The document discusses a comprehensive checklist for effective cloud security management, highlighting barriers, challenges, and opportunities for return on investment (ROI). It emphasizes the importance of understanding cloud security risks, implementing effective security measures, and developing skills and competencies in cloud security. Additionally, it outlines training programs and certifications available for building a career in cloud security.

1. Checklist for Competent Cloud Security
Management
Barriers and Challenges to Opportunities and ROI
Dr. Mariana Carroll
Cloud Advisor and Trainer

2. © Cloud Credential Council
Poll: Testing - can you hear us and see the slides?
A. Yes, I can hear you and see the slides
B. I can hear you, but not see the slides
C. I can see the slides, but not hear you
D. No, I cannot hear you or see the slides

3. © Cloud Credential Council
> Introduction: Cloud Credential Council
Tristano Vacondio
Marketing Manager
CCC
> Checklist for Competent Cloud Security Management: Barriers and Challenges to
Opportunities and ROI
Dr. Mariana Carroll
Cloud Advisor and Trainer
Mariana Carroll Consulting
Agenda

4. © Cloud Credential Council
A. IT training provider
B. IT consultant
C. IT training and consulting
D. IT practitioner
Poll: What is your area of work?

5. © Cloud Credential Council
A. Extensive experience (approx 6+ years)
B. Some experience (approx 4-6 years)
C. Intermediate (approx 1-3 years)
D. Little (up to 1 year)
E. None
Poll: How much IT security experience do you have?

6. © Cloud Credential Council
A. True
B. False
1. Customers in the same cloud can attack each other.

7. © Cloud Credential Council
A. True
B. False
2. External Internet threats are more
threatening in the cloud.

8. © Cloud Credential Council
A. True
B. False
3. You can't control where your data resides
in the cloud.

9. © Cloud Credential Council
A. True
B. False
4. Certifications are standard in a cloud
environment and provide assurance to subscribers.

10. © Cloud Credential Council
A. True
B. False
5. It is easy to change from one cloud provider to
another whenever I want to.

11. © Cloud Credential Council
Agenda
CCC Introduction
Background
What is the Current State of Cloud Security?
What are the common gaps and how do we address Cloud Security?
Stepping into Cloud Security Management
A Checklist to Ensure Secure Cloud Adoption and Use
Training and Development: Building a Career in Cloud Security
The Future of Cloud Security
Questions and Answers
Quiz Answers

12. © Cloud Credential Council
Introduction

13. © Cloud Credential Council
● Vendor Neutral
● International
● Non Profit
The Cloud Credential Council

14. Professional Cloud SeriesCCC Background

15. CCC Background (cont…)

16. © Cloud Credential Council
Certification Scheme

17. © Cloud Credential Council
Accreditation Scheme

18. © Cloud Credential Council
Checklist for Competent Cloud Security
Management
Barriers and Challenges to Opportunities and ROI

19. © Cloud Credential Council
Background
What is the Current State of Cloud Security?

20. © Cloud Credential Council
Journey to a Digital World
Business
Cloud
Mobile
Data
Social
business
IoT
Wearables
Hacktivists
Insiders
Espionage
Criminal
syndicates
States
Control
failure

21. © Cloud Credential Council
Cloud Characteristics
What is Cloud Computing?
cloud definition
“A network of remote servers hosted on the Internet and used to
store, manage, and process data in stead of local servers or
personal computers”.
Software-as-a-
Service (SaaS)
Platform-as-a-
Service (PaaS)
Infrastructure-as-a-
Service (IaaS)
Public cloud
Private cloud
Community cloud
Hybrid cloud
Virtual private clouds
● On-demand self service
● Broad network access
● Resource pooling
● Rapid elasticity
● Measured service
“A Cloud is a visible mass of tiny, condensed water droplets or ice crystals suspended in
the atmosphere”
CloudServiceModels
Cloud Deployment Models

22. © Cloud Credential Council
The State of Cloud Computing

23. © Cloud Credential Council
The State of Cloud Computing

24. © Cloud Credential Council
The State of Cloud Computing
Gartner:
• Highest growth
expected in IaaS
(38,4%)
• Solid growth across
public cloud services
• SaaS growing 20,3%
• Cloud management
and security services
growing 24,7%
• PaaS growing 21,1%
IDC: Hyper-convergence
spending will nearly double
from $806.8 million in 2015
to nearly $1.6 billion in 2016.

25. © Cloud Credential Council
The State of Cloud Computing

26. © Cloud Credential Council
The State of Cloud Computing
Key takeaways:
• Increased spending on
Security and Cloud Computing

27. © Cloud Credential Council
The State of Cloud Computing
Key takeaways:
• Increased spending on Security and
Cloud Computing
• Large need for Cloud Computing and
Security skills

28. © Cloud Credential Council
Background
What are the common gaps and how do we address
Cloud Security?

29. © Cloud Credential Council
What is Security?
Protecting information and information systems from unauthorised access, use, disclosure,
disruption, modification, or destruction in order to provide:
1. confidentiality, which means preserving authorised restrictions on access and
disclosure, including means for protecting personal privacy and proprietary information;
2. integrity, which means guarding against improper information modification or
destruction, and includes ensuring information nonrepudiation and authenticity; and
3. availability, which means ensuring timely and reliable access to and use of
information.
Information Systems Security (InfoSec):
Protection of information systems against unauthorised access to or modification of
information, whether in storage, processing, or transit, and against the denial of service to
authorised users, including those measures necessary to detect, document, and counter
such threats.
Source: SP 800-66; 44 U.S.C., Sec 3541, CNSSI-4009

30. © Cloud Credential Council
Security Considerations when moving to
the Cloud
Shadow ITThird party risks
Complex hybrid models
outside of traditional
“walls”
Controls gap
Single target for attack Resource capability
constraints

31. © Cloud Credential Council
Cloud Security Opportunities
Free up resources to focus on your core
Cloud providers are in the “business of IT” – security should be their main
concern
Beat the skills gap – cloud providers attract the specialists

32. © Cloud Credential Council
Cloud Security Responsibility

33. © Cloud Credential Council
A Risk-based Approach
Source: Deloitte (2015)

34. © Cloud Credential Council
Stepping into Cloud Security Management
A Checklist to Ensure Secure Cloud Adoption and Use

35. © Cloud Credential Council
Implementing Cloud Security MeasuresPlanningandscoping
What are the key business
objectives, needs or
challenges?
Look at the value proposition drivers of Cloud
adoption to meet business objectives or solve
existing need(s) or challenge(s).
List the key drivers for Cloud
adoption





Examples: Improve business agility, improve
operating cost, enter new markets.
Select the Cloud service model
that best suit the business need
and security requirements
 SaaS
 PaaS
 IaaS
 BPaaS
 Other
Why?
Select the best suited and
secure method of delivery
 Public
 Private
 Community
 Hybrid
Why?
CloudSecurity
Strategy

36. © Cloud Credential Council
Implementing Cloud Security Measures
Develop a security strategy to
manage risks as the business
moves to the cloud
 Evaluate the current state (Inherent Risk)
 Assess residual risk for high priority cloud
services
 Develop draft plans, policies and a
strategic roadmap
Develop a cloud security
reference architecture
(blueprint)
Develop a tailored Cloud Security reference
architecture (blueprint) for the various cloud
models together with recommended
technologies.
Implement security and
governance capabilities to
manage cloud security risks
 Design and Implement security controls
 Design and implement platform specific
controls (i.e., SaaS specific)
 Ensue adequate GRC+R across the
cloud and IT stack
DevelopaCloudStrategy
Formalise
Implement
Reviewandmonitor

37. © Cloud Credential Council
Cloud Security Competencies
• Knowledge of Information Technology concepts, Cloud Computing, IT security, Risk
management, Data security, Network security, Policy creation and maintenance, Regulatory
compliance, IT Governance, Business continuity / disaster recovery, Incident management,
System and application security, Security architecture, and Auditing / Assurance processes /
procedures
• Ability to evaluate business processes and IT technology landscapes, identify risks and
evaluate controls (including risk assessment, gap analysis, business impact analysis, etc.)
• Investigative, analytical and project management skills
• Ability to translate business needs and problems into viable and accepted solutions
• Ability to liaise with individuals across a wide variety of operational, functional, and technical
disciplines
• Effectively communicating with executive management to ensure support for the Cloud
Security program and effective reporting on metrics
• Advising and making recommendations regarding appropriate personnel, physical and
technical security controls

38. © Cloud Credential Council
Training and Development
Building a Career in Cloud Security

39. © Cloud Credential Council
Module 1: Course Introduction
• Course Agenda
• Case Study
• Activities
• Questions and Answers
Module 3: Security Threats and Challenges in Cloud
Computing
• Security and Compliance in the Cloud
• Cloud Operations
• Physical Security and Cloud Computing
Module 2: Security, Governance and Risks
• Cloud Computing Basics
• Security, Governance and Risk in IT
• Cloud Computing Security
Module 4: Security Management in Cloud Computing
• Identity and Access Management
• Data Classification
• Data Security Lifecycle
• Forensics in the Cloud
How far can the CCC Certification get you?

40. © Cloud Credential Council
Module 5: Legal, Contractual and Operational
Monitoring
• Legal and Regulatory Landscape
• Monitoring – Providers and Subscribers
• Security Operations in the Cloud
Module 7: Business Continuity, Disaster Recovery and
Capacity / Performance Planning
• Business Continuity (BC)
• Disaster Recovery (DR) Resilient Technology
• Capacity and Performance Planning for Cloud
Module 6: Network Security Management
• Network Management in the Cloud
• Vulnerability, Patch Management and Pen-Testing
• Cloud Security Architecture
Module 8: Advanced Cloud Security Management
• Container Cloud Security
• Secure Development Standards in Cloud
• Application Programming Interface API Security
Module 9: Security Planning, Standards and Cloud
• Cloud Security Planning
• Cloud Standards, Controls and Auditing
• Cloud Security Evolution
How far can the CCC Certification get you?

41. © Cloud Credential Council
Course Details
• Suggested delivery format is instructor-led classroom-based learning
• Suggested duration: 24 learning hours
Exam Details
• Online
• 25 Questions
• 45 Minutes
• No Prerequisites - however, it is recommended to attain the Cloud Technology Associate certification
• Supervision is via Webcam
• Closed book
• Pass rate of 70%
Course and Exam Details

42. © Cloud Credential Council
Building a Cloud Security Career

43. © Cloud Credential Council
The Future of Cloud Security
What is Next?

44. © Cloud Credential Council
Impact over the next 3-5 years

45. © Cloud Credential Council
What is Next?
Building Block Approach
Business and IT alignment
GRC+R
Fill the skills gap
Identify potential deal breakers & through careful analysis decide on the best approach!

46. © Cloud Credential Council
Questions and Answers

47. © Cloud Credential Council
It is not easy for an attack to be triggered by
another cloud subscriber in a multitenant cloud
environment. In addition, some cloud providers
offer options to further mitigate multitenancy
risks.
Cloud subscribers should evaluate their
applications and requirements and choose a
cloud provider and cloud offering based on the
needs of their applications.
1. Customers in the same cloud can attack each other.

48. © Cloud Credential Council
External Internet threats are real, but no more
threatening to the cloud than to any other service
delivery environment.
Enterprises deploying a private cloud must
provide the same level of scrutiny for both
detection and prevention that they would take
when deploying workloads using a hosting
provider or their own internal IT infrastructure.
2. External Internet threats are more
threatening in the cloud.

49. © Cloud Credential Council
This myth is easily addressed by selecting a cloud
provider that has a global footprint and offers data
accountability. When the workloads and
applications being moved to cloud require it, a
private cloud is a simple way to address data
governance.
3. You can't control where your data resides
in the cloud.

50. © Cloud Credential Council
Certifications are good reference points, but by
themselves they are insufficient proof that the cloud
provider will satisfy all of the subscribed
organization's security and compliance needs.
It is ultimately the cloud consumers who are
accountable for ensuring that their organizations'
security and compliance requirements are met.
Subscribers need to understand the security
capabilities and processes of their cloud provider
and not rely on certifications alone.
4. Certifications are standard in a cloud
environment and provide assurance to subscribers.

51. © Cloud Credential Council
In fact, the bottom lines of many niche cloud
providers require them to lock in their customers,
typically with long-term contracts or painfully high
early termination fees.
If you don’t go with an industry-leading provider,
make sure to read all the fine print and get a
professional second opinion.
5. It is easy to change from one cloud provider to
another whenever I want to.