5. Key Security Concerns
• CSP insider threat
• Identity and access management
• Data protection/Handling
• Data destruction
• Backup security
• Management Portal
• Incident Response
• Patching Vulnerabilities
• Shadow IT
6. Our Role
• Balance Agility with Security
• Lead the effort to a more secure cloud
• Build a cloud adoption strategy
7. Due Diligence Methods
• POC
• Trial Period
• Reference visits
• CSP site visit
• Review Audits
8. Key questions to assess CSP
• Reputation: Years in service; Previous incidents
• Access Control: Authentication Controls (Customer, Admins); Tenant Isolation
• Data Location: Server Location; Data retention on termination
• Audit Trail: What’s there for customers; Logs for privileged activities
• Recovery: Backup Frequency & Security; In line with your recovery objectives
• Compliance: Certifications; Future plans
• Encryption: For Data In Transit and At Rest; Who owns the key
• Legal: Jurisdictional/Dispute Location; Auto renewal
11. Resources
• How to Secure Data in the Cloud: Due Diligence
http://www.cloudcomputinginsights.com/security/how-to-secure-data-in-the-cloud-due-diligence/?mode=featured
• Cloud Controls Matrix Working Group
https://cloudsecurityalliance.org/group/cloud-controls-matrix/
• Cloud Computing Risk Assessment
https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment