2014 2nd me cloud conference trust in the cloud v01

Building trust in the cloud 2nd Middle East Cloud Computing and Big Data Conference and Exhibition November 2014

Upload: promediakw

Post on 07-Jul-2015


Page 1: 2014 2nd me cloud conference trust in the cloud v01

Building trust in the cloud

2nd Middle East Cloud Computing and Big Data

Conference and Exhibition

November 2014

Page 2: 2014 2nd me cloud conference trust in the cloud v01

Contents

1. Why: the need for a trusted cloud environment

2. How: how to build “trust” in the cloud

3. What: what kind of assurance can be provided

4. Summary

Figure labels: Trust; Govern; The Cloud Framework

Page 3: 2014 2nd me cloud conference trust in the cloud v01


Why: the need for a trusted cloud environment

Page 4: 2014 2nd me cloud conference trust in the cloud v01

Cloud adoption is on the rise and is becoming more critical for business

► There has been a dramatic increase in cloud adoption over the last two years.

► Cloud is accelerating the digital transformation currently underway.

► Users continue to bypass in-house IT when adopting cloud solutions.

► Since cloud solutions have been mostly implemented as point solutions, integrating these is quickly becoming a priority.

► Organizations are beginning to understand that the “hybrid cloud model” is the preferred method of service delivery in many situations.

► However, a hybrid model introduces complexity and risk if not assessed and fully understood.

► Companies are weighing the value, cost and risk of cloud solutions rather than building new environments in-house.

Figure: Does your organization currently use cloud-based services? Percentage of respondents who say they are currently using or planned to use cloud computing services:

2010: 30%

2011: 44%

2012: 59%

Cloud adoption has almost doubled from 2010 to 2012.

Source: EY Global Information Security Survey (GISS) 2012

Page 5: 2014 2nd me cloud conference trust in the cloud v01


Some sectors are faster to adopt the cloud than others.

► Certain sectors have unique challenges to cloud adoption.

► Privacy (and security) concerns and migration costs present a barrier to cloud adoption.

► Industries like media and education are quick to embrace cloud because it enables faster collaboration and better content integration.

► Bottom line: know your industry and the unique technology hurdles to clear when starting your journey to the cloud.

Source: Gartner (May 2012)

Industry | Adopting
Banking | Private cloud – SaaS and IaaS
Education | Email, collaborative and back-office SaaS/IaaS
Energy and utilities | Not much happening; delivery model for consumption data and billing or managing asset-related GIS data
Government | Private cloud, email and some SaaS
Healthcare payers | Administration, care transformation
Healthcare providers | Collaboration, imaging, medical records
Insurance | Noncore applications and limited SaaS for vertical solutions
Media | Content management, distribution and analytics
Manufacturing | SaaS mostly
Retail | IaaS, PaaS and SaaS

Maturity legend: Advanced, Heavy, Moderate, Measured, Lagging

Page 6: 2014 2nd me cloud conference trust in the cloud v01


Fighting to close the “cloud control expectation gap”

► Companies have made significant moves to cloud-based solutions.

► Adopters of cloud solutions expect cloud service providers to deliver all the necessary controls to address the confidentiality, integrity and availability of their data.

► However, we have seen a much slower adoption of the controls necessary to promote a secure, trusted and audit-ready environment.

► As a result, the gap between what cloud controls we think we have in place and the controls we typically implement in the cloud is widening.

► This exposes adopters of cloud technologies to unmitigated risk.

Figure labels: Controls required to promote a secure, trusted and audit-ready cloud environment; Controls typically implemented in the cloud; Cloud control expectation gap

Page 7: 2014 2nd me cloud conference trust in the cloud v01


Does cloud create a better, stronger fortress or easier access to the crown jewels?

Our research indicates that cloud solutions are more likely to be the target of cyber attacks.

Figure labels: Financial data; Pricing, costing data; Trade secrets; Customer info; SSN, PHI, PII data*; R&D data; Legal actions; Strategic information; Proprietary data/processes; Successful attack; Failed attack

Cloud providers consistently invest in enhancing the security controls of their solutions.

* Social security number, personal health information, personally identifiable information

Page 8: 2014 2nd me cloud conference trust in the cloud v01


Cloud environments should be secure, trusted and audit-ready (STAR) to close “the gap”

Secure

A secure cloud environment has the appropriate controls to protect the confidentiality, availability and integrity of the systems and data that reside in the cloud. Appropriate procedural and technical protections are in place to protect data at rest, in transit and in use.

Trusted

A trusted cloud environment is designed to stand the test of time. It should demonstrably provide high availability and resilience to adverse events.

Audit-ready

An audit-ready cloud environment has continuous compliance and is certified to meet specific industry regulations and legislation. Appropriate procedural and technical protection is in place and documented, and compliance can be verified.

STAR

Page 9: 2014 2nd me cloud conference trust in the cloud v01


How: how to build trust in the cloud

Page 10: 2014 2nd me cloud conference trust in the cloud v01


There are many barriers and risks to achieving a STAR cloud environment

► Loss of control over data

► Lack of information isolation

► Inadequate compliance support

► Lack of standards and interoperability

► Unclear legal support or protection

► Weak authentication/authorization controls

► Lack of recovery strategy

► Inability to provide assurances

STAR

Page 11: 2014 2nd me cloud conference trust in the cloud v01

Given the risks of venturing in the cloud, should I make the move?

Yes, but …

Cloud consumers must evaluate the maturity of their processes and controls relative to the cloud service provider (CSP)

Figure labels: Risks; In-house; In the cloud

► Before moving to the cloud, we should weigh the risks of operating a technology environment ourselves versus governing a cloud vendor.

► If our requirements are so specific and narrow and our internal capabilities are already very mature, a cloud vendor may not be a viable or prudent solution.

► However, cloud vendors are in the business of IT and in many cases are more mature than operating in-house.

► Either way, the cloud “make or buy” decision should contemplate six key cloud control domains that define the EY Cloud Trust Model.

Page 12: 2014 2nd me cloud conference trust in the cloud v01


The type of services you implement changes the controls you need

► Outsourced, on/off-premise: The traditional approach of deploying and using business software in-house by the enterprise. System is developed and installed, supporting infrastructure hosted internally.

► Infrastructure as a service (IaaS): Combining executing operating systems, storage, messaging, databases, load balancing, networking, failover, redundancy, etc., together so that the customer buys a service rather than having to architect and specify how such infrastructure should be configured and deployed.

► Platform as a service (PaaS): Includes security, authentication, authorization, transaction management, code execution, powerful domain-specific languages, and point-and-click configuration that replaces traditional software languages.

► Software as a service (SaaS): Provides the capability to the consumer to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.

Deployment model (public/private/hybrid/community cloud)

Technology components (listed for each service model): Applications, Data, Runtime, Middleware, Virtualization, Servers, Storage, Networking, O/S

Control owner (per service model): In-House, Consumer, Cloud

Page 13: 2014 2nd me cloud conference trust in the cloud v01


The type of cloud you choose matters: it shifts the controls you need

Minimum accepted cloud controls

► Cloud service providers should have a bare minimum of baseline controls in place in order for cloud consumers to feel comfortable moving to the cloud.

► Examples include logging, monitoring, user authentication and encryption.

Maximum allowable cloud controls

► Certain controls should not (or cannot) be executed by cloud service providers and should be kept in-house.

► Examples include governance, risk acceptance, policies, standards, user approvals, segregation of duties and other controls that require unique knowledge of the organization.

Figure labels: Control owner: Cloud, Consumer, ?; Maximum allowable cloud controls; Minimum accepted cloud controls

Control ownership varies depending on agreements between cloud and consumers

Page 14: 2014 2nd me cloud conference trust in the cloud v01


The Cloud Trust Model is composed of six cloud control domains to achieve a STAR environment

EY Cloud Trust Model

Objectives (We aspire to be …): Secure, Trusted, Audit-ready

Cloud control domains (By focusing on these …): Technology, Data, Organizational, Operational, Audit and compliance, Governance

Page 15: 2014 2nd me cloud conference trust in the cloud v01


The EY Cloud Trust Model aligns to the Cloud Security Alliance (CSA) Framework

Cloud Security Alliance (CSA) Framework:

► Human resources

► Audit assurance and compliance

► Data security and information life cycle management

► Governance and risk management

► Security incident management, e-discovery and cloud forensics

► Supply chain management, transparency and accountability

► Business continuity management and operational resilience

► Change control and configuration management

► Datacenter security

► Interoperability and portability

► Encryption and key management

► Identity and access management

► Infrastructure and virtualization security

► Mobile security

► Threat and vulnerability management

► Application and interface security

EY Cloud Trust Model:

► Organizational

► Data

► Technology

► Operational

► Audit and compliance

► Governance

Page 16: 2014 2nd me cloud conference trust in the cloud v01


What: what kind of assurance can be provided

Page 17: 2014 2nd me cloud conference trust in the cloud v01


EY’s Cloud Trust Services Framework enables a secure, trusted and audit-ready environment

EY Cloud Trust Services Framework

It aims to evaluate and periodically examine clients’ current risk profile and help them develop a plan to address any key areas of exposure.

It focuses on guiding clients through a maturity journey to build trust by developing new enhanced capabilities.

Certify and comply

Its objective is to promote a compliant and audit-ready environment for clients via certification, proactive audits and agreed-upon procedures.

Page 18: 2014 2nd me cloud conference trust in the cloud v01


Cloud services are segmented into cloud service consumers and cloud service providers (CSP)

Key questions addressed for cloud service consumers

► How does my risk profile change by moving to the cloud?

► How do I meet my regulatory mandates after moving to the cloud?

► What factors can help me evaluate a trusted provider?

► What do I need to do to confirm my data is safe?

► How do I confirm my providers’ security standards and policies are sufficient to build trust?

Key questions addressed for cloud service providers

► How do I build/showcase my security and compliance capabilities?

► How do I gauge my existing security and compliance capabilities against my contractual obligations?

► What capabilities do I prioritize for investments and enhancements?

► How can I adopt industry standards to raise the maturity of security and compliance capabilities?

Figure labels: Certify and comply; Audit-ready

Page 19: 2014 2nd me cloud conference trust in the cloud v01


Summary

Page 20: 2014 2nd me cloud conference trust in the cloud v01


Trust is the foundation on which cloud environments should be built

Why? How? What?

► Cloud computing became a mature IT Service Delivery Model

► The question arises, how it can be made trustworthy

► Trust in the cloud equates to a secured, trusted and audit-ready (STAR) environment

► There are six key dimensions of cloud trust (Organization, Technology, Data, Operations, Audit & compliance, Governance)

► Cloud consumers as well as cloud service providers need a reference model

► The Cloud Trust Model (CTM) provides a modular framework comprising “assess and monitor,” “improve and enhance” and “certify and comply”

Page 21: 2014 2nd me cloud conference trust in the cloud v01


Name

Title

Cloud Computing – IT Transformation

Phone: +965 2295 5117

E-Mail: [email protected]

Thank you