www.cloudsec.com | #CLOUDSEC Enabling Cloud Security It’s more than just ticking a box

Upload: lyminh

Post on 27-Jul-2018


The cloud landscape

Source: https://steveblank.files.wordpress.com/2011/02/bessemercloudscape.jpg

Side Activities at Venue

“Opportunities and Challenges”

Cloud opportunities

Flexibility

On-demand Services

Rapid Deployment

Automation

Scalability

Availability

Lower TCO

Cloud challenges

Talent & Expertise

Security

Managing Multiple Services

Compliance

Cost Management

Governance and Control

Integration

“Why cloud hurts”

The classic contracts

Requirements

Evaluations

Selection

Deployment

Adoption

Optimisation

Renewal

Standalone services

SLA based services model

Business workflow integration

Legacy infrastructure integration

Data protection and management

Source: https://www.simple-talk.com/iwritefor/articlefiles/cloud/2011/11/cloud-service-model.png

CSA shared responsibility model

Organisational implications

• Clarity around scope and the primary motivation of moving to the cloud

• Changes to governance models and decision making

• Knowledge of cloud architecture, virtualization, multiple technology platforms

• Challenge of standardised processes supporting seamless integration across multiple systems

• Changing skillset from technology management to vendor management

• Upskilling on effective cloud-based systems management

http://cloudacademy.com/blog/wp-content/uploads/2014/07/CMS-in-VPC.jpg

Controls and Questions

295 Supporting Questions

133 Control Areas

16 Control Domains

• Model for enabling active governance

• Enables cloud architecture discussions for business outputs

• Moves cloud decisions from audit assessment to risk-based outcomes

“A tale of three instances”

Three cloud projects

• IaaS contracts • PaaS contracts • SaaS Contracts

• Finance • HR Services • Collaboration • CRM • Business Intelligence

Global Bank Healthcare Provider Government Department

Complete Set

295 Questions

133 Areas

16 Domains

295 Questions

133 Areas

16 Domains

• IaaS contracts • PaaS contracts • SaaS Contracts

• Finance • HR Services • Collaboration • Document Mgmt. • CRM

• GovCloud • SaaS Contracts

• Document Mgmt. • Collaboration • CRM

The Twelve

Data Breaches

Access Management

Account Hijacking

System Vulnerabilities

Insufficient Due Diligence

Insecure Interface

Malicious Insider

Advanced Persistent Threat

Tech Vulnerabilities

Data Loss

Services Abuse

Denial of Service

Puneet Kukreja

Partner, Cyber Advisory

Deloitte, Australia

@iPuneetKukreja