All our workshops take place co-located to the European Identity & Cloud Conference 2013 in Munich/Germany. With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe.

To be able to attend Cloud Provider Assurance Workshop you have to register for the European Identity & Cloud Conference 2013 workshop day.

Cloud Provider Assurance Workshop

17.05.2013 09:00-16:00

Cloud services are outside the direct control of the customer organization and their use places control of the IT service and infrastructure in the hands of the CSP (Cloud Service Provider). A structured approach is essential to ensure organizational readiness for the cloud, to select the right service to meet business needs and other non-functional requirements like security and compliance and to enable that service to be assured. This approach applies good governance to the cloud through a combination of internal processes, standards and independent assessments.

This workshop is intended for the people in an organization that are concerned with procuring and assuring cloud services including:

• IT Governance/Compliance/Audit managers
• IT service managers
• IT risk/security managers
• Procurement and Legal managers
• Line of business managers considering cloud services

This workshop uses real life scenarios to lead the participants through the steps necessary to assure that cloud services meet their organization’s business requirements. It is based on relevant industry standards and best practice including:

• COBIT 5 and Cloud Computing
• ISO 27001/2
• CSA Star Certification
• Government advice from ENISA, BSI and NIST
• AICPA standards for Service Organization Control Reports.

The workshop will use a cloud project from the participants’ organization as a working example. You will need to bring details of this project with you to the workshop.

The process of Cloud provider assurance starts in the procurement process.  When moving to the cloud it is important that the business requirements for the move are understood and that the cloud service is selected meets these needs.  The cost of buying cloud services is within departmental budgets and sign-off limits.  This makes it easy for a group within a large organization to buy a cloud service without considering the risks in terms of legal issues such as data privacy as well as the needs for assuring the service. There should be a clear process for requesting IT services which includes cloud based services and this process should be sufficiently quick and user friendly to ensure that it is not bypassed by lines of business.

The workshop will take the participants through KuppingerCole’s five essential phases involved in a structured approach to selecting a cloud service.  This approach is based on good governance and best practice, and the workshop covers the detailed requirements for each of the phases.  The approach identifies the business requirements for the service.  The non-functional requirements such as information security together with the technical, compliance and legal requirements also need to be taken into account.  These business needs, technical requirements and risks form the basis for selecting and assuring the cloud service. 

This governance based approach closes the assurance loop by setting measurable controls, which are relevant to the risks and requirements, against which performance of the service can be monitored and independently audited.   It enables IT service performance to be related back to the strategic business requirements and provides verification that the on-going service provided is meeting the business needs.

The responsibility for assurance lies with both the cloud customer and the CSP.   The workshop will illustrate how the responsibilities between the customer and the CSP can be divided. The customer must understand the sensitivity of the applications and data being moved to the cloud so that security and compliance can be taken account of.  The customer together with the CSP should set and monitor controls to assure the service provided.  The CSP should use best practice to manage the service and provide access to monitoring of performance.

There is no shortage of advice on cloud computing; there are a least 35 different standards initiatives as well as frameworks, certifications and auditing standards.  This proliferation of standards and advice is causing confusion and uncertainty.  The workshop will help the participants to understand which of these are relevant to their business, and the CSP.  This workshop will explain the key standards and sources of advice:

• COBIT 5/ISACA IT Control Objectives for Cloud Computing
• ISO 27001/2
• ENISA
• Cloud Security Alliance
• German BSI
• NIST

Independent assessment of CSPs is another important component of assurance. While it is reasonable for the provider to make monitoring information available; it is not be practical for the provider to allow every customer to perform their own audit. Periodic certification of providers by a trusted third party is a way to satisfy this need.  Certification can provide an independent confirmation of claims about services provided. However it is important to understand what these certifications and reports cover.  Specifically covered will be:

• Cloud Security Alliance STAR Certification
• SSAE  no. 16 (Statement on Standards for Attestation Engagements)
• SOC (Service Organization Control Reports) Type 1, 2 and 3.
• AICPA/CICA Trust Services Principles and Criteria

This workshop will use the example cloud service that you provide to lead the participants through the process necessary to assure that cloud services meet the needs of their organization.

Speakers

Guy Balzam Principal Product Manager, Security CA Technologies Guy Balzam has over 12 years of experience in IT and Information Security. In his past roles Guy specialized in enterprise security, managed the ELAL airlines IT security unit and led their PCI certification process. With his vast knowledge of identity and access management Guy is now a Principal Product Manager of leading security products for CA Technologies. Full bio

Mike Small Information Security Management Advisor, Fellow Analyst KuppingerCole Mike Small is the retired director of security management strategy of CA, where he was responsible for the technical strategy for CA's security management software product line within Europe, Middle East and Africa. Mike did work for CA between 1994 and 2009, where he developed CA’s identity and access management strategy for distributed systems. This strategy led to the developments and acquisitions that contributed to CA’s current IAM product line. He is a frequent speaker... Full bio

Continuing Education Credits

After attending this workshop you will be able to:

1. Identify the key assurance challenges of the different kinds of Cloud Computing.
2. Select a cloud service that is appropriate for your business needs,
3. Implement a structured process for selecting cloud services,
4. Use the KuppingerCole five phase process for selecting a cloud service,,
5. Select the cloud assurance approach that is right for your organization based on the existing standards, frameworks, advice and certifications.
6. Evaluate the assurance needs for cloud services that are already being used in your organization.

This event qualifies for 4 CPE

Prerequisites: None
Advance Preparation: None
Learning Level: Intermediate
Field: Computer Science

Who should attend: CIOs, CISOs, IT Managers, and the project managers and IT professionals with 3 or more years’ experience.

KuppingerCole is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing education on the National Registry of CPE Sponsors. State Boards of accountancy have final authority on the acceptance of individual courses for CPE credits. Complaints regarding registered sponsors may be submitted to the National Registry through its website: www.learningmarket.org For more information regarding administrative policies such as complaint and refund, please contact Mr. Levent Kara at our office's telephone +49 211 23707710, email: [email protected]