI defines service attributes in seven major functional categories (accountability, agility, assurance, financial, performance, security and privacy, and usability) that provide key performance indicators that can be collected and tailored by consumers to evaluate competing services based on business and technology requirements. The speaker for this portion will provide an overview of the SMI and its relationship to cloud auditing, and discuss how cloud marketplaces can leverage the SMI to enable greater cloud choice through evidence-based decisions.
  • Many SDOs have been collecting real-world cloud use cases addressing many of the concerns felt by industry. These use cases are being peer reviewed, with the hope that these committees will identify gaps in standards and pave the way for future standardization efforts. An expert technical speaker will be on hand to discuss the progress of SDO work in this area.
  • Finally, this session will cover ongoing work within the EU cloud strategy, ENISA’s cloud SLA work, and the dependencies of critical services on cloud. This speaker will also focus on auditing schemes and ongoing work in CAMM (an assurance framework for cloud providers) and the minimum security measures for EU telcos, which entail another audit scheme.
Alpsee
11:30-12:30 Cloud Audit
Global Perspectives on Cloud Auditing Challenges and Solutions
Steve Jones, Capgemini
Prof. Dr. Sachar Paulus, KuppingerCole
Marc Vael, ISACA

Auditing in the cloud environment, particularly for identity management systems, touches on a range of interconnected, international issues: data governance, competing legal and regulatory environments, standards and interoperability, and a host of specific policy issues that are increasingly problematic, such as data privacy. The October 2011 International Cloud Symposium organized by OASIS in London identified many of these issues, and in this panel expert speakers examine them from a global perspective and offer international perspectives on challenges and solutions.

Alpsee
15:00-16:00 Risk Identification & Evaluation
Delivering Actionable Recommendations to Senior Management based on a Structured Risk Identification and Evaluation Process
Dr. Waldemar Grudzien, Association of German Banks
Berthold Kerl, Deutsche Bank AG
Prof. Dr. Sachar Paulus, KuppingerCole

Selling IT projects to the business is complex – even in situations with significant regulatory pressure. One of the reasons is that IT still tends to be too technical. This panel will talk about how to use risk identification and evaluation to translate what IT wants to do into business terms. It is about speaking the language of the business and thinking in risks. It is also about setting the focus right by understanding the priority of actions to take. Based on that, IT can provide business with the recommendations business really needs.

How to successfully get business to participate in IAM and Access Governance
Dr. Martin Kuhlmann, Omada
Edwin van der Wal, Everett

For introducing Access Governance and the underlying core IAM processes, business involvement is mandatory. This process requires guidelines, policies, role models, and especially the definition of ownerships and responsibilities in business. On the other hand, business is somewhat reluctant, given that it has to do its business anyway, despite the need for requesting and recertifying access. Different stakeholders in the organization need to be involved to set up these policies: auditors, business process owners, managers, application owners, information owners, administrators, and others. In this panel, industry experts discuss their experience on how to successfully get the buy-in of business and ensure its participation. A key element is keeping things lean and preparing them well to minimize the impact while achieving maximum output.

Auditorium
17:00-18:00 Value Focused Security
Identity & Access Management as a Key Element for a Value focused Security Strategy
Ralf Knöringer, Atos IT Solutions and Services GmbH
Hassan Maad, Evidian
Shirief Nosseir, CA Technologies
Christian Patrascu, Oracle
Peter Weierich, iC Consult GmbH

The myriad security incidents reported by the media keep reminding us that the risk of being hit by such an attack is increasing and that the damage can be very high. At the same time, IT departments are faced with the need to develop their infrastructure away from purely defensive reactions to threats towards a proactively open attitude, aligned with business needs and allowing user-driven initiatives like BYOD (Bring Your Own Device) to take place. In this session, you will learn about the key qualities an Identity Management Infrastructure must have to enable this new and open approach to information security.

Access Governance Case Study: Friends Life Realizes Quick Time To Value
Julia Bernal, Friends Life

In order to meet access-related compliance requirements and reduce the risk of security breaches, enterprises around the world have made significant investments in access governance automation software solutions. Many of these companies have experienced fast time to value by choosing solutions that can be easily implemented, enabling IT and the business to quickly realize the benefits of automating access governance processes.

In this presentation you will hear from Julia Bernal, Group Business Security & Data Protection Manager of Friends Life in the United Kingdom. Friends Life is the 5th largest UK-based Life and Insurance company, with over £111 billion in managed funds and 6,000 users. Julia will discuss Friends Life's recent access governance automation implementation and how they were able to deploy an access governance solution in 17 days from initial implementation until first live access review.

Auditorium
18:00-18:20 How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API
André Durand, Ping Identity

Cloud computing and the increasingly mobile workforce are causing enterprises to rethink established IT security norms in new, revolutionary ways. Companies are seeing that latent data and internal resources can be exposed as new cloud APIs that scale as demand increases. This use of the cloud allows organizations to address the need for mobility and Internet-scale consumption. This sea change to services-driven architecture is resulting in novel ways in which data and processes are accessed and monetized, a change that cannot be ignored or avoided. Cloud APIs are a disruptive technology that will transform how IT delivers value and are a natural follow-on to SOA, Web 2.0, and early uses of cloud computing. Understanding the central role that identity plays in forming the new perimeter around these APIs is critical.

In his keynote, Andre Durand, CEO of Ping Identity, will provide insights and examples of how innovative customers of his are leading the way in this Cloud API revolution.

Auditorium
18:20-18:40 Top Challenges and Threats Security Managers Should Watch Out For
Prof. Dr. Eberhard von Faber, T-Systems
Auditorium
18:40-19:00 How to build a Secure and Open Cloud
Stephan Bohnengel, VMware

See how to build a complete cloud, starting small and secure in your own datacenter, and how you can leverage new security approaches to build even a hybrid cloud without compromising compliance and IT control.

Auditorium

Thursday, 19.04.2012
08:30-09:00 How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile
Ralf Knöringer, Atos IT Solutions and Services GmbH

Identity and access management has evolved from the needs of large organizations and internationally operating enterprises. Automated user and entitlement management has enabled IT organizations to reduce costs and increase efficiency.

Today, legal and regulatory compliance dominates the deployment of identity and access management solutions. The level of control therefore follows the risk exposure and the transparent risk taking of the business owners. Identity and access governance with comprehensive analysis and reporting functionalities ensure transparency of rights, roles and entitlements.

Customers demand modular and service-oriented offerings managing identity and access for on-premise environments and cloud infrastructures.

Enterprise customers and service providers benefit from perimeter-less security services like cloud SSO and entitlement services for mixed environments (on-premise, private, public and hybrid cloud). This keynote will present a look at existing and future scenarios.

Auditorium
09:00-09:30 The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt

Internet applications become more and more personal, which raises major privacy problems. One example is the quest for more and more identification for the use of Internet resources such as social networks or participation platforms. Anonymous access can address the privacy issues, but in many applications some reputation management is needed. The question is then who can assure which claims, properties or attributes, and which information is given to the relying party to enable the assurance.

Classical trustworthy credentials normally do not respect privacy. They often reveal the identity of the holder even though the respective application often needs much less information, for instance only confirmation that the holder is a teenager or is eligible for social benefits. In contrast to that, Attribute-based Credentials (ABCs) allow a holder to reveal just the minimal information required by the application, without giving away a full identity. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-preserving digital society.

However, the main existing implementations of ABCs, U-Prove and Idemix, are not really compatible, which makes interoperation and interchangeability difficult. Consequently, concerns about lock-in can hinder the uptake of ABC technologies.

This presentation will give an introduction to ABC4Trust (https://abc4trust.eu), a European Union funded Integrated Project to achieve the federation and interchangeability of ABC technologies. Its objectives are:

(1) a common, unified architecture for ABC systems to allow comparing their respective features and combining them on common platforms

(2) open reference implementations of selected ABC systems and

(3) actual production pilots allowing provably accredited members of restricted communities to provide anonymous feedback on their community or its members.

The first pilot application, at a Swedish school, will involve pseudonymous community access and social networking for school students (pupils). The second pilot application, at Patras University (Greece), will involve polling, especially the anonymous collection of feedback from authorized students about the courses they took and the respective lecturers.

Auditorium
09:30-10:00 Trust and Complexity in Digital Space
Dr. Jacques Bus, Digital Enlightenment Forum

The concepts of trust and security are deeply embedded in our society and are therefore strongly affected by the societal transformation caused by digitization. Societal and technical change is strongly influenced by the growing complexity of society related to the emergence of easy worldwide communication, the Web and mass data collection. In this paper I discuss security and trust as fundamental drivers for self-organizing communities in our society. I highlight the concepts of trustworthy technology and trust in the societal context, as well as the difference between accepting technology and trusting technology. An important observation is that a complex system cannot be fully understood through reductionism. The discussion leads to some cautious conclusions on future actions.

Auditorium
11:30-12:30 (Cloud) Access Risks
Identifying your Critical Information Assets. Moving from System Security to Information Security
Prof. Dr. Sachar Paulus, KuppingerCole

Classical IT security is centered around the assets governed by the IT organization, and therefore in reality "information security" and "IT security" are used to describe the same thing. Protecting the assets of the IT organization is good, but in the end the real value of security is to protect the assets that are important for the overall organization. This becomes obvious as IT services move more and more into the Cloud, and users more and more bring their own devices to work with. Whoever wants to stay in the security game thus needs to switch from protecting IT assets to protecting the Information Assets which are critical to the organization.

This presentation will give an overview on how to move from IT and System Security to Information Security.

Managing Cloud Computing Access Risks
Kurt Johnson, Courion Corporation
Bruce Macdonald, Hitachi ID Systems
Deepak Taneja, Aveksa

Today’s cloud architecture increases the risk of access to a company’s critical data, such as intellectual property, personal privacy information, cardholder data, health information, financial data, etc. As a result, companies are asking themselves how they can ensure that their organization's most critical information is in the hands of the right individuals and that those individuals are doing the right things with it.

During this panel session, we’ll outline what organizations need to do to identify, quantify, and manage the risk of information access in the cloud environment. We’ll discuss how companies need to determine what information presents the greatest risk and what access issues are the source of this risk. Next, learn how to present this information to your business colleagues in terms they understand, so that they know how this impacts the business. They must be able to translate this risk into underlying security issues, deconstruct the elements to identify the source of the risk, and determine how to manage it. Simply identifying and quantifying the risk is not enough if you can't explain how to remediate and manage it. We’ll also explore the access assurance steps and automation needed to strengthen access controls and prevent future occurrences.

After this session, attendees will be able to:

  • define the practical steps needed to identify, quantify, and manage the risk associated with access in the cloud;
  • identify cloud access policies, the detective controls to continuously monitor risk and its source, the ability to remediate problems, and the preventative controls to better control risk moving forward;
  • analyze the elements of access risk and summarize why this should be among the top areas of concern for security professionals;
  • discuss how to effectively communicate access risk to business without slowing the business drivers of cloud migration; and
  • describe how to partner with business, audit, security, and cloud providers to create an effective cloud access assurance strategy.
Galerie
14:00-15:00 Cloud Security Issues
Eyes Wide Shut? Seven Cloud-Computing Security Sins and how to Control them
Mike Small, KuppingerCole

Cloud computing provides an opportunity for organizations to optimize the procurement of IT services from both internal and external suppliers. However, many organizations are sleepwalking into the Cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource responsibility. This session will look at the issues that may be forgotten or ignored when adopting cloud computing.

These include:

  • Ensuring legal and regulatory compliance
  • Assuring data security
  • Ensuring business continuity
  • Avoiding lock in
Secure Online Identity with Cloud Identity and Privacy Services
Ronny Bjones, Microsoft
Prof. Dr. David Chadwick, University of Kent
Mike Small, KuppingerCole

You will learn about a set of new capabilities under development for a cloud identity platform. Aimed at governments and enterprises, this work, from Microsoft and the University of Kent, brings together advanced privacy features based on either U-Prove or existing technologies, support for Trust Frameworks that simplify agreements between identity partners, support for delegation of authority to delegates whose identities are private, and a dramatically simplified programming environment for application developers and relying parties.

Alpsee
15:00-16:00 Best Practice
Trusted Identity Information from the Cloud
Patrick Graber, Swisscom Ltd

In this session a proof of concept for an IAM service from the cloud (IAMaaS) will be outlined. The proof of concept takes place in the field of eGovernment. The IAM service delivers trusted information about a user to a service provider. This information is stored in the cloud with a high level of security. The service provider will be able to grant access to the user according to this information.

How can data security be ensured? How do users keep data sovereignty? How do service providers know how to interpret the information to grant correct access to users? These and more questions will be discussed by describing the concept, use cases and layout of the IAM service, as well as first results of the proof of concept.

Cloud Service Broker - Adopting cloud services in Multi-tenant Enterprise Scenarios
Andreas Carlsson, Nordic Edge
Haydar Cimen, KPN

Learn how the Dutch ICT company KPN developed a cloud service broker solution that reforms enterprise cloud integrations. The KPN cloud service broker aggregates services from multiple cloud providers and simplifies consumption of identity federation, authentication and data integration services for the enterprise. As a result, enterprises with high requirements can now efficiently integrate cloud services in complex scenarios.

Alpsee
17:30-18:00 Closing Keynote
Dave Kearns, KuppingerCole
Prof. Dr. Sachar Paulus, KuppingerCole
Auditorium

© 2012 KuppingerCole