Brave New Cloud: How to get there - Deloitte United States

Page 1

Grab n’ Go, Deloitte Denmark

Brave New Cloud: How to get there

Page 2

Welcome!

Jay is a Partner and the Cyber Strategy lead for Deloitte Denmark. Over 13+ years, Jay has worked across multiple sectors and geographies spanning the UK, Europe and Asia.

Klaus is a Partner and Cloud Engineering lead for Deloitte Denmark. He has 20+ years of consulting experience, of which the past 10+ years have been focused on Financial Services across the Nordic region.

Page 3

Our agenda for the next 90 minutes

Welcome

Introduction

Navigating security & compliance

Paving the way

Before moving to the cloud

Q&A

Agenda

Page 4

Copyright © 2018 Deloitte Development LLC. All rights reserved. | 4

Challenges in adopting cloud

Cyber Security & Privacy

Operating Model

Vendor Maturity

Business Case

Talent

Compliance

Page 5

What’s on your mind?

Source: EY Danish Cloud Maturity Survey 2018

Page 6

Agenda (repeated from Page 3)

Page 7

“50% of the CISOs indicate cloud adoption as the tech trend that will have the biggest impact on the IT security of their organization over the next 5 years.”

Page 8

Not all security and compliance controls are inherited or “automatic”

Cloud security is everyone’s responsibility

Consumer/Shadow IT: Business and consumers using cloud with or without cyber controls.

Third-party Risk: Enterprises are dependent on cloud providers’ controls.

Concentrated data exposure: Cloud providers are a bigger target because “that’s where the data is”.

New attack surface: The walled enterprise is replaced by a hybrid, more complicated technology environment.

Cyber talent: New cloud (security) skills are required by staff to effectively manage new, complex architectures.

CSPs are in the “business of IT” ...with better hygiene. CSPs provide updated, fully patched Windows AMIs within 5 business days of Microsoft’s Patch Tuesday (4). Note that a patched image only helps instances launched from it; instances already running, and images the customer builds itself, remain the customer’s patch management under the IaaS responsibilities on the next slide.

Cloud enables enterprises to focus on what matters to the business. By outsourcing commodity IT services, IT staff can focus more on expanding cyber risk capabilities.

Cloud providers are better equipped for the fight. “Microsoft fends off 7 trillion cyber threats per day and allocates over $1 billion each year to cybersecurity.” (5)

Page 9

Not all security and compliance controls are inherited or “automatic”

Cloud security is everyone’s responsibility

Layer              | Traditional on-premises IT | IaaS                            | PaaS     | SaaS
Data               | Self                       | Self                            | Self     | Self
Applications       | Self                       | Self                            | Self     | Provider
Databases          | Self                       | Self                            | Provider | Provider
Operating System   | Self                       | Self                            | Provider | Provider
Virtualization     | Self                       | Provider (Virtualization + CMP) | Provider | Provider
Physical Servers   | Self                       | Provider                        | Provider | Provider
Network & Storage  | Self                       | Provider                        | Provider | Provider
Data Center        | Self                       | Provider                        | Provider | Provider

Self = self-supplied, self-managed; Provider = provider-supplied, provider-managed. The per-layer split is inferred from the responsibility bullets below.

High level security responsibilities based on the attributes

▪ Traditional on-premises IT – Physical security, hardware security, patch management, Identities and Access, Encryption, Incident management

▪ Infrastructure as a Service – Vulnerability / patch management, configurations, Identities and Access, Application security, Encryption, Incident management and monitoring

▪ Platform as a Service – Identity and Access, Application security, Encryption, Incident management and security monitoring

▪ Software as a Service – Security monitoring (user actions), Incident management, Encryption and Identity management

Cross-cutting responsibilities shown alongside the models: Visibility & Monitoring, Data protection, Identity Management (IAM), Threat detection & response, Audit & Compliance.

Page 10

Key | Security Challenges

Cloud adoption means agility, speed of execution and keeping up with innovation for most customers. However, the context of security has changed. A perceived loss of control, a lack of clarity on responsibilities and liabilities, and difficulty in achieving accountability across the value chain are some of the key obstacles for organizations.

Accountability and data risk
“Who is accountable for what, and is my data protected even if we change providers? How do we manage keys?”

Non-production environment exposure
“How are the environments segregated, and are they public facing?”

Incident analysis and forensics
“How should I monitor workloads and threats in the cloud? Will the provider share details in the event of an incident?”

Infrastructure security
“How do I implement similar rigour and depth of controls in cloud infrastructure? Do we have the skills?”

Multi-tenancy and physical security
“How do I ensure the CSP has implemented security controls to mitigate third-party risks?”

Service and data integration
“Is the communication between our environment and the cloud vendor secure, and is integration mostly one way?”

Business continuity and resiliency
“Can we trust the cloud vendor’s SLA, and what happens if we decide to move back?”

User privacy and secondary data usage
“How do I enforce GDPR / privacy policies and acceptable usage, consent and secondary usage?”

Regulatory compliance
“Which regulatory requirements are applicable to our business?”

User identity federation
“How do we transfer the existing identity lifecycle to the cloud? We do not have visibility of our users’ actions in the cloud!”
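The “incident analysis and forensics” and “user identity federation” questions above both come down to the same thing: do we receive the audit-log events for our cloud account, and do we have rules to run over them? The Python below is an added example, not code from the deck. It runs a handful of detections over constructed records whose shape follows AWS CloudTrail (eventName, eventSource, sourceIPAddress, userIdentity.type/arn, additionalEventData.MFAUsed, responseElements.ConsoleLogin); the account ID, ARNs, IP addresses and the corporate egress range are invented, and the failed-login records are simplified.

```python
"""Run detection rules over cloud audit-log events (added example; constructed data).

The record shape is modelled on AWS CloudTrail. Account id, ARNs, IPs and the
corporate egress range below are invented for illustration.
"""
import ipaddress
from collections import Counter

# Assumed corporate egress ranges (invented): successful logins from anywhere else are flagged.
CORPORATE_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
# CloudTrail API calls that switch off or reshape the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILED_LOGIN_THRESHOLD = 3

def event(time, source, name, ip, ident_type, arn, mfa=None, outcome=None):
    """Build one CloudTrail-like record (only the fields the rules below read)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": ident_type, "arn": arn}}
    if mfa is not None:
        rec["additionalEventData"] = {"MFAUsed": mfa}
    if outcome is not None:
        rec["responseElements"] = {"ConsoleLogin": outcome}
    return rec

ACCOUNT = "123456789012"  # constructed account id
SAMPLE_EVENTS = [  # constructed sample: one clean login, root misuse, trail tampering, a burst of failures
    event("2018-09-03T07:58:11Z", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.17",
          "IAMUser", f"arn:aws:iam::{ACCOUNT}:user/alice", mfa="Yes", outcome="Success"),
    event("2018-09-03T08:02:40Z", "signin.amazonaws.com", "ConsoleLogin", "203.0.113.5",
          "Root", f"arn:aws:iam::{ACCOUNT}:root", mfa="No", outcome="Success"),
    event("2018-09-03T08:03:02Z", "cloudtrail.amazonaws.com", "StopLogging", "203.0.113.5",
          "Root", f"arn:aws:iam::{ACCOUNT}:root"),
] + [
    event(f"2018-09-03T08:05:{s:02d}Z", "signin.amazonaws.com", "ConsoleLogin", "203.0.113.9",
          "IAMUser", f"arn:aws:iam::{ACCOUNT}:user/bob", mfa="No", outcome="Failure")
    for s in (0, 7, 15)
]

def from_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)

def detect(events):
    """Apply every rule to every event; return alerts as (rule, eventTime, principal ARN, detail)."""
    alerts = []
    failures = Counter()  # (source ip, principal) -> failed console logins seen so far
    for e in events:
        ident = e["userIdentity"]
        arn, name, ip = ident["arn"], e["eventName"], e["sourceIPAddress"]
        login_ok = name == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
        # 1. The root identity should never be used outside break-glass: every root event is an alert.
        if ident["type"] == "Root":
            alerts.append(("root_activity", e["eventTime"], arn, name))
        # 2. Successful console login without MFA.
        if login_ok and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(("console_login_without_mfa", e["eventTime"], arn, f"from {ip}"))
        # 3. Successful login from outside the corporate egress ranges.
        if login_ok and not from_corporate_network(ip):
            alerts.append(("login_from_unknown_network", e["eventTime"], arn, f"from {ip}"))
        # 4. Anyone turning off or reshaping the audit trail (the "will we see it?" question).
        if e["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(("audit_trail_tampering", e["eventTime"], arn, name))
        # 5. Repeated failed logins from one source against one principal (alert once, at the threshold).
        if name == "ConsoleLogin" and not login_ok:
            failures[(ip, arn)] += 1
            if failures[(ip, arn)] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failed_logins", e["eventTime"], arn,
                               f"{FAILED_LOGIN_THRESHOLD} failures from {ip}"))
    return alerts

def rules_fired(events):
    """Distinct rule names that fired, sorted, for a quick summary."""
    return sorted({a[0] for a in detect(events)})

if __name__ == "__main__":
    for rule, when, who, detail in detect(SAMPLE_EVENTS):
        print(f"{when} {rule:28} {who} {detail}")
```

Rule 4 is the one to keep even if the others are tuned away: if the trail is stopped, every later question about monitoring and forensics has no data to answer it.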

Page 11

Sustainable Cloud capability ecosystem – a holistic review of risk management

Cloud Security POV

Page 12

Where do you start?

01 Deployment model: Roles and responsibilities, contractual obligations and liabilities all vary with the deployment model.

02 Compliance: Controls mapping that covers vendor, privacy and regulatory risks, to understand potential gaps and remediation for Cloud adoption.

03 Workload sensitivity: Understand which workloads, and what volume of processing, are likely to move to the Cloud.

04 Security policy rebaseline: Update key security policies such as identity and access management, security operations centre, encryption and playbooks (which contain roles and responsibilities), to identify what needs to be updated and whether it is still within the overall risk appetite.

05 Cloud due diligence: Vendor due diligence on key Cloud service providers, to understand the baseline of Cloud-native security and the ‘default’ terms and conditions in areas like ‘right to audit’ or penetration testing.

06 Architecture and integration: Outline the target security architecture based on the revised policy above. Also understand whether existing controls can be extended into the Cloud environment. Conduct a container security review if Cloud is already or partially deployed.

Page 13

Cloud security centric framework

Domains: Application; Network; Account; Infrastructure; User Data; Cloud Architecture

• User identity management
• Roles and permissions management
• Monitoring and Access logs

• Application Security
• Application Vulnerability Assessment
• Penetration testing

• Data encryption in transit
• Data encryption at rest
• Key Management Systems
• Obfuscation and Anonymisation
• Data Loss Prevention
• Data Governance and Privacy

• Virtual Private Cloud Architecture
• Subnets, Route Tables, Internet Gateways
• Firewalls, Security Groups, Network Access Control Lists
• Web Application Firewalls
• DDoS Protection
• Remote Access

• Identity and Access Management (IAM)
• Privileged User Access Management (PUAM)
• Directory Services
• Single Sign On and Federated Identity Management
• Security Log Configuration and SIEM
• Configuration and Rule Management

• Physical and Environmental Security
• Business Continuity Management
• Disaster Recovery
• Security Monitoring
• Incident Response
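The network bullets above (security groups, network ACLs, Internet gateways) and the “non-production environment exposure” question on Page 10 reduce to one check a practitioner runs early in an adoption: which rules let the whole Internet into which environment? The Python below is an added example, not code from the deck. It runs offline over a constructed rule set shaped like the AWS describe_security_groups output (GroupId, IpPermissions with IpProtocol/FromPort/ToPort/IpRanges/Ipv6Ranges), with invented group IDs and CIDRs and an assumed Environment tag; the only world-open rules it accepts are 80 or 443 on a production group.

```python
"""Audit security-group rules for Internet exposure by environment (added example; constructed data).

Rule shape follows AWS describe_security_groups; group ids, CIDRs and the
`Environment` tag convention are invented for illustration.
"""
import ipaddress

PUBLIC_OK_PORTS = {80, 443}                   # the only ports a production edge may open to the world
NON_PROD = {"dev", "test", "uat", "staging"}  # assumed tag values for non-production

SAMPLE_GROUPS = [  # constructed sample
    {"GroupId": "sg-0aaa0001", "GroupName": "web-prod", "Tags": {"Environment": "prod"},
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0aaa0002", "GroupName": "db-prod", "Tags": {"Environment": "prod"},
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0aaa0003", "GroupName": "app-test", "Tags": {"Environment": "test"},
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0aaa0004", "GroupName": "jump-dev", "Tags": {"Environment": "dev"},
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0aaa0005", "GroupName": "legacy-rdp",  # no tags: segregation cannot be verified
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def is_world_open(cidr: str) -> bool:
    """True for a CIDR covering the whole Internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_ranges(perm):
    """World-open source ranges of one permission, IPv4 and IPv6 alike."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_world_open(c)]

def port_label(perm):
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    if perm["FromPort"] == perm["ToPort"]:
        return f"{perm['IpProtocol']}/{perm['FromPort']}"
    return f"{perm['IpProtocol']}/{perm['FromPort']}-{perm['ToPort']}"

def audit(groups):
    """Return findings for every world-open rule that is not an accepted production web edge."""
    findings = []
    for g in groups:
        env = g.get("Tags", {}).get("Environment", "untagged").lower()
        for perm in g["IpPermissions"]:
            for cidr in open_ranges(perm):
                all_traffic = perm["IpProtocol"] == "-1"
                web_only = (not all_traffic and perm["FromPort"] == perm["ToPort"]
                            and perm["FromPort"] in PUBLIC_OK_PORTS)
                if env in NON_PROD:
                    severity, why = "high", "non-production environment reachable from the Internet"
                elif env == "untagged":
                    severity, why = "medium", "environment unknown; segregation cannot be verified"
                elif not web_only:
                    severity, why = "high", "production port open to the Internet beyond the web tier"
                else:
                    continue  # production edge on 80/443 only: accepted
                findings.append({"group": g["GroupId"], "name": g["GroupName"], "env": env,
                                 "severity": severity, "rule": f"{port_label(perm)} from {cidr}",
                                 "why": why})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"[{f['severity']}] {f['group']} ({f['name']}, {f['env']}): {f['rule']}: {f['why']}")
```

The untagged case is deliberate: an account where the environment of a group cannot be determined cannot answer “how are the environments segregated?”, so the audit reports it rather than silently treating it as production.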

Page 14

So what about regulations?

Cloud infrastructure is designed and managed in alignment with relevant security best practices

Page 15

So what about regulations? Key themes

▪ Not lower security / protection: Roles and responsibilities, contractual obligations and liabilities all vary with the deployment model.

▪ Incident response: Ability to respond, with the capability to conduct an investigation with root cause analysis, and to inform the relevant parties.

▪ Roles and responsibilities to be clearly defined: “Contract it in”; “Manage it, don’t do it at all!”

▪ Policy / organisational measures: Include the importance of data leakage, and have governance and metrics in place to monitor it.

▪ Transparency: Risk analysis; data residency and cross-border transfer; audit / right to audit.

▪ Continual improvement and risk management: Continued audit and improvement have to be a demonstrable option.

Page 16

Agenda (repeated from Page 3)

Page 17

Take action before someone else does.

by transforming your capabilities.

Our assessment can also determine the best plan for full optimization – including recommendations for any number of cloud enhancements, upgrades or implementations.

Deloitte’s Approach

Building Blocks for Successful Cloud Adoption

What are you struggling with?

Page 18

Key questions to drive a sound implementation

Direction
▪ Cloud Vision
▪ Business & Technology Strategy Alignment
▪ Business Case

Solution
▪ Workloads & Use cases
▪ Services (IaaS, PaaS, SaaS)
▪ Vendors, 3rd party providers
▪ Application Landscape
▪ Architecture

Oversight
▪ Governance Model
▪ Regulatory Compliance
▪ Security & Risk Management

Organization Evolution
▪ Capabilities & Processes
▪ Stakeholder Engagement/Interactions
▪ Roadmap & roll out

Page 19

Cloud Adoption is a Journey

Phases: Preparation phase; Migration phase; Optimization phase

Stages: Establish prerequisites; Develop cloud strategy; Assess financials; Design new environment; Build foundation; Migrate; Integrate; Test; Optimize; Run

Activities shown across the journey:
▪ Gain executive sponsorship
▪ Create cloud core team
▪ Define guiding principles
▪ Define IT criteria
▪ Setup program governance
▪ Assess applications
▪ Perform financial analysis (IaaS, SaaS)
▪ Explore cloud layers
▪ Migrate network
▪ Integrate applications
▪ Build PoC
▪ Secure cloud implementations
▪ Create forecast
▪ Build exit strategy
▪ Engage business, application, infrastructure, and security owners
▪ Outline roadmap
▪ Develop DR capabilities
▪ Develop reference architecture
▪ Target application architecture
▪ Plan migration
▪ Pilot
▪ Migrate execution architecture
▪ Order cloud services
▪ Setup target infrastructure
▪ Move apps to cloud
▪ Follow change management process
▪ Integrate infrastructure
▪ Integrate operations
▪ Benchmark current environment
▪ Implement cloud analytics tools
▪ Optimize cloud workloads
▪ Revalidate cloud partners
▪ Monitor and optimize expenses
▪ Maintain and support applications
▪ Monitor performance
▪ Test and validate migrated workload
▪ Obtain BU acceptance
▪ Design security architecture

Page 20

Examples of cloud maturity across major FSI players

Global bank, European heritage
Cloud & platform strategy: AWS centric, pivoting to Azure; open source, containerization
Cloud execution strategy / approach:
• Federated cloud adoption program, driven by LoBs
• Induction of senior leaders from TMT driving culture
• Cloud to accelerate move to agile / DevOps
• No separate / central funding pool
• Central IT catching up
Use cases (deployed / in flight):
• Risk management
• Regulatory Reporting / CAT / Forensics / FI Grid
• Credit / Market Risk Grids
• Digital experience
• Capability sourcing / partner led optimization

Global payments company
Cloud & platform strategy: GCP centric, all dev/test on cloud; mature proprietary containers/PaaS
Cloud execution strategy / approach:
• Centrally run program to move dev/test
• Central funding and business case
• Heavily agile / DevOps centric product teams
• Hosting play, starting to leverage native services
Use cases (deployed / in flight):
• Risk simulation
• All test and dev
• Customer analytics
• Edge network services
• Digital experience

Diversified manufacturing business
Cloud & platform strategy: AWS-centric, greenfield digital business; enterprise moving now, all net new dev
Cloud execution strategy / approach:
• Centralized team to enable cloud
• Federated teams in the BUs adopting at their pace
• New product development / innovation on cloud
• Heavily leveraging cloud native services
Use cases (deployed / in flight):
• Digital business
• Customer analytics
• New product innovation
• IoT / sensor based apps
• Performance analytics
• Engineering and maintenance ops

Global top 5 universal bank (1)
Cloud & platform strategy: Focus on private, AWS, MS. Initially with AWS, building consistent Dev experience
Cloud execution strategy / approach:
• Centrally run (private) cloud program, reshaped into a newly formed cloud group – Strategy / Architecture
• Pilots underway, driven by business units
• Senior executives from out of industry
• Looking to drive 30% volume by 2020
Use cases (deployed / in flight):
• Digital applications
• Databases and appliance data
• Credit and market risk grid applications
• Trade forensics

Global top 5 universal bank (2)
Cloud & platform strategy: Shifted focus from private cloud to accelerate AWS, MS public clouds, and PCF
Cloud execution strategy / approach:
• Central cloud services group supporting / enabling business units
• Business units hold use cases / budgets
• Some central funding to reduce barriers to entry, others direct pass through
• Strong risk / info sec / regulatory team
Use cases (deployed / in flight):
• Digital applications
• CAT / Forensics
• Credit and market risk grid
• Customer analytics
• AML / KYC
• Contact Center
• Appliance Data / workloads

[Each column also carried a chart of the estate split across Enterprise Tech, Public Cloud and Private Cloud; the values are not in the export]

Page 21

Thank You!

Jay Choi, Partner and the Cyber Strategy lead, +45 30 93 41 92, [email protected]

Klaus Koefoed Eriksen, Partner and Cloud Engineering lead, +45 30 93 44 89, [email protected]