Securing the cloud: developing a new approach to managing third party risks
DESCRIPTION
Raj Samani presents at the CIO Event. For more information click here: http://bit.ly/oR262i
TRANSCRIPT
Securing the cloud: Developing a new approach to managing third party risks
Raj Samani, EMEA Strategy Advisor, Cloud Security Alliance
• Cloud Service Providers (CSPs) need an efficient and scalable approach to assure customers
• End user organisations need an efficient approach to address the risks such services represent
• Data subjects must feel confident that their data controllers are securing their data
IT'S NOT ABOUT SECURITY
We Need a Fundamental Change in Our Approach to Fully Maximise the Benefits of Cloud Computing
*Based on Subjective Responses from Industry
Who?
• Cloud Service Providers
• Physical Access
• VPN access
• Extranet partners
• Traditional Outsourcers
How?
• Review of ISMS (Information Security Management System)
• Technical Assessment
Annual Cost for Assurance
What About the Other 11 Months?
Estimate the Assurance Costs Against 1000 Third Parties
TOTAL: 1000 third parties
ESTIMATE: 5 days per assessment
COST: $1000+ per assessment
TOTAL: $1M+ and 25 years of effort (1000 × $1000 per assessment; 1000 × 5 days = 5,000 working days, roughly 25 working years at 200 working days per year)
The Challenge in Addressing Risks When Working With Third Parties
• Third party access on the up
• Acronym soup
• Contractual challenges
• Leverage existing investments
• Resource constraints
• Best endeavours
The Common Assurance Maturity Model (CAMM) is a global, collaborative effort made up of
security professionals working across industry in an effort to meet the security challenges of the
21st century.
CAMM—NEW BUSINESS ASSURANCE BAROMETER
BUSINESS ASSURANCE
Provides a genuine Unique Selling Proposition to organisations that have higher levels of information risk maturity
Measures maturity against defined control areas, with particular focus on key controls
CAMM is built on existing standards, so no need for massive re-investment
Risk management maturity is open for stakeholders to view, using appropriate language and detail
A business benefit that creates consumer trust that is both meaningful and understandable
• Simple to understand—customers do not need professional certifications to understand the difference between a level 2 and level 3.
• Analogous to other rating systems—Already used in tourism, banking, and other sectors.
• Develops (a level of) trust with one small icon—Cloud providers can develop trust with a simple scorecard
[Scorecard illustration: Company A, Services A to F, each shown with its own rating icon]
1. Simpler comparison—Allows the CIO to perform a simpler comparison between internal vs external provision, not only relying on cost comparisons.
2. Cost comparison—Once risk appetite is defined, allows the CIO to compare the cost of different residual risk scenarios.
3. Apples for Apples—Judges services on a set of applicable criteria through use of applicable modules.
[Decision diagram: options compared side by side (Company A Service A, Company B Service C, Internally Provisioned), each with its cost (£x, £y, £z) and its maturity rating, leading to a DECISION]
Risk Appetite
The business sets the level of risk it is willing to tolerate (the number of levels depends on the data). Maturity will include CAMM plus possible bespoke modules.
Maturity
The level of risk management maturity is communicated to business partners (and prospective partners).
Leverage existing expenditure and remove the need for duplicate verification (note: this may remove the audit requirement altogether).
[Diagram: Third Party Assurance Centre, with a Third Party Requesting Access, a Cloud Provider and an Internal Hosting Provider connected to it in steps 1 to 4]
Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.
www.common-assurance.com
Twitter @Raj_Samani
Twitter @Commonassurance
• End User Organisations
• Security Associations
• Cloud Providers
• Consultancies
• Independent consultants
Over 40 Organisations Already Involved, Including…
• PCI
• ISACA
• CSA
• ENISA
• BITS
• ISF