
Cloud Security: A Government Step Change


A presentation given by Tony Richards of IACS at the Central Government Strategy Forum in December 2015, on the changes to government security assurance for G-Cloud services, including how to use the G-Cloud security approach and Supplier security assertions, both as part of the service procurement and selection process and to assist in the assurance of the Supplier's security.

Published in: Government & Nonprofit

  1. CLOUD SECURITY: A GOVERNMENT STEP CHANGE. With Tony Richards.
  2. WHO WE ARE: THE EXPERT SECURITY ADVISORS (WWW.IACS-LLP.COM). G-CLOUD.
     • Suppliers offer commodity cloud services.
     • Published via www.gov.uk/digital-marketplace.
     • UK Government buyers select and purchase best-fit services.
  3. OLD RULES – BAD BADGES.
     • Suppliers submitted services to a Pan Government Accreditation (PGA) service.
     • In 3 years, out of 19,000 services, only 200 were Pan Government Accredited.
     • Buyers were biased towards the PGA-badged services.
     • A PGA-badged service may not have been appropriate or proportional.
  4. USER SECURITY NEEDS.
     • Move away from centralised compliance to principles-based risk management.
     • Align security with the commercial offerings of commodity services.
     • Simplified: offer a service, state the security.
     • Buyers select what is relevant and proportional.
  5. G-CLOUD SECURITY APPROACH – CLOUD SECURITY PRINCIPLES.
     1. Data in transit protection
     2. Asset protection and resilience
     3. Separation between consumers
     4. Governance framework
     5. Operational security
     6. Personnel security
     7. Secure development
     8. Supply chain security
     9. Secure consumer management
     10. Identity and authentication
     11. External interface protection
     12. Secure service administration
     13. Audit information provision to consumers
     14. Secure use of the service by the consumer
     51 security assertions: select appropriate answers, state appropriate evidence.
  6. G-CLOUD SECURITY APPROACH.
     • Suppliers' security information is published as part of their service description on the UK Digital Marketplace.
     • Buyers can assess Suppliers' services relevant to their business needs and make pragmatic risk management decisions from a position of knowledge.
  7. TRANSPARENCY.
     • Suppliers state what security they currently have in place.
     • No wrong answer, no minimum baseline.
     • Suppliers can update the security information at any time, for any change.
     • Transparency, not compliance.
  8. MANAGE THE RISK – MINIMUM SECURITY PROFILE. Buyers should develop a minimum Security Profile for the service:
     1. Identify any legal or regulatory requirements or constraints.
     2. Agree with the business any security or risk "Red Lines".
     3. Identify applicable security questions.
     4. Determine the minimum security assertions that meet your security requirements.
     5. Select the minimum supporting approaches that meet your Risk Appetite.
  9. SERVICE SELECTION.
     • Using the assertions in the Security Profile, Buyers can incorporate security into the selection criteria for filtering the Digital Marketplace to create the Supplier Long List.
     • Buyers can also utilise the supporting assurance mechanisms to develop a set of criteria for filtering the Long List to create the Supplier Short List.
  10. SUPPLIER DISCUSSIONS.
     • On request, Suppliers should provide further details supporting their security assertions, and additional information about their supporting approaches, with references where relevant.
  11. SERVICE ASSURANCE.
     • The consuming organisation's Security Team can compare the Supplier's security assertions, and the evidence for their stated supporting approaches, against the Security Profile.
     • The consuming organisation's Security Team can then identify any gaps, or areas which require additional assurance activities.
     • A winning G-Cloud service should be BEST FIT, and does not need to be 100% perfect.
  12. USEFUL LINKS.
     • https://www.gov.uk/government/collections/cloud-security-guidance
     • https://digitalmarketplace.blog.gov.uk/2014/11/04/the-g-cloud-6-security-questions/
  13. WHO ARE IACS?
     • WE ARE SECURITY EXPERTS that understand business.
     • WE ARE DIFFERENT. We thrive on solving challenges pragmatically at low cost.
     • WE BRING BIG 4 EXPERIENCE. Low overheads enable us to be flexible and value driven.
     • GROWING UK SME WITH CREDIBILITY. Working with UK Government, European and Asian FS clients and partners.
     • WE INVEST IN OUR PEOPLE. We are ISO27001 LAs, ex-CLAS, CCP, CISSP, CSA CCSK, CSA STAR Advanced Auditors, TOGAF and Cyber Essentials certified.
     Practice areas: CLOUD SECURITY, CYBER SECURITY, SECURITY and COMPLIANCE, THREAT and VULNERABILITY.
  14. UK GOVERNMENT EXPERIENCE.
     CLOUD SECURITY / CYBER SECURITY:
     • Carried out a discovery exercise and then re-architected and assured a government department's applications, including full audit and accreditation.
     • Provided advice and guidance on cyber security and secure architecture to a government agency.
     • Providing an outsourced and managed security service to a government agency.
     • A non-government organisation's key applications secured and assured as part of the implementation of cloud-based corporate services.
     • Architected and assured a government agency's key applications' migration to cloud infrastructure.
     • Developed the UK government's security approach for cloud services.
     THREAT and VULNERABILITY:
     • A government agency's applications penetration tested and assured annually as part of a managed security service, including cloud services.
     • Conducted penetration testing and IT health checks on a range of secure systems across a number of prisons.
  15. CONTACT US.
     • Information Assurance Consulting Services LLP
     • Unit 7 Park Farm, Tyringham, Newport Pagnell, MK16 9ES
     • See our G-Cloud 7 services on the Digital Marketplace:
       • Cloud Security Architecture Service – G-Cloud ID: 7795260587117876
       • Certified Cyber Security Consultancy and Cloud Assurance – G-Cloud ID: 7126790914748078
       • Cloud IT Health Check Services – G-Cloud ID: 7262973877382092
       • Cloud Security Managed Services – G-Cloud ID: 7731390423841686
     • EMAIL: g-cloud@iacs-llp.com
     • WEB: www.iacs-llp.com
     • TEL: 0845 519 6138
     • TWITTER: @IACSLLP
  16. ANY QUESTIONS? WWW.IACS-LLP.COM
