Microsoft Cloud User Group – London
Get Your Cloud Project Past IT Security
Alex Magnay
@AlexMags
About us
CONSULT: A series of thorough discovery and consultation sessions enables the KA2 team to understand your precise business and technology change programme requirements. We cannot do this without you.
CREATE: Close collaboration, together with unrivalled expertise and fresh thinking, enables KA2 to create customised, future-proofed technology change driven programmes that meet your needs. It is all about you.
CHANGE: Rigorous end-to-end programme management throughout the entire transformation journey ensures the implementation process is fast and efficient. We will take good care of you.
ADVANCE: With innovation at the core of everything we do, our clients can embrace the future, safe in the knowledge their businesses will seamlessly adapt to whatever is thrown at them. Your success is our success.
https://ka2.io
contact@ka2.io
Alex Magnay
Twitter: @alexmags
Email: alex@alexmags.com
Microsoft’s YOUR Backbone WAN
The Quest for the Public Cloud!
Cyber Defence 1975
Now What?
Security is hard
And on public cloud it’s still your problem
Shared Responsibility
https://docs.microsoft.com/en-us/azure/security/azure-security-infrastructure
Shared Responsibility
https://aws.amazon.com/compliance/shared-responsibility-model
“To reduce business risk to acceptable levels from outside forces and internal mistakes”
Our two secret weapons!
1. NIST Risk Management Framework, which is aligned with
2. Product release roadmap, which implements
3. NIST Cyber Security Framework Controls
Risk Management Framework
Categorise system and data → Select controls to reduce risk → Implement controls → Assess controls → Authorise (risk is acceptable) → Monitor
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Product Release roadmap
• What data is moving to public cloud and when?
• Release v0.1: Bootstrap
• Release v0.2: Test data
• Release v0.3: Internal data
• Release v0.4: Confidential data
• Release v1.0: Secret data
NIST CyberSecurity Framework
• Identify - who/what you’re protecting
• Protect - the data/system
• Detect - problems
• Respond - know who to tell, what to do
• Recover - have a plan
https://www.nist.gov/cyberframework
Categorise system
• How many users?
• Who are they?
• What data?
Describe your risks
Design your controls to make your risks less likely or lower impact
Example
NIST Function | NIST Category | Your Risks | Your Controls | Your Work items
Protect | Identity Management and Access Control (PR.AC) | Unauthorised access is obtained | Multifactor authentication | Enable MFA
Protect | Identity Management and Access Control (PR.AC) | Unauthorised access is obtained | Privileged Identity Management | Enable AAD PIM
Protect | Identity Management and Access Control (PR.AC) | Unauthorised access is obtained | Admin roles follow least privilege | Implement RBAC
Protect | Identity Management and Access Control (PR.AC) | Unauthorised access is obtained | Encrypt communications containing credentials | Disable basic auth
Protect | Identity Management and Access Control (PR.AC) | Unauthorised access is obtained | Service account password and API keys rotated | Rotate service passwords; Rotate API keys
Protect | Awareness and Training (PR.AT) | Misconfiguration results in unauthorised access | IT admins complete training module before access | Cloud Admin course tracking
Protect | Awareness and Training (PR.AT) | Critical data is uploaded before environment is ready | Users sign up to terms of use (no business data) | Enable AAD Conditional Access ToS
Protect | Data Security (PR.DS) | Data is not protected | Classify data | Implement AIP
Protect | Information Protection Processes and Procedures (PR.IP) | Data loss from attack or accidental disclosure | Data loss protection | Block inbound internet access
Protect | Maintenance (PR.MA) | Software vulnerabilities | OS and application security patching | Enforce auto updates
Protect | Protective Technology (PR.PT) | Malware results in outage, unauthorised access or data loss | Antimalware | Enable Windows Defender ATP
Completed controls reduce risk
Sprint 1: PR.AC MFA; PR.AC Rotate keys
Sprint 2: PR.AC RBAC; PR.IP Block internet
Sprint 3: PR.AC AAD PIM; PR.IP Azure firewall; PR.PT Defender ATP; PR.MA Auto update
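As an added example (not code from the deck or from KA2), the controls table, the three-sprint plan and the release roadmap above as a small Python model: completing a sprint records its work items as implemented and assessed, the residual-risk count falls as in the "completed controls reduce risk" chart, and the RMF Authorise step refuses a release until every control in its gating categories has been assessed. The register rows and the mapping of releases to gating categories are assumptions constructed for the example.

```python
"""Risk register and release gate for a public cloud project, following the
deck's loop: categorise, select controls, implement, assess, authorise
(risk is acceptable), monitor. All register rows and release gates are
constructed sample data; this is not the deck author's code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    category: str      # NIST CSF category id from the deck's table, e.g. "PR.AC"
    name: str          # "Your Controls" column
    work_item: str     # "Your Work items" column
    risk: str          # "Your Risks" column: what the control makes less likely
    sprint: int        # sprint in which the work item is planned
    implemented: bool = False
    assessed: bool = False  # passed "Do they work? Can they be circumvented?"


R_ACCESS = "Unauthorised access is obtained"
R_LOSS = "Data loss from attack or accidental disclosure"
R_MALWARE = "Malware results in outage, unauthorised access or data loss"
R_VULN = "Software vulnerabilities"

# Constructed register: the deck's three-sprint plan, one row per work item.
REGISTER = (
    Control("PR.AC", "Multifactor authentication", "Enable MFA", R_ACCESS, 1),
    Control("PR.AC", "Service account password and API keys rotated", "Rotate keys", R_ACCESS, 1),
    Control("PR.AC", "Admin roles follow least privilege", "Implement RBAC", R_ACCESS, 2),
    Control("PR.IP", "Data loss protection", "Block internet", R_LOSS, 2),
    Control("PR.AC", "Privileged Identity Management", "Enable AAD PIM", R_ACCESS, 3),
    Control("PR.IP", "Data loss protection", "Azure firewall", R_LOSS, 3),
    Control("PR.PT", "Antimalware", "Enable Windows Defender ATP", R_MALWARE, 3),
    Control("PR.MA", "OS and application security patching", "Enforce auto updates", R_VULN, 3),
)

# Release roadmap gate: categories that must be fully assessed before data of
# that classification is allowed into the environment. These category sets are
# an assumption made for this example, not a mapping given in the deck.
RELEASE_GATES = {
    "v0.1 Bootstrap": frozenset(),
    "v0.2 Test data": frozenset({"PR.AC"}),
    "v0.3 Internal data": frozenset({"PR.AC", "PR.MA", "PR.PT"}),
    "v0.4 Confidential data": frozenset({"PR.AC", "PR.MA", "PR.PT", "PR.IP"}),
    "v1.0 Secret data": frozenset({"PR.AC", "PR.MA", "PR.PT", "PR.IP", "PR.DS"}),
}


def complete_sprint(register, sprint, assess=True):
    """Mark the sprint's work items implemented and, if the assessment passed,
    assessed. Returns a new register; the input is left unchanged."""
    return tuple(
        replace(c, implemented=True, assessed=c.assessed or assess)
        if c.sprint == sprint else c
        for c in register
    )


def residual_risks(register):
    """Risks that no assessed control yet reduces: what you are still carrying.
    An implemented but unassessed control does not count."""
    covered = {c.risk for c in register if c.assessed}
    return {c.risk for c in register} - covered


def authorise(register, release):
    """The RMF 'Authorise' step for one release. Risk is acceptable only when
    every gating category has at least one selected control and all of its
    controls are assessed. Returns (ok, list of blocking items)."""
    required = RELEASE_GATES[release]
    selected = {c.category for c in register}
    blocking = [f"select a control for {cat}" for cat in sorted(required - selected)]
    blocking += [c.work_item for c in register
                 if c.category in required and not c.assessed]
    return (not blocking, blocking)


def risk_burndown(register):
    """Residual risk count after each sprint, in sprint order: the deck's
    'completed controls reduce risk' chart as numbers."""
    out, reg = [], register
    for sprint in sorted({c.sprint for c in register}):
        reg = complete_sprint(reg, sprint)
        out.append((sprint, len(residual_risks(reg))))
    return out


if __name__ == "__main__":
    reg = complete_sprint(REGISTER, 1)
    print("after sprint 1, residual:", sorted(residual_risks(reg)))
    print("authorise v0.2:", authorise(reg, "v0.2 Test data"))
    print("burndown:", risk_burndown(REGISTER))
```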
Assess Controls
• Do they work?
• Can they be circumvented?
• How much residual risk remains?
Release v0.1: Bootstrap
Risk based approach to Infra as a Service (IaaS)
Virtual Datacentre example (check this: http://aka.ms/VDC)
Every quest needs a map
Or roadmap, storymap, whatever…
http://www.infrastructures.org/papers/bootstrap/bootstrap.htm
• It’s waterfall (build then run)
• Visualisation of the end goal
• Clear interdependencies
NIST Function | Your Risks | NIST Category | Your Controls | Work items
Protect | Unauthorised access is obtained | Identity Management and Access Control (PR.AC) | Multifactor authentication | Enable MFA
Protect | Unauthorised access is obtained | Identity Management and Access Control (PR.AC) | Privileged Identity Management | Enable AAD PIM
Protect | Unauthorised access is obtained | Identity Management and Access Control (PR.AC) | Admin roles follow least privilege | Implement RBAC
Protect | Unauthorised access is obtained | Identity Management and Access Control (PR.AC) | Encrypt communications containing credentials | Disable basic auth
Protect | Unauthorised access is obtained | Identity Management and Access Control (PR.AC) | Service account password and API keys rotated | Rotate service passwords; Rotate API keys
Protect | | Awareness and Training (PR.AT) | IT admins complete training module before access | Cloud Admin course tracking
Protect | | Awareness and Training (PR.AT) | Users sign up to terms of use (no business data) | Enable AAD Conditional Access ToS
Protect | | Data Security (PR.DS) | Classify data | Implement AIP
Protect | Data loss from attack or accidental disclosure | Information Protection Processes and Procedures (PR.IP) | Data loss protection | Block inbound internet access; Block outbound internet access; Implement proxy URL filtering; Implement proxy DLP
Protect | | Maintenance (PR.MA) | OS and application security patching | Enforce auto updates
Protect | Malware results in outage, unauthorised access or data loss | Protective Technology (PR.PT) | Antimalware | Enable Windows Defender ATP
Shortcuts
• Embed someone from InfoSec in your team (DevSecOps)
  They can review controls as they’re implemented
• Learning by doing takes time…
  Work with a cloud migration specialist
  Inherit their code and security controls
  Jump ahead to IAM v7, landing zone v9 etc.
• Be a chameleon. Fold into existing governance
• Call your team the Cloud Adoption Team (CAT)
Thanks!
KA2 is an expert technology change consultancy specialising in financial services, the insurance industry and public sector. The company provides expert services across the entire technology change spectrum including: cloud migration, target operating models and digital transformation strategies; the modern workplace; service management; enterprise architecture; network design; enterprise security; and voice and unified communications. The team includes highly skilled and experienced programme leaders, technical architects, solutions consultants and business analysts who all bring a proven track record in delivering successful technology change programmes for a wide range of blue-chip organisations.
Email: contact@ka2.io

Risk Management for Public Cloud Projects

  • 1.
    Microsoft Cloud UserGroup – London Get Your Cloud Project Past IT Security Alex Magnay @AlexMags
  • 2.
    About us CONSULT CREATECHANGE ADVANCE A series of thorough discovery and consultation sessions enables the KA2 team to understand your precise business and technology change programme requirements. We cannot do this without you. Close collaboration, together with unrivalled expertise and fresh thinking enables KA2 to create customised, future- proofed technology change driven programmes that meet your needs. It is all about you. Rigorous end-to-end programme management throughout the entire transformation journey ensures the implementation process is fast and efficient. We will take good care of you. With innovation at the core of everything we do, our clients can embrace the future, safe in the knowledge their businesses will seamlessly adapt to whatever is thrown at them. Your success is our success. https://ka2.io contact@ka2.io
  • 3.
  • 8.
  • 9.
    The Quest forthe Public Cloud!
  • 10.
    The Quest forthe Public Cloud!
  • 11.
    The Quest forthe Public Cloud! Cyber Defence 1975
  • 12.
  • 13.
    Security is hard Andon public cloud it’s still your problem
  • 14.
  • 15.
  • 18.
    Security is hard Andon public cloud it’s still your problem
  • 19.
    “To reduce businessrisk to acceptable levels from outside forces and internal mistakes”
  • 20.
    Our two secretweapons! 1. NIST Risk Management Framework 2. Product release roadmap 3. NIST Cyber Security Framework Controls
  • 21.
    Our two secretweapons! 1. NIST Risk Management Framework This is aligned with 2. Product release roadmap which implements 3. NIST Cyber Security Framework Controls
  • 22.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 23.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 24.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 25.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 26.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 27.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 28.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 29.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 30.
    • What datais moving to public cloud and when? Product Release roadmap
  • 31.
  • 32.
    Product Release roadmap Release v0.1 Bootstrap Release v0.2 Testdata Release v0.3 Internal data Release v0.4 Confidential data Release v1.0 Secret data
  • 33.
  • 34.
    NIST CyberSecurity Framework •Identify - who/what you’re protecting • Protect - the data/system • Detect - problems • Respond– know who to tell, what to do • Recover – have a plan https://www.nist.gov/cyberframework
  • 35.
  • 36.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework Categorise system • How many users? • Who are they? • What data?
  • 37.
    Describe your risks Designyour controls to make your risks less likely or lower impact
  • 38.
    Example NIST Function NISTCategory Your Risks Your Controls Your Work items Multifactor authentication (PR.AC) Enable MFA Priv Identity Management (PR.AC) Enable AAD PIM Admin roles follow least rights privileged (PR.AC) Implement RBAC Encrypt communications containing credentails (PR.AC) Disable basic auth (PR.AC) Rotate service passwords (PR.AC) Rotate API Keys Misconfiguration results in unauthorised access IT admins complete training module before access (PR.AT) Cloud Admin course tracking Critical data is uploaded before environment is ready Users sign up to terms of use (no business data) (PR.AT) Enable AAD Conditional Access ToS Data Security Data is not protected Classifiy data (PR.DS) Implement AIP Maintenance software vulnerabilities OS and application secuirty patching (PR.MA) Enforce auto updates Protective Technology Malware results in outage, unauthorised access or data loss antimalware (PR.PT) Enable Windows Defender ATP (PR.IP) Block inbound internet access Identity Management and Access Control Awareness and Training Information Protection Processes and Procedures Data loss protection Protect Service account password and API keys rotated Unauthorised access is obtained Data loss from attack or accidental disclosure
  • 39.
    Completed controls reducerisk Sprint1 PR.AC MFA PR.AC Rotate keys Sprint2 PR.AC RBAC PR.IP Block internet Sprint3 PR.AC AAD PIM PR.IP Azure firewall PR.PR Defender ATP PR.MA Auto update
  • 40.
    Completed controls reducerisk Sprint1 PR.AC MFA PR.AC Rotate keys Sprint2 PR.AC RBAC PR.IP Block internet Sprint3 PR.AC AAD PIM PR.IP Azure firewall PR.PR Defender ATP PR.MA Auto update RISK
  • 41.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework Assess Controls • Do they work? • Can they be circumvented? • How much residual risk remains?
  • 42.
    NIST Function NISTCategory Your Risks Your Controls Your Work items Multifactor authentication (PR.AC) Enable MFA Priv Identity Management (PR.AC) Enable AAD PIM Admin roles follow least rights privileged (PR.AC) Implement RBAC Encrypt communications containing credentails (PR.AC) Disable basic auth (PR.AC) Rotate service passwords (PR.AC) Rotate API Keys Misconfiguration results in unauthorised access IT admins complete training module before access (PR.AT) Cloud Admin course tracking Critical data is uploaded before environment is ready Users sign up to terms of use (no business data) (PR.AT) Enable AAD Conditional Access ToS Data Security Data is not protected Classifiy data (PR.DS) Implement AIP Maintenance software vulnerabilities OS and application secuirty patching (PR.MA) Enforce auto updates Protective Technology Malware results in outage, unauthorised access or data loss antimalware (PR.PT) Enable Windows Defender ATP (PR.IP) Block inbound internet access Identity Management and Access Control Awareness and Training Information Protection Processes and Procedures Data loss protection Protect Service account password and API keys rotated Unauthorised access is obtained Data loss from attack or accidental disclosure
  • 43.
    Completed controls reducerisk Sprint1 PR.AC MFA PR.AC Rotate keys Sprint2 PR.AC RBAC PR.IP Block internet Sprint3 PR.AC AAD PIM PR.IP Azure firewall PR.PR Defender ATP PR.MA Auto update Release v0.1 Bootstrap RISK
  • 44.
    Categorise system and data Select controls to reducerisk Implement controls Assess controls Authorise. Risk is acceptable Monitor https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf Risk Management Framework
  • 45.
    Risk based approachto Infra as a Service (IaaS) Virtual Datacentre example (Check this: http://aka.ms/VDC)
  • 46.
    Every quest needsa map Or roadmap, storymap, whatever….
  • 47.
  • 48.
    • It’s waterfall(build then run) • Visualisation of the end goal • Clear interdependencies http://www.infrastructures.org/papers/bootstrap/bootstrap.htm
  • 50.
    NIST Function YourRisks NIST Category Your Controls Work items Multifactor authentication (PR.AC) Enable MFA Priv Identity Management (PR.AC) Enable AAD PIM Admin roles follow least rights privileged (PR.AC) Implement RBAC Encrypt communications containing credentails (PR.AC) Disable basic auth (PR.AC) Rotate service passwords (PR.AC) Rotate API Keys IT admins complete training module before access (PR.AT) Cloud Admin course tracking Users sign up to terms of use (no business data) (PR.AT) Enable AAD Conditional Access ToS Data Security Classifiy data (PR.DS) Implement AIP (PR.IP) Block inbound internet access (PR.IP) Block outbound internet access (PR.IP) Implement proxy URL filtering (PR.IP) Implement proxy DLP Maintenance OS and application secuirty patching (PR.MA) Enforce auto updates Protective Technology antimalware (PR.PT) Enable Windows Defender ATP Identity Management and Access Control Awareness and Training Information Protection Processes and Procedures Data loss protection Protect Unauthorised access is obtained Data loss from attack or accidental disclosure Service account password and API keys rotated Malware results in outage, unauthorised access or data loss Categoris e system and data Select controls to reduce risk Impleme nt controls Assess controls Authorise . Risk is acceptabl e Monitor Categoris e system and data Select controls to reduce risk Impleme nt controls Assess controls Authorise . Risk is acceptabl e Monitor Categoris e system and data Select controls to reduce risk Impleme nt controls Assess controls Authorise . Risk is acceptabl e Monitor Categoris e system and data Select controls to reduce risk Impleme nt controls Assess controls Authorise . 
Risk is acceptabl e Monitor NIST Function Your Risks NIST Category Your Controls Work items Multifactor authentication (PR.AC) Enable MFA Priv Identity Management (PR.AC) Enable AAD PIM Admin roles follow least rights privileged (PR.AC) Implement RBAC Encrypt communications containing credentails (PR.AC) Disable basic auth (PR.AC) Rotate service passwords (PR.AC) Rotate API Keys IT admins complete training module before access (PR.AT) Cloud Admin course tracking Users sign up to terms of use (no business data) (PR.AT) Enable AAD Conditional Access ToS Data Security Classifiy data (PR.DS) Implement AIP (PR.IP) Block inbound internet access (PR.IP) Block outbound internet access (PR.IP) Implement proxy URL filtering (PR.IP) Implement proxy DLP Maintenance OS and application secuirty patching (PR.MA) Enforce auto updates Protective Technology antimalware (PR.PT) Enable Windows Defender ATP Identity Management and Access Control Awareness and Training Information Protection Processes and Procedures Data loss protection Protect Unauthorised access is obtained Data loss from attack or accidental disclosure Service account password and API keys rotated Malware results in outage, unauthorised access or data loss NIST Function Your Risks NIST Category Your Controls Work items Multifactor authentication (PR.AC) Enable MFA Priv Identity Management (PR.AC) Enable AAD PIM Admin roles follow least rights privileged (PR.AC) Implement RBAC Encrypt communications containing credentails (PR.AC) Disable basic auth (PR.AC) Rotate service passwords (PR.AC) Rotate API Keys IT admins complete training module before access (PR.AT) Cloud Admin course tracking Users sign up to terms of use (no business data) (PR.AT) Enable AAD Conditional Access ToS Data Security Classifiy data (PR.DS) Implement AIP (PR.IP) Block inbound internet access (PR.IP) Block outbound internet access (PR.IP) Implement proxy URL filtering (PR.IP) Implement proxy DLP Maintenance OS and application secuirty patching 
(PR.MA) Enforce auto updates; Protective Technology, antimalware (PR.PT): Enable Windows Defender ATP. Categories: Identity Management and Access Control; Awareness and Training; Information Protection Processes and Procedures; Data loss protection. Function: Protect. Risks: Unauthorised access is obtained; Data loss from attack or accidental disclosure; Service account password and API keys rotated; Malware results in outage, unauthorised access or data loss.
  • 55.
    NIST Function | Your Risks | NIST Category | Your Controls | Work items
    --- | --- | --- | --- | ---
    Protect | Unauthorised access is obtained | Identity Management and Access Control (PR.AC) | Multifactor authentication | Enable MFA
    Protect | Unauthorised access is obtained | (PR.AC) | Privileged Identity Management | Enable AAD PIM
    Protect | Unauthorised access is obtained | (PR.AC) | Admin roles follow least privilege | Implement RBAC
    Protect | Unauthorised access is obtained | (PR.AC) | Encrypt communications containing credentials | Disable basic auth
    Protect | Service account password and API keys rotated | (PR.AC) | | Rotate service passwords
    Protect | Service account password and API keys rotated | (PR.AC) | | Rotate API Keys
    Protect | Unauthorised access is obtained | Awareness and Training (PR.AT) | IT admins complete training module before access | Cloud Admin course tracking
    Protect | Unauthorised access is obtained | (PR.AT) | Users sign up to terms of use (no business data) | Enable AAD Conditional Access ToS
    Protect | Data loss from attack or accidental disclosure | Data Security (PR.DS) | Classify data | Implement AIP
    Protect | Data loss from attack or accidental disclosure | Information Protection Processes and Procedures (PR.IP) | Data loss protection | Block inbound internet access
    Protect | Data loss from attack or accidental disclosure | (PR.IP) | | Block outbound internet access
    Protect | Data loss from attack or accidental disclosure | (PR.IP) | | Implement proxy URL filtering
    Protect | Data loss from attack or accidental disclosure | (PR.IP) | | Implement proxy DLP
    Protect | Malware results in outage, unauthorised access or data loss | Maintenance (PR.MA) | OS and application security patching | Enforce auto updates
    Protect | Malware results in outage, unauthorised access or data loss | Protective Technology (PR.PT) | Antimalware | Enable Windows Defender ATP

    RMF cycle (repeated for each release on the roadmap): Categorise system and data → Select controls to reduce risk → Implement controls → Assess controls → Authorise: risk is acceptable → Monitor
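As an added example (not from the deck or KA2), a small Python helper that treats the slide 55 table as data: it scores per-risk coverage by assessed work items, gives the "% green" figure used to track the roadmap, lists what is still open, and applies an assumed stage gate for the RMF Authorise step. The stage-to-risk gating, the status vocabulary and the risk-to-row grouping are assumptions.

```python
# Constructed from the slide 55 table: risk -> [(NIST category, work item)].
# The grouping of rows under each risk is an assumption from the slide layout.
WORK_ITEMS = {
    "Unauthorised access is obtained": [
        ("PR.AC", "Enable MFA"), ("PR.AC", "Enable AAD PIM"), ("PR.AC", "Implement RBAC"),
        ("PR.AC", "Disable basic auth"), ("PR.AT", "Cloud Admin course tracking"),
        ("PR.AT", "Enable AAD Conditional Access ToS")],
    "Service account password and API keys rotated": [
        ("PR.AC", "Rotate service passwords"), ("PR.AC", "Rotate API Keys")],
    "Data loss from attack or accidental disclosure": [
        ("PR.DS", "Implement AIP"), ("PR.IP", "Block inbound internet access"),
        ("PR.IP", "Block outbound internet access"), ("PR.IP", "Implement proxy URL filtering"),
        ("PR.IP", "Implement proxy DLP")],
    "Malware results in outage, unauthorised access or data loss": [
        ("PR.MA", "Enforce auto updates"), ("PR.PT", "Enable Windows Defender ATP")],
}

# Assumed gates: which risks must be fully assessed before each roadmap stage
# (slides 53-55) is authorised. The deck does not spell this mapping out.
STAGE_GATES = [
    ("Central ID and RBAC", {"Unauthorised access is obtained"}),
    ("App ready", {"Unauthorised access is obtained",
                   "Service account password and API keys rotated",
                   "Malware results in outage, unauthorised access or data loss"}),
    ("Data ready", set(WORK_ITEMS)),
]

def risk_coverage(status):
    """Per risk: (work items assessed, work items total). An item only counts
    once its status is 'assessed' (RMF step 4); 'implemented' is not enough."""
    return {risk: (sum(status.get(item) == "assessed" for _, item in items), len(items))
            for risk, items in WORK_ITEMS.items()}

def percent_green(status):
    """The '% green' number for the roadmap: assessed work items over all items."""
    cov = risk_coverage(status)
    return round(100 * sum(d for d, _ in cov.values()) / sum(t for _, t in cov.values()))

def open_work_items(status):
    """Work items still to implement or assess, tagged with the risk they reduce."""
    return [(risk, item) for risk, items in WORK_ITEMS.items()
            for _, item in items if status.get(item) != "assessed"]

def authorised_stages(status):
    """RMF 'Authorise': a stage is reachable only when every risk it gates is
    covered entirely by assessed controls; partial coverage does not authorise."""
    cov = risk_coverage(status)
    return [name for name, risks in STAGE_GATES
            if all(cov[r][0] == cov[r][1] for r in risks)]
```

The status dict is keyed by work item and holds whatever your tracker records ("open", "implemented", "assessed"); only "assessed" moves a risk towards acceptable.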
  • 56.
    Shortcuts
    • Embed someone from InfoSec in your team (DevSecOps). They can review controls as they’re implemented.
    • Learning by doing takes time… Work with a cloud migration specialist. Inherit their code and security controls. Jump ahead to IAM v7, landing zone v9 etc.
    • Be a chameleon. Fold into existing governance.
    • Call your team the Cloud Adoption Team (CAT).
  • 59.
    Thanks! KA2 is an expert technology change consultancy specialising in financial services, the insurance industry and public sector. The company provides expert services across the entire technology change spectrum including: cloud migration, target operating models and digital transformation strategies; the modern workplace; service management; enterprise architecture; network design; enterprise security and voice and unified communications. The team includes highly skilled and experienced programme leaders, technical architects, solutions consultants and business analysts who all bring a proven track record in delivering successful technology change programmes for a wide range of blue-chip organisations. Email: contact@ka2.io

Editor's Notes

  • #2 A problem my consultancy hit on a recent cloud migration engagement, what’s happening now, and hopefully you’ll be able to make use of this too.
  • #4 Last seen working at public cloud service provider Hentsu, spinning up infra for new hedge funds and migrating hedge funds to public cloud. Background: engineering teams in investment banking and asset management; regulatory compliance, high security, high availability, high tech. Industry certifications & scout computer badge!!
  • #5 Loaded up with Historical cargo
  • #7 CEO of Infor at AWS Summit 2014: Building a computer room/DC is kind of interesting. Keeping it running is a burden, a huge distraction from working on stuff the business or the customer actually cares about. Move DCs to public cloud and refocus on more important stuff that’s going to make the company money / customers happy. Building and maintaining DCs does keep you busy; it doesn’t make you valuable.
  • #9 Azure datacenters are positioned on ley lines of tremendous connectivity. If you’re an international organization, investigate if you can ditch your point-to-point international leased lines and use the public cloud provider as a hub to link your offices and datacenters. When comparing the cost of on prem vs public cloud
  • #10 You assemble a team of mercenaries/contractors
  • #11 Infosec Fortress
  • #12 Cyber defence 1976
  • #15 Administration – who has access to what (from where), rbac, how you operate the service, still you
  • #16 AWS – same deal, still up to you to secure the data
  • #18 Where’s the magic dial?
  • #21 1. A way of discussing risk with infosec and getting approvals. 2. Release roadmap: what we’re going to do in stages. 3. Helps us figure out risks and what to do about them.
  • #23 Click through
  • #24 Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. Describe the risk – what bad things could happen with this system / this data.
  • #25 Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk. Technical/process; the NIST Cyber Framework can help with this.
  • #26 Implement the controls and describe how the controls are employed within the system and its environment of operation.
  • #27 Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
  • #28 Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.
  • #29 Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
  • #30 Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. Describe the risk – what bad things could happen with this system / this data.
  • #32 Click to releases
  • #33 Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk. Implement the controls and describe how the controls are employed within the system and its environment of operation. Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable. Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
  • #35 Secret weapon number 3
  • #37 Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk (technical/process). Implement the controls and describe how the controls are employed within the system and its environment of operation. Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable. Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
  • #39 Risk – what’s the bad thing that could happen. Control – what makes it unlikely or lower impact. Work items – well defined so people can crack on. Talk with infosec: which risks and controls will get you to the next stage on your roadmap?
  • #42 Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk (technical/process). Implement the controls and describe how the controls are employed within the system and its environment of operation. Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable. Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
  • #43 50% green
  • #45 Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
  • #49 Excuse the GFX, it was 1998, on unix, we’re lucky it’s not ASCII art!
  • #50 High risk – don’t put anything important here! Getting better, safer… Time for low value apps… Party time, upload the business critical data.
  • #51 High risk – don’t put anything important here! Getting better, safer… Time for low value apps… Party time, upload the business critical data.
  • #52 Bootstrap – POCs look like this often
  • #53 Central ID and RBAC
  • #54 App ready
  • #55 Data ready
  • #56 High risk – don’t put anything important here! Getting better, safer… Time for low value apps… Party time, upload the business critical data.
  • #58 But the burners on
  • #59 Stop fighting with IT Security. Find that common ground, common language. Agree a plan, execute the plan and keep talking throughout.
  • #60 May your quests be really successful!
  • #61 A problem my consultancy hit on a recent cloud migration engagement, what’s happening now, and hopefully you’ll be able to make use of this too.