TRANSCRIPT
Building trust in the cloud
2nd Middle East Cloud Computing and Big Data
Conference and Exhibition
November 2014
Page 2 | Building trust in the cloud
Contents
1 Why: the need for a trusted cloud environment
2 How: how to build “trust” in the cloud
3 What: what kind of assurance can be provided
4 Summary
Why: the need for a trusted cloud environment
Cloud adoption is on the rise and is becoming more critical for business
► There has been a dramatic increase in cloud adoption over the last two years.
► Cloud is accelerating the digital transformation currently underway.
► Users continue to bypass in-house IT when adopting cloud solutions.
► Since cloud solutions have been mostly implemented as point solutions, integrating these is quickly becoming a priority.
► Organizations are beginning to understand that the “hybrid cloud model” is the preferred method of service delivery in many situations.
► However, a hybrid model introduces complexity and risk if not assessed and fully understood.
► Companies are weighing the value, cost and risk of cloud solutions rather than building new environments in-house.
Chart: Does your organization currently use cloud-based services? Respondents who say they are currently using or planned to use cloud computing services: 2010: 30%; 2011: 44%; 2012: 59%. Cloud adoption has almost doubled from 2010 to 2012.
Source: EY Global Information Security Survey (GISS) 2012
Some sectors are faster to adopt the cloud than others.
► Certain sectors have unique challenges to cloud adoption.
► Privacy (and security) concerns and migration costs present a barrier to cloud adoption.
► Industries like media and education are quick to embrace cloud because it enables faster collaboration and better content integration.
► Bottom line: know your industry and the unique technology hurdles to clear when starting your journey to the cloud.
Table: industry and what is being adopted. Maturity scale: Advanced, Heavy, Moderate, Measured, Lagging.
Banking: Private cloud – SaaS and IaaS
Education: Email, collaborative and back-office SaaS/IaaS
Energy and utilities: Not much happening; delivery model for consumption data and billing or managing asset-related GIS data
Government: Private cloud, email and some SaaS
Healthcare payers: Administration, care transformation
Healthcare providers: Collaboration, imaging, medical records
Insurance: Noncore applications and limited SaaS for vertical solutions
Media: Content management, distribution and analytics
Manufacturing: SaaS mostly
Retail: IaaS, PaaS and SaaS
Source: Gartner (May 2012)
Fighting to close the “cloud control expectation gap”
► Companies have made significant moves to cloud-based solutions.
► Adopters of cloud solutions expect cloud service providers to deliver all the necessary controls to address the confidentiality, integrity and availability of their data.
► However, we have seen a much slower adoption of the controls necessary to promote a secure, trusted and audit-ready environment.
► As a result, the gap between what cloud controls we think we have in place and the controls we typically implement in the cloud is widening.
► This exposes adopters of cloud technologies to unmitigated risk.
Figure: the difference between the controls required to promote a secure, trusted and audit-ready cloud environment and the controls typically implemented in the cloud is the cloud control expectation gap.
Does cloud create a better, stronger fortress or easier access to the crown jewels?
Our research indicates that cloud solutions are more likely to be the target of cyber attacks.
Figure: successful versus failed attacks by data type: financial data; pricing, costing data; trade secrets; customer info; SSN, PHI, PII data*; R&D data; legal actions; strategic information; proprietary data/processes.
Cloud providers consistently invest in enhancing the security controls of their solutions.
* Social security number, personal health information, personally identifiable information
Cloud environments should be secure, trusted and audit-ready (STAR) to close “the gap”
Secure
A secure cloud environment has the appropriate controls to protect the confidentiality, availability and integrity of the systems and data that reside in the cloud. Appropriate procedural and technical protections are in place to protect data at rest, in transit and in use.
Trusted
A trusted cloud environment is designed to stand the test of time. It should demonstrably provide high availability and resilience to adverse events.
Audit-ready
An audit-ready cloud environment has continuous compliance and is certified to meet specific industry regulations and legislation. Appropriate procedural and technical protection is in place and documented, and compliance can be verified.
How: how to build trust in the cloud
There are many barriers and risks to achieving a STAR cloud environment
Loss of control over data
Lack of information isolation
Inadequate compliance support
Lack of standards and interoperability
Unclear legal support or protection
Weak authentication/authorization controls
Lack of recovery strategy
Inability to provide assurances
Cloud consumers must evaluate the maturity of their processes and controls relative to the cloud service provider (CSP)
Given the risks of venturing into the cloud, should I make the move?
Yes, but …
Figure: weighing the risks in-house against the risks in the cloud.
► Before moving to the cloud, we should weigh the risks of operating a technology environment ourselves versus governing a cloud vendor.
► If our requirements are so specific and narrow and our internal capabilities are already very mature, a cloud vendor may not be a viable or prudent solution.
► However, cloud vendors are in the business of IT and in many cases are more mature than operating in-house.
► Either way, the cloud “make or buy” decision should contemplate six key cloud control domains that define the EY Cloud Trust Model.
The type of services you implement changes the controls you need
Deployment model (public/private/hybrid/community cloud)
In-house: The traditional approach of deploying and using business software in-house by the enterprise. The system is developed and installed, and the supporting infrastructure is hosted internally.
Outsourced (on/off-premise):
Infrastructure as a service (IaaS): Combines executing operating systems, storage, messaging, databases, load balancing, networking, failover, redundancy, etc., together so that the customer buys a service rather than having to architect and specify how such infrastructure should be configured and deployed.
Platform as a service (PaaS): Includes security, authentication, authorization, transaction management, code execution, powerful domain-specific languages, and point-and-click configuration that replaces traditional software languages.
Software as a service (SaaS): Provides the capability to the consumer to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.
Figure: for each model (in-house, IaaS, PaaS, SaaS) the technology components (applications, data, runtime, middleware, O/S, virtualization, servers, storage, networking) are shown with the control owner of each layer, consumer or cloud.
The type of cloud you choose matters: it shifts the controls you need
Minimum accepted cloud controls
► Cloud service providers should have a bare minimum of baseline controls in place in order for cloud consumers to feel comfortable moving to the cloud.
► Examples include logging, monitoring, user authentication and encryption.
Maximum allowable cloud controls
► Certain controls should not (or cannot) be executed by cloud service providers and should be kept in-house.
► Examples include governance, risk acceptance, policies, standards, user approvals, segregation of duties and other controls that require unique knowledge of the organization.
Figure: the control owner slides between cloud and consumer, bounded below by the minimum accepted cloud controls and above by the maximum allowable cloud controls; control ownership varies depending on agreements between cloud providers and consumers.
The Cloud Trust Model is composed of six cloud control domains to achieve a STAR environment
EY Cloud Trust Model
Objectives (we aspire to be …): Secure, Trusted, Audit-ready
Cloud control domains (by focusing on these …): Technology, Data, Organizational, Operational, Audit and compliance, Governance
The EY Cloud Trust Model aligns to the Cloud Security Alliance (CSA) Framework
EY Cloud Trust Model domains: Organizational, Data, Technology, Operational, Audit and compliance, Governance
Cloud Security Alliance (CSA) Framework domains:
Human resources
Audit assurance and compliance
Data security and information life cycle management
Governance and risk management
Security incident management, e-discovery and cloud forensics
Supply chain management, transparency and accountability
Business continuity management and operational resilience
Change control and configuration management
Datacenter security
Interoperability and portability
Encryption and key management
Identity and access management
Infrastructure and virtualization security
Mobile security
Threat and vulnerability management
Application and interface security
What: what kind of assurance can be provided
EY’s Cloud Trust Services Framework enables a secure, trusted and audit-ready environment
EY Cloud Trust Services Framework
Assess and monitor
It aims to evaluate and periodically examine clients’ current risk profile and help them develop a plan to address any key areas of exposure.
Improve and enhance
It focuses on guiding clients through a maturity journey to build trust by developing new enhanced capabilities.
Certify and comply
Its objective is to promote a compliant and audit-ready environment for clients via certification, proactive audits and agreed-upon procedures.
Cloud services are segmented into cloud service consumers and cloud service providers (CSP)
Key questions addressed for cloud service providers
► How do I build/showcase my security and compliance capabilities?
► How do I gauge my existing security and compliance capabilities against my contractual obligations?
► What capabilities do I prioritize for investments and enhancements?
► How can I adopt industry standards to raise the maturity of security and compliance capabilities?
Key questions addressed for cloud service consumers
► How does my risk profile change by moving to the cloud?
► How do I meet my regulatory mandates after moving to the cloud?
► What factors can help me evaluate a trusted provider?
► What do I need to do to confirm my data is safe?
► How do I confirm my providers’ security standards and policies are sufficient to build trust?
Summary
Trust is the foundation on which cloud environments should be built
Why? How? What?
► Cloud computing has become a mature IT service delivery model.
► The question arises of how it can be made trustworthy.
► Trust in the cloud equates to a secure, trusted and audit-ready (STAR) environment.
► There are six key dimensions of cloud trust (Organization, Technology, Data, Operations, Audit & compliance, Governance).
► Cloud consumers as well as cloud service providers need a reference model.
► The Cloud Trust Model (CTM) provides a modular framework comprising “assess and monitor,” “improve and enhance” and “certify and comply.”
Name
Title
Cloud Computing – IT Transformation
Phone: +965 2295 5117
E-Mail: [email protected]
Thank you