• Are my current security processes and controls sufficient if we were to adopt the cloud?
• Should we adopt a security framework? If so, when and how?
• How do we know if cloud vendors will comply with our regulatory requirements?
• Perform a controls assessment to identify control gaps which may expose your organization to additional risks.
• Evaluate compliance requirements and determine if they are being addressed adequately by the cloud vendor and the company.
• Provide education to the audit committee on risks associated with the cloud.
• What environment is right for my company – private, public, hybrid?
• Which vendors are players in this space? Will they be in business a year from now?
• Do we have any requirements prohibiting our company data from being stored in certain jurisdictions?
• Evaluate implementation activities for adherence to the company’s SDLC, project management, and change management methodologies.
• How do we stay secure and ensure expected controls are operating if someone else is running/managing our computers and software?
• How will the cloud vendors control access to our data? How do we know they will not abuse that access?
• Can we perform audits of the vendor’s environment?
• Assess vendor internal controls so they meet your needs – review policies, vulnerability and pen test results, and SSAE 16 reports.
• Understand where your data is physically stored.
• Assist with “right to audit” contract requirements.
Service Models
Infrastructure as a Service (IaaS): the vendor provides physical computer hardware including CPU processing, memory, data storage, and network connectivity.
Platform as a Service (PaaS): the vendor provides Infrastructure as a Service plus operating systems and server applications such as web servers.
Software as a Service (SaaS): the vendor uses its cloud infrastructure and cloud platforms to provide customers with software applications.

Deployment Models
Public Cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Private Cloud: the cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.
Community Cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
Hybrid Cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Background
https://cloudsecurityalliance.org/

Affiliate Members

Corporate Members

Control Domains
• Datacenter Security
• Governance and Risk Management
• Threat and Vulnerability Management
Framework Comparison: ISO (27000 Series) vs. NIST Cybersecurity Framework (CSF)

Framework background
  ISO (27000 Series)
  • Provides a broad information security framework that can be applied to all types and sizes of organizations and across industries.
  • Broken up into different sub-standards based on the content.
  NIST Cybersecurity Framework (CSF)
  • Regulatory agency of the United States Department of Commerce.
  • Initially intended for U.S. companies that are considered part of critical infrastructure.
  • http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Criterion                                                         ISO (27000 Series)   NIST CSF
(label missing)                                                   Yes                  No
(label missing)                                                   Yes                  Yes
Methodology on how to implement cybersecurity in an organization  Yes                  Yes
(label missing)                                                   No                   Yes
Applicable to all industries                                      Yes                  Yes
(label missing)                                                   Yes                  No
Framework consists of domains                                     Yes                  Yes
Implementation complexity                                         High                 Medium
Number of controls                                                114                  98