3. Agenda
• Cloud service models and types
• Cloud Service Provider (CSP) standards
• Responsibility for securing data
• Cloud security and governance
• Protecting critical data in the cloud
• Cloud cyber risk offerings overview
• Questions
4. Cloud service models and types
Adoption of cloud technologies is rapidly becoming the norm.
• Private Cloud: tools that provide scalability and self-service on proprietary architecture
• Infrastructure as a Service (IaaS): on-demand and scalable compute, storage and networking hosted by a provider
• Platform as a Service (PaaS): collection of tools needed for application development hosted by a provider
• Software as a Service (SaaS): applications hosted by a provider and consumed by customers over the internet
• Personal Cloud: provider-hosted capabilities from storage, to media streaming, to collaboration, accessible through personal accounts
5. There are a variety of cyber risks associated with moving to the cloud. Common concerns include:
• Consumer/Shadow IT: business and consumers using cloud with or without cyber controls
• Third-party Risk: enterprises are dependent on cloud providers’ controls
• Concentrated Risk: cloud providers are a bigger target because “that’s where the data is”
• Modern Attack Surface: the walled enterprise is replaced by a hybrid, more complicated technology environment
• Controls Gap: traditional cyber risk controls need to extend to the cloud at a time when many enterprises are barely keeping up with existing threats
6. Cloud Service Provider (CSP) standards
Cloud security standards and their support by prospective CSPs and within the
enterprise should be a critical area of focus for cloud service customers.
The benefits of supporting key security standards are numerous:
• Standards promote interoperability, eliminating vendor lock-in and making it simpler to transition from one cloud service provider to another.
• Standards facilitate hybrid cloud computing by making it easier to integrate on-premises security technologies with those of cloud service providers.
• Standards provide a level of assurance that critical best practices are being followed both internally within an enterprise and by cloud service providers – certifications are available for several security standards.
• Standards support provides an effective means by which cloud service customers can compare and contrast cloud service providers.
• Standards support enables an easier path to regulatory compliance.
7. CSPs should know that it is in their interest to be transparent about their compliance with security standards. Customers, though, should always interrogate this information and ensure that it matches their expectations.
8. Responsibility for securing data
A shared responsibility model for cloud security, an approach by which both the CSP and its customers are accountable for certain aspects of security, is the ideal.
Enterprises must clearly define their own responsibilities, along with those of the CSP. A distinct line should be drawn that indicates which party is accountable, not only for certain aspects of data security, but for the security of applications, virtual machines, interfaces, service configurations and any artefact stored or processed in the cloud.
In practice, though, this is not generally a combined effort…
9. While cloud providers’ security is often a focus, managing cyber risk is a
shared responsibility between the enterprise and the cloud provider
[Figure: shared responsibility matrix. Columns are the deployment models Private Cloud (Self-Hosted), Private Cloud (Co-Located), IaaS, PaaS and SaaS; rows are the security layers Security Governance, Risk & Compliance (GRC), Data Security, Application Security, Platform Security, Infrastructure Security and Physical Security.]
10. The software industry is evolving to address cyber risks in the cloud
• Identity as a Service (IDaaS): the first and most mature capability in the cloud security market
• Data protection and governance is rapidly maturing into a common set of Cloud Access Security Broker (CASB) capabilities
• As enterprises mature, more advanced capabilities are emerging: will CASBs add capabilities, or will there be more acquisitions and partnerships?
[Figure: capability timeline from IDaaS, through CASB (Virtualisation, SIEM, Governance), to emerging capabilities (Analytics, Workflow, Orchestration)]
11. Cloud security and governance
There are several cloud-specific security standards that have been published,
including Cloud Security Alliance CCM, ISO/IEC 27017 and ISO/IEC 27018.
These standards provide quite detailed guidance and recommendations for
both cloud service customers and cloud service providers.
The standards are valuable tools to help customers shape their strategy for
cloud security. Though not exhaustive, they do provide a good initial source
of guidance in assessing Cloud Service Providers and help to highlight the
impact of utilising cloud services in their organisation.
12. While initial focus is often on compliance, many organisations are looking at
aligning controls to the actual risk in the cloud
[Figure: maturity (vertical axis) against time since cloud adoption (horizontal axis), rising through three stages]
• Compliant: achieve required compliance through the protection of regulated data
• Risk-aligned: integrate cloud technologies into the enterprise security architecture
• Adaptive: adapt controls to the evolving threats by discerning the context, relevance and required response
13. Protecting critical data in the cloud
• Build traditional security into your cloud
• Take a risk-based approach to your data and your choice of CSP
• Utilise the security features available from your CSP
• Complement their security features with your own
• Audit, Assess, Review, Repeat…often!
14. Assess cloud cyber risk and assemble a prioritised action plan
Deloitte Advisory’s Cloud Cyber Risk Assessment provides a broad analysis of a client’s current “point in time” state of
cyber risks in the cloud and an actionable roadmap to address shortcomings.
• What is my actual cloud service inventory/use?
• Do my existing controls meet industry and organisation standards?
• What is my inherent risk?
• What can I do to manage my risks and align to the goals of my business?
[Figure: assessment scope diagram. Assessment domains: Cloud Resilience, Cloud Vigilance, Application Security, Infrastructure Security, Cloud Provider Cyber Risk Governance, Identity and Context, Cloud Data Protection. Environment covered: the traditional enterprise (applications, databases, infrastructure) in enterprise networks and legacy data centers; on-premise users; BYOD and remote users over the public internet; unsanctioned cloud apps, data and infra; SaaS; new cloud services (custom & SaaS); IaaS; traditional apps and databases in the cloud.]
15. Securing your Cloud Architecture
[Figure: reference architecture linking the enterprise security infrastructure with the cloud ecosystem.
Actors: enterprise on-premise users, remote users and customers, reaching the cloud through strong/adaptive authentication (low-risk access only).
Cloud ecosystem: portal, cloud applications, cloud platform/infrastructure, cloud IAM/GRC, cloud SIEM and analytics, cloud config management, cloud data protection.
Enterprise security infrastructure: IAM, security event management, network security infrastructure, configuration management, data protection.
Data flows between the two: user sync; application and platform pass-through; app./plat./infra. event data; data protection event data; configuration event data; IAM event data; security event data; security policy/configuration data; data security policy; keys and certificates; event/usage data.]
• Pinpoint solutions to mitigate cloud-related risks
16. Core Cloud Cyber Risk Offerings
Strategy: develop company strategy to manage cyber risk as the business moves to the cloud
• Discovery and interviews to obtain risk posture (inherent & residual)
• Develop a prioritised set of recommendations and strategic roadmap
Blueprint: develop a tailored blueprint of cloud risk capabilities to meet business needs
• Cloud reference architectures for various cloud models together with recommended technologies
Implementation: put protection and governance capabilities into action to manage cloud cyber risks
• Design and implement cloud security solutions
• Design and implement platform-specific controls (e.g., SaaS-specific)
• Design and implement identity for the cloud
• GRC for the cloud, in the cloud: pure cloud GRC stack for cloud vendors
Scope Considerations (help to scope and define cloud requirements)
Type of cloud: what type of ‘cloud’ is needed to meet business needs?
• Private, IaaS, PaaS, SaaS
Business Objectives: how could cloud enable your business?
• Improve business agility, improve operating cost, enter new markets, etc.
17. Cloud cyber risk offerings overview
Cloud Cyber Risk Strategy: from the “As Is” environment to the “To Be” environment
Phase 1: Evaluate current state – Inherent Risk
Activities:
• Identify and categorise current cloud usage
• Review cloud strategy for business usage
• Review applicable risk and regulatory landscape
• Determine security and compliance requirements
• Determine providers’ controls from CSA
Deliverables: information security risk management framework; initial assessment results
Phase 2: Assess residual risk for high priority cloud services
Activities:
• Review high priority cloud providers to determine existing controls
• Review enterprise’s cloud security controls
• Assess overall cyber risk
Deliverables: assessment results report including residual risk score
Phase 3: Develop initiative plans & strategic roadmap
Activities:
• Define cloud cyber risk program vision
• Identify and prioritise recommendations
• Develop strategic roadmap
Deliverables: cloud cyber risk program vision; prioritised recommendations & strategic roadmap
[Figure: cyber risk framework (Business Value) used to structure the assessment]
Governance: Organization & Operating Model; Strategy & Roadmap; Policies & Standards; Risk Reporting & Culture
Business Objectives: Regulatory Compliance; Growth/Innovation; Operational Efficiency; Risk Management
Cyber Risk Domains:
• Secure (take a measured, risk-based approach to what we secure and how we secure it): Risk & Compliance Management; Infrastructure Security; Identity & Access Management; Application Security; Data Security; Workforce Management; Training & Awareness; Third Party Management; Physical & Environmental; Integration with Business Processes; Integration with IT Processes
• Vigilant (monitor systems, applications, people, and the outside environment to rapidly detect incidents more effectively): Threat Management; Vulnerability Management; Endpoint Monitoring; Cybersecurity Operations; Risk Analytics; Insider Threat Monitoring
• Resilient (be prepared for incidents and minimize their business impact): Incident Response & Forensics; Resiliency & Recovery; Crisis Management; Cyber Simulations
Foundational Elements: Know Your Third Parties; Know Your Assets; Know Your Customers; Know Your Data; Know Your Employees; Know Your Attackers; Know Your Services / Processes
[Sample roadmap deliverable: Gap 3 – Data Protection. Columns: Initiative; Activities & Objectives; Resource Estimate (1); Inputs]
Initiative: Define policies & PII training
• Adopt revamped information security policy framework currently in development to serve as baseline for data protection and DLP strategy
• Move forward with PII training as described in Gap 2 recommendations
Resource estimate: 2 FTEs, $80K - $100K. Inputs: none
Initiative: Develop DLP strategy
• Develop strategy that defines data to protect and approved methods to protect it
• Consider database, tape, and email encryption. Study capabilities of existing products licensed by Company A
Resource estimate: 2 FTEs, $80K - $100K. Inputs: Define Policies
Initiative: Data classification
• Establish data classification guidelines that consider conventions for initial classification and reclassification of information throughout the data life cycle, considering current usage as well as environmental and regulatory changes
Resource estimate: 3 FTEs, $275K - $300K. Inputs: Develop DLP Strategy
Initiative: Restrict flash drives and mobile data
• Implement automated policy to prevent data transfer to devices that are not encrypted, e.g. Microsoft BitLocker enforcement through Group Policy
• Ensure that mobile device protection is enforced based on policy and DLP strategy
Resource estimate: 1 FTE, $75K - $100K. Inputs: Develop DLP Strategy
Initiative: Select, pilot, and test DLP solution
• Evaluate criteria for DLP solutions based on data protection requirements. Evaluate and identify the best-fit solution.
• Conduct a Proof of Concept for the DLP solution. Test and deploy with select systems.
Resource estimate: 2 FTEs, $270K - $300K. Inputs: Data Classification
Initiative: Roll out DLP across Subsidiary A
• Implement the DLP solution in a phased approach across the business
Resource estimate: 4 FTEs, $700K - $750K. Inputs: DLP Solution
Timeline (Gantt chart, FY13 Q3 to FY15 Q4): Gap 3 Data Protection initiatives in sequence: PII training; define policies; develop DLP strategy; data classification; restrict flash drives and mobile data; select, pilot, and test DLP solution (incl. email and database encryption); roll out DLP across Subsidiary A. Legend: priority activity; activity already planned; business activity; ISD activity.
(1) Resource estimate varies by scope and complexity.
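The “Restrict flash drives and mobile data” initiative relies on the BitLocker Group Policy setting that denies write access to removable drives not protected by BitLocker. As an added audit example, not part of the deck or of any vendor tooling, the following PowerShell checks whether that policy is applied on an endpoint and reports the protection state of mounted removable volumes, the evidence an assessment like Gap 3 would collect. It assumes an elevated session on Windows 10/11 with the BitLocker PowerShell module available.

```powershell
# Added audit example (not from the deck): verify the BitLocker removable-drive
# policy and report the encryption state of removable volumes on this endpoint.
# Assumes an elevated session on Windows 10/11 with the BitLocker module present.

# The Group Policy setting "Deny write access to removable drives not protected
# by BitLocker" is delivered to clients under the FVE policy registry key.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableDrivePolicy {
    $denyWrite = (Get-ItemProperty -Path $fveKey -Name 'RDVDenyWriteAccess' `
                  -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    [pscustomobject]@{
        PolicyKeyPresent       = (Test-Path $fveKey)
        DenyWriteToUnprotected = ($denyWrite -eq 1)
    }
}

function Get-RemovableVolumeStatus {
    # Removable volumes come from the storage stack; BitLocker state from the BitLocker module.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $bl = Get-BitLockerVolume -MountPoint "$($vol.DriveLetter):" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive            = "$($vol.DriveLetter):"
            Label            = $vol.FileSystemLabel
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            EncryptionMethod = if ($bl) { $bl.EncryptionMethod } else { 'Unknown' }
        }
    }
}

$policy = Get-RemovableDrivePolicy
$policy | Format-List
if (-not $policy.DenyWriteToUnprotected) {
    Write-Warning 'Gap: writes to unencrypted removable drives are not blocked (RDVDenyWriteAccess is not 1).'
}

$volumes = @(Get-RemovableVolumeStatus)
if ($volumes.Count -eq 0) {
    Write-Output 'No removable volumes mounted.'
} else {
    $volumes | Format-Table -AutoSize
    # Any removable volume without BitLocker protection turned on is a finding.
    $volumes | Where-Object { $_.ProtectionStatus -ne 'On' } |
        ForEach-Object { Write-Warning "Unprotected removable drive: $($_.Drive)" }
}
```

Run it across a sample of endpoints (for example via a remote session) to confirm the policy has actually reached the fleet rather than relying on the GPO being linked.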
18. Cloud Cyber Risk Management Blueprint
From Strategy Requirements to Solution Architecture
Activities:
Scoping and Planning
Capability Analysis
• Strategy, governance, operations, and support review
• Understand existing capabilities and gaps aligned to security strategy for cloud
• Identify appropriate capabilities and controls to meet requirements
Capability Design
Architect the Integration of Capabilities
• Architect and design capability integration: Governance, Secure, Vigilant, Resilient
• Define SLAs, roles and responsibilities between enterprise and providers
Deliverables:
Capability Blueprint
Cloud Reference Architecture
Editor's Notes
How different cloud service models and types will affect cost, ease of use, privacy, and security
How privacy and security are managed by the cloud service provider (CSP)
Policy, risk assessment and governance within cloud environments
Using the cloud to store critical data and how to protect critical data in the cloud
Using a combination of IAM, CASB (Cloud Access Security Broker) solutions and traditional solutions such as SIEM