1. cloud
Wayne Anderson
@NoCo_Architect

2. @NoCo_Architect
@AccentureSecurity
@schneierblog
@threatintel
@Tripwireinc
@mkrigsman
This presentation does not constitute a professional advisory
relationship and does not necessarily represent the official opinions
of Avanade Inc or its partners and parents.

3. “
”Aristotle (384-322 BC)

4. And lets be clear:
There are a lot of really interesting security
investments available to the modern complex
enterprise.
Among the most effective in “new” models is
cloud analytics backed threat analysis.
We are surrounded by
cloud marketing.

5. Plan
Deliver
Operate
Manage
Who holds the due diligence documentation? Has it been revisited? Does your
contract match your business needs? How do you know? When is the last time
you measured what your residual risk is for ServiceX? ServiceY?
Who owns the incident? Where does your organization pick up investigation?
What specific evidence artifacts will your vendor turn over to you? Can you
even read them? Have you ever tested your incident processWITH your
vendor(s)?
How are you communicating your top risks to your vendor(s)? Do you know
what those vendors’ top risks are likely to be? Checklist: Risk Registry, Record
of RiskTreatment, Record of Risk Acceptance
Does your organization know who is responsible for the vendor(s)? Do you have
a map of who internally is the escalation contact for ServiceX and ServiceY?
What internal services depend on which external services?
http://www.microsoft.com/mof
How does security plug into what you need to do with a cloud vendor? What are
the connections between your vendor and your systems? Are there
appropriate data boundaries over which certain data should not move?
1

6. Plan
Deliver
Operate
Manage
Who holds the due diligence documentation? Has it been revisited? Does your
contract match your business needs? How do you know? When is the last time
you measured what your residual risk is for ServiceX? ServiceY?
Who owns the incident? Where does your organization pick up investigation?
What specific evidence artifacts will your vendor turn over to you? Can you
even read them? Have you ever tested your incident processWITH your
vendor(s)?
How are you communicating your top risks to your vendor(s)? Do you know
what those vendors’ top risks are likely to be? Checklist: Risk Registry, Record
of RiskTreatment, Record of Risk Acceptance
Does your organization know who is responsible for the vendor(s)? Do you have
a map of who internally is the escalation contact for ServiceX and ServiceY?
What internal services depend on which external services?
How does security plug into what you need to do with a cloud vendor? What are
the connections between your vendor and your systems? Are there
appropriate data boundaries over which certain data should not move?
ITIL 2011

7. • AmitYoran, RSA, 2015
• PwC with CIO and CSO Magazines, September 2015
• Available from PwC with targeted guidance for Retail and Financial Services
• Gartner, July 2015
2

8. • http://www.opensecurityarchitecture.org/cms/library/patternlandscape/
• Cloud SecurityAlliance –Trusted Cloud Reference Architecture
• FedRAMP
• https://www.fedramp.gov/

9. http://ithandbook.ffiec.gov/what's-new.aspx
3

10. http://ithandbook.ffiec.gov/what's-new.aspx
3
Use analysts to save you time and money.
Gartner, Forrester, PwC, Accenture Research,
Symantec, IO Active
Can help in “knitting” together multiple
applicable governance frameworks.
Industry offerings like Unified Compliance
Framework are also dedicated to the problem.

11. https://www.accenture.com/us-en/insight-cybersecurity-research-report.aspx
4

12. (ISO 20000, ITIL, MOF)
(Surveys, Cross-IndustryAnalysts)
(Published guidance)

13. “
”
@NoCo_Architect wanderson@wanderson.org