This presentation explains the approach of a global utility company to identify the measures and controls available within a cloud service offering.

1. How secure is
your data in the
Clouds?

2. About the presenter
Senior IT security at a global utility company
Worked in IT infrastructure and consultancy roles for
twenty five years
Involved with security related roles and projects for the
last ten years.
Assessing the security of cloud solutions for the last five
years.

3. Scope
 This presentation will mainly discuss the issues around
adoption of Cloud services and data security, and the
approach of a multi-national utility company to cloud
service adoption.
 We will look at the issues, and the assessment and
selection of cloud service providers.
 How to minimise some of the loopholes with contracts

4. Recap - What is Cloud?
NIST – National Institute for Standards and Technology
The NIST Definition of Cloud Computing
Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing
resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal
management effort or service provider interaction.

5. Deployment and Service models
Cloud Deployment models
 Private cloud.
 Community cloud.
 Public cloud.
 Hybrid cloud.
Cloud Service models
 IaaS – Infrastructure as a service
 PaaS – Platform as a service
 SaaS – Software or Application as a service
 DBaaS – database as a service
 BaaS – Business as a service

6. Fundamental business requirements are enabled and
supported by cloud-based application platforms.
 Customer & Partner
Integration
 Digital products, services
& businesses
 Multi-Enterprise EcoSystem
 Digital Utility Market
Transformation
Business Drivers
 Quick response on
unpredictable demand or
requests of customers &
partners
 Time to market / quick
availability of services and
products to customers &
partners
 Flexible / scalable cost
(opex)
 Analysis of large data
volumes to predict
customer demand /
service adoption
Business Requirements Cloud Characteristics
Elasticity
• Ability to handle expected &
unexpected changes in load
High Performance Computing
• “Infinite” computing capacity
aligned with demand
Cost Flexibility
• Flexible IT costs (as you go model)
• Low costs of adoption
• Low exit cost
Speed
• Faster availability of business
functionality
Why are we doing it?

7. The portfolio of application platforms will diversify and the usage of public
cloud services will increase.
Dedicated
platforms
Virtual Servers
Dedicated
platforms
Private cloud
(Paas, Iaas) &
Virtual Servers
Public Cloud
(SaaS)
Dedicated
platforms
Private cloud
(Paas, Iaas)
&
Virtual Servers
Public Cloud
(SaaS)
2013 2016 2020
Others (Cloud, SaaS)
Public Cloud
(IaaS, PaaS)
Public Cloud
(IaaS, PaaS)
How will it change in the future?

8. How do organisations use Cloud services?
Sanctioned Cloud Services
 The IT organisation has assessed various CSPs
 Security options included in service
 Framework Contracts in place
 Services are re-assessed regularly
Shadow IT
 IT organisation has no knowledge
 Paid for out of department budgets
 No assessment of CSP
 Security enhancements missing

9. The Challenge
To assess the abilities of Cloud Service Providers
and their offerings to provide adequate
security for the data and applications that will
entrusted to them.

10. What do we need to know?
 Compliance
 Data Governance
 Human Resources
 Information Security Policy
 Legal
 Operation Management
 Risk Management
 Release Management
 Resiliency
 Security Architecture
Audit Planning
Independent Audits
Third Party Audits
Contact / Authority Maintenance
Information System Regulatory
Mapping
Intellectual Property
Management Program
Impact Analysis
Business Continuity Planning
Environmental Risks
Equipment Location
Equipment Power Failures
Power / Telecommunications

11. Example: Where are they going to
process our data and do we care?
Security approach EU vs USA
 Many public service providers are US based
 US does not have general data privacy legislation
 Safe Harbour was voluntary
 EU very restrictive (Even more so with GDPR)
 Strict rules on what can processed
 Strict rules on where it can be processed
If you plan to use Personal Data in a cloud solution you
need to know that EU rules will be followed

12. Sanctioned Cloud Services
How can you assess CSPs
and their service
offerings?

13. CSP selection - Issues and approach
 Traditional approach, compare third party
service offering with in house service hosting
 Cloud providers will not provide information
about their internal hosting and processes
 Unable to compare CSPs infrastructure model
directly
 Need to discover what we can from what
they publish
 Need to trust intermediary to verify security
measures not visible to us.
 Need to trust information sources.

14. Assessment Processes for Sanctioned
Services
What can you do for yourselves?
 CSA attestation (Cloud Security Alliance)
 Self Certified
 Audited once
 Ongoing auditing
 Custom assessment questionnaires
 What do you cover?
 ISO Accreditation
 SOC Audits

15. CSA - https://cloudsecurityalliance.org
 The Cloud Security Alliance (CSA) is the world’s leading
organization dedicated to defining and raising
awareness of best practices to help ensure a secure
cloud computing environment.
 Star Attestation is based on type 2 SOC attestations
supplemented by the criteria in the Cloud Controls
Matrix (CCM).
 Is based on a mature attest standard
 Does not require the use of any criteria that were not
designed for, or readily accepted by cloud providers
 Provides for robust reporting on the service provider’s
description of its system and on the service provider’s
controls, including a description of the service auditor’s
tests

16. Use of CSA Attestation
Where a CSP has filed a STAR attestation this can
be used as the basis for evaluation
 CSA 3.0.1 Link
This requires expertise to evaluate

17. Example Salesforce.com

18. Example - Microsoft

19. Custom assessment questionnaire
This can be used where there is no existing CSA
attestation or to tailor the information gathered.
 We created Cloud Risks and Controls Analysis
 This was based on CSA 1.3
 This highlighted areas we were particularly
concerned about
 We deleted topic areas about which we
were not concerned
 Process intensive, takes a lot of effort to keep
up to date
 Takes skill to operate
 Tools needs frequent updates

20. What should be covered by Contract?
There are a number of topics which may require
specific references in contracts with CSPs, some
examples:
 Location of processing of data
 Regular production of Audit reports, SOC2, etc.
 Regular report of results of pen testing
 Incident management process
 Change management process
Warning: Do not Expect CSPs do modify their service
to suit you!

21. Assessment Processes
What can you do if you don’t write your own
tool and the CSP is not CSA registered?
 Cloud Access Security Broker services
 Subscription services
 Monitor thousands of CSPs
 Regularly update compliance status
 Add new CSPs and services as they
become available
 Alert if CSP status changes

22. Shadow IT - Background
Shadow IT, also known as stealth IT, describes IT systems or solutions used
within an organisation without the approval, or often even the knowledge, of
corporate IT.
According to the customers of a major vendor of Cloud Service
Management Systems:
• 80% of employees admit to using unsanctioned SaaS
• Software-as-a-Service (SaaS) growing at 199%
• Infrastructure-as-a-Service (IaaS) growing at 122%
The intentions behind this practise are often good, but what appears to
employees to be a great solution, being cheap to buy, agile, and aiding
productivity, can be a huge downside to the company.
Shadow IT opens dangerous security holes that expose the corporate
network and the systems and data within it, to theft, malware, or loss.
There is no central co-ordination of procurement often leading to licensing,
technical and security issues.

23. How can the risks be mitigated?
Organisations which have an established security infrastructure can
monitor internet breakout and manually screen for unsanctioned cloud
service use.
This may be laborious and requires considerable house keeping effort to
keep up to date.
The use of a subscription service is probably going to be more secure
and cost effective, back to CASB services.
There are many tools and products available to evaluate what is
happening in the network.
Most have multi-functionality such as :
 Cloud service discovery
 Broker service
 Policy enforcement
Careful selection of functionality enables the creation of a service fit for
your purpose.
The Objective should be to help the business by helping them to
embrace the cloud service model and realise the benefits while guiding
them towards the more secure solutions.

24. Typical Cloud Service Broker Solutions
Feature SP1 SP2 SP3
Encryption of data leaving the enterprise X X
Tokenization of data leaving the enterprise X
Broker service X X X
Classification of Information X
Cloud service discovery X X X
Investigate Usage X X
Malware Detection X
Discover anomalous behaviour X X
Event Alerting X X
DLP Solution X X X
Policy Enforcement X X
Enable Historical Analysis X
Cloud based service portal X X X
Products for major CSPs X X
SSL Inspection
Central Breakout agnostic (Can cover local breakout) X
Filtering
In Line Protection X
Integrates with SIEM X X
SaaS X X X
IaaS X X
PaaS X X
Customer keeps the keys X

25. Summary
 To operate securely in the cloud care must be taken to
select the right cloud service provider.
 Information a CSP will provide directly to the consumer
is limited.
 They may provide more information via the CSA or to
broker services.
 Contract clauses should cover specific important
areas of compliance
 Maintaining you own tools requires a lot of effort and
knowledge.
 Broker services may be appropriate, particularly if it is
intended to use many different CSPs.

26. Questions?