Security: Enabling the Journey to the Cloud

Andy Powell VP UK Cybersecurity - Capgemini
Doug Davidson UK CTO for Cybersecurity - Capgemini

Organisations are moving to the Cloud in order to rationalise their legacy application estates and improve the quality of their application services, business performance, and business agility, whilst at the same time reducing their IT cost base. However, the road to Cloud services adoption is fraught with many risks and issues that can trip up the unwary. In this presentation Andy and Doug will outline some of the areas of security risk and threats that customers adopting Cloud services routinely come across. They will also talk through some of the security controls and approaches that you can use to avoid or mitigate business impacts to your cloud services, and will describe how organisations can follow a methodology to securely transition to the Cloud.


Slide 1: Security: Enabling the Journey to the Cloud
Andy Powell, VP UK Cybersecurity - Capgemini
Doug Davidson, UK CTO for Cybersecurity - Capgemini
Copyright © 2016 Capgemini and Sogeti – Internal use only. All Rights Reserved.
Slide 2: Agenda
Securing the Journey to the Cloud | #CWIN16 Sept 2016
Copyright © 2016 Capgemini and Sogeti. All Rights Reserved.
• Cloud Security Overview
• Cloud Security Challenges
• Cloud Security Transformation
• Lessons and takeaways
• Q&A
Slide 3: Countering the Threat – ‘a truly Medieval Approach’
Once we knew where the Enterprise boundary was... with Cloud Services, where’s the perimeter now?
Slide 4: Adopting cloud requires an organisation to rethink security to effectively safeguard assets and data

Traditional Enterprise IT:
• Building and maintaining IT and security capabilities in-house
• Working with a selective group of IT and security suppliers
• In-house developed systems, or far-reaching customisation of commercial packages
• IT having direct control of all assets, data and devices
• Identity and Access Management as one of the control elements in the security manager’s toolkit
• Focus on vulnerability and patch management from a product perspective
• Policies and procedures tailored to an in-house IT landscape

Cloud (each point corresponds to the one opposite):
• Leasing computing power in the cloud, sharing the security responsibility with CSPs
• Utilising an ecosystem of cloud security solution providers
• No customisation of solutions: the effort shifts to informed selection up front
• Control moved to the business users (end-point devices) and partners (servers)
• Identity and Access Management in the Cloud (IDaaS) as the key control and business enabler for organisations
• Focus on shared responsibility and holistic risk management to prioritise mitigation actions
• Cloud-aligned policies and procedures that follow the shared responsibility model

Hybridised Enterprise/Cloud services will be here for some time to come.
Slide 5: Shared Responsibility – The New Paradigm

Who operates each layer of the stack, by service model (the split shown is the conventional on-premises / IaaS / PaaS / SaaS division):

| Layer          | On-Premises | Infrastructure (as a Service) | Platform (as a Service) | Software (as a Service) |
|----------------|-------------|-------------------------------|-------------------------|-------------------------|
| Applications   | Customer    | Customer                      | Customer                | Cloud Supplier          |
| Data           | Customer    | Customer                      | Customer                | Cloud Supplier          |
| Runtime        | Customer    | Customer                      | Cloud Supplier          | Cloud Supplier          |
| Middleware     | Customer    | Customer                      | Cloud Supplier          | Cloud Supplier          |
| O/S            | Customer    | Customer                      | Cloud Supplier          | Cloud Supplier          |
| Virtualization | Customer    | Cloud Supplier                | Cloud Supplier          | Cloud Supplier          |
| Servers        | Customer    | Cloud Supplier                | Cloud Supplier          | Cloud Supplier          |
| Storage        | Customer    | Cloud Supplier                | Cloud Supplier          | Cloud Supplier          |
| Networking     | Customer    | Cloud Supplier                | Cloud Supplier          | Cloud Supplier          |

Three bands sit across all four columns and never move: Information and Data Protection, Identity & Access Management, and Governance, Risk & Compliance. Governance, Risk and Compliance, Identity & Access Management and Information & Data Protection will always be the responsibility of the data owner. “Cloud Supplier” in the table means the supplier operates that layer; accountability for the data held in it stays with the customer even in SaaS.
Slide 6: With Cloud Services, Identity is literally the Key…
• Identity Management is always the responsibility of the data owner. This is never shared or outsourced.
• An IDAM strategy must be in place to reduce potential Cloud identity security issues.
• Many organisations already have extensive issues within their existing Enterprise Identity Management systems.
• Federation or replication of existing enterprise identities into the Cloud can introduce significant risk: the cloud tenant inherits every stale, duplicated or over-privileged account the on-premises directory already holds.
• Enterprise Identity Management reviews and remediation should therefore be undertaken prior to adopting Cloud Services.
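What a pre-federation identity review looks like in practice, as an added example that is not part of the original deck: the script below walks a directory export (a constructed sample, shaped like a CSV pulled from Active Directory) and flags the account conditions that commonly cause trouble once the directory is synchronised or federated into an IDaaS tenant. The column names, the 90-day staleness threshold, the list of verified routable UPN suffixes and the privileged-group names are assumptions chosen for illustration.

```python
"""Pre-federation identity hygiene audit (added example, not from the deck).

Reads a directory export (constructed sample below, shaped like a CSV
pulled from Active Directory) and reports accounts that should be
remediated before the directory is synchronised or federated into an
IDaaS tenant. Column names, thresholds, verified domains and group
names are illustrative assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)                            # assumption
VERIFIED_DOMAINS = {"example.com"}                          # assumption: UPN suffixes the tenant accepts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumption
NOW = datetime(2016, 9, 15, tzinfo=timezone.utc)            # fixed clock so results are deterministic

# Constructed sample export: one healthy user, one stale user, a service
# account with a non-routable suffix and a never-expiring password in a
# privileged group, a long-disabled account, and a UPN collision.
SAMPLE_EXPORT = """\
samAccountName,userPrincipalName,enabled,lastLogon,pwdNeverExpires,memberOf
asmith,asmith@example.com,true,2016-09-10T08:00:00Z,false,Staff
jdoe,jdoe@example.com,true,2016-02-01T08:00:00Z,false,Staff
svc_backup,svc_backup@corp.local,true,2016-09-14T02:00:00Z,true,Domain Admins;Staff
bjones,bjones@example.com,false,2015-11-20T08:00:00Z,false,Staff
tlee,tlee@example.com,true,2016-09-12T08:00:00Z,false,Staff
tlee2,tlee@example.com,true,2016-09-13T08:00:00Z,false,Contractors
"""


def parse_export(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "sam": row["samAccountName"],
            "upn": row["userPrincipalName"].strip().lower(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": datetime.strptime(row["lastLogon"], "%Y-%m-%dT%H:%M:%SZ")
                          .replace(tzinfo=timezone.utc),
            "pwd_never_expires": row["pwdNeverExpires"].strip().lower() == "true",
            "groups": {g for g in row["memberOf"].split(";") if g},
        })
    return rows


def audit(rows, now=NOW):
    """Return (account, finding, detail) tuples for conditions to fix before federation."""
    findings = []
    upn_owner = {}
    for r in rows:
        sam, upn = r["sam"], r["upn"]
        suffix = upn.rsplit("@", 1)[-1]
        idle = now - r["last_logon"]

        # A UPN suffix the tenant cannot verify (e.g. .local) will not federate cleanly.
        if suffix not in VERIFIED_DOMAINS:
            findings.append((sam, "UPN_SUFFIX_NOT_ROUTABLE", suffix))

        # Two objects with the same UPN collide on sync; one of them loses.
        if upn in upn_owner:
            findings.append((sam, "DUPLICATE_UPN", f"also used by {upn_owner[upn]}"))
        else:
            upn_owner[upn] = sam

        # Enabled but unused accounts are attack surface that would be copied as-is.
        if r["enabled"] and idle > STALE_AFTER:
            findings.append((sam, "STALE_ENABLED_ACCOUNT", f"idle {idle.days} days"))

        # Disabled and long idle: delete (or scope out) rather than replicate.
        if not r["enabled"] and idle > STALE_AFTER:
            findings.append((sam, "DISABLED_STALE_ACCOUNT", f"idle {idle.days} days"))

        # Privileged credentials that never rotate carry straight into the cloud tenant.
        if r["pwd_never_expires"] and r["groups"] & PRIVILEGED_GROUPS:
            findings.append((sam, "PRIVILEGED_PASSWORD_NEVER_EXPIRES",
                             ", ".join(sorted(r["groups"] & PRIVILEGED_GROUPS))))
    return findings


if __name__ == "__main__":
    for account, finding, detail in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{account:<12} {finding:<34} {detail}")
```

Run against the sample it reports five findings across four accounts; the point is that each one is cheap to fix on-premises and expensive to unpick once the same objects exist in a cloud directory with their own group memberships and tokens.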
Slide 7: Data and Information Protection
• Data assets and information protection are always the responsibility of the data owner. This is never shared or outsourced.
• Robust automated security tools and controls must be used to control, monitor and alert on data access, usage, release and destruction.
• Staff education, awareness and ongoing guidance are critical to support new ways of secure working.
• The organisation’s data types, use cases and security risk management approaches must be published in an agreed Data Handling Model (DHM).
• Organisations must create a Cloud Security Strategy and align their existing IT Security Strategy to it.
Assure information assets throughout the data lifecycle (Create, Store, Use, Share, Archive, Destroy), with the strength of control scaled to the data’s sensitivity.
Slide 8: Governance, Risk & Compliance
Governance, Risk and Compliance is always the responsibility of the data owner. This is never shared or outsourced.
Currently this is a layered-cake approach...
• Still an emergent area in Cloud Services
• Demonstrating Cloud Service Provider compliance is still a challenge for regulated industries
• SOC, SIEM and GRC integration is challenging
• Poor platform integration (generic APIs etc.)
• Cloud Service Provider logs and reports are generally individually tailored, so each provider needs its own integration work
Additional security controls and services may be required to demonstrate assurance over and above that supplied by the Cloud Service Provider.
Slide 9: Enforcing Security across the Enterprise and Cloud
Enterprises have gateway security services… cloud-based services don’t. Automated security tools and controls must be used to protect, control and alert on data usage. Business use cases: design supportive security around current and projected business needs.
Design security in from the outset:
• AD remediation prior to migration/federation
• Network design and connectivity
• Secure application design and testing
• Managed platform and tenant configurations
• Virtual firewalls, micro-segmentation, IRM, DLP, etc.
• No-loss encryption, HSMs, tokenisation, etc.
• Cloud Access Security Brokers (CASB)
• API monitoring, regulation and control
• Shadow IT & cloud discovery
[Diagram: a Cloud Access Security Broker sits between “your organization from any location” (behind its firewalls and proxies) and the cloud apps. Protected cloud traffic passes through the CASB; cloud traffic logs from the firewalls and proxies feed Cloud Discovery; app connectors reach the cloud apps via API.]
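The “cloud traffic logs feed Cloud Discovery” arrow in the diagram, and the “identify shadow IT cloud services … using a registry of cloud services” step in the Implement & Orchestrate phase later in the deck, both come down to the same piece of logic. The block below is an added example, not code from the deck or from any CASB product: it attributes outbound proxy records to cloud services via a registry, aggregates who sent how much to each service, and reports the unsanctioned ones. The log format, the registry contents, the use of the last two host labels as a fallback for unknown domains and the 10 MiB upload threshold are all assumptions.

```python
"""Cloud discovery from proxy logs (added example, not from the deck).

Attributes outbound web-proxy records to cloud services using a registry
of known services, then reports unsanctioned ("shadow IT") services and
how much data users have pushed to them. Log format, registry contents
and the upload threshold are illustrative assumptions.
"""
import re
from collections import defaultdict

# Assumed registry: registrable domain -> (service name, sanctioned by the business?)
CLOUD_REGISTRY = {
    "sharepoint.com": ("Office 365 SharePoint", True),
    "salesforce.com": ("Salesforce", True),
    "dropbox.com": ("Dropbox", False),
    "wetransfer.com": ("WeTransfer", False),
}

UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_THRESHOLD = 10 * 1024 * 1024  # assumption: 10 MiB sent to one service

# Constructed proxy log: timestamp user src_ip method host port bytes_sent_by_client
SAMPLE_PROXY_LOG = """\
2016-09-15T09:01:12Z alice 10.1.2.3 POST acme.sharepoint.com 443 2048000
2016-09-15T09:02:40Z alice 10.1.2.3 GET na3.salesforce.com 443 1200
2016-09-15T09:05:01Z bob 10.1.2.9 POST dl-web.dropbox.com 443 52428800
2016-09-15T09:06:15Z bob 10.1.2.9 POST wetransfer.com 443 734003200
2016-09-15T09:07:50Z carol 10.1.2.14 GET www.example-crm.net 443 800
2016-09-15T09:09:03Z dave 10.1.2.20 POST dl-web.dropbox.com 443 10485760
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d+) (\d+)$")


def parse_line(line):
    """Parse one proxy record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, method, host, port, sent = m.groups()
    return {"ts": ts, "user": user, "src": src, "method": method,
            "host": host.lower(), "port": int(port), "bytes_sent": int(sent)}


def classify(host):
    """Map a hostname to (service, sanctioned) by longest registry suffix match.
    Unknown hosts are keyed by their last two labels (an approximation; a
    public-suffix list would be used in production)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_REGISTRY:
            return CLOUD_REGISTRY[candidate]
    return ("unknown:" + ".".join(labels[-2:]), False)


def summarise(log_text):
    """Aggregate per service: sanctioned flag, distinct users, bytes uploaded."""
    summary = defaultdict(lambda: {"sanctioned": False, "users": set(), "bytes_sent": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service, sanctioned = classify(rec["host"])
        entry = summary[service]
        entry["sanctioned"] = sanctioned
        entry["users"].add(rec["user"])
        if rec["method"] in UPLOAD_METHODS:
            entry["bytes_sent"] += rec["bytes_sent"]
    return dict(summary)


def shadow_it_report(summary, threshold=UPLOAD_THRESHOLD):
    """Unsanctioned services, largest upload volume first, flagged if above threshold."""
    report = []
    for service, e in summary.items():
        if e["sanctioned"]:
            continue
        report.append({
            "service": service,
            "users": sorted(e["users"]),
            "bytes_sent": e["bytes_sent"],
            "flag": "unsanctioned-bulk-upload" if e["bytes_sent"] >= threshold else "unsanctioned",
        })
    return sorted(report, key=lambda r: r["bytes_sent"], reverse=True)


if __name__ == "__main__":
    for row in shadow_it_report(summarise(SAMPLE_PROXY_LOG)):
        print(f"{row['service']:<24} {row['flag']:<26} {row['bytes_sent']:>12} B  {','.join(row['users'])}")
```

Only bytes sent on upload methods are counted, because the question a discovery exercise answers is not “who visited Dropbox” but “how much of our data has left through it and from whom”; that is the number that decides whether a service gets sanctioned, blocked or wrapped with DLP.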
Slide 10: Cloud Security Transformation (section divider)
Slide 11: Cloud Security Transformation Lifecycle
Phases: Prepare → Procure → Implement & Orchestrate → Operate & Monitor → Transform & Recycle, with the CSRM and CCSRM labels running alongside the phases.
Prepare: Cloud Security Reference Model; Security Strategy; Risk Assessment; Control Framework; Technology Roadmap
Procure: Whitespot Analysis; Framing & Vendor Selection; Value Prototype
Implement & Orchestrate: High Level Architecture; Low Level Architecture; Technical Implementation; Testing & Integration
Operate & Monitor: Oversight and Management; Service Management; Supplier Management
Commercial activities listed on the slide: Contract Review; Technology Gap Analysis; SLA negotiation; Scaling Plan
Cloud security transformation is the same for every company, but with different starting points and ambition levels.
Slide 12: The Cloud Security Reference Model (CSRM)
Our CSRM identifies 14 key information security control domains that are essential to ensuring that cloud services are consumed and managed in a secure manner. The slide lays them out against three baselines (Company Security Baseline, Cloud Service Provider Security Baseline and the resulting Cloud Security Baseline), with the labels Responsive Security Management and Secure Application Development as headings:
• Governance, Risk & Compliance
• Identity & Access Management
• Information & Data Protection
• Threat & Vulnerability Management
• Security Monitoring Services
• Cloud Supplier Management
• Change Management
• Secure Development
• Security Testing
• IR & Crisis Management
• Disaster Recovery & BCM
• Legal & Electronic Discovery
• Training & Awareness
Slide 13: Prepare

Define Customer Security Baseline
• Review: security strategy; information protection requirements; current compliance regime
• Create: revised Cloud Security Strategy; data classification and asset inventory; high-level target architecture; risk register, with control frameworks aligned to it; security capabilities catalogue

Define CSP Security Baseline
• Review: CSP platform infrastructure security; physical and environmental security; security incident procedures and plans (contingency planning, disaster recovery policies and procedures, etc.); security of data storage, transmission, residency and audit controls
• Gap assessment: CSP vs Customer Baseline

Define new Cloud Security Baseline for the service(s)
• Create new: Security Reference Model; Cloud Security Strategy; risk assessment model; control framework; Data Handling Model; Cloud Security Target Operating Model; technology roadmap
Slide 14: Procure
Depth of analysis and alignment to enable leadership decisions:

White Spot Analysis (IT-driven research)
• Identifies and evaluates leading security solutions
• Long-list to shortlist
• Output: IT target application recommendation

Framing (vendor-driven functional demonstrations)
• Engages business stakeholders to assess solution fit
• Develops an initial view of roll-out options and value
• 3 short-listed solutions
• Output: aligned business and IT recommendation

Value Prototyping (business-driven validation)
• Based on business, IT and programme proof points
• Involves a working prototype showcasing real customer scenarios and data
• Confirms programme strategy and business case
• 1 solution
• Output: aligned business and IT decision with executive sign-off

A prototype that runs on real customer data is itself in scope of the Data Handling Model produced in the Prepare phase; it should not be exempted just because it is a trial.
Slide 15: Implement & Orchestrate
• Identify shadow IT cloud services
• Evaluate and select cloud services that meet security and compliance requirements, using a registry of cloud services and their security controls
• Protect enterprise data in the cloud by preventing certain types of sensitive data from being uploaded, and by encrypting and tokenising data
• Identify threats, malware, viruses and potential misuse of cloud services
• Enforce and monitor enterprise GRC policies and practices in cloud services
• Enforce differing levels of data access, app utilisation and cloud service functionality based on the user, the user’s device, location and operating system
[Diagram: the control point spans Enterprise, SaaS, IaaS and a Managed Security Provider (MSP), grouped into four capability pillars: ensuring visibility, data security, regulatory & policy compliance, and threat protection.]
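The last bullet, access that varies with user, device, location and operating system, is usually implemented as a small rule set in which every rule can only lower the level of access and the lowest result wins. The block below is an added example of that pattern, not code from the deck or any product: the access levels, the authorised groups, the allowed countries, the end-of-life OS list and the rule that contractors never see confidential data are assumptions chosen for illustration. The reasons are returned alongside the decision so they can be logged, which is what the Operate & Monitor phase later in the deck needs from an enforcement point.

```python
"""Context-aware access decision (added example, not from the deck).

Evaluates a request against the user, device, location and operating
system and returns the level of access to a cloud app. An unauthorised
population is blocked outright; for everyone else each rule that fires
lowers the ceiling, and the lowest ceiling wins. Groups, countries, the
OS list and the rules themselves are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    BLOCK = 0
    READ_ONLY = 1   # browser-only view, no download or sync
    FULL = 2


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset
    device_managed: bool
    os: str
    country: str
    classification: str   # "public", "internal" or "confidential"


AUTHORISED_GROUPS = {"Staff", "Contractors"}             # assumption
ALLOWED_COUNTRIES = {"GB", "FR", "NL", "IN"}              # assumption
END_OF_LIFE_OS = {"Windows XP", "Windows Server 2003"}    # assumption


def _rules(ctx):
    """Yield (ceiling, reason) for every rule that applies to this request."""
    if not ctx.groups & AUTHORISED_GROUPS:
        yield Access.BLOCK, "user is not in an authorised population"
    if ctx.country not in ALLOWED_COUNTRIES:
        yield Access.BLOCK, f"access from {ctx.country} is not permitted"
    if ctx.os in END_OF_LIFE_OS:
        yield Access.BLOCK, f"{ctx.os} is end-of-life"
    if not ctx.device_managed:
        yield Access.READ_ONLY, "unmanaged device: view only, no download"
        if ctx.classification == "confidential":
            yield Access.BLOCK, "confidential data is not viewable from unmanaged devices"
    if (ctx.classification == "confidential"
            and "Contractors" in ctx.groups and "Staff" not in ctx.groups):
        yield Access.BLOCK, "contractors may not access confidential data"


def evaluate(ctx):
    """Return (Access, reasons): the most restrictive ceiling of all rules that fired."""
    ceiling = Access.FULL
    reasons = []
    for level, reason in _rules(ctx):
        reasons.append(reason)
        ceiling = min(ceiling, level)
    return ceiling, reasons


if __name__ == "__main__":
    staff = frozenset({"Staff"})
    for ctx in (
        Context("alice", staff, True, "Windows 10", "GB", "internal"),
        Context("alice", staff, False, "macOS", "GB", "internal"),
        Context("alice", staff, False, "macOS", "GB", "confidential"),
        Context("bob", frozenset({"Contractors"}), True, "Windows XP", "GB", "public"),
    ):
        level, why = evaluate(ctx)
        print(f"{ctx.user:<6} managed={ctx.device_managed!s:<5} {ctx.classification:<12} -> {level.name:<9} {'; '.join(why)}")
```

Keeping the rules as a generator of (ceiling, reason) pairs rather than a chain of if/else returns means a new condition (a new country list, a new device posture check) is one added line, and the decision log always explains every restriction that applied, not just the first one hit.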
Slide 16: Operate & Monitor
Operating in the Cloud brings the need to control and monitor the various cloud service providers and applications:
• A centralised view of all cloud services is best practice, providing a single pane of glass to manage and monitor service delivery against business need and defined security requirements
• Visibility is key to dealing with evolving threats and maintaining control
• Enterprise-wide security must be maintained, irrespective of cloud provider, service or application
• Security operation and monitoring must also be flexible enough to adapt in an agile and extensible way to support business need, e.g. pre-defined “templated” cloud security controls that can be implemented at short notice to respond to recognised or potential business use cases
Slide 17: Transform & Recycle
Transformation and migration to new applications and platforms requires:
• Sunsetting of end-of-life applications which are insecure or no longer meet business needs
• Sunsetting of security applications or services which do not meet security objectives or do not deliver sufficient protection
• Identification of next-generation solutions which will improve cloud security
• Update and reuse of effective standards and practices
• Compliance with legal data retention requirements, in both current and successor cloud offerings
• Secure migration of services to new cloud offerings
• Secure migration, deletion or archiving of data retained in existing or legacy cloud services
• Update, reuse and integration of effective supporting security services (e.g. CASB)
Slide 18: Lessons Learned
1. Understand the changed risk landscape
2. Rethink your existing security strategy to address this and the shared responsibility model with the Cloud Service Provider (CSP)
3. Align disparate security initiatives under one uniform Information Security Strategy
4. Align the revised Information Security Strategy with the overall Cloud Strategy of the organisation
5. Build the Cloud Security Target Operating Model
6. Plan for change with a Cloud Security Transformation Roadmap
7. Procure and implement appropriate technical controls
8. Monitor, manage, revise and maintain…
Slide 19: Cloud Services Security is Possible! Any Questions?
Slide 20: Contact information
Andy Powell, Head of Cybersecurity BD/Sales UK, andy.powell@capgemini.com
Doug Davidson, Head of Cloud Security Offers & UK Cyber Security CTO, doug.davidson@capgemini.com
Partnership House, Hollingswood Road, Central Park, Telford TF2 9TZ
