Cloud Ready or Steam Rolled?
Larry Whiteside Jr.,
VP, Healthcare and Critical Infrastructure, oCISO
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
2
Agenda
1. Enterprise IT and Cloud: Trends
2. Concerns over Cloud Adoption and Risks
3. Seven Cloud Security Tips
4. Summary
3
“The ability to adapt quickly is less of an advantage when everyone can do it; rather, not adopting cloud is becoming a competitive disadvantage.”
- HBR, “Cloud: Driving a Faster, More Connected Business” (2015)
4
Rise of Cloud Usage
• Growth of traditional IT will be 5 percent vs. 30 percent in Cloud.
• 11% shift of IT budget from in-house IT to cloud (Goldman Sachs, 2015).
• 59% of the total cloud workloads will be Software-as-a-Service (SaaS) workloads, up from 41 percent in 2013 (Cisco, 2015).
(Chart: Cloud Adoption: By Industry)
Uptake of cloud in these offerings may mean your data is ALREADY cloud hosted.
**Source: SkyHigh Cloud Adoption Risk Report 2014
5
Seven Tips
1. Understand Your Cloud Risk Appetite
2. Adopt a Control Baseline
3. Don’t Underestimate Learning Curves
4. Centralize Procurement and Assessments
5. Identify and Understand Existing Usage
6. Align Identity and Access to Cloud Strategy
7. Ready your DR and Incident Plans
6
Tip 1: Understand Your Cloud Risk Appetite
• How transparent are our CSPs?
– Control visibility
– Roles & responsibilities
• Do we have inaccurate assumptions?
– Our security is better!
– Their security is worse!
• Do CSP capabilities match our needs?
– May impact compliance efforts
– Controls may not cleanly translate
7
Real Enterprise Cloud Risks
Control Validation and Security Posture
– Risk: Lack of transparency in controls at the provider
– Risk: Inability to maintain governance across multiple providers
Uncontrolled Storage and Service Usage Awareness
– Risk: Data exfiltration - can you tell if it’s okay or not?
– Risk: Uncontrolled service usage (“Shadow IT”)
Enterprise Application and Infrastructure Architecture
– Risk: Approaching cloud designs in a 1:1 manner – expensive and inefficient
– Risk: Not balancing service provider controls and your own
8
Evolution of the CISO to CIRO
The focus has changed from protecting the IT infrastructure to managing the information risk to the organization.
From CISO (securing the organization) to CIRO:
• Information Security – Secure the internal organization
• Third-Party Risk Management – Understand and manage the risk of third parties
• Regulatory Compliance Management – Understand and manage regulatory risks
• Business Acumen – Communicate information risk in business terms
9
Tip 2: Adopt a Control Baseline
Going down (left to right):
• You (IT) do it
• Direct control
• More cost
• Slower to deploy
Control Frameworks
• CSA’s Cloud Control Matrix
• ISO 27001:2013
• ISO 27017, 27018
• NIST 800-53/FedRAMP
*Source: “Security Guidance for Critical Areas of Focus in Cloud Computing” (Cloud Security Alliance, 2011).
10
Tip 3: Don’t Underestimate Learning Curves
Ease of Use – Great Power, Great Responsibility
Architecture and Workload Planning
Additional Layer of Security Management
• Console access
• VM access
• User key management (IAM)
• ACLs for data and services
11
Tip 4: Centralize Procurement and Assessments
• Facilitates thorough, uniform control selection
• Key partnerships must be developed:
– Procurement – due diligence
– Privacy and Legal – contracts, policy, incident
– IT – architectural considerations, cost, performance
– Security – risk analysis, control design, policy enforcement
– Line of business – education on usage, consumption and access
• Consolidate into third-party governance processes where possible
12
Tip 5: Identify and Understand Existing Usage
Potential Sources:
• Asset inventories
• Endpoint solutions
• Proxy server logs
• NetFlow data
• Data leak prevention solutions
• Cloud access security brokers
• Accounting & expense reports
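Proxy server logs are the source on this list most organizations already have. As an added example (not from the slides or from Optiv), the script below takes a few constructed proxy log lines, maps destination hosts to a hypothetical catalogue of cloud services marked sanctioned or not, and summarises per-service users, request counts and uploaded volume so unsanctioned "Shadow IT" with significant outbound data stands out. The log format, the catalogue domains and the upload threshold are all assumptions for illustration.

```python
"""Shadow-IT discovery from proxy logs (added example, not from the slides).

Assumed log format, one request per line:
    <timestamp> <user> <src_ip> <method> <host> <status> <client_bytes>
"""
import re
from collections import defaultdict

# Hypothetical service catalogue: domain suffix -> (service name, sanctioned?)
CLOUD_CATALOGUE = {
    "example-crm.com": ("ExampleCRM", True),
    "files.example-share.net": ("ExampleShare", False),
    "storage.example-cloud.io": ("ExampleObjectStore", False),
}

# Constructed sample log lines in the assumed format (not real traffic).
SAMPLE_LOG = """\
2016-03-01T09:12:01Z alice 10.1.2.3 POST api.example-crm.com 200 5120
2016-03-01T09:13:44Z bob 10.1.2.7 PUT files.example-share.net 201 4194304
2016-03-01T09:15:02Z alice 10.1.2.3 PUT storage.example-cloud.io 200 1048576
2016-03-01T09:16:30Z carol 10.1.2.9 GET www.news-site.example 200 20480
2016-03-01T09:17:11Z bob 10.1.2.7 PUT files.example-share.net 201 8388608
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify_host(host):
    """Return (service, sanctioned) for the longest catalogue suffix matching host, else None."""
    best = None
    for suffix, info in CLOUD_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, info)
    return best[1] if best else None


def summarise(log_text):
    """Aggregate usage per known cloud service: users, requests, total and uploaded bytes."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        info = classify_host(m["host"])
        if info is None:
            continue  # destination is not a catalogued cloud service
        service, sanctioned = info
        s = stats.setdefault(service, {
            "sanctioned": sanctioned, "users": set(),
            "requests": 0, "bytes": 0, "upload_bytes": 0,
        })
        n = int(m["bytes"])
        s["users"].add(m["user"])
        s["requests"] += 1
        s["bytes"] += n
        if m["method"] in ("PUT", "POST"):  # client-to-cloud transfers
            s["upload_bytes"] += n
    return stats


def unsanctioned_report(stats, upload_threshold=1_000_000):
    """Names of unsanctioned services whose uploaded volume reaches the threshold."""
    return sorted(
        name for name, s in stats.items()
        if not s["sanctioned"] and s["upload_bytes"] >= upload_threshold
    )


if __name__ == "__main__":
    usage = summarise(SAMPLE_LOG)
    for name, s in sorted(usage.items()):
        flag = "sanctioned" if s["sanctioned"] else "UNSANCTIONED"
        print(f"{name:20s} {flag:13s} users={len(s['users'])} "
              f"requests={s['requests']} uploaded={s['upload_bytes']}")
    print("review:", unsanctioned_report(usage))
```

The output is a starting point for the conversation with the line of business, not a verdict: the speaker notes on this slide point out that proxy logs need SSL/TLS inspection to see most of this traffic, so hosts the proxy cannot decrypt or that bypass it will not appear in the summary.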
13
Tip 6: Align Identity and Access to Cloud Strategies
• Forces the issue of identity as the perimeter
• Access Enforcement Considerations:
– Fully integrated (authentication/access)
– Centralized authentication & local access control
– Standalone authentication and access control
• May worsen existing IAM processes if unplanned
14
Tip 7: Ready DR and Incident Response Plans
• Cloud is not immune from DR tests
• Incident response tests – simulate CSP
– Validate recovery
– Prepare contingencies
• Understand CSP response capabilities
– Legal hold process
– Forensics support (integrity, CoC)
• CSP uptime measurement formulas vary
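An added example (not from the slides or from Optiv) of why the last bullet matters when reading an SLA: one constructed outage record for a 30-day month is scored under three assumed availability formulas. The formulas, zone names, dates, outages and maintenance window are all constructed for illustration and do not describe any particular provider's terms; the point is that the same incidents yield different uptime figures depending on what the contract counts as downtime.

```python
"""Availability under differing SLA formulas (added example, not from the slides)."""
from datetime import datetime, timedelta

MINUTE = timedelta(minutes=1)


def _iv(start, end):
    """Parse an ISO 8601 interval into (datetime, datetime)."""
    return (datetime.fromisoformat(start), datetime.fromisoformat(end))


# Constructed 30-day billing month.
MONTH_START = datetime(2016, 4, 1)
MONTH_END = datetime(2016, 5, 1)

# Constructed deployment across two hypothetical zones.
ZONES = {"zone-a", "zone-b"}

# Constructed outages: (start, end, zones affected).
OUTAGES = [
    (*_iv("2016-04-03T02:00", "2016-04-03T03:30"), {"zone-a"}),            # 90 min, one zone only
    (*_iv("2016-04-10T14:00", "2016-04-10T14:20"), {"zone-a", "zone-b"}),  # 20 min, both zones
    (*_iv("2016-04-20T01:00", "2016-04-20T01:45"), {"zone-a", "zone-b"}),  # 45 min, both, in maintenance
]

# Constructed: the provider's announced maintenance window.
MAINTENANCE = [_iv("2016-04-20T00:00", "2016-04-20T04:00")]


def _minutes(start, end):
    """Length of [start, end) in minutes; zero if the interval is empty or inverted."""
    return max(0.0, (end - start) / MINUTE)


def _overlap_minutes(start, end, windows):
    """Minutes of [start, end) that fall inside any of the given windows."""
    return sum(_minutes(max(start, ws), min(end, we)) for ws, we in windows)


def availability(outages, formula):
    """Percent availability for the month under one of three assumed formulas.

    'all_minutes': every outage minute counts as downtime.
    'excl_maint' : outage minutes inside announced maintenance are excluded.
    'multi_zone' : only minutes when every zone is down count as downtime.
    """
    month_minutes = _minutes(MONTH_START, MONTH_END)
    down = 0.0
    for start, end, zones in outages:
        mins = _minutes(start, end)
        if formula == "all_minutes":
            down += mins
        elif formula == "excl_maint":
            down += mins - _overlap_minutes(start, end, MAINTENANCE)
        elif formula == "multi_zone":
            if zones == ZONES:
                down += mins
        else:
            raise ValueError(f"unknown formula {formula!r}")
    return round(100.0 * (1 - down / month_minutes), 4)


def meets_sla(outages, formula, target_pct):
    """True if the month's availability under the formula reaches the SLA target."""
    return availability(outages, formula) >= target_pct


if __name__ == "__main__":
    for f in ("all_minutes", "excl_maint", "multi_zone"):
        print(f"{f:12s} {availability(OUTAGES, f):.4f}%  meets 99.9? {meets_sla(OUTAGES, f, 99.9)}")
```

When comparing providers or negotiating credits, normalise their figures to the formula your own DR plan assumes (usually "all_minutes" for a single-region workload) before deciding whether a stated uptime is adequate.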
15
Plan, Build, Run
• Understand Cloud Risk Appetite
• Adopt a Control Framework
• Ready and Train Your Staff
• Develop DR & Incident Response Plans
• Align to IAM Strategy
• Centralize Procurement
• Identify Existing Usage
16
Summary
• Security fundamentals extend to the cloud environments
• Leverage industry frameworks for controls & measurement
• Prepare contingency and incident plans
• Engage CSPs & stakeholders to manage risks
17
Questions
Larry Whiteside Jr.
VP, Healthcare and Critical Infrastructure
Larry.Whiteside@optiv.com
@LarryWhiteside

Editor's Notes

  • #3 Story about cloud taking over the world..
  • #4 “Pretty sure” Cloud is in use. “Absolutely sure” it is not in use. Proliferation of disparate credentials.
  • #6 There are other considerations such as logging which also have cloud implications. However, these are where most organizations
  • #7 Lack of transparency by providers. Control visibility. Lack of clarity over responsibilities. Inaccurate assumptions: Our security is better! Their security is worse! Disparate security requirements may impact compliance efforts. Control disparate compliance requirements. Lack of transparency by providers. Lack of clarity over responsibilities. When is access by a CSP or requestor acceptable?
  • #8 Cloud has accelerated the need to think holistically about security up and down the supply chain.
  • #11 It can be like cooking in a kitchen you’ve never been in. You know where the pots and pans are but some of the ingredients may not be in the same spot.
  • #13 Asset inventory – requires agent penetration and validation. Endpoint – same issue; may not cover all platforms. Proxy servers – may require SSL/TLS ICAP-enabled inspection. NetFlow – source and destination at the farthest egress is too large for bigger enterprises. Accounting and expense – effective when company cards are used or existing usage is expensed back; will not capture personal usage.
  • #15 June 2014 – Git and Subversion hosting platform Codespaces was hit with an attack. Took over the AWS console. Ransom – demanded payment. Codespaces took over the console again but was too late. All data was deleted. Company had to shut down.