Orchestrating the Cloud: Security & Privacy Security & Privacy Areas of importance and key questions Finance & Governance Tax BusinessC loud services ecosystem challenges• re there any third party vendors involved which could A in the cloud potentially impact the level of security?• hat level of assurance do third parties offer the primary cloud W service provider concerning security and privacy?• hat security measures are taken between various cloud W Third party (cloud) Vendors Operations Data centre platforms?• hat degree of transparency is offered? W vendor• hat is the reputation/track-record of the cloud service W providers within the ecosystem concerning security and Assurance privacy?• ow is the entire cloud ecosystem governed by the customer? HOutsourced control External data processing and storage• ow does the provider isolate and segregate the customer’s H • ow does the provider isolate and segregate customer’s data? H IT services? • hat measures are taken to secure the data in rest and in W• What (real-time) monitoring and logging functionalities are in place? transit?• ow is security embedded in the provider’s organisation H (secure development, security testing, security monitoring)? Cloud service • hat type of encryption is supported and who manages the W encryption keys?• hat are the provider’s security incident response mechanisms? W provider • hat measures are taken to ensure the availability of data? W• o what standards has the service been certified T • hat jurisdiction applies to the provider and the customer’s W (e.g. ISO27001)? data; does this conflict with local laws and directives?• ow does the provider support forensic analysis by H • hat data deletion/destruction policies are followed? W independent researchers? • ow are the cloud services been secured physically? H• re cloud services by-passing internal security controls? A Proliferation of mobile devicesIdentity Access Management • hat mobile devices are used to access and process business W• hat identity stores (directories/repositories) are in use; W data? what parties are managing these identity stores? • hat is the degree of control of these devices (BYOD to W• ow does the customer organisation maintain single sign-on? H enterprise owned devices)?• s strong (multifactor) authentication provided in the cloud; I • hat security mechanisms are in place in case of theft/loss? W which protocols are supported? Network • hat security mechanisms are applied to the (mobile) W• ow can the internal IAM be integrated with multiple cloud H network(s)? services; can user accounts and permissions be (de) • re business users adequately educated/informed on the A provisioned properly? secure use of mobile devices including the use of mobile apps?• ho has access to the customer’s data; what mitigations are W in place to prevent misuse by system administrators? Online identities Mobile use • ow is the access to business applications from uncontrolled H end-points secured? Threats Regulatory pressure • Organised cybercrime • Data privacy directive • Online espionage • Basel Customer • Internal computer fraud • Solvency organisation • Hactivism • SOx • State-backed cyber attacks • PCI DSS Readiness for the cloud Cyber arms race Licence to operate • hat is the criticality of the business data (intellectual W • hat is the current threat landscape; how is this being W • hich (local, international) laws, rules and directives W property, privacy sensitive data)? monitored? apply to the customer organisation? • hat controls are defined and how are these controls W • hat types of threats are applicable; what are the attack W • hich IT services are in scope of regulatory compliance; W Key contacts implemented? trends? what is the role of information security? • What are the organisation’s policies regarding outsourcing • hich data/services are prone to attacks? W • hat data is subject to privacy laws and rules? W in general and public cloud computing in particular? • hat are the current/near-future vulnerabilities? W John Hermans | Partner • hat level of (public) disclosure of incidents is required W • hat services are/will be moved to the cloud? W • hat are the weaknesses within the supply chain? W T: +31 6 5136 6389 by law? • s the IT department in control of purchasing cloud I • as the relevant use-cases been identified including identity H • hat is the current level of compliance? W E: email@example.com services by the business? theft and social engineering? • hat is the impact of outsourcing to external providers W • oes the cost of security and privacy justify a move to D • oes the existing measures take relevant threats into account? D in particular with regard to public cloud computing? Mike Chung | Senior Manager the cloud? • What in-depth expertise is required with regard to the cloud? T: +31 6 1455 9916 E: firstname.lastname@example.org
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.