#CLOUDSEC
The cloud landscape
Source: https://steveblank.files.wordpress.com/2011/02/bessemercloudscape.jpg
Cloud opportunities
• Flexibility
• On-demand Services
• Rapid Deployment
• Automation
• Scalability
• Availability
• Lower TCO
Cloud challenges
• Talent & Expertise
• Security
• Managing Multiple Services
• Compliance
• Cost Management
• Governance and Control
• Integration
The classic contracts
• Requirements
• Evaluations
• Selection
• Deployment
• Adoption
• Optimisation
• Renewal
Cloud service model
• Standalone services
• SLA based services model
• Business workflow integration
• Legacy infrastructure integration
• Data protection and management
Source: https://www.simple-talk.com/iwritefor/articlefiles/cloud/2011/11/cloud-service-model.png
Organisational implications
• Clarity around scope and the primary motivation of moving to the cloud
• Changes to governance models and decision making
• Knowledge of cloud architecture, virtualization, multiple technology platforms
• Challenge of standardised processes supporting seamless integration across multiple systems
• Changing skillset from technology management to vendor management
• Upskilling on effective cloud-based systems management
Controls and Questions
• 16 Control Domains
• 133 Control Areas
• 295 Supporting Questions
• Model for enabling active governance
• Enables cloud architecture discussions for business outputs
• Moves cloud decisions from audit assessment to risk based outcomes
Three cloud projects
Global Bank
• IaaS contracts • PaaS contracts • SaaS Contracts
• Finance • HR Services • Collaboration • CRM • Business Intelligence
Complete Set: 295 Questions, 133 Areas, 16 Domains

Healthcare Provider
• IaaS contracts • PaaS contracts • SaaS Contracts
• Finance • HR Services • Collaboration • Document Mgmt. • CRM
295 Questions, 133 Areas, 16 Domains

Government Department
• GovCloud • SaaS Contracts
• Document Mgmt. • Collaboration • CRM
The Twelve
• Data Breaches
• Access Management
• Account Hijacking
• System Vulnerabilities
• Insufficient Due Diligence
• Insecure Interface
• Malicious Insider
• Advanced Persistent Threat
• Tech Vulnerabilities
• Data Loss
• Services Abuse
• Denial of Service