Trust in Cloud · 2020. 5. 20.

  • Trust in Cloud

    Esin Yılmaz

    Alliance Lead - EY Turkey Advisory

    [email protected]

  • 01 Intro to Cloud

    02 Risk perspectives of using cloud

    03 Solutions for trust in cloud

    04 Wrapping up

  • Can you remain untouched by cloud services in your daily life?

    13 May 2020 · Page 3

    Individuals

    Businesses

    Then your life has just been touched by cloud services.

  • But what is the cloud?

    Traditional on-premise data center vs. cloud data center

    There is no real physical or technological difference between a traditional data center and a cloud data center.

  • What are the characteristics of cloud computing?

    Resource pooling

    Rapid elasticity

    Measured service

    Broad network access

    On-demand self-provisioning

    Economies of scale

  • Type of cloud delivery models: example, Pizza-as-a-Service

    [Figure: four columns, On-premise (making your pizza from scratch), Infrastructure-as-a-Service (IaaS, frozen pizza-as-a-service), Platform-as-a-Service (PaaS, pizza delivery-as-a-service) and Software-as-a-Service (SaaS, pizza restaurant-as-a-service). Each column shows which of the layers Dining table, Drinks, Electricity, Oven, Fire, Cheese, Toppings, Tomato sauce and Pizza dough are client managed and which are service provider managed.]

  • Type of cloud delivery models: for real

    [Figure: four columns, On-premise, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Each column shows which of the layers Applications, Data, Runtime, Middleware, OS, Servers, Virtualization, Storage and Network are client managed and which are service provider managed.]

  • Protecting cloud environments is a shared responsibility between the cloud service provider and the cloud consumer

    Shared Responsibility Model

  • How can the cloud be deployed?

    We distinguish between four variants of delivery models for cloud services:

    Public cloud

    Private cloud

    Community cloud

    Hybrid cloud

  • When adopting cloud solutions, the ownership differs by the cloud delivery model implemented

    We distinguish between four variants of delivery models for cloud services (public cloud, private cloud, community cloud and hybrid cloud), operated by the cloud service provider and/or the cloud service consumer.

    [Figure: for public cloud, private cloud and community cloud the cloud consumer is the control owner; for hybrid cloud the control owner is TBD.]

  • Like everything, there are pros and cons to moving into a cloud solution

    Cons:

    ❖ Vulnerability to attacks

    ❖ Downtime

    ❖ Network connectivity dependency

    ❖ Vendor lock-in

    ❖ Limited control

    ❖ Inflexible contracts

    Pros:

    ❖ No capital investment required

    ❖ Pooled IT resources

    ❖ Scalability

    ❖ High availability

    ❖ Global presence

    ❖ Lets companies focus on their business, not IT

    ❖ Cost efficiency

  • 02 Risk perspectives of using cloud

  • Top Threats – Cloud Security Alliance

    Data breaches

    Misconfiguration and inadequate change control

    Lack of cloud security architecture and strategy

    Insufficient identity, credential, access and key management

    Account hijacking

    Insider threat

    Insecure interfaces and APIs

  • Typical risks that prevent clients from achieving a trusted cloud environment

    Loss of control over data

    Lack of information isolation / segmented usage

    Regulatory and compliance risks

    Lack of standards and interoperability

    Shadow IT related risks

    Weak authentication / authorization controls

    Lack of recovery strategy

    Inability to provide assurances

    Use of public infrastructure

    Unclear legal support or protection

    Inadequate data security

    Vendor lock-in

    Downtime

  • 03 Solutions for trust in cloud

  • By 2023, total worldwide spending on cloud services will reach nearly $1 trillion.

    • Adoption of public cloud services continues to grow rapidly, led by SaaS adoption and digital transformation.

    • Public cloud services are the engine of growth for the whole cloud market, with a CAGR of over 21.3% through 2023, reaching almost $500 billion.

    • Hardware and software products, and the professional and managed services that enable cloud services deployment and adoption, represent a rapidly expanding opportunity. Cloud service providers themselves will be the biggest spenders in 2023.

    13 May 2020 · Trust In Cloud – NALC 2020 · Page 16

    Source: IDC, Worldwide Whole Cloud Forecast, 2019-2023, published in 2019

  • Therefore, cloud computing is entering a maturity phase in which its adoption will dominate IT and become the new normal

  • To get Trust in Cloud, the cloud environment should be secure, trusted and audit-ready (STAR)

    EY cloud risk and security framework inputs:

    • Industry frameworks (CSA/CCM, NIST/CSF, TOGAF)

    • Regulatory (FFIEC, GLBA, PCI, NYDFS)

    • EY/industry leading practices

    Framework main areas: Governance, audit and compliance; Operational; Technology.

    Framework sub-areas: Incident management; Policies, operational security baselines; Risk management; Cloud forensics; Awareness and training; Vendor/third-party risk; Encryption and key management; Mobile security; Identity and access management; Change & configuration management; Interoperability and portability; Business and service continuity, DR; Crisis management; Datacenter security; Infrastructure and virtualization security; Threat and vulnerability management; Application and interface security.

  • Cloud compliance standards

    CSA: Cloud Security Alliance Controls

    SOC 2: Security, Availability, & Confidentiality Report

    FIPS: Government Security Standards

    NIST: National Institute of Standards and Technology

    HIPAA: Protected Health Information

    ISO 27017: Cloud Specific Controls

    MPAA: Protected Media Content

    PCI DSS Level 1: Payment Card Standards

    SOC 1: Audit Controls Report

    ISACA: Controls and Assurance in the Cloud: Using COBIT 5

    FedRAMP: Federal Risk and Authorization Management Program

    SIG: Standardized Information Gathering

  • Cloud compliance: CSA - Cloud Controls Matrix (example)

    CLOUD CONTROLS MATRIX VERSION 3.0.1

    Columns of the matrix: Control Domain; CCM V3.0 Control ID; Updated Control Specification; Architectural Relevance (Phys, Network, Compute, Storage, App, Data); Corp Gov Relevance; Cloud Service Delivery Model Applicability (SaaS, PaaS). Each control row is marked with an X in the columns that apply to it.

    Application & Interface Security / Application Security
    AIS-01: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

    Application & Interface Security / Customer Access Requirements
    AIS-02: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.

    Application & Interface Security / Data Integrity
    AIS-03: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.

    Application & Interface Security / Data Security / Integrity
    AIS-04: Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

    The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

  • Market solutions: tools that can support EY in delivering a project (Azure example)

    Azure Compliance Manager for Microsoft: https://youtu.be/eSF39Oq8Xgs

    Amazon Inspector: https://youtu.be/xxvrmBPbNPs

  • Market solutions: examples

    AWS - Amazon Detective: automatically begins distilling and organizing data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs into a graph model that summarizes resource behaviors and interactions observed across an AWS environment.

    AWS - IAM Access Analyzer: an identity and access management (IAM) tool designed to make it easier for security teams and administrators to audit resource policies for unintended access.

    Oracle - Oracle Audit: provides comprehensive visibility into your Oracle Cloud Infrastructure services, with access to all public API calls over the past 365 days.

    IBM - Cloud Activity Tracker: provides a framework and functionality to view, manage, and audit IBM Cloud activity to comply with corporate policies and industry regulations.

  • How can EY help clients to build Trust in Cloud?

    [Figure: EY services mapped to the cloud service consumer and the cloud service provider; contractual compliance, regulatory compliance and control and risk assessments appear on both sides.]

    Financial audits

    IT integration

    Contractual compliance

    Internal control compliance

    Certification and implementation services

    Regulatory compliance

    3rd party risk management

    Control and risk assessments

    Support in cloud migrations

    Cloud strategy

    Cloud service procurement

    Support in communications with regulatory entities

    Support cloud delivery strategy

    Conduct 3rd party reports (ISAE 3402)

    Security monitoring

  • Thank you! ☺