SIMPLIFYING SECURITY FOR CLOUD ADOPTION - DEFINING YOUR GAME PLAN With Mandeep Obhrai (CEO)

Upload: securestorm

Post on 20-Feb-2017

TRANSCRIPT

Page 1: Simplifying Security for Cloud Adoption - Defining your game plan

SIMPLIFYING SECURITY FOR CLOUD ADOPTION - DEFINING YOUR GAME PLAN With Mandeep Obhrai (CEO)

Page 2: Simplifying Security for Cloud Adoption - Defining your game plan

WHO WE ARE

THE EXPERT SECURITY ADVISORS

WWW.IACS-LLP.COM

WHO ARE IACS? WE ARE SECURITY EXPERTS THAT UNDERSTAND AND ENHANCE BUSINESSES.

WE WORK WITH UK GOV AND COMMERCIAL ORGS ON THEIR CLOUD ADOPTION AND SECURITY INITIATIVES.

WE SUPPORT THE CSA EMEA TEAM AND BOARD. WE ARE CSA CCSK AND STAR CERTIFIED.

SERVICES

CLOUD SECURITY

CYBER SECURITY

SECURITY and COMPLIANCE

THREAT and VULNERABILITY

Page 3: Simplifying Security for Cloud Adoption - Defining your game plan


CHALLENGE AND RESPONSE

CHALLENGE

• Lots of guidance, advice, horror stories, reasons to move to the cloud and reasons not to move to the cloud!

• Organisations get hung-up on myths, perception and other organisations’ stories, albeit good or bad.

RESPONSE

• Simple guidance to help you define YOUR ‘Game’ plan that fits your organisation to move to the cloud.

• 10 simple and practical steps to ensure that you don’t overcomplicate the initiative.

Page 4: Simplifying Security for Cloud Adoption - Defining your game plan


TEN SIMPLE STEPS

01 Scope

02 Why?

03 Why Not?

04 Review

05 Assess Criticality

06 80 / 20 Principle

07 Threat Modelling

08 Define Requirements

09 Choose Solutions

10 Engage and Demand

Page 5: Simplifying Security for Cloud Adoption - Defining your game plan


TEN SIMPLE STEPS

Your game plan for secure cloud adoption

Migrating to the cloud securely needn’t be complicated. By following ten simple steps before engaging cloud service providers (CSPs) you can take a clear-headed approach to migration and avoid becoming bogged down in detail.

Next month at CSA Congress EMEA 2015, I’ll be explaining how to develop a winning cloud adoption game plan in detail and the checklist below highlights the key points forming the basis of my presentation.

These ten steps will help you define your adoption strategy, highlight key requirements and make the right decisions about processes and business and technical controls. Read on to discover if your organisation is match-fit for cloud adoption.

Simplified Security for Cloud Adoption - Define your game plan www.iacs-llp.com

Information Assurance Consulting Services

01 Scope
Start by determining the scope of the task ahead. Identify the systems and applications you want to migrate to the cloud and the practical implications of doing so. This will form the basis of your strategy and help you focus on priorities.

02 Why?
Ask yourself why you’re migrating your chosen application or systems to the cloud and stop to sense-check your decisions. We recommend a maximum of five key objectives.

03 Why not?
List your top five concerns in relation to the objectives you’ve chosen. It’s likely these will be predominantly security-related, but also consider factors such as availability, cost of migration, and additional resource needed.

04 Review
Review steps 1 to 3 and ensure the objectives and concerns you’ve examined are directly relevant to the project scope. This will help you retain focus on what’s critical to your organisation.


Page 6: Simplifying Security for Cloud Adoption - Defining your game plan


TEN SIMPLE STEPS

05 Assess criticality
Next, assess the criticality of your assets. We recommend implementing a 1 to 3 score based on low, medium or high criticality, then assigning it at an application estate level. This will enable you to categorise assets in batches. For example, a market analysis application estate might include fifteen individual assets, all of which can be covered by assigning them the same level of criticality.

06 Apply the 80 / 20 Principle
It’s likely that 80% of your risk is generic across your estate and therefore, as all assets have the same criticality, they should be treated similarly. The remaining 20% is specific and bespoke to your cloud migration and requires more time and effort. By segmenting your assets into these two groups and applying the same level of security to each, you can safeguard all of your assets efficiently and cost-effectively.

07 Threat modelling
By identifying the specific threats other organisations in your sector or industry have faced, you can define the right type of countermeasures to protect your organisation. The Cloud Security Alliance, PwC and Verizon all publish reliable, industry-specific research on a regular basis, providing you with a robust starting point for threat modelling.

08 Define requirements
Define your key security requirements based on the output of the threat modelling you’ve conducted. Firstly, ensure you can mitigate the 80% of generic security risks, but concentrate time and resources on guarding against the 20% of cloud-specific threats.

09 Choose solutions
Next, match specific controls to your requirements. Not all of these will be technical and you may be able to overcome challenges with existing or new processes. Equally, new hires may be necessary. Before investing in people or technology, ensure these will enable you to deliver the specific benefits identified within the scope of your project.

10 Engage and demand
Now you’ve got a game plan, you’re ready to kick off your cloud migration. Equipped with the knowledge gained over the course of this process, you’re prepared to engage cloud service providers and demand the technical and process controls that are right for your organisation.

Your game plan for secure cloud adoption.

Simplified Security for Cloud Adoption - Define your game plan www.iacs-llp.com

Learn how to implement these steps effectively by attending my presentation at CSA Congress EMEA 2015 on 17 November. I’ll be speaking at 14:00 during Track 2: Strategies, Governance, Risk Management.

SUMMARY - Don’t assess criticality in detail. Understand at a high level the different levels of data within the scope. Take the whole application environment and apply the same criticality to the estate. Save time, money and reduce complexity in design, implementation and operations.

• Understand your application data
Assess what data resides in your application environment based on Confidentiality, Integrity and Availability ratings. Use a scoring system which will aid this analysis.

• Understand your selected criticality level
Aggregate the ratings (ratings equal L, M or H) to an overall average rating and ensure that you understand why you have come to the overall rating. Review this to ensure that you are comfortable with it.

• Assign an application-wide criticality
Once you have an overall criticality rating you need to assign the whole application this criticality rating. For example, if the overall rating is high then you will be designing, implementing and operating this application to a high level of security.
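The scoring described in the three bullets above (L / M / H ratings for Confidentiality, Integrity and Availability per data item, a 1 to 3 score, an overall average rating, and one criticality assigned to the whole application estate), worked through in Python as an added example. This is not code from the presentation or from IACS; the market analysis data items, the fifteen asset names and the decision to round a .5 average upwards are constructed assumptions. Besides the average, the result keeps the highest single rating and the items rated above the overall level, which is the information a reviewer needs to "understand why you have come to the overall rating" before accepting it: averaging can hide a single High dataset among many Low ones.

```python
"""Estate-level criticality scoring for the ten-step game plan.

Added example (not from the presentation or IACS). Each data item is rated
L / M / H for Confidentiality, Integrity and Availability, each rating maps
to a 1-3 score, the scores are averaged to one overall rating, and that
rating is then assigned to every asset in the application estate.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List

LEVEL_SCORE = {"L": 1, "M": 2, "H": 3}   # the 1 to 3 score from the deck
SCORE_LEVEL = {1: "L", 2: "M", 3: "H"}


@dataclass(frozen=True)
class DataItem:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def scores(self) -> List[int]:
        """Return the C, I, A scores; rejects anything that is not L, M or H."""
        out = []
        for rating in (self.confidentiality, self.integrity, self.availability):
            if rating not in LEVEL_SCORE:
                raise ValueError(f"{self.name}: rating must be L, M or H, got {rating!r}")
            out.append(LEVEL_SCORE[rating])
        return out


def score_to_level(score: float) -> str:
    """Map an average score back to L/M/H. Assumption: a .5 average rounds up,
    erring towards the higher protection level rather than banker's rounding."""
    return SCORE_LEVEL[min(3, max(1, int(score + 0.5)))]


def assess_application(items: Iterable[DataItem]) -> Dict[str, object]:
    """Aggregate every C/I/A rating in the application into one overall rating,
    plus the evidence a reviewer needs to judge whether that rating is sensible."""
    items = list(items)
    if not items:
        raise ValueError("no data items to assess")
    per_item = {item.name: item.scores() for item in items}
    all_scores = [s for scores in per_item.values() for s in scores]
    average = mean(all_scores)
    overall = score_to_level(average)
    return {
        "average": average,
        "overall": overall,
        "highest": SCORE_LEVEL[max(all_scores)],
        "by_dimension": {
            "confidentiality": mean(s[0] for s in per_item.values()),
            "integrity": mean(s[1] for s in per_item.values()),
            "availability": mean(s[2] for s in per_item.values()),
        },
        # Items whose top rating exceeds the overall level: candidates for the
        # "specific" assets that later get their own focused risk assessment.
        "above_overall": [
            name for name, scores in per_item.items()
            if max(scores) > LEVEL_SCORE[overall]
        ],
    }


def assign_estate_criticality(assets: Iterable[str], overall: str) -> Dict[str, str]:
    """Step 05: give every asset in the estate the same application-wide rating."""
    return {asset: overall for asset in assets}


# Constructed sample: a market analysis application estate (names are invented).
MARKET_ANALYSIS_DATA = [
    DataItem("market feeds", "L", "M", "H"),
    DataItem("customer positions", "H", "H", "M"),
    DataItem("analyst reports", "M", "M", "L"),
    DataItem("public indices", "L", "L", "L"),
]
MARKET_ANALYSIS_ASSETS = [f"mkt-asset-{n:02d}" for n in range(1, 16)]  # fifteen assets


if __name__ == "__main__":
    result = assess_application(MARKET_ANALYSIS_DATA)
    print(f"average {result['average']:.2f} -> overall {result['overall']}, "
          f"highest single rating {result['highest']}")
    print("items rated above the overall level:", result["above_overall"])
    estate = assign_estate_criticality(MARKET_ANALYSIS_ASSETS, result["overall"])
    for asset, level in estate.items():
        print(f"  {asset}: {level}")
```

With the constructed data the twelve ratings average to 1.83, so the whole estate lands on M, yet two items carry an H rating; listing those alongside the average is what lets the reviewer decide whether M is acceptable or whether the estate should be treated as H, and it already hints at which assets belong in the specific 20% handled in the later steps.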

Page 7: Simplifying Security for Cloud Adoption - Defining your game plan


TEN SIMPLE STEPS

SUMMARY - The 80 / 20 principle (from the BSI-IT Grundschutz) is about accepting that 80% of your risks and/or threats are generic across the company and in most cases across industries. The 20% is specific to your organisation and/or application. So instead of spending money performing a detailed risk assessment across your environment, implement the generic controls that cover 80% of your risk.


• Group your assets by type
Grouping your assets by type (e.g., a Windows server group and a Unix server group) enables you to review these assets generically, saving time and effort.

• Determine the generic threats that are applicable
Generically determine the threats that your assets may be exposed to. This should be based on a standard threat/risk framework (use BSI IT Grundschutz / CSA CCM).

• Identify the generic controls that are applicable
Generically identify the controls that must be applied based on a standard control framework (use BSI IT Grundschutz / CSA CCM).

Page 8: Simplifying Security for Cloud Adoption - Defining your game plan


TEN SIMPLE STEPS

SUMMARY – You have identified the generic threats and now need to focus on the assets that you identified as specific. These are the assets that you believe are different or core and that you wish to protect further. Carry out a risk assessment on these assets to ensure that the threats and necessary control measures are appropriate. Doing a small risk assessment instead of a large one has again reduced complexity, time and cost.

• Identify the specific assets that need more protection
Identify the assets that you believe are different and are not generic. They may be normal assets that you believe are core to your business and need further protection.

• Determine the specific threats through a risk assessment
Carry out a risk assessment to identify the additional threats / risks that you believe these assets may be exposed to. This risk assessment is focused on a smaller scope, therefore reducing the cost, time and complexity of such an assessment.

• Identify the specific controls required
Identify the additional controls that are appropriate from a control framework such as CSA CCM, a regulatory framework or an industry standard framework.


Page 9: Simplifying Security for Cloud Adoption - Defining your game plan


TEN SIMPLE STEPS


Page 10: Simplifying Security for Cloud Adoption - Defining your game plan

QUESTIONS? WWW.IACS-LLP.COM