
Boston Cloud Security 2011

CISO Executive Network Cloud Security Breakfast Roundtable

Wednesday, June 22, 2011

8:00 am - 12:00 noon

Bingham McCutchen

Speakers

Sarah Gagan  Bingham McCutchen

Patrick Harding  Ping Identity

Chris Sullivan  Courion

Mike Mettenheimer  Oracle

Member Discussion Leader

Rob Cryan  MAPFRE USA

Boston Member Rob Cryan Discusses Cloud Security

MAPFRE USA uses the cloud for IT service requests through Service Now and to off-load PCI transactions. “Credit card data is neither stored on nor passes through our systems,” explains Rob Cryan, senior manager of information security.

When asked what he considers his company’s biggest cloud security threat, Rob says, “The cloud vendor’s internal threat is now your external threat. We have seen this with some pretty big cloud names recently.”

To mitigate security risks in the cloud, Rob says his team has analyzed the criticality and composition of the data, opting to keep upper-right-quadrant data sets (i.e. high criticality, sensitive) out of the cloud.

“We find, in most instances, there is little you can do beyond requesting encryption, proper internal access controls, and the like via contractual language,” Rob says. “In the end, the security practitioner must illuminate the risks and make a recommendation to business/IT leadership. We have found that this collaborative risk-advisory relationship lessens the fervor for the cloud.”

Rob says the cloud vendors he uses are responsible for security. “We have in the contract (standard with all our partners) the ability to review at our expense at least once per year. Recently, we began including specific references to Massachusetts 201 C.M.R. 17.00,” he explains. “We chose contractual ability to review over direct management as we have not found a vendor that would allow us anything more for the type of cloud services we use or have investigated. Additionally, unlike internal software and equipment, we cannot monitor their systems, change control, acceptable risk levels, etc.”

So his best advice to other CISO Executive Network members?

“While the security practitioner lives in the world of risk, mitigation and dollars, the business/IT leadership worry about operational efficiencies and service levels,” Rob says. “The promise of the cloud is a powerful message if unfiltered. We have to manage business/IT leadership expectations.”

He also added that there is a misconception that the perceived lower cost of the cloud is, in and of itself, a business case. “Using services external to your company requires careful analysis including new costs to use the cloud.”

Rob Cryan is Senior Manager Information Security with MAPFRE U.S.A. Corp. He is currently responsible for information security in eight MAPFRE companies. He has spent 16 years in security, starting as an engineer and moving on to architect and professional services manager in the US and Europe.
