Securing the cloud: Developing a new approach to managing third party risks
Raj Samani, EMEA Strategy Advisor, Cloud Security Alliance
We Need a Fundamental Change in Our Approach to Fully Maximise the Benefits of Cloud Computing
• Cloud Service Providers (CSPs) need an efficient and scalable approach to assure customers
• End user organisations need an efficient approach to address the risks such services represent
• Data subjects must feel confident that their data controllers are securing their data
IT'S NOT ABOUT SECURITY
Estimate the Assurance Costs Against 1000 Third Parties
Who?
• Cloud Service Providers
• Physical Access
• VPN access
• Extranet partners
• Traditional Outsourcers
How?
• Review of ISMS (Information Security Management System)
• Technical Assessment
ESTIMATE (per third party): 5 DAYS, $1000+
TOTAL (1000 third parties): Annual Cost for Assurance $1M, 25 YEARS
What About the Other 11 Months?
*Based on Subjective Responses from Industry
The Challenge in Addressing Risks When Working With Third Parties
• Third party access on the up
• Acronym soup
• Contractual challenges
• Leverage existing investments
• Resource constraints
• Best endeavours
The Common Assurance Maturity Model (CAMM) is a global, collaborative effort made up of security professionals working across industry in an effort to meet the security challenges of the 21st century.
CAMM—NEW BUSINESS ASSURANCE BAROMETER
• CAMM is built on existing standards, so no need for massive re-investment
• Provides a genuine Unique Selling Proposition to organisations that have higher levels of information risk maturity
• Risk management maturity is open for stakeholders to view, using appropriate language and detail
• Measures maturity against defined controls areas, with particular focus on key controls
• A business benefit that creates consumer trust that is both meaningful and understandable
[Graphic: BUSINESS ASSURANCE]
• Simple to understand—customers do not need professional certifications to understand the difference between a level 2 and level 3.
• Analogous to other rating systems—Already used in tourism, banking, and other sectors.
• Develops (a level of) trust with one small icon—Cloud providers can develop trust with a simple scorecard.
[Graphic: scorecard for Company A, Services A to F]
1. Simpler comparison—Allows the CIO to perform a simpler comparison between internal vs external provision, not only relying on cost comparisons.
2. Cost comparison—Once risk appetite is defined, allows the CIO to compare the cost of different residual risk scenarios.
3. Apples for Apples—Judges services on a set of applicable criteria through use of applicable modules.
[Graphic: DECISION between Internally Provisioned, Company A Service A and Company B Service C, each with Cost £x, £y, £z]
[Diagram: Third Party Assurance Centre; Third Party Maturity; Requesting Access; Risk Appetite; Maturity; Cloud Provider; Internal Maturity; Hosting Provider]
1. Business sets level of risk they are willing to tolerate (number of levels depending on the data).
2. Level of risk management maturity is communicated to business partners (and possible partners). Maturity will include CAMM plus possible bespoke modules.
3. Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove the need for duplicate verification (note: may remove audit requirement altogether).