Copyright © 2016 Capgemini and Sogeti – Internal use only. All Rights Reserved.
Security: Enabling the Journey to the Cloud
Andy Powell, VP UK Cybersecurity - Capgemini
Doug Davidson, UK CTO for Cybersecurity - Capgemini
Securing the Journey to the Cloud | #CWIN16 Sept 2016
Agenda
• Cloud Security Overview
• Cloud Security Challenges
• Cloud Security Transformation
• Lessons and takeaways
• Q&A
Countering the Threat – ‘a truly Medieval Approach’
Once we knew where the Enterprise boundary was...
…with Cloud Services, where’s the perimeter now?
Adopting cloud requires an organization to rethink security to effectively safeguard assets and data

| Traditional Enterprise IT | Cloud |
|---|---|
| Building and maintaining IT and Security capabilities in-house | Leasing computing power in the cloud, sharing the security responsibility with CSPs |
| Working with a selective group of IT and Security suppliers | Utilising an ecosystem of cloud security solution providers |
| In-house developed systems or far-reaching customisation of commercial packages | No customisation of solutions, shift to informed selection upfront |
| IT having direct control on all assets, data and devices | Control moved to the business users (end-point devices) and partners (servers) |
| Identity and Access Management as one of the control elements in the Security Manager’s toolkit | Identity and Access Management in the Cloud (IDaaS) as key control and business enabler for organisations |
| Focus on vulnerability and patch management from a product perspective | Focus on Shared Responsibility and holistic risk management to prioritise mitigation actions |
| Policies and procedures tailored to an in-house IT landscape | Cloud aligned policies and procedures aligned with the shared responsibility model |

Hybridised Enterprise/Cloud services will be here for some time to come...
Shared Responsibility – The New Paradigm
[Diagram: Shared Responsibility model. Four stacks, On-Premises, Infrastructure (as a Service), Platform (as a Service) and Software (as a Service), each showing the layers Applications, Data, Virtualization, Runtime, Middleware, O/S, Servers, Storage and Networking, split between “Customer Manages” and “Cloud Supplier Manages”. Moving from On-Premises towards SaaS, more of the stack is managed by the cloud supplier. Across all four stacks the bands Information and Data Protection, Identity & Access Management, and Governance Risk & Compliance remain with the customer.]
Governance, Risk and Compliance, Identity & Access Management and Information & Data Protection will always be the responsibility of the data owner
With Cloud Services, Identity is literally the Key…
• Identity Management is always the responsibility of the data owner. This is never shared or outsourced
• An IDAM Strategy must be in place to reduce potential Cloud Identity security issues
• Enterprise Identity management reviews and remediation should be undertaken prior to adopting Cloud Services
• Federation or replication of existing Enterprise Identities into the Cloud can introduce a significant risk
• Many organisations already have extensive issues within their existing Enterprise Identity Management systems
Data and Information Protection
• Data assets and Information Protection are always the responsibility of the data owner. This is never shared or outsourced
• Robust automated Security tools and controls must be used to control, monitor and alert over data access, usage, release and destruction
• Staff Education and Awareness and ongoing guidance is critical to support new ways of secure working
• The organisation’s data types, use cases and security risk management approaches must be published in an agreed Data Handling Model (DHM).
• Organisations must create a Cloud Security Strategy and align their existing IT Security Strategy to this
[Diagram: data lifecycle, Create, Store, Use, Share, Archive, Destroy, arranged around Data Sensitivity; assure information assets throughout the data lifecycle.]
Governance, Risk & Compliance
Governance Risk and Compliance is always the responsibility of the data owner. This is never shared or outsourced.
Additional security controls and services may be required to demonstrate assurance over and above that supplied by the Cloud Service Provider.
Currently this is a Layered Cake approach...
• Still an emergent area in Cloud Services
• Demonstrating Cloud Service Provider compliance is still a challenge for regulated industries
• SOC, SIEM, GRC Integration is challenging
• Poor Platform integration (generic APIs etc.)
• Cloud Service Provider Logs and reports: generally individually tailored
Enforcing Security across the Enterprise and Cloud
Design security in from the outset:
• AD remediation prior to Migration/Federation
• Network design and connectivity
• Secure Apps design and Testing
• Managed Platform and Tenant Configurations
• Virtual Firewalls, Micro-Segmentation, IRM, DLP, etc.
• No Loss Encryption, HSMs, Tokenisation, etc.
• Cloud Access Security Brokers (CASB)
• API monitoring, regulation and control
• Shadow IT & Cloud Discovery
Enterprises have Gateway security Services … Cloud based services don’t.
Automated Security tools and controls must be used to protect, control and alert on data usage
Business Use Cases: design supportive security around current and projected business needs
[Diagram: a Cloud Access Security Broker sits between “Your organization from any location” (via Firewalls, Proxies and an API) and the Cloud Apps; it carries protected cloud traffic, consumes cloud traffic logs for Cloud Discovery, and integrates with the apps through App connectors.]
Cloud Security Transformation
Cloud Security Transformation Lifecycle
[Diagram: lifecycle phases Prepare, Procure, Implement & Orchestrate, Operate & Monitor, and Transform & Recycle, arranged around the Cloud Security Reference Model (CSRM). Activity groups shown on the diagram:]
• Security Strategy • Risk Assessment • Control Framework • Technology Roadmap
• Whitespot Analysis • Framing & Vendor Selection • Value Prototype
• High Level Architecture • Low Level Architecture • Technical Implementation • Testing & Integration
• Oversight and Management • Service Management • Supplier Management
• Contract Review • Technology Gap Analysis • SLA negotiation • Scaling Plan
• Cloud Security Reference Model
The Cloud Security Transformation journey is the same for every company, but with different starting points and ambition levels
The Cloud Security Reference Model (CSRM)
Our CSRM identifies 14 key information security control domains that are essential to ensuring that cloud services are consumed and managed in a secure manner.
• Governance Risk & Compliance
• Company Security Baseline
• Cloud Service Provider Security Baseline
• Cloud Security Baseline
• Responsive Security Management
• Secure Application Development
• Identity & Access Management
• Threat & Vulnerability Management
• Information & Data Protection
• Security Monitoring Services
• Cloud Supplier Management
• Change Management
• Secure Development
• Security Testing
• IR & Crisis Management
• Disaster Recovery & BCM
• Legal & Electronic Discovery
• Training & Awareness
Prepare
Define Customer Security Baseline
• Review: Security strategy; Information Protection requirements; Current compliance regime
• Create: Revised Cloud Security Strategy; Data classification and asset inventory; High Level Target Architecture; Risk Register and align Control frameworks; Security Capabilities Catalogue
Define CSP Security Baseline
• Review: CSP Platform Infrastructure security; Physical and environmental security; Security incident procedures & plans; Contingency planning and disaster recovery policies and procedures, etc.; Security of data storage, transmission, residency and audit controls
Define new Cloud Security Baseline for the service(s)
• Gap Assessment: CSP vs Customer Baseline
• Create New: Security Reference Model; Cloud Security Strategy; Risk Assessment model; Control Framework; Data Handling Model; Cloud Security Target Operating Model; Technology Roadmap
Procure
Depth of analysis and alignment to enable Leadership decisions
White Spot Analysis
• IT driven research
• Identifies and evaluates leading security solutions
• Long-list to shortlist
• Output: IT target application recommendation
Framing
• Vendor driven functional demonstrations
• Engages business stakeholders to assess solution fit
• Develops initial view of roll out options & value
• 3 short-listed solutions
• Output: Aligned business and IT recommendation
Value Prototyping
• Business driven validation
• Based on Business, IT and program proof points
• Involves a working prototype showcasing real customer scenarios and data
• Confirms program strategy and business case
• 1 solution
• Output: Aligned business and IT decision with Executive sign off
Implement & Orchestrate
• Identify Shadow IT cloud services
• Evaluate and select cloud services that meet security and compliance requirements using a registry of cloud services and their security controls
• Protect enterprise data in the cloud by preventing certain types of sensitive data from being uploaded, and encrypting and tokenizing data
• Identify threats, malware, viruses and potential misuse of cloud services
• Enforce and monitor Enterprise GRC policies and practices in cloud services
• Enforce differing levels of data access, Apps utilisation and cloud service functionality based on the user, the user’s device, location, and operating system
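As an added illustration (not part of the deck or of any Capgemini tooling), the Python sketch below shows the Shadow IT discovery step described above: constructed proxy log lines are matched against a constructed registry of cloud services and their security controls, and unknown or unsanctioned destinations, large uploads, and uploads to services without encryption at rest are raised as findings. The hostnames, registry attributes, log lines and upload threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed registry of cloud services and their security controls.
# Hypothetical hosts and attributes; a real CASB/cloud registry feed would supply these.
SERVICE_REGISTRY = {
    "storage.example-sanctioned.com": {
        "name": "SanctionedDrive", "sanctioned": True, "encryption_at_rest": True},
    "share.example-shadow.io": {
        "name": "ShadowShare", "sanctioned": False, "encryption_at_rest": False},
}

# Constructed proxy log lines: timestamp, user, method, destination host, bytes sent.
PROXY_LOG = """\
2016-09-20T09:01:02Z alice PUT storage.example-sanctioned.com 524288
2016-09-20T09:03:15Z bob POST share.example-shadow.io 73400320
2016-09-20T09:04:40Z carol GET unknown-app.example.net 1200
2016-09-20T09:05:01Z bob POST share.example-shadow.io 2097152
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # per-request upload alert level (constructed policy)
UPLOAD_METHODS = ("POST", "PUT")

def discover(log_text, registry=SERVICE_REGISTRY):
    """Return (findings, upload_bytes): findings are (ts, user, host, reason) tuples,
    upload_bytes totals bytes sent per (user, host) so bulk data movement stands out."""
    findings = []
    upload_bytes = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        ts, user, method, host, sent = m.groups()
        sent = int(sent)
        entry = registry.get(host)
        if entry is None:  # Shadow IT candidate: no registry record at all
            findings.append((ts, user, host, "unknown service, not in registry"))
            continue
        if not entry["sanctioned"]:
            findings.append((ts, user, host, "unsanctioned service " + entry["name"]))
        if method in UPLOAD_METHODS:
            upload_bytes[(user, host)] += sent
            if sent >= UPLOAD_THRESHOLD:
                findings.append((ts, user, host, "large upload of %d bytes" % sent))
            if not entry["encryption_at_rest"]:
                findings.append((ts, user, host, "upload to service lacking encryption at rest"))
    return findings, dict(upload_bytes)
```

Unknown hosts are reported once and not counted as uploads, since no control information exists for them until they are added to the registry.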
[Diagram: the Enterprise connected to SaaS and IaaS services and a Managed Security Provider (MSP); capabilities shown: Ensuring visibility, Data Security, Regulatory & policy compliance, Threat protection.]
Operate & Monitor
Operating in the Cloud brings the need to control and monitor the various Cloud service providers and applications:
• A centralised view of all cloud services is best practice, providing a single pane of glass to manage and monitor service delivery against business need and defined security requirements
• Visibility is key to dealing with evolving threats and maintaining control
• Enterprise-wide security must be kept, irrespective of Cloud provider, service or application
• The security operation and monitoring aspects must also be flexible enough to adapt in an agile and extensible way to support business need, e.g. use of pre-defined “templated” cloud security controls that can be implemented at short notice to respond to recognised or potential business use-cases
Transform & Recycle
Transformation and migration to new applications and platforms requires:
• Sun setting of end-of-life applications which are unsecure or no longer meet the business needs
• Sun setting of security applications or services which do not meet security objectives or do not deliver sufficient protection
• Identification of next generation solutions which will improve cloud security
• Update and reuse of effective standards and practices
• Compliance with legal data retention requirements – both in current and successor cloud offerings
• Secure migration of services to new cloud offerings
• Secure migration/deletion/archiving of data retained in existing or legacy cloud services
• Update, reuse and integration of effective supporting security services (e.g. CASB)
Lessons Learned
1. Understand the changed risk landscape
2. Rethink your existing Security Strategy to address this and the shared responsibility model with the Cloud Service Provider (CSP)
3. Align disparate security initiatives under one uniform Information Security Strategy
4. Align the revised Information Security Strategy with the overall Cloud Strategy of the organization
5. Build the Cloud Security Target Operating Model
6. Plan for change with a Cloud Security Transformation Roadmap
7. Procure and implement appropriate technical controls
8. Monitor, Manage, Revise and maintain…
Cloud Services Security is Possible!
Any Questions?
Contact information
Andy Powell, Head of Cybersecurity BD/Sales, [email protected]
Doug Davidson, Head of Cloud Security Offers & UK Cyber Security CTO, [email protected]
Partnership House, Hollingswood Road, Central Park, Telford, TF2 9TZ