Shared Responsibilities For Cloud Security
© 2016 Deloitte. All rights reserved

Cloud computing, risks and security

Preface

Many businesses are moving to cloud solutions and services because cloud computing increases efficiency, helps improve cash flow and offers many more benefits.

The benefits which can be gained through the use of cloud services or solutions come with additional risks. Risks to the security of enterprise information in the cloud need to be fully understood before the enterprise is exposed to those services or solutions. Organisations also need to fully understand their own responsibility for securing their data in cloud environments.

Benefits of cloud computing
• Always-on availability
• Flexibility
• Disaster recovery
• Fresh software
• Automatic software updates
• Capital-expenditure free
• Do more with less
• Increased collaboration
• Work from anywhere
• Document control
• Security
• Improved collaboration
• Expenses can be quickly reduced
Agenda
• Cloud service models and types
• Cloud Service Provider (CSP) standards
• Responsibility for securing data
• Cloud security and governance
• Protecting critical data in the cloud
• Cloud cyber risk offerings overview
• Questions
Cloud service models and types

Adoption of cloud technologies is rapidly becoming the norm.

Private Cloud: tools that provide scalability and self-service on architecture owned by or dedicated to the organisation (self-hosted or co-located).
Infrastructure as a Service (IaaS): on-demand, scalable compute, storage and networking hosted by a provider.
Platform as a Service (PaaS): the collection of tools needed for application development, hosted by a provider.
Software as a Service (SaaS): applications hosted by a provider and consumed by customers over the internet.
Personal Cloud: provider-hosted capabilities, from storage to media streaming to collaboration, accessible through personal accounts.
There are a variety of cyber risks associated with moving to the cloud. Common concerns include:

Consumer/Shadow IT: business units and consumers using cloud services with or without cyber controls.
Third-party Risk: enterprises depend on the cloud providers' controls.
Concentrated Risk: cloud providers are a bigger target because "that's where the data is".
Modern Attack Surface: the walled enterprise is replaced by a hybrid, more complicated technology environment.
Controls Gap: traditional cyber risk controls need to extend to the cloud at a time when many enterprises are barely keeping up with existing threats.
Cloud Service Provider (CSP) standards

Cloud security standards, and their support by prospective CSPs and within the enterprise, should be a critical area of focus for cloud service customers. The benefits of supporting key security standards are numerous:

• Standards promote interoperability, reducing vendor lock-in and making it simpler to transition from one cloud service provider to another.
• Standards facilitate hybrid cloud computing by making it easier to integrate on-premises security technologies with those of cloud service providers.
• Standards provide a level of assurance that critical best practices are being followed, both internally within an enterprise and by cloud service providers; certifications are available for several security standards.
• Standards support gives cloud service customers an effective means to compare and contrast cloud service providers.
• Standards support enables an easier path to regulatory compliance.

It is in a CSP's interest to be transparent about its compliance with security standards. Customers should nonetheless interrogate that information rather than take it on trust: check which services, regions and control objectives a certification or audit report actually covers, when it was issued, and whether that scope matches the services the enterprise intends to use.
Responsibility for securing data

A shared responsibility model for cloud security, an approach by which both the CSP and its customers are accountable for certain aspects of security, is the ideal. Enterprises must clearly define their own responsibilities along with those of the CSP. A distinct line should be drawn that indicates which party is accountable, not only for particular aspects of data security, but for the security of applications, virtual machines, interfaces, service configurations and any artefact stored or processed in the cloud.

In practice this is not a joint effort on every layer: each party secures the layers it owns, and the boundary between them moves with the service model.

While cloud providers' security is often the focus, managing cyber risk is a shared responsibility between the enterprise and the cloud provider.
The slide's matrix plots the security layers (rows) against the deployment and service models (columns) and marks which party, enterprise or provider, owns each cell:

Columns (models): Private Cloud (Self-Hosted); Private Cloud (Co-Located); IaaS; PaaS; SaaS
Rows (layers): Security Governance, Risk & Compliance (GRC); Data Security; Application Security; Platform Security; Infrastructure Security; Physical Security

Reading left to right, ownership of physical and infrastructure security passes to the provider first, then platform security (PaaS) and application security (SaaS); GRC and data security remain the enterprise's responsibility under every model.
The software industry is evolving to address cyber risks in the cloud

Identity as a Service (IDaaS) was the first, and is the most mature, capability in the cloud security market.
Data protection and governance are rapidly maturing into a common set of Cloud Access Security Broker (CASB) capabilities.
As enterprises mature, more advanced capabilities are emerging (virtualisation, SIEM, governance, analytics, workflow and orchestration); will CASBs add these capabilities themselves, or will there be more acquisitions and partnerships?
Cloud security and governance

Several cloud-specific security standards have been published, including the Cloud Security Alliance Cloud Controls Matrix (CCM), ISO/IEC 27017 (cloud-specific information security controls) and ISO/IEC 27018 (protection of personally identifiable information in public clouds). These standards provide quite detailed guidance and recommendations for both cloud service customers and cloud service providers.

The standards are valuable tools to help customers shape their strategy for cloud security. Though not exhaustive, they provide a good initial source of guidance for assessing cloud service providers and help to highlight the impact of using cloud services in the organisation.

While the initial focus is often on compliance, many organisations are looking at aligning controls to the actual risk in the cloud. The slide plots maturity against time since cloud adoption through three stages:

Compliant: achieve required compliance through the protection of regulated data.
Risk-aligned: integrate cloud technologies into the enterprise security architecture.
Adaptive: adapt controls to evolving threats by discerning the context, relevance and required response.
Protecting critical data in the cloud
• Build traditional security into your cloud
• Take a risk based approach to your data and your choice of CSP
• Utilise the security features available from your CSP
• Complement their security features with your own
• Audit, Assess, Review, Repeat…often!
Assess cloud cyber risk and assemble a prioritised action plan

Deloitte Advisory's Cloud Cyber Risk Assessment provides a broad analysis of a client's current "point in time" state of cyber risks in the cloud and an actionable roadmap to address shortcomings. It answers four questions:

• What is my actual cloud service inventory and use?
• Do my existing controls meet industry and organisation standards?
• What is my inherent risk?
• What can I do to manage my risks and align to the goals of my business?

Figure ("Protecting critical data in the cloud"): the traditional enterprise (applications, databases and infrastructure in enterprise networks and legacy data centres) alongside traditional apps and databases moved to IaaS, new custom and SaaS services, sanctioned SaaS, and unsanctioned cloud apps, data and infrastructure; on-premise users and BYOD/remote users reach all of these over the public internet. Cloud Data Protection spans them, with the assessment domains Cloud Resilience, Cloud Vigilance, Application Security, Infrastructure Security, Cloud Provider Cyber Risk, Governance, and Identity and Context.
Securing your Cloud Architecture

Figure: reference architecture spanning the enterprise and the cloud.

Enterprise side: the enterprise security infrastructure serves on-premise users, synchronises users to the cloud (user sync) and passes applications and platforms through to the cloud (application pass-through, platform pass-through). It holds the security policy and configuration data, the data security policy, and keys and certificates, and receives event data back: application/platform/infrastructure events, data protection events, configuration events, IAM events, security events and network security infrastructure events.

Cloud side: cloud platform/infrastructure, cloud applications, cloud IAM/GRC, cloud SIEM and analytics, cloud configuration management, cloud data protection, and a cloud ecosystem portal. Security policy/configuration data, data security policy, and keys and certificates flow in from the enterprise; event/usage data flows back to it.

Access paths: cloud customers and remote users authenticate with strong or adaptive authentication; one external path is marked "low risk access only".

• Pinpoint solutions to mitigate cloud-related risks
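The "strong / adaptive authentication" and "low risk access only" labels in the figure describe a decision that takes the request's context into account rather than the password alone. The following is an added illustration (not code from the deck or from Deloitte) of such a decision: a risk score is built from session signals (device management state, network, source IP novelty, travel plausibility) and compared against step-up and deny thresholds, with high-sensitivity resources served only from low-risk sessions. The signals, weights, thresholds and scenarios are assumptions chosen to show the mechanism, not a recommended policy.

```python
"""Adaptive (context-aware) authentication decision.

Added illustration, not Deloitte's code: the signals, weights and thresholds
below are assumptions that show the mechanism, not a recommended policy.
"""
from dataclasses import dataclass

STEP_UP_THRESHOLD = 20   # assumed: at or above this, require MFA before serving the request
DENY_THRESHOLD = 60      # assumed: at or above this, refuse even when MFA was completed


@dataclass(frozen=True)
class AccessContext:
    user: str
    resource_sensitivity: str     # "low" or "high": classification of the target data
    mfa_passed: bool              # a second factor was completed in this session
    managed_device: bool          # device is enrolled and reports as compliant
    corporate_network: bool       # request arrives from a known enterprise egress
    new_ip_for_user: bool         # source IP never seen for this user before
    km_from_last_login: float     # distance from the previous successful login
    hours_since_last_login: float


@dataclass(frozen=True)
class Decision:
    action: str                   # "allow", "step_up" or "deny"
    score: int
    reasons: tuple


def impossible_travel(ctx: AccessContext, max_kmh: float = 900.0) -> bool:
    """True when the implied speed since the last login is not physically plausible."""
    if ctx.km_from_last_login < 100:         # same metro area: never flag
        return False
    if ctx.hours_since_last_login <= 0:      # two distant logins at the same time
        return True
    return ctx.km_from_last_login / ctx.hours_since_last_login > max_kmh


def risk_score(ctx: AccessContext):
    """Additive risk score plus the reasons that contributed (weights are assumptions)."""
    score, reasons = 0, []
    if not ctx.managed_device:
        score += 30
        reasons.append("unmanaged device")
    if not ctx.corporate_network:
        score += 10
        reasons.append("off-network")
    if ctx.new_ip_for_user:
        score += 15
        reasons.append("new source IP")
    if impossible_travel(ctx):
        score += 50
        reasons.append("impossible travel")
    return score, tuple(reasons)


def decide(ctx: AccessContext) -> Decision:
    score, reasons = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)
    if ctx.resource_sensitivity == "high":
        # "Low risk access only": high-sensitivity data is never served from a risky
        # session, and always needs a second factor even from a clean one.
        if score >= STEP_UP_THRESHOLD:
            return Decision("deny", score, reasons)
        return Decision("allow" if ctx.mfa_passed else "step_up", score, reasons)
    if score >= STEP_UP_THRESHOLD and not ctx.mfa_passed:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


# Constructed scenarios (user, sensitivity, mfa, managed, corp net, new ip, km, hours).
OFFICE_USER = AccessContext("alice", "low", False, True, True, False, 0.0, 9.0)
HOME_LAPTOP = AccessContext("bob", "low", False, False, False, True, 30.0, 12.0)
HOME_LAPTOP_MFA = AccessContext("bob", "low", True, False, False, True, 30.0, 12.0)
TRAVELLING_TOKEN = AccessContext("carol", "low", True, True, False, True, 6000.0, 1.0)
PAYROLL_FROM_CAFE = AccessContext("dave", "high", True, True, False, True, 5.0, 2.0)
PAYROLL_FROM_OFFICE = AccessContext("dave", "high", False, True, True, False, 0.0, 2.0)

if __name__ == "__main__":
    for ctx in (OFFICE_USER, HOME_LAPTOP, HOME_LAPTOP_MFA, TRAVELLING_TOKEN,
                PAYROLL_FROM_CAFE, PAYROLL_FROM_OFFICE):
        d = decide(ctx)
        print(f"{ctx.user:6} {ctx.resource_sensitivity:4} -> {d.action:8} "
              f"score={d.score:2} {', '.join(d.reasons)}")
```

The point of the deny branch for high-sensitivity data is that a second factor does not lower the score: a stolen token used from an unmanaged device and a new address still cannot reach payroll, which is what "low risk access only" on the figure means in practice.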
Cloud cyber risk offerings overview

Core Cloud Cyber Risk Offerings

Strategy: develop the company strategy to manage cyber risk as the business moves to the cloud.
• Discovery and interviews to obtain the risk posture (inherent and residual)
• Develop a prioritised set of recommendations and a strategic roadmap

Blueprint: develop a tailored blueprint of cloud risk capabilities to meet business needs.
• Cloud reference architectures for the various cloud models, together with recommended technologies

Implementation: put protection and governance capabilities into action to manage cloud cyber risks.
• Design and implement cloud security solutions
• Design and implement platform-specific controls (e.g., SaaS-specific)
• Design and implement identity for the cloud
• GRC for the cloud, in the cloud: a pure-cloud GRC stack for cloud vendors

Scope considerations (help to scope and define cloud requirements)
Type of cloud: what type of 'cloud' is needed to meet business needs? Private, IaaS, PaaS, SaaS.
Business objectives: how could cloud enable your business? Improve business agility, improve operating cost, enter new markets, etc.
Cloud Cyber Risk Strategy

Activities, from the "As Is" environment to the "To Be" environment:

Evaluate current state (inherent risk)
• Identify and categorise current cloud usage
• Review cloud strategy for business usage
• Review applicable risk and regulatory landscape
• Determine security and compliance requirements

Assess residual risk for high-priority cloud services
• Determine providers' controls from the CSA (Cloud Security Alliance)
• Review high-priority cloud providers to determine existing controls
• Review the enterprise's cloud security controls
• Assess overall cyber risk

Develop initiative plans and strategic roadmap
• Define cloud cyber risk programme vision
• Identify and prioritise recommendations
• Develop strategic roadmap
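The first activity, identifying and categorising current cloud usage, is the same problem the Consumer/Shadow IT concern raised earlier: services that staff adopt with no cyber controls, which also answers the assessment's "what is my actual cloud service inventory" question. The following is an added example (not from the Deloitte deck) of the discovery approach a CASB's discovery mode takes over web proxy logs: match each request's hostname against a service catalogue, aggregate per service and user, and rank unsanctioned services by outbound volume. The log format, the five-entry catalogue and the `.example` hostnames are constructed for the illustration.

```python
"""Cloud service discovery from web proxy logs (shadow IT inventory).

Added illustration, not from the Deloitte deck: the log format, the service
catalogue and the hostnames are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hypothetical catalogue: hostname suffix -> (service, model, sanctioned by the enterprise?).
# A CASB's discovery catalogue has thousands of such entries; five are enough here.
CATALOGUE: Dict[str, Tuple[str, str, bool]] = {
    "sharefiles.example": ("ShareFiles", "SaaS", True),
    "crmcloud.example": ("CRMCloud", "SaaS", True),
    "compute.iaas-provider.example": ("IaaSProvider", "IaaS", True),
    "quicknotes.example": ("QuickNotes", "SaaS", False),
    "pastedrop.example": ("PasteDrop", "SaaS", False),
}

# Constructed proxy log, one request per line: timestamp user client method url request_bytes
SAMPLE_LOG = """\
2016-05-03T09:01:12Z alice 10.1.2.3  GET  https://app.sharefiles.example/files 512
2016-05-03T09:02:40Z alice 10.1.2.3  POST https://api.quicknotes.example/sync 240000
2016-05-03T09:05:01Z bob   10.1.2.9  POST https://pastedrop.example/upload 5300000
2016-05-03T09:06:30Z carol 10.1.2.15 GET  https://www.crmcloud.example/ 1200
2016-05-03T09:07:02Z bob   10.1.2.9  POST https://api.quicknotes.example/sync 180000
2016-05-03T09:09:45Z dave  10.1.2.21 PUT  https://compute.iaas-provider.example/v1/instances 3000
2016-05-03T09:10:10Z erin  10.1.2.30 GET  https://news.example/ 90000
"""


@dataclass
class ServiceUsage:
    name: str
    model: str
    sanctioned: bool
    users: Set[str] = field(default_factory=set)
    requests: int = 0
    bytes_up: int = 0            # request bytes on POST/PUT: the data-leaving-the-enterprise figure


@dataclass
class DiscoveryReport:
    services: Dict[str, ServiceUsage] = field(default_factory=dict)
    unclassified: Counter = field(default_factory=Counter)   # hosts not in the catalogue


def lookup(host: str) -> Optional[Tuple[str, str, bool]]:
    """Longest-suffix match of a hostname against the catalogue (sub-hosts inherit the entry)."""
    best = None
    for suffix, entry in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def discover(log_text: str) -> DiscoveryReport:
    """Aggregate proxy log lines into per-service usage; malformed lines are skipped."""
    report = DiscoveryReport()
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 6:
            continue
        _ts, user, _client, method, url, size = parts
        host = (urlsplit(url).hostname or "").lower()
        entry = lookup(host)
        if entry is None:
            report.unclassified[host] += 1
            continue
        name, model, sanctioned = entry
        usage = report.services.setdefault(name, ServiceUsage(name, model, sanctioned))
        usage.users.add(user)
        usage.requests += 1
        if method.upper() in ("POST", "PUT"):
            usage.bytes_up += int(size)
    return report


def unsanctioned(report: DiscoveryReport) -> List[ServiceUsage]:
    """Unsanctioned services, largest outbound volume first: the shadow-IT triage list."""
    return sorted((u for u in report.services.values() if not u.sanctioned),
                  key=lambda u: (-u.bytes_up, u.name))


if __name__ == "__main__":
    rep = discover(SAMPLE_LOG)
    for u in unsanctioned(rep):
        print(f"UNSANCTIONED {u.name} ({u.model}): {len(u.users)} users, "
              f"{u.requests} requests, {u.bytes_up} bytes uploaded")
    print("unclassified hosts:", dict(rep.unclassified))
```

Ranking by uploaded bytes rather than request count is deliberate: a note-syncing app with many small requests matters less than a paste site receiving one 5 MB upload. The unclassified hosts are reported too, since a catalogue miss is exactly where a new shadow service first appears.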
Deliverables
• Information security risk management framework
• Initial assessment results
• Assessment results report, including residual risk score

Figure: the cyber risk framework the assessment is built on.

Governance: Organization & Operating Model; Strategy & Roadmap; Policies & Standards; Risk Reporting & Culture.
Business value and objectives: Growth/Innovation; Operational Efficiency; Risk Management; Regulatory Compliance.

Cyber risk domains

Secure: take a measured, risk-based approach to what we secure and how we secure it.
• Risk & Compliance Management
• Infrastructure Security
• Identity & Access Management
• Application Security
• Data Security
• Workforce Management
• Training & Awareness
• Third Party Management
• Physical & Environmental
• Integration with Business Processes
• Integration with IT Processes

Vigilant: monitor systems, applications, people and the outside environment to detect incidents rapidly and more effectively.
• Threat Management
• Vulnerability Management
• Endpoint Monitoring
• Cybersecurity Operations
• Risk Analytics
• Insider Threat Monitoring

Resilient: be prepared for incidents and minimise their business impact.
• Incident Response & Forensics
• Resiliency & Recovery
• Crisis Management
• Cyber Simulations

Foundational elements: Know Your Third Parties; Know Your Assets; Know Your Customers; Know Your Data; Know Your Employees; Know Your Attackers; Know Your Services / Processes.
Sample deliverable: a prioritised roadmap for one assessment gap (illustrative, for a "Company A")

Gap 3 – Data Protection

Initiative: Define policies & PII training
  Activities & objectives: adopt the revamped information security policy framework currently in development to serve as the baseline for the data protection and DLP strategy; move forward with PII training as described in the Gap 2 recommendations.
  Inputs: none
  Resource estimate: 2 FTEs, $80K - $100K

Initiative: Develop DLP strategy
  Activities & objectives: develop a strategy that defines the data to protect and the approved methods to protect it; consider database, tape and email encryption, and study the capabilities of existing products licensed by Company A.
  Inputs: Define policies
  Resource estimate: 2 FTEs, $80K - $100K

Initiative: Data classification
  Activities & objectives: establish data classification guidelines that cover conventions for initial classification and reclassification of information throughout the data life cycle, considering current usage as well as environmental and regulatory changes.
  Inputs: Develop DLP strategy
  Resource estimate: 3 FTEs, $275K - $300K

Initiative: Restrict flash drives and mobile data
  Activities & objectives: implement an automated policy to prevent data transfer to devices that are not encrypted, e.g. Microsoft BitLocker enforcement through Group Policy; ensure that mobile device protection is enforced based on the policy and DLP strategy.
  Inputs: Develop DLP strategy
  Resource estimate: 1 FTE, $75K - $100K

Initiative: Select, pilot and test DLP solution (incl. email and database encryption)
  Activities & objectives: evaluate criteria for DLP solutions based on the data protection requirements, then evaluate and identify the best-fit solution; conduct a proof of concept for the DLP solution, then test and deploy with select systems.
  Inputs: Data classification
  Resource estimate: 2 FTEs, $270K - $300K

Initiative: Roll out DLP across Subsidiary A
  Activities & objectives: implement the DLP solution in a phased approach across the business.
  Inputs: DLP solution
  Resource estimate: 4 FTEs, $700K - $750K

Timeline: the initiatives are scheduled by quarter from FY13 Q3 to FY15 Q4 (Gantt chart; legend: priority activity, activity already planned, business activity, ISD activity). Resource estimates vary by scope and complexity.

Further deliverables
• Cloud cyber risk programme vision
• Prioritised recommendations & strategic roadmap
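The roadmap's data classification, removable-media and DLP pilot initiatives rest on one mechanism: classify the content, then apply a transfer rule by level. The following is an added example (not from the deck or from Deloitte) of that mechanism in code: regex detectors for payment card numbers (confirmed with the Luhn check so that reference numbers of the same shape are not blocked), a national identifier format, email addresses and an "INTERNAL ONLY" marker; a classification level derived from the findings; and a removable-media rule that refuses Restricted data outright and allows Confidential data only to an encrypted device. The detectors, levels, rule and sample files are assumptions constructed for the illustration.

```python
"""Content classification for a DLP pilot, and the removable-media rule it feeds.

Added illustration, not from the slide deck: the detectors, classification
levels, transfer rule and sample files are assumptions standing in for an
organisation's own classification guidelines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Detectors (assumed). A card candidate is any 13-19 digit run with optional
# spaces or dashes; it only counts as a card if the Luhn check digit is right.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
NATIONAL_ID_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # format only (US SSN style)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
INTERNAL_MARKER = "INTERNAL ONLY"

LEVELS = ("Public", "Internal", "Confidential", "Restricted")   # ascending sensitivity


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, and require a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Card-shaped digit runs that also pass Luhn; returns the bare digit strings."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass(frozen=True)
class Classification:
    level: str
    findings: Tuple[str, ...]


def classify(text: str) -> Classification:
    """The most sensitive detector that fires sets the level."""
    findings = []
    if find_card_numbers(text):
        findings.append("payment card number")
    if NATIONAL_ID_RE.search(text):
        findings.append("national identifier")
    if EMAIL_RE.search(text):
        findings.append("email address")
    if INTERNAL_MARKER in text:
        findings.append("internal marker")
    if "payment card number" in findings or "national identifier" in findings:
        level = "Restricted"
    elif "email address" in findings:
        level = "Confidential"
    elif "internal marker" in findings:
        level = "Internal"
    else:
        level = "Public"
    return Classification(level, tuple(findings))


def transfer_allowed(level: str, device_encrypted: bool) -> bool:
    """Removable-media rule (assumed): Restricted never leaves on removable media,
    Confidential only to an encrypted device, lower levels are unrestricted."""
    rank = LEVELS.index(level)
    if rank >= LEVELS.index("Restricted"):
        return False
    if rank >= LEVELS.index("Confidential"):
        return device_encrypted
    return True


def scan(files: Dict[str, str], device_encrypted: bool) -> Dict[str, Tuple[str, bool]]:
    """Classify each file and decide whether it may be copied to the given device."""
    result = {}
    for name, text in files.items():
        level = classify(text).level
        result[name] = (level, transfer_allowed(level, device_encrypted))
    return result


SAMPLE_FILES = {   # constructed
    "brochure.txt": "Our spring product line launches in May.",
    "staff-list.csv": "name,email\nA. Example,a.example@corp.example\n",
    "payments-export.csv": "card,amount\n4111 1111 1111 1111,19.99\n",
    "memo.txt": "INTERNAL ONLY: draft reorganisation timeline",
    "tickets.txt": "ref 4111 1111 1111 1112 is a ticket number, not a card",
}

if __name__ == "__main__":
    for name, (level, ok) in scan(SAMPLE_FILES, device_encrypted=False).items():
        print(f"{name:22} {level:13} copy to unencrypted USB: {'allowed' if ok else 'BLOCKED'}")
```

The tickets file is the case a pilot has to get right: it contains a sixteen-digit number that looks like a card but fails Luhn, so it stays Public and is not blocked. A DLP rule that matches on shape alone generates exactly the false positives that make users route around the control.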
Cloud Cyber Risk Management Blueprint

Activities
Scoping and planning: strategy, governance, operations and support review.
Capability analysis: understand existing capabilities and gaps aligned to the security strategy for cloud; identify appropriate capabilities and controls to meet requirements.
Capability design: architect the integration of capabilities.

Deliverables
• Strategy requirements
• Capabilities blueprint: architect and design capability integration across Governance, Secure, Vigilant and Resilient; define SLAs, roles and responsibilities between the enterprise and providers.
• Solution architecture
• Cloud reference architecture

More Related Content

Similar to ShareResponsibilityModel.pptx

Barracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWSBarracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWS
Amazon Web Services
 
Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigm
fanc1985
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
David Spinks
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
Glenn Ambler
 

Similar to ShareResponsibilityModel.pptx (20)

ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
 
Cloud Application Security --Symantec
 Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --Symantec
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
 
SAP Concur’s Cloud Journey
SAP Concur’s Cloud JourneySAP Concur’s Cloud Journey
SAP Concur’s Cloud Journey
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
Barracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWSBarracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWS
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
 
Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigm
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Top Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptxTop Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptx
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
What is the significance of cybersecurity in cloud.pptx
What is the significance of cybersecurity in cloud.pptxWhat is the significance of cybersecurity in cloud.pptx
What is the significance of cybersecurity in cloud.pptx
 
Cloud migration
Cloud migrationCloud migration
Cloud migration
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspective
 

Recently uploaded

Recently uploaded (20)

Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
 
PITHAMPUR 💋 Call Girl 9827461493 Call Girls in Escort service book now
PITHAMPUR 💋 Call Girl 9827461493 Call Girls in  Escort service book nowPITHAMPUR 💋 Call Girl 9827461493 Call Girls in  Escort service book now
PITHAMPUR 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
WheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond InsightsWheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond Insights
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAIGetting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR  ESCORTSJAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR  ESCORTS
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
 
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptxQSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Solan Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Solan Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableSolan Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Solan Call Girl Just Call 8084732287 Top Class Call Girl Service Available
 
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service AvailableNashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
 
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTSDurg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Nanded Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Nanded Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableNanded Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Nanded Call Girl Just Call 8084732287 Top Class Call Girl Service Available
 
ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
ALWAR 💋 Call Girl 9827461493 Call Girls in  Escort service book nowALWAR 💋 Call Girl 9827461493 Call Girls in  Escort service book now
ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
 

ShareResponsibilityModel.pptx

  • 2. 2 © 2016 Deloitte. All rights reserved • Always-on availability • Flexibility • Disaster recovery • Fresh Software • Automatic software updates • Capital-expenditure Free • Do more with less • Increased collaboration • Work from anywhere • Document control • Security • Improved collaboration • Expenses can be quickly reduced Cloud computing, risks and security Preface Many businesses are moving to cloud solutions and services because cloud computing increases efficiency, helps improve cash flow and offers many more benefits. The benefits which can be gained through the use of cloud services or solutions come with additional risks. Risks to the security of enterprise information in the cloud need to be fully understood in advance of exposure to cloud services or solutions. Organisations also need to fully understand their responsibility for securing their data in cloud environments. Benefits to cloud computing
  • 3. Agenda • Cloud service models and types • Cloud Service Provider (CSP) standards • Responsibility for securing data • Cloud security and governance • Protecting critical data in the cloud • Cloud cyber risk offerings overview • Questions
  • 4. Cloud service models and types Adoption of cloud technologies is rapidly becoming the norm….. Private Cloud Tools that provide scalability and self-service on proprietary architecture Infrastructure as a Service (IaaS) On-demand and scalable compute, storage and networking hosted by a provider Platform as a Service (PaaS) Collection of tools needed for application development hosted by a provider Software as a Service (SaaS) Applications hosted by a provider and consumed by customers over the internet Personal Cloud Provider-hosted capabilities from storage, to media streaming, to collaboration, accessible through personal accounts
  • 5. Consumer/Shadow IT Business and consumers using cloud with or without cyber controls Third-party Risk Enterprises are dependent on cloud providers’ controls Concentrated Risk Cloud providers are a bigger target because “that’s where the data is” Modern Attack Surface The walled enterprise is replaced by a hybrid, more complicated technology environment Controls Gap Traditional cyber risk controls need to extend to the cloud at a time when many enterprises are barely keeping up with existing threats There are a variety of cyber risks associated with moving to the cloud. Common concerns include:
  • 6. Cloud Service Provider (CSP) standards Cloud security standards and their support by prospective CSPs and within the enterprise should be a critical area of focus for cloud service customers. The benefits of supporting key security standards are numerous: • Standards promote interoperability, eliminating vendor lock-in and making it simpler to transition from one cloud service provider to another. • Standards facilitate hybrid cloud computing by making it easier to integrate on- premises security technologies with those of cloud service providers. • Standards provide a level of assurance that critical best practices are being followed both internally within an enterprise and by cloud service providers – certifications are available for several security standards. • Standards support provides an effective means by which cloud service customers can compare and contrast cloud service providers. • Standards support enables an easier path to regulatory compliance.
  • 7. CSPs should know that it is in their interest to be transparent about their compliance to security standards. Though customers should always look to interrogate this information and ensure that it matches their expectations.
  • 8. Responsibility for securing data A shared responsibility model for cloud security or an approach by which both the CSP and its customers are accountable for certain aspects of security is the ideal. Enterprises must clearly define their own responsibilities, along with those of the CSP. A distinct line should be drawn that indicates which party is accountable, not only for certain aspects of data security, but the security of applications, virtual machines, interfaces, service configurations and any artefact stored or processed in the cloud. Though this is not generally a combined effort…
  • 9. While cloud providers’ security is often a focus, managing cyber risk is a shared responsibility between the enterprise and the cloud provider Private Cloud (Self-Hosted) Private Cloud (Co-Located) IaaS PaaS SaaS Security Governance, Risk & Compliance (GRC) Data Security Application Security Platform Security Infrastructure Security Physical Security
  • 10. The software industry is evolving to address cyber risks in the cloud CASB Emerging Capabilities Identity as a Service (IDaaS) – the first and most mature capability in the cloud security market Data protection and governance is rapidly maturing into a common set of Cloud Access Security Broker (CASB) capabilities As enterprises mature more advanced capabilities are emerging – will CASBs add capabilities or will there be more acquisitions and partnerships? IDaaS Virtualisation SIEM Governance Analytics Workflow Orchestration
  • 11. Cloud security and governance There are several cloud specific security standards that have been published, including Cloud Security Alliance CCM, ISO/IEC 27017 and ISO/IEC 27018. These standards provide quite detailed guidance and recommendations for both cloud service customers and cloud service providers. The standards are valuable tools to help customers shape their strategy for cloud security. Though not exhaustive, they do provide a good initial source of guidance in assessing Cloud Service Providers and help to highlight the impact of utilising cloud services in their organisation.
  • 12. While initial focus is often on compliance, many organisations are looking at aligning controls to the actual risk in the cloud Maturity Time since Cloud Adoption Achieve required compliance through the protection of regulated data Integrate cloud technologies into the enterprise security architecture Adapt controls to the evolving threats by discerning the context, relevance and required response Compliant Risk-aligned Adaptive
  • 13. Protecting critical data in the cloud • Build traditional security into your cloud • Take a risk based approach to your data and your choice of CSP • Utilise the security features available from your CSP • Complement their security features with your own • Audit, Assess, Review, Repeat…often!
  • 14. Assess cloud cyber risk and assemble a prioritised action plan Deloitte Advisory’s Cloud Cyber Risk Assessment provides a broad analysis of a client’s current “point in time” state of cyber risks in the cloud and an actionable roadmap to address shortcomings. What is my actual cloud service inventory/use? Do my existing controls meet industry and organisation standards? What is my inherent risk? What can I do to manage my risks and align to the goals of my business? Cloud Resilience Cloud Vigilance Application Security Infrastructure Security Cloud Provider Cyber Risk Governance Identity and Context On Premise Users Unsanctioned Cloud: Apps, Data and Infra SaaS New Cloud Services: Custom & SaaS IaaS Traditional Apps and Databases in the Cloud ? Cloud Data Protection Traditional Enterprise • Applications • Databases • Infrastructure Enterprise Networks and Legacy Data Centers Public Internet BYOD and Remote Users Protecting critical data in the cloud
  • 15. Securing your cloud architecture
    • Pinpoint solutions to mitigate cloud-related risks
    Diagram (labels only): on the enterprise side sits the enterprise security infrastructure; on the cloud side sit the cloud ecosystem portal, cloud platform/infrastructure, cloud applications, cloud IAM/GRC, cloud SIEM and analytics, cloud config management and cloud data protection. Flows shown between the two: user sync; application pass-through; platform pass-through; app./plat./infra. event data, data protection event data, configuration event data, IAM event data, security event data and network security infrastructure event data; event/usage data; security policy/configuration data; data security policy; keys and certificates; config. data. Cloud customers, remote users and on-premise users are shown with the access labels “strong/adaptive authentication” and “low risk access only”.
  • 16. Cloud cyber risk offerings overview: core cloud cyber risk offerings
    • Strategy: develop company strategy to manage cyber risk as the business moves to the cloud
      • Discovery and interviews to obtain risk posture (inherent and residual)
      • Develop a prioritised set of recommendations and strategic roadmap
    • Blueprint: develop a tailored blueprint of cloud risk capabilities to meet business needs
      • Cloud reference architectures for various cloud models together with recommended technologies
    • Implementation: put protection and governance capabilities into action to manage cloud cyber risks
      • Design and implement cloud security solutions
      • Design and implement platform-specific controls (e.g. SaaS-specific)
      • Design and implement identity for the cloud
      • GRC for the cloud, in the cloud: a pure cloud GRC stack for cloud vendors
    Scope considerations (help to scope and define cloud requirements):
    • Type of cloud: what type of ‘cloud’ is needed to meet business needs? Private, IaaS, PaaS, SaaS
    • Business objectives: how could cloud enable your business? Improve business agility, improve operating cost, enter new markets, etc.
  • 17. Cloud cyber risk offerings overview: Cloud Cyber Risk Strategy (from the “As Is” environment to the “To Be” environment)
    Activities:
    • Evaluate current state – inherent risk
      • Identify and categorise current cloud usage
      • Review cloud strategy for business usage
      • Review applicable risk and regulatory landscape
      • Determine security and compliance requirements
      • Determine providers’ controls from CSA
    • Assess residual risk for high-priority cloud services
      • Review high-priority cloud providers to determine existing controls
      • Review enterprise’s cloud security controls
      • Assess overall cyber risk
    • Develop initiative plans and strategic roadmap
      • Define cloud cyber risk program vision
      • Identify and prioritise recommendations
      • Develop strategic roadmap
    Deliverables:
    • Information security risk management framework, drawn as three pillars (Secure, Vigilant, Resilient) resting on governance, business objectives and foundational elements:
      • Secure: take a measured, risk-based approach to what we secure and how we secure it. Domains: risk and compliance management; infrastructure security; identity and access management; application security; data security; workforce management; training and awareness; third-party management; physical and environmental; integration with business processes; integration with IT processes
      • Vigilant: monitor systems, applications, people, and the outside environment to rapidly detect incidents more effectively. Domains: threat management; vulnerability management; endpoint monitoring; cybersecurity operations; risk analytics; insider threat monitoring
      • Resilient: be prepared for incidents and minimise their business impact. Domains: incident response and forensics; resiliency and recovery; crisis management; cyber simulations
      • Governance: organisation and operating model; strategy and roadmap; policies and standards; risk reporting and culture
      • Business objectives (business value): regulatory compliance; growth/innovation; operational efficiency; risk management
      • Foundational elements: know your third parties, your assets, your customers, your data, your employees, your attackers and your services/processes
    • Initial assessment results
    • Assessment results report including residual risk score
    • Cloud cyber risk program vision
    • Prioritised recommendations and strategic roadmap. The sample roadmap shown is for “Gap 3 – Data Protection”; each initiative is listed with its activities and objectives, resource estimate (FTEs and cost, which vary by scope and complexity) and inputs, and is plotted by quarter from Q3 FY13 to Q4 FY15 with a legend of priority activity, activity already planned, business activity and ISD activity:
      • Define policies and PII training (2 FTEs, $80K–$100K; inputs: none): adopt the revamped information security policy framework currently in development to serve as the baseline for the data protection and DLP strategy; move forward with PII training as described in the Gap 2 recommendations
      • Develop DLP strategy (2 FTEs, $80K–$100K; input: define policies): develop a strategy that defines the data to protect and the approved methods to protect it; consider database, tape and email encryption, and study the capabilities of existing products licensed by Company A
      • Data classification (3 FTEs, $275K–$300K; input: develop DLP strategy): establish data classification guidelines that consider conventions for initial classification and reclassification of information throughout the data life cycle, considering current usage as well as environmental and regulatory changes
      • Restrict flash drives and mobile data (1 FTE, $75K–$100K; input: develop DLP strategy): implement an automated policy to prevent data transfer to devices that are not encrypted, e.g. Microsoft BitLocker enforcement through Group Policy; ensure that mobile device protection is enforced based on policy and the DLP strategy
      • Select, pilot and test DLP solution, including email and database encryption (2 FTEs, $270K–$300K; input: data classification): evaluate criteria for DLP solutions based on data protection requirements, evaluate and identify the best-fit solution, conduct a proof of concept for the DLP solution, and test and deploy with select systems
      • Roll out DLP across Subsidiary A (4 FTEs, $700K–$750K; input: DLP solution): implement the DLP solution in a phased approach across the business
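The “restrict flash drives and mobile data” initiative above relies on BitLocker enforcement through Group Policy. As an added example that is not part of the deck, the PowerShell audit below checks on a Windows host whether the “deny write access to removable drives not protected by BitLocker” policy is in force and which mounted removable volumes are actually protected; it assumes the BitLocker and Storage modules are available and is run elevated.

```powershell
# Added example, not from the original slides. Audits BitLocker enforcement
# for removable drives on the local Windows host. Run from an elevated session.

function Get-RemovableDriveBitLockerPolicy {
    # When the GPO "Deny write access to removable drives not protected by
    # BitLocker" is applied, Windows stores it as this DWORD (1 = enabled).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $item = Get-ItemProperty -Path $key -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        PolicyKeyPresent       = Test-Path $key
        DenyWriteToUnencrypted = ($null -ne $item -and $item.RDVDenyWriteAccess -eq 1)
    }
}

function Get-RemovableVolumeProtection {
    # Correlate each mounted removable volume with its BitLocker state.
    # ProtectionStatus 'Off' means data copied to it leaves the host unencrypted.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            MountPoint       = $mount
            FileSystemLabel  = $vol.FileSystemLabel
            ProtectionStatus = $(if ($bl) { $bl.ProtectionStatus } else { 'Unknown' })
            EncryptionPct    = $(if ($bl) { $bl.EncryptionPercentage } else { 0 })
        }
    }
}

$policy = Get-RemovableDriveBitLockerPolicy
if (-not $policy.DenyWriteToUnencrypted) {
    Write-Warning 'RDVDenyWriteAccess is not enforced: unencrypted removable drives remain writable.'
}

# Report every removable volume; unprotected ones are the DLP gap the roadmap targets.
Get-RemovableVolumeProtection | Format-Table -AutoSize
```

The registry check reports what the host has received from Group Policy; pairing it with the per-volume status shows whether an exception or a stale policy has left an unencrypted removable drive writable.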
  • 18. Cloud cyber risk offerings overview: Cloud Cyber Risk Management Blueprint (from strategy and requirements to solution architecture)
    Activities:
    • Scoping and planning
    • Capability analysis
      • Strategy, governance, operations and support review
      • Understand existing capabilities and gaps aligned to the security strategy for cloud
      • Identify appropriate capabilities and controls to meet requirements
    • Capability design: architect the integration of capabilities
      • Architect and design capability integration across governance, secure, vigilant and resilient
      • Define SLAs, roles and responsibilities between enterprise and providers
    Deliverables:
    • Capability blueprint
    • Cloud reference architecture

Editor's Notes

  1. How different cloud service models and types will affect cost, ease of use, privacy, and security
  2. How different cloud service models and types will affect cost, ease of use, privacy, and security
  3. How different cloud service models and types will affect cost, ease of use, privacy, and security
  4. How privacy and security are managed by the cloud service provider (CSP)
  5. Policy, risk assessment and governance within cloud environments
  6. Using the cloud to store critical data and how to protect critical data in the cloud
  7. Using a combination of IAM, CASB (Cloud Access Security Broker) solutions and traditional solutions such as SIEM
  8. Using the cloud to store critical data and how to protect critical data in the cloud