INFORMATION TECHNOLOGY TRACK Russell Brown Chapter 13 Standing - - PowerPoint PPT Presentation

SLIDE 1

STAFF SYMPOSIUM - IT TRACK

NACTT STAFF SYMPOSIUM SERIES INFORMATION TECHNOLOGY TRACK

SESSION 4 - CLOUD SERVICES 1

Russell Brown, Chapter 13 Standing Trustee - Phoenix, AZ

Allan Reininger, System Manager - San Antonio, TX (Chapter 13 Standing Trustee - Mary Viegelahn)

Carl Brooks, System Manager - Detroit, MI (Chapter 13 Standing Trustee - Tammy Terry)

Tom O’Hern, Program Manager, ICF International, Baltimore, MD

STACS - Standing Trustee Alliance for Computer Security

4/29/2015

SLIDE 2

IT Track Outline

Day 1

Session 1 (9:00 - 10:30) - HOW TO KEEP YOUR TRUSTEE HAPPY FROM AN IT PERSPECTIVE

Session 2 (10:45 - 12:15) - A RIVERWALK THROUGH YOUR NETWORK

Lunch (12:15 - 1:30)

Session 3 (1:30 – 3:00) - DESKTOP & SERVER MANAGEMENT

Session 4 (3:15 – 4:45) - THE CLOUD – WHO REALLY UNDERSTANDS IT?

Day 2

Session 5 (8:30 - 10:00) - DISASTER RECOVERY – YOUR WORST FEAR COMES TRUE

Session 6 (10:15 - 11:45) - BURRITO BOWL - MIXED HOT TOPICS

List of Reference Material

SLIDE 3

Session Focal Points

▪ What is the Cloud?
▪ IaaS, PaaS, SaaS, DRaaS
▪ Security Risks, Requirements and Standards
▪ Cloud Services and Security Options
▪ Shadow IT
▪ Managed Service Providers
▪ Cloud services in the 13 community
▪ NDC (30-45 min) – David Shapiro and Dave Sapp

SLIDE 4

Hosted (Cloud) Services

▪ Software as a Service (SaaS)

  • Email
  • Online backup
  • Remote access / VPN
  • Printing
  • Data Exchanges
  • Website Hosting
  • News Groups/List Services

▪ Infrastructure as a Service (IaaS)

  • Back office services

▪ Examples:

  • Google mail
  • Iron Mountain LiveVault
  • GoToMyPC
  • Adobe.com online print & collaboration
  • MySpace
  • Google Groups
  • Exchange, SQL, IIS (mail, database, web)

SLIDE 5

Hosted (Cloud) Services

▪ Issues

  • Free services agreements undermine data ownership & privacy
  • Hosting staff access to sensitive data
  • Misleading or no information about security
  • Breach notification
  • Risk to Trustee for data breach

▪ Security Strategy

  • Do due diligence to confirm the security basics
  • Review contract for assurances and limitations
  • Bond and insure for additional risk

SLIDE 6

What is the Cloud?

In lay terms, a Cloud is using someone else’s network, servers, software, storage, power, facility, and support staff to deliver a computing service over the Internet to you or to others on your behalf. A distinguishing feature is the sharing of these resources to service more than one instance of the service concurrently to maximize utilization.

SLIDE 8

Cloud Security Concerns

▪ What type of data am I putting in the Cloud?

  • Public, financial, PII, health records

▪ Who are the players?

  • Cloud provider, 3rd party servicers, local resellers

▪ Who has access and how is it secured over the net?

  • User and administrator login authentication
  • Data exchanged with outside systems or users

SLIDE 9

Cloud Security Concerns

▪ How secure is the software application itself?

  • Attack from the internet and other cloud users
  • Functionally protects data in use

▪ How secure is critical data in the system?

  • Database fields, files, backups

▪ What country is the data center in?

SLIDE 10

Cloud Security: Assessing The Risk

▪ More sensitive data requires more security

  • Consider certified federal cloud services

▪ Request a security statement of controls, practices and assurances from the servicer

  • Needs to be a technical document, not PR material

▪ No service is 100% secure.

  • The value of the service must be greater than the potential loss
  • Insure for the risk you are accepting

SLIDE 11

[Network diagram. Labels: LAN; DMZ; VPN; Site To Site VPN; Internet Service Provider; Wireless Access Point; Patch Panel; POTS/PBX; Analog Phone; VoIP Gateway; VoIP VLAN; VoIP Switch; VoIP Phones on LAN; VoIP Phones w/ Hosted Gateway; PBX Voice Mail Call Mgmt; Spam Proxy; Hosted Email; Hosted Multi-Factor; Hosted VoIP Phone; Hosted Backup; Co-Location; Hosted VM; Hosted Website; Domain Registry; Domain Name Service; SSL Certificate Authority; Bank Services; File Transfer Services; NDC; Case Mgmt Vendor; ECF/PACER; Court/341; Remote Users; Support Provider; Managed Service Remote Desktop; Shadow IT Cloud Storage]

SLIDE 12

[Network diagram. Labels: Spam Proxy; Hosted Email; Hosted Multi-Factor; Hosted VoIP Phone; Hosted Backup; Co-Location; Hosted VM; Hosted Website; Support Provider; Managed Service; Shadow IT Cloud Storage]

SLIDE 13

[Network diagram. Labels: Bank Services; File Transfer Services; NDC; Case Mgmt Vendor; ECF/PACER]

SLIDE 15

Cyber Liability Insurance

▪ Different than E&O and Fidelity
▪ Bonding and Insurance products maturing
▪ USTP Guidance on Cyber Liability Insurance is found in the supplemental materials on their website

SLIDE 16

Cyber Liability Insurance

▪ What is covered? What is not covered?

  • Ask both questions
  • Real answers determined when a claim is actually made

▪ Ask your insurer “What if” scenarios specific to your situation

  • What if my IT vendor …
  • What if the cloud service …
  • Am I liable for my 3rd party provider's actions?

▪ Breach of protected data
▪ Financial thefts from any party using the service

▪ What coverage should I expect from my IT service?
