Cloud Governance at KBC, Cyber Security Coalition, 27 May 2020. Roel Wouters, Group Cloud Risk Manager, KBC Group NV.

Posted on 13-Jul-2020.

Page 1

Cloud Governance at KBC
Cyber Security Coalition

27 May 2020

Roel Wouters, Group Cloud Risk Manager, KBC Group NV

Page 2

1. Introduction

2. Wave 1: Office 365

3. Cloud Governance

4. Cloud Strategy

5. Wave 2: contained cases

6. Challenges

Page 3

1. Introduction

Page 4

Bio Roel Wouters

▪ Education

- MSc, Applied Biological Sciences cell & gene biotechnology (1993-1998)

- Post-academic ICT System Management (2000-2001)

- Certified Business Continuity Manager, AMBCI (2012)

▪ Experience

- Ghent University, Teaching Assistant (1998-2001)

- KBC

  ▪ Information Security Officer (2001-2008)

  ▪ Functional Analyst EAI (2008-2011)

  ▪ Operational Risk Advisor (2011-2018)

  ▪ Group Cloud Risk Manager (2018-…)

Page 5

KBC, a European Bank & Insurance Group

KBC group - our area of operation: KBC is an integrated bank-insurance group, catering mainly for retail, private banking, SME and mid-cap clients. Our core markets are Belgium, the Czech Republic, Slovakia, Hungary, Bulgaria and Ireland. Also present, to a limited extent, in other countries to support corporate clients from our core markets.

KBC group - clients, staff and network: Customers: 12 million. Staff: 41 000. Network: ca. 1 300 bank branches, insurance sales via own agents and other channels, various electronic channels.

KBC Belgium is a Belgian bank-insurer with 15 000 employees at various locations, each with their own dynamics.

Customers: 3,5 million. Staff: 15 000. Bank branches: 518. Insurance agencies: 355.

www.kbc.com

Welcome to KBC

As a bank-insurer, our purpose is to help all our stakeholders realise their dreams and protect them.

www.kbc.be

Page 6

KBC offers 3 Application Hosting Platforms

Page 7

2. Wave 1: Office 365

Page 8

Like many companies, we had a mix of applications and tools for collaboration and information…

Mail

Personal drive

Calendar

Tasks

Presence awareness

Chat

drive dienst

CCS net

drive DIR

Connections

Project drive

QuickrProject

Confluence

Bnet

Quickr

ADlog

HR4U

ICT net

Kennisbank

Pearl community

Mijn community

LN community

Pitch

Linkedin

Youtube

Facebook

Mail

Sametime/lync

Mail

Video call

Lync call

Softphone

We were facing several challenges:

❑ High complexity
❑ Old technology
❑ High ICT cost
❑ Huge amount of information
❑ Bumpy road to explore, find and share the right info.

Physical meeting

Phone

Conference call

Mobile

Video Conference

360 Video Conference

Page 9

Our business case: why O365 in the cloud?

▪ Lowering TCO by a factor of 3

▪ Improve operational stability

▪ Enable New Way of Working

▪ Enable Innovation & Digital Company

▪ Find adequate tools for delivering data security in a user friendly way

Much more than just moving email into the cloud…

Page 10

O365 regulatory approach

▪ Open & transparent relationships

▪ Acknowledge the ‘learning process’

▪ 3-way interaction MS – Supervisors – KBC

▪ Focus on specific “cloud services sensitive” compliance, legal and security related topics … in a forward-looking manner

▪ Baseline:

Page 11

Page 12

3. Cloud Governance

Page 13

Looking back in time

▪ Several cloud initiatives on (and under) the radar

▪ Business seeks, finds and starts using tools (SaaS)

▪ Related to Office 365 and the contacts with NBB/ECB: all data needs to be handled in a secure way

▪ Audit requirements in (group wide) cloud related cases

▪ In short: there was a gap that called for action!


Page 14

KBC’s answer: Cloud Enablement Forum

▪ Cloud Enablement Forum (CEF) has a business & IT mandate for each cloud case of BU BE or where IT BE is involved

▪ Mandatory decision body for each new cloud initiative or important change in scope of an existing cloud initiative

▪ Expert group that evaluates and authorizes each cloud case (PoC – PRO)

Business

IT Information Security Officer

Legal

Data Protection Officer

Architecture

Procurement

Business Information Security Officer

IT Operations & Development

Page 15

Scope Cloud Governance in BE / CEF

▪ “KBC Cloud Services” meet the following 3 criteria

1. Service is delivered over the Internet, and

2. Service is delivered by a 3rd party external to KBC, and

3. KBC-information stored or processed outside of KBC

▪ From cradle to grave, the full-life cycle of a cloud case

▪ Remark: EBA states all cloud is ‘outsourcing’, only a subset is ‘critical or important outsourcing’


Page 16

Goal Cloud Enablement Forum

Make sure we help our internal customer

▪ One place for all cloud-related questions

▪ Easy process / low threshold (post your question in the discussion forum)

▪ Template that assists take-in

▪ Quick response (weekly meeting via Skype), binding decision

➔ GO / GO with blocking conditions / NO GO

▪ Also preparatory body towards other decision levels when further approvals are needed

▪ Ensures the delivery of necessary (regulatory) output documents


Page 17

Critical or important cases

▪ Output documentation requirements

• Case summary: High-level description of the purpose

• High-level architectural overview: providing a quick conceptual overview of how the environment was set up, also showing the integrations with other on premise environments

• DPIA

• Legal summary

• E2E risk assessment of the Cloud provider

• E2E risk assessment of the implementation

• Exit strategy


Page 18

Full life-cycle of a cloud service

▪ Cloud Service Provider re-assessment period

- For ‘critical or important’ cases: by default every year

- For non-’critical or important’ cases: by default every 2 years

▪ The (B)ISO can decide to shorten or expand this period

• Maximum period for re-assessment is 5 years

• When certificates/attestations expire or when there is a significant change in the setup of the service it should trigger a re-assessment

▪ Outsourcing register is updated with new and/or terminated cloud cases


Page 19

Appreciation

▪ Cloud Enablement Forum is well-known and appreciated within Belgium and misses almost no cloud cases

▪ Also other KBC entities are more and more looking at cloud solutions and are launching cloud initiatives

▪ Belgium’s CEF approach is being copied by all KBC group entities


Page 20

4. Cloud Strategy

Page 21

‘Cloud First’ Assessment: Bought applications

Overall: Reuse before buy before build

▪ New functionality or heavy upgrade?

➔ look for cloud alternatives

▪ Evolution to SaaS (SaaS before PaaS)

Page 22

‘Cloud First’ Assessment: Own development

▪ New functionality with less or no integration with mainframe?

➔ Cloud Native Development

▪ Unlock public cloud PaaS services for integration in innovative applications

Page 23

Cloud enabled security & integration

‘Cloud First’ Assessment: Bought applications, Own development

Infrastructure:

▪ Access
▪ Security
▪ Storage
▪ Integration

Page 24

5. Wave 2: Contained Cases

Page 25

Enlarged scope: CSA repeatable cloud first deployment model

Identify the business drivers

Determine the stakeholders

Assess the organization’s assets

Select service and deployment model

Identify existing business controls

Design the new environment

Identify control gaps

Select a Cloud Service Provider

Negotiate SLAs

Build as required

Implement controls to fill the gaps

Launch

Monitor

Account

Verify solution to fill control gaps

Assess the Cloud Service Provider’s controls

Respond to incidents

Page 26

Contained cases: what?

▪ Mix of

- cloud services (SaaS, PaaS)

- business – IT

- CSP

▪ Deliver value for the contained cases

▪ Using benefits of the cloud (Agility, Availability, Elasticity)

▪ View on cost drivers – financial point of view: case by case

▪ Pave the way with the regulator

Learn and be ready for the next wave of cases

Page 27

Contained cases public cloud

Implementing our strategy. Laying the foundations for the future.

Quadrant axes: IT Focussed / Business Focussed; Business transformation / IT platform transformation

• K’Ching

• MS Dynamics

• Storage/archiving

• Dynatrace/ELK

• POC Testlab on cloud

• Milleman: IFRS17 calculations

• APP Your Service

• AWS landing zone

• Co-development environment

• Security: CASB

Remark: Cloud Enablement Forum (CEF) is mandatory for every case.

Most of the cases are in the upper right quadrant (Software as a Service).

Page 28

Arranging your time off

Assisting you when you’re feeling ill

Helping you work elsewhere

Informing you of your KBC Contact Points

Providing you with the latest KBC News

Bringing DOCK! closer to you

Listening to your suggestions

Giving you a safe KBC QR scanner

Let us guide you through your day

Telling you how KBC is doing

Page 29

6. Challenges

Page 30

Challenges today

▪ Cloud is everywhere and business is directly approached by SaaS vendors: “immediate solution”

▪ Time to market requires a fast and flexible response also from risk management, Legal & Compliance

▪ Contract negotiations with CSPs (can) take a very long time

▪ Regulators: good cooperation is important

▪ SaaS vendors add/remove features at their own speed

▪ Cloud usage requires new skills: cloud engineers

▪ Battle for talent is still going on in IT – skills are ageing fast


Page 31

Page 32

Questions?