Trust in Cloud · 2020. 5. 20. · CCM V3.0 Control ID Updated Control Specification The Cloud...
-
Trust in Cloud
Esin Yılmaz
Alliance Lead - EY Turkey Advisory
-
01 Intro to Cloud
02 Risk perspectives of using cloud
03 Solutions for trust in cloud
04 Wrapping up
-
Can you remain untouched by cloud services in your daily life?
13 May 2020, Page 3
Whether as an individual or as a business, your life has already been touched by cloud services.
-
But what is the cloud?
Traditional on-premise data center vs. cloud data center: there is no real physical or technological difference between a traditional data center and a cloud data center.
-
What are the characteristics of cloud computing?
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
• On-demand self-provisioning
• Economies of scale
-
Type of cloud delivery models: example, Pizza-as-a-Service

Each layer of making and eating a pizza is either client managed or provided by the service provider; the further right the model, the more layers the service provider takes over:

Layer          | On-premise (making your pizza from scratch) | IaaS (frozen pizza as-a-service) | PaaS (pizza delivery as-a-service) | SaaS (pizza restaurant as-a-service)
Dining table   | client managed | client managed | client managed | service provider
Drinks         | client managed | client managed | client managed | service provider
Electricity    | client managed | client managed | service provider | service provider
Oven           | client managed | client managed | service provider | service provider
Fire           | client managed | client managed | service provider | service provider
Cheese         | client managed | service provider | service provider | service provider
Toppings       | client managed | service provider | service provider | service provider
Tomato sauce   | client managed | service provider | service provider | service provider
Pizza dough    | client managed | service provider | service provider | service provider
-
Type of cloud delivery models: for real

The same split applied to the IT stack, from On-premise through Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) to Software-as-a-Service (SaaS):

Layer          | On-premise     | IaaS             | PaaS             | SaaS
Applications   | client managed | client managed   | client managed   | service provider
Data           | client managed | client managed   | client managed   | service provider
Runtime        | client managed | client managed   | service provider | service provider
Middleware     | client managed | client managed   | service provider | service provider
OS             | client managed | client managed   | service provider | service provider
Servers        | client managed | service provider | service provider | service provider
Virtualization | client managed | service provider | service provider | service provider
Storage        | client managed | service provider | service provider | service provider
Network        | client managed | service provider | service provider | service provider
-
Shared Responsibility Model
Protecting cloud environments is a shared responsibility between the cloud service provider and the cloud consumer.
-
How can the cloud be deployed?
We distinguish between four variants of deployment models for cloud services:
• Public cloud
• Private cloud
• Community cloud
• Hybrid cloud
-
When adopting cloud solutions, ownership differs depending on the cloud delivery model implemented.
We distinguish between four variants of delivery models for cloud services; in each, the parties are the cloud service provider and the cloud service consumer(s), and the slide marks who owns the controls:
• Public cloud: control owner is the cloud consumer
• Private cloud: control owner is the cloud consumer
• Community cloud (several cloud service consumers, 1, 2, 3): control owner is the cloud consumer
• Hybrid cloud (combining public and community cloud): control owner TBD (cloud consumer?)
-
Like everything, there are pros and cons to moving into a cloud solution.

Cons:
❖ Vulnerability to attacks
❖ Downtime
❖ Network connectivity dependency
❖ Vendor lock-in
❖ Limited control
❖ Inflexible contracts

Pros:
❖ No capital investment required
❖ Pooled IT resources
❖ Scalability
❖ High availability
❖ Global presence
❖ Lets companies focus on their business, not IT
❖ Cost efficiency
-
01 Intro to Cloud
02 Risk perspectives of using cloud
03 Our solutions for trust in cloud
04 Wrapping up
-
Top Threats – Cloud Security Alliance
• Data breaches
• Misconfiguration and inadequate change control
• Lack of cloud security architecture and strategy
• Insufficient identity, credential, access and key management
• Account hijacking
• Insider threat
• Insecure interfaces and APIs
-
Typical risks that prevent clients from achieving a trusted cloud environment
• Loss of control over data
• Lack of information isolation / segmented usage
• Regulatory and compliance risks
• Lack of standards and interoperability
• Shadow IT related risks
• Weak authentication/authorization controls
• Lack of recovery strategy
• Inability to provide assurances
• Use of public infrastructure
• Unclear legal support or protection
• Inadequate data security
• Vendor lock-in
• Downtime
-
01 Intro to Cloud
02 Risk perspectives of using cloud
03 Solutions for trust in cloud
04 Wrapping up
-
By 2023, total worldwide spending on cloud services will reach nearly $1 trillion.
• Adoption of public cloud services continues to grow rapidly, led by SaaS adoption and digital transformation.
• Public cloud services are the engine of growth for the whole cloud market, with a CAGR of over 21.3% through 2023, reaching almost $500 billion.
• Hardware and software products and professional and managed services that enable cloud services deployment and adoption represent a rapidly expanding opportunity. Cloud service providers themselves will be the biggest spenders in 2023.
13 May 2020, Trust In Cloud – NALC 2020, Page 16
Source: IDC, Worldwide Whole Cloud Forecast, 2019-2023, published in 2019
-
Therefore, cloud computing is entering its maturity phase, where its adoption will dominate IT and become the new normal.
-
To get Trust in Cloud, the cloud environment should be secure, trusted and audit-ready (STAR).
EY cloud risk and security framework inputs:
• Industry frameworks (CSA/CCM, NIST/CSF, TOGAF)
• Regulatory (FFIEC, GLBA, PCI, NYDFS)
• EY/industry leading practices

Legend: the framework is organised into main areas and sub-areas.

Main areas:
• Governance, audit and compliance
• Operational
• Technology

Sub-areas:
• Incident management
• Policies, operational security baselines
• Risk management
• Cloud forensics
• Awareness and training
• Vendor/third-party risk
• Encryption and key management
• Mobile security
• Identity and access management
• Change & configuration management
• Interoperability and portability
• Business and service continuity, DR
• Crisis management
• Datacenter security
• Infrastructure and virtualization security
• Threat and vulnerability management
• Application and interface security
-
Cloud compliance standards
• CSA – Cloud Security Alliance Controls
• SOC 2 – Security, Availability, & Confidentiality Report
• FIPS – Government Security Standards
• NIST – National Institute of Standards and Technology
• HIPAA – Protected Health Information
• ISO 27017 – Cloud Specific Controls
• MPAA – Protected Media Content
• PCI DSS Level 1 – Payment Card Standards
• SOC 1 – Audit Controls Report
• ISACA – Controls and Assurance in the Cloud: Using COBIT 5
• FedRAMP – Federal Risk and Authorization Management Program
• SIG – Standardized Information Gathering
-
Cloud Compliance: CSA - Cloud Controls Matrix (example)

CLOUD CONTROLS MATRIX VERSION 3.0.1

Columns of the matrix: Control Domain; CCM V3.0 Control ID; Updated Control Specification; Architectural Relevance (Phys, Network, Compute, Storage, App, Data); Corp Gov Relevance; Cloud Service Delivery Model Applicability (SaaS, PaaS).

Control Domain: Application & Interface Security – Application Security
Control ID: AIS-01
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Relevance/applicability marks as extracted: X X X X X X

Control Domain: Application & Interface Security – Customer Access Requirements
Control ID: AIS-02
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Relevance/applicability marks as extracted: X X X X X X X X X

Control Domain: Application & Interface Security – Data Integrity
Control ID: AIS-03
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Relevance/applicability marks as extracted: X X X X X X X

Control Domain: Application & Interface Security – Data Security / Integrity
Control ID: AIS-04
Control Specification: Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
Relevance/applicability marks as extracted: X X X X X X X X

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
-
Market solutions: tools that can support EY in delivering a project (Azure example)
• Azure Compliance Manager for Microsoft: https://youtu.be/eSF39Oq8Xgs
• Amazon Inspector: https://youtu.be/xxvrmBPbNPs
-
Market solutions: examples
• AWS – Amazon Detective: automatically begins distilling and organizing data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs into a graph model that summarizes resource behaviors and interactions observed across an AWS environment.
• AWS – IAM Access Analyzer: an identity and access management (IAM) tool designed to make it easier for security teams and administrators to audit resource policies for unintended access.
• Oracle – Oracle Audit: provides comprehensive visibility into your Oracle Cloud Infrastructure services, with access to all public API activity over the past 365 days.
• IBM – Cloud Activity Tracker: provides a framework and functionality to view, manage, and audit IBM Cloud activity to comply with corporate policies and industry regulations.
-
How can EY help clients to build Trust in Cloud?

For the cloud service consumer:
• Financial audits
• IT integration
• Contractual compliance
• Internal control compliance
• Certification and implementation services
• Regulatory compliance
• 3rd party risk management
• Control and risk assessments
• Support in cloud migrations
• Cloud strategy
• Cloud service procurement

For the cloud service provider:
• Support in communications with regulatory entities
• Support cloud delivery strategy
• Conduct 3rd party reports (ISAE 3402)
• Security monitoring
• Contractual compliance
• Regulatory compliance
• Control and risk assessments
-
Thank you!