3. 3
Disclaimer
The views and opinions expressed in this presentation are
those of the presenter and do not necessarily reflect the
position of any subsidiary of Barclays Bank PLC.
9. 9
Flight Planning
• What is the end-to-end route?
• What are the alternatives?
• Jurisdictions?
• Regulations?
• Regional Conflicts?
• Airspaces?
• Flight Manifest
10. 10
Push Back
Yes! It is manual…
What can’t the “aircraft” do by itself? - Risk Management
FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services - FCA
Guidelines on Outsourcing Risk Management to financial institutions (FIs) – New section on cloud computing - MAS
…use of engine thrust near terminals is restricted due to the possibility of jet blast damage.
11. 11
Taxiing
• Safest time to abort
• Preparing for Take Off!
• Security checks completed
• Service provider assurance completed
• Residual risks known
• Satisfy regulators (especially for material outsourcing)
moves on the ground following the yellow lines, to avoid any collision with the surrounding buildings, vehicles or other aircraft
12. 12
Take Off
• Dangerous Time to Abort
• Transition to Flying
• Cloud migration begins
• Migration speed under control
• Residual risks accepted
• Monitoring of emerging risks begins
aircraft goes through a transition from moving along the ground (taxiing) to flying in the air
13. 13
The Climb
• Lift of Wings
• Force must exceed aircraft weight
• Leverage automation
• Use policy enforcement technologies
• Manage policy administration (centrally)
aircraft has to climb to a certain altitude (typically 30,000 ft or 10 km) before it can cruise at this altitude in a safe and economic way
14. 14
Cruise
• Optimum performance
• Travel at cleared flight speed
• Continuous comms with ATC
• Adjustments to flight plan
• Agility and economy of scale
• Adapt security controls
• But... how do you control what you can’t see?
level portion of aircraft travel where flight is most fuel efficient
15. 15
Air Traffic Control - Visibility is key
CASB
Security Gateways
CSA STARWatch
3rd Party Risk Scoring
• Service provider security
• Supply chain security
• 4th Party Concentration risks
• Security of service objects
• Data security
17. 17
CSA FSSP
Cloud Security Alliance Financial Services Stakeholders Platform
• Regional (EU, APAC, Americas) and global mechanisms for security and privacy compliance
• Global best practices and de-facto standards for incident management and information sharing
• Technical solutions that can improve the security capabilities of the financial sectors
• Recommendations addressed to policy makers and regulators
• Awareness and educational materials addressed to regulators, financial service risk/security/compliance/audit officers, and cloud service providers
18. 18
Descent and Landing
• Dangerous time to abort
• Standard landing procedures
• Not many cloud adopters have made it this far
• Never wait till end of contract to have an exit strategy
19. 19
Questions
Many Routes to the Cloud, More Visibility Needed
You can’t protect what you can’t see
You can’t respond to what you don’t know
Shittu O. Shittu
Cyber Security Assurance & Innovation Centre (CSAIC)