Cloud Security & Compliance Improving your cyber security maturity while moving to the cloud


Post on 09-Jul-2020


Page 1: Why KPMG? Reference Cloud · available to track the cloud adoption processes. Why KPMG? KPMG can support your organisation in adopting cloud services with appropriate levels of security

Reference projects

PROJECT 1: Cloud discovery

A large multinational suspected that its employees were using a variety of cloud services that had not been adopted through the regular processes and, as such, were not known to the IT organisation. The client requested our support to identify these ‘shadow’ cloud services and the corresponding risks of using them.

The results of this assessment demonstrated that a number of high-risk services were used by employees, with large volumes of data being uploaded to those services. KPMG also identified that employees were using different cloud solutions for the same purposes, for which the organisation could steer them to one trustworthy cloud solution instead.

As a result, the client was able to gain visibility into the overall scope of cloud services in use, take proactive measures to reduce the number of high-risk cloud services, improve its current policies and reinforce its strategy regarding the use of cloud services to steer employees towards enterprise-ready solutions. In addition, our assessment was used to support a Cloud Access Security Broker (CASB) business case.

PROJECT 2: Cloud risk assessment

A client in the financial sector developed a strategy for transferring to cloud-based email, storage and collaboration services, for cost reduction and increased efficiency purposes. Their shareholders and business partners expressed their concerns regarding the security of storing and processing critical business and personal information in the cloud. The client requested our support to ensure that their cloud provider of choice would meet all business, legal, and technical security requirements and that the risks regarding the use of cloud services would be adequately managed.

KPMG performed a risk assessment using its own framework mapped to cloud standards and best practices, such as ENISA, NIST, ISO and CSA. A number of high risks were identified that required proactive treatment prior to adopting the cloud service. As a result of the risk assessment, the client received tailored recommendations for mitigating the identified risks. This also helped to increase the client’s overall understanding of the risks associated with adoption of new cloud services.

PROJECT 3: Risk management platform

For an oil & gas client, KPMG is performing a large remediation programme where we help the company manage their cloud-based shadow IT services, which process organisational data and which the business has purchased or developed circumventing control of internal IT. The volume of shadow IT today is such that manual interventions by IT or Risk departments were considered unreasonable compared to the risk reduction achieved, and simplification and automation of processes were required.

KPMG proposed a solution for full automation of the shadow IT identification with the help of secure web gateways and cloud access security brokers, further supplemented by the KPMG SOFY Digital Risk Platform. The platform is delivered as a service and enables automatic risk analysis and remediation activities to be performed by the business, with executive and operational dashboards available to track the cloud adoption processes.

Contact us

For more information on our cloud security services, please contact one of our professionals or visit us at kpmg.com/nl/cybersecurity

Ben Krutzen, Partner
T +31 20 656 7137
E [email protected]

Edwin Sturrus, Manager
T +31 20 656 7248
E [email protected]

Olga Kulikova, Senior Consultant
T +31 20 656 8776
E [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2017 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks of KPMG International.

Why KPMG?

KPMG can support your organisation in adopting cloud services with appropriate levels of security and governance, and address the full cloud journey, starting with cloud services identification and risk assessments, towards cloud governance, security & compliance through automation.

Our cyber security approach has been lauded by many clients varying from major international organisations to recognised local brands, in industries ranging from financial services and telecom providers to government and healthcare. Our team of experts has experience solving mobile technology problems on technical and organisational levels, at dozens of recognised clients. Partnering with KPMG ensures that you will get the KPMG quality with understandable presentations and reports, and effective assistance, helping your enterprise to become future proof.



Cloud Security Journey

Start

Heavy clouds; no control

Cloud solutions have been around for years. Many organisations are now accelerating their shift to the cloud as part of a Cloud-First strategy.

The successful rise of cloud in the consumer domain (Microsoft Office 365, Dropbox, Google G Suite) has created a new level of user expectations in terms of ease of use and agility.

Many IT organisations, even if they have a Cloud-First strategy, are still struggling to keep up with these new expectations, and are often citing security reasons to delay or even stop shifting workloads to the cloud.

In fact, when properly adopted and used, the modern set-up of cloud services, with the latest software and with the large-scale automation of administrative tasks, has many security and compliance benefits.

To illustrate this, we have sketched the stages of an agile cloud adoption journey that enables the business to benefit from cloud services, without losing control, or increasing risks to the organisation.

1 Discover

You can’t manage what you can’t see. With that in mind, you first need to know whether your employees or contractors are already using cloud services with or without your consent.

Start by identifying all cloud services in use by your employees and contractors.

KPMG SERVICE: CLOUD DISCOVERY

2 Define

Cloud does not require complex governance, but it does require clear rules: Do your employees know when they can use cloud services for personal purposes, or what they should be aware of when storing business data in cloud solutions? Does your IT staff understand how to connect the cloud to their on-premise systems and how to enable secure access management?

Continue by adapting your existing IT policies and end-user code of conduct to make them cloud ready.

KPMG SERVICE: CLOUD GOVERNANCE FRAMEWORK

3 Assess

Cloud services come in greater numbers than your traditional IT suppliers. This requires assessing whether existing or planned use of the cloud fits in with your organisation’s risk appetite.

Continue by assessing the identified or planned cloud services against your policies and define the required actions.

KPMG SERVICE: CLOUD RISK ASSESSMENT & VENDOR COMPARISON

4 Deploy

The issues identified during the assessment stage must be addressed. This includes actions to improve protection measures, such as access control, but also actions to ensure effective detection & response integration with the cloud provider.

Continue by deploying your remediation actions to implement a secure cloud architecture.

KPMG SERVICE: CLOUD SECURITY ARCHITECTURE

5 Automate

Cloud adoption processes lend themselves well to automation. This increases process performance and compliance, while reducing costs.

Finish your journey by locking in the benefits through automation.

KPMG SERVICE: CLOUD ADOPTION TOOLKIT & RISK MANAGEMENT PLATFORM

Finish

Clear sky; increased security

The evolving landscape of cloud services is a promising development for organisations that seek to digitise their processes. If IT and security staff do not proactively enable the organisation to benefit from these developments, we see the amount of shadow IT growing and the associated risks increasing.

The good news is that the use of cloud services can actually help organisations to become more secure and to better comply with regulations, as long as the adoption of cloud follows an orderly path, as depicted on the left.

The ultimate stage of the cloud journey involves automation of the cloud adoption processes, to stay in control of the quickly changing IT landscape, providing maximum transparency with minimal manual effort.

Whether you are at the start of the cloud journey, or approaching the ultimate stages, KPMG is ready to help you to take the next step in a practical and effective manner, to increase your organisation’s security by using cloud services.

