KPMG's cloud security poster - print it on A3 format or bigger and use it as a handy checklist
Orchestrating the Cloud: Security & Privacy
Areas of importance and key questions

Business challenges in the cloud
• Security & Privacy
• Governance
• Operations
• Finance & Tax
• Vendors
• Assurance

Cloud services ecosystem
Customer organisation | Third party (cloud) vendor | Cloud service provider | Data centre | Network | Mobile use | Online identities
• Are there any third party vendors involved which could potentially impact the level of security?
• What level of assurance do third parties offer the primary cloud service provider concerning security and privacy?
• What security measures are taken between various cloud platforms?
• What degree of transparency is offered?
• What is the reputation/track record of the cloud service providers within the ecosystem concerning security and privacy?
• How is the entire cloud ecosystem governed by the customer?

External data processing and storage
• How does the provider isolate and segregate the customer's data?
• What measures are taken to secure the data at rest and in transit?
• What type of encryption is supported and who manages the encryption keys?
• What measures are taken to ensure the availability of data?
• What jurisdiction applies to the provider and the customer's data; does this conflict with local laws and directives?
• What data deletion/destruction policies are followed?
• How have the cloud services been secured physically?

Outsourced control
• How does the provider isolate and segregate the customer's IT services?
• What (real-time) monitoring and logging functionalities are in place?
• How is security embedded in the provider's organisation (secure development, security testing, security monitoring)?
• What are the provider's security incident response mechanisms?
• To what standards has the service been certified (e.g. ISO 27001)?
• How does the provider support forensic analysis by independent researchers?
• Are cloud services bypassing internal security controls?

Identity & Access Management
• What identity stores (directories/repositories) are in use; which parties are managing these identity stores?
• How does the customer organisation maintain single sign-on?
• Is strong (multi-factor) authentication provided in the cloud; which protocols are supported?
• How can the internal IAM be integrated with multiple cloud services; can user accounts and permissions be (de)provisioned properly?
• Who has access to the customer's data; what mitigations are in place to prevent misuse by system administrators?

Proliferation of mobile devices
• What mobile devices are used to access and process business data?
• What is the degree of control over these devices (from BYOD to enterprise-owned devices)?
• What security mechanisms are in place in case of theft/loss?
• What security mechanisms are applied to the (mobile) network(s)?
• Are business users adequately educated/informed on the secure use of mobile devices, including the use of mobile apps?
• How is access to business applications from uncontrolled end-points secured?

Regulatory pressure
• Data privacy directive
• Basel
• Solvency
• SOx
• PCI DSS

Licence to operate
• Which (local, international) laws, rules and directives apply to the customer organisation?
• Which IT services are in scope of regulatory compliance; what is the role of information security?
• What data is subject to privacy laws and rules?
• What level of (public) disclosure of incidents is required by law?
• What is the current level of compliance?
• What is the impact of outsourcing to external providers, in particular with regard to public cloud computing?

Readiness for the cloud
• What is the criticality of the business data (intellectual property, privacy-sensitive data)?
• What controls are defined and how are these controls implemented?
• What are the organisation's policies regarding outsourcing in general and public cloud computing in particular?
• What services are/will be moved to the cloud?
• Is the IT department in control of purchasing of cloud services by the business?
• Does the cost of security and privacy justify a move to the cloud?

Cyber arms race
• What is the current threat landscape; how is this being monitored?
• What types of threats are applicable; what are the attack trends?
• Which data/services are prone to attacks?
• What are the current/near-future vulnerabilities?
• What are the weaknesses within the supply chain?
• Have the relevant use cases been identified, including identity theft and social engineering?
• Do the existing measures take relevant threats into account?
• What in-depth expertise is required with regard to the cloud?

Threats
• Organised cybercrime
• Online espionage
• Internal computer fraud
• Hacktivism
• State-backed cyber attacks

Key contacts
John Hermans | Partner | T: +31 6 51366389 | E: [email protected]
Mike Chung | Senior Manager | T: +31 6 14559916 | E: [email protected]