TRANSCRIPT
Cloud Governance at KBC
Cyber Security Coalition
27 May 2020
Roel Wouters, Group Cloud Risk Manager, KBC Group NV
KBC Group NV
Public
1. Introduction
2. Wave 1: Office 365
3. Cloud Governance
4. Cloud Strategy
5. Wave 2: contained cases
6. Challenges
1. Introduction
Bio Roel Wouters
▪ Education
- MSc, Applied Biological Sciences cell & gene biotechnology (1993-1998)
- Post-academic ICT System Management (2000-2001)
- Certified Business Continuity Manager, AMBCI (2012)
▪ Experience
- Ghent University, Teaching Assistant (1998-2001)
- KBC
▪ Information Security Officer (2001-2008)
▪ Functional Analyst EAI (2008-2011)
▪ Operational Risk Advisor (2011-2018)
▪ Group Cloud Risk Manager (2018-…)
KBC, a European Bank & Insurance Group
KBC group - our area of operation: KBC is an integrated bank-insurance group, catering mainly for retail, private banking, SME and mid-cap clients. Our core markets are Belgium, the Czech Republic, Slovakia, Hungary, Bulgaria and Ireland. Also present, to a limited extent, in other countries to support corporate clients from our core markets.
KBC group - clients, staff and network: Customers: 12 million; Staff: 41 000; Network: ca. 1 300 bank branches, insurance sales via own agents and other channels, various electronic channels.
KBC Belgium is a Belgian bank-insurer with 15 000 employees at various locations, each with their own dynamics.
Customers: 3,5 million; Staff: 15 000; Bank Branches: 518; Insurance Agencies: 355
www.kbc.com
Welcome to KBC
As a bank-insurer, our purpose is to help all our stakeholders realise their dreams and protect them.
www.kbc.be
KBC offers 3 Application Hosting Platforms
2. Wave 1: Office 365
Like many companies, we had a mix of applications and tools for collaboration and information…
(Figure, tools shown: Personal drive, Calendar, Tasks, Presence awareness, Chat, drive dienst, CCS net, drive DIR, Connections, Project drive, Quickr Project, Confluence, Bnet, Quickr, ADlog, HR4U, ICT net, Kennisbank, Pearl community, Mijn community, LN community, Pitch, Youtube, Sametime/Lync, Video call, Lync call, Softphone, Physical meeting, Phone, Conference call, Mobile, Video conference, 360 Video conference)
We were facing several challenges:
❑ High complexity
❑ Old technology
❑ High ICT cost
❑ Huge amount of information
❑ Bumpy road to explore, find and share the right info.
Our business case: why O365 in the cloud?
▪ Lowering TCO by a factor of 3
▪ Improve operational stability
▪ Enable New Way of Working
▪ Enable Innovation & Digital Company
▪ Find adequate tools for delivering data security in a user-friendly way
Much more than just moving email into the cloud…
O365 regulatory approach
▪ Open & transparent relationships
▪ Acknowledge the ‘learning process’
▪ 3-way interaction MS – Supervisors – KBC
▪ Focus on specific “cloud services sensitive” compliance, legal and security related topics … in a forward-looking manner
▪ Baseline:
3. Cloud Governance
Looking back in time
▪ Several cloud initiatives on (and under) the radar
▪ Business seeks, finds and starts using tools (SaaS)
▪ Related to Office 365 and the contacts with NBB/ECB: all data needs to be handled in a secure way
▪ Audit requirements in (group wide) cloud related cases
▪ In short: there was a gap that called for action!
KBC’s answer: Cloud Enablement Forum
▪ Cloud Enablement Forum (CEF) has a business & IT mandate for each cloud case of BU BE or where IT BE is involved
▪ Mandatory decision body for each new cloud initiative or important change in scope of an existing cloud initiative
▪ Expert group that evaluates and authorizes each cloud case (PoC – PRO)
(Figure, expert group members: Business, IT Information Security Officer, Legal, Data Protection Officer, Architecture, Procurement, Business Information Security Officer, IT Operations & Development)
Scope Cloud Governance in BE / CEF
▪ “KBC Cloud Services” meet the following 3 criteria
1. Service is delivered over the Internet, and
2. Service is delivered by a 3rd party external to KBC, and
3. KBC-information stored or processed outside of KBC
▪ From cradle to grave, the full-life cycle of a cloud case
▪ Remark: EBA states all cloud is ‘outsourcing’, only a subset is ‘critical or important outsourcing’
Goal Cloud Enablement Forum
Make sure we help our internal customer
▪ One place for all cloud-related questions
▪ Easy process / low threshold (post your question in the discussion forum)
▪ Template that assists take-in
▪ Quick response (weekly meeting via Skype), binding decision
➔ GO / GO with blocking conditions / NO GO
▪ Also preparatory body towards other decision levels when further approvals are needed
▪ Ensures the delivery of necessary (regulatory) output documents
Critical or important cases
▪ Output documentation requirements
• Case summary: High-level description of the purpose
• High-level architectural overview: a quick conceptual overview of how the environment is set up, including the integrations with other on-premises environments
• DPIA
• Legal summary
• E2E risk assessment of the Cloud provider
• E2E risk assessment of the implementation
• Exit strategy
Full life-cycle of a cloud service
▪ Cloud Service Provider re-assessment period
- For ‘critical or important’ cases: by default every year
- For non-‘critical or important’ cases: by default every 2 years
▪ The (B)ISO can decide to shorten or expand this period
• Maximum period for re-assessment is 5 years
• When certificates/attestations expire or when there is a significant change in the setup of the service it should trigger a re-assessment
▪ Outsourcing register is updated with new and/or terminated cloud cases
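The re-assessment cadence on this slide is simple to state but easy to get wrong once (B)ISO overrides, the 5-year cap, expiring attestations and mid-cycle changes are combined, so it is worth encoding as a check over the outsourcing register. The block below is an added example written for this transcript, not KBC's own tooling: the register fields, case names and dates are constructed, and the presentation date is assumed to stand in for "today".

```python
"""Re-assessment scheduler for an outsourcing register of cloud cases (example, not KBC code).

Rules encoded: critical or important cases yearly, other cases every 2 years,
(B)ISO may shorten or extend the period up to a 5-year maximum, and an expiring
certificate/attestation or a significant change in the service setup triggers an
earlier re-assessment. Field names and sample data are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DEFAULT_PERIOD_YEARS = {True: 1, False: 2}  # critical/important -> yearly, otherwise every 2 years
MAX_PERIOD_YEARS = 5                         # hard cap on any (B)ISO extension
TALK_DATE = date(2020, 5, 27)                # presentation date, assumed here as "today"


@dataclass
class CloudCase:
    name: str
    critical_or_important: bool
    last_assessment: date
    biso_period_years: Optional[int] = None        # (B)ISO override of the default cadence, in years
    attestation_expiry: Optional[date] = None      # end of validity of the CSP's certificate/attestation
    significant_change_on: Optional[date] = None   # date of a significant change in the service setup
    terminated_on: Optional[date] = None           # set when the case has been removed from the register


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def effective_period_years(case: CloudCase) -> int:
    """Default cadence unless the (B)ISO set one; never longer than MAX_PERIOD_YEARS."""
    years = case.biso_period_years
    if years is None:
        years = DEFAULT_PERIOD_YEARS[case.critical_or_important]
    if years < 1:
        raise ValueError(f"{case.name}: re-assessment period must be at least 1 year")
    return min(years, MAX_PERIOD_YEARS)


def next_reassessment(case: CloudCase) -> Tuple[date, str]:
    """Return (due date, reason): the periodic date, or the earliest trigger that fires before it."""
    due = add_years(case.last_assessment, effective_period_years(case))
    reason = "periodic"
    triggers = (
        (case.attestation_expiry, "attestation expired"),
        (case.significant_change_on, "significant change"),
    )
    for when, label in triggers:
        # Only events after the last assessment and before the current due date pull it forward.
        if when is not None and case.last_assessment < when < due:
            due, reason = when, label
    return due, reason


def overdue_cases(register: List[CloudCase], today: date) -> List[str]:
    """Names of still-active cases whose re-assessment date has been reached."""
    return sorted(
        c.name for c in register
        if c.terminated_on is None and next_reassessment(c)[0] <= today
    )


def build_register() -> List[CloudCase]:
    """Constructed sample register; names and dates are invented for this example."""
    return [
        CloudCase("hr-saas", True, date(2019, 3, 1)),
        CloudCase("testlab-poc", False, date(2019, 6, 15)),
        CloudCase("analytics-paas", False, date(2019, 1, 1), biso_period_years=7),
        CloudCase("archive-saas", True, date(2019, 9, 1), attestation_expiry=date(2020, 1, 31)),
        CloudCase("crm-saas", False, date(2019, 1, 10), significant_change_on=date(2020, 4, 1)),
        CloudCase("legacy-saas", False, date(2017, 1, 1), terminated_on=date(2019, 12, 31)),
    ]


if __name__ == "__main__":
    register = build_register()
    for case in register:
        due, why = next_reassessment(case)
        print(f"{case.name:15} due {due} ({why})")
    print("overdue on", TALK_DATE, ":", overdue_cases(register, TALK_DATE))
```

Note that a (B)ISO extension to 7 years is silently clamped to the 5-year maximum, and that a terminated case drops out of the overdue list even though its periodic date has long passed; both behaviours follow the slide's wording rather than being extra policy.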
Appreciation
▪ Cloud Enablement Forum is well-known and appreciated within Belgium and misses almost no cloud cases
▪ Also other KBC entities are more and more looking at cloud solutions and are launching cloud initiatives
▪ Belgium’s CEF approach is being copied by all KBC group entities
4. Cloud Strategy
Overall: Reuse before buy before build
▪ New functionality or heavy upgrade?
➔ look for cloud alternatives
▪ Evolution to SaaS (SaaS before PaaS)
(Figure labels: Bought applications; ‘Cloud First’ Assessment)
▪ New functionality with less or no integration with mainframe?
➔ Cloud Native Development
▪ Unlock public cloud PaaS services for integration in innovative applications
(Figure labels: Own development; ‘Cloud First’ Assessment)
Cloud enabled security & integration
(Figure labels: Bought applications; Infrastructure: Access, Security, Storage, Integration; Own development; ‘Cloud First’ Assessment)
5. Wave 2: Contained Cases
Enlarged scope: CSA repeatable cloud first deployment model
(Figure, steps as shown on the slide)
- Identify the business drivers
- Determine the stakeholders
- Assess the organization’s assets
- Select service and deployment model
- Identify existing business controls
- Design the new environment
- Identify control gaps
- Select a Cloud Service Provider
- Negotiate SLAs
- Build as required
- Implement controls to fill the gaps
- Launch
- Monitor
- Account
- Verify solution to fill control gaps
- Assess the Cloud Service Provider’s controls
- Respond to incidents
Contained cases: what?
▪ Mix of
- cloud services (SaaS, PaaS)
- business – IT
- CSP
▪ Deliver value for the contained cases
▪ Using benefits of the cloud (Agility, Availability, Elasticity)
▪ View on cost drivers – financial point of view: case by case
▪ Pave the regulator way
Learn and be ready for the next wave of cases
Contained cases public cloud
Implementing our strategy, laying the foundations for the future
(Figure: cases positioned on two axes, IT focussed versus business focussed, and IT platform transformation versus business transformation)
• K’Ching
• MS Dynamics
• Storage/archiving
• Dynatrace/ELK
• POC Testlab on cloud
• Milleman: IFRS17 calculations
• APP Your Service
• AWS landing zone
• Co-development environment
• Security: CASB
Remark: Cloud Enablement Forum (CEF) is mandatory for every case.
Most of the cases are in the upper right quadrant (Software as a Service).
…
(Slide text: Arranging your time off; Assisting you when you’re feeling ill; Helping you work elsewhere; Informing you of your KBC Contact Points; Providing you with the latest KBC News; Bringing DOCK! closer to you; Listening to your suggestions; Giving you a safe KBC QR scanner; Let us guide you through your day; Telling you how KBC is doing)
6. Challenges
Challenges today
▪ Cloud is everywhere and business is directly approached by SaaS vendors: “immediate solution”
▪ Time to market requires a fast and flexible response also from risk management, Legal & Compliance
▪ Contract negotiations with CSPs (can) take a very long time
▪ Regulators: good cooperation is important
▪ SaaS vendors add/remove features at their own speed
▪ Cloud usage requires new skills: cloud engineers
▪ Battle for talent is still going on in IT – skills are ageing fast
Questions?