Security: Enabling the Journey to the Cloud

1Copyright © 2016 Capgemini and Sogeti – Internal use only. All Rights Reserved.
Security: Enabling the
Journey to the Cloud
Andy Powell
VP UK Cybersecurity - Capgemini
Doug Davidson
UK CTO for Cybersecurity- Capgemini

2Copyright © 2016 Capgemini and Sogeti. All Rights Reserved.
Securing the Journey to the Cloud | #CWIN16 Sept 2016
Agenda
 Cloud Security Overview
 Cloud Security Challenges
 Cloud Security Transformation
 Lessons and takeaways
 Q&A

Countering the Threat – ‘a truly Medieval Approach’
…with Cloud Services, where’s the perimeter now?
Once we knew where the Enterprise boundary was...

Adopting cloud requires an organization to rethink security to effectively safeguard assets and data
 Leasing computing power in the cloud, sharing the
security responsibility with CSPs
 Utilising an ecosystem of cloud security solution
providers
 No customization of solutions, shift to informed
selection upfront
 Control moved to the business users (end-point
devices) and partners (servers)
 Identity and Access Management in the Cloud
(IDaaS) as key control and business enabler for
organisations
 Focus on Shared Responsibility and holistic risk
management to prioritise mitigation actions
 Cloud aligned policies and procedures aligned with
the shared responsibility model
Traditional Enterprise IT Cloud
 Building and maintaining IT and Security
capabilities in-house
 Working with a selective group IT and Security
suppliers
 In house developed systems or far reaching
customisation of commercial packages
 IT having direct control on all assets, data and
devices
 Identity and Access Management as one of the
control elements in the Security Managers toolkit
 Focus on vulnerability and patch management
from a product perspective
 Policies and procedures tailored to an in-house IT
landscape
Hybridised Enterprise/Cloud services will be here for some time to come..

CloudSupplierManages
CustomerManages
Applications
Data
Virtualization
Runtime
Middleware
O/S
Servers
Storage
Networking
Applications
Data
Virtualization
Runtime
Middleware
O/S
Servers
Storage
Networking
Applications
Data
Virtualization
Runtime
Middleware
O/S
Servers
Storage
Networking
Applications
Data
Virtualization
Runtime
Middleware
O/S
Servers
Storage
Networking
On-Premises
Infrastructure
(as a Service)
Platform
(as a Service)
Software
(as a Service)
Information and Data Protection
Identity & Access Management
Governance Risk & Compliance
CustomerManages
CustomerManages
CustomerManages
Shared Responsibility – The New Paradigm
Governance, Risk and Compliance, Identity & Access Management and Information & Data Protection will always be
the responsibility of the data owner

With Cloud Services, Identity is literally the Key…
Identity Management is always the responsibility of the data
owner. This is never shared or outsourced
An IDAM Strategy must be in place to reduce potential Cloud
Identity security issues
Enterprise Identity management reviews and remediation
should be undertaken prior to adopting Cloud Services
Federation or replication of existing Enterprise Identity’s into
the Cloud can introduce a significant risk
Many organisations already have extensive issues within their
existing Enterprise Identity Management systems

Data and Information Protection
Data assets and Information Protection are always the
responsibility of the data owner. This is never shared or
outsourced
Robust automated Security tools and controls must be used
to control, monitor and alert over data access, usage, release
and destruction
Staff Education and Awareness and ongoing guidance is
critical to support new ways of secure working
The organisations data types, use cases and security risk
management approaches must be published in an agreed Data
Handling Model (DHM).
Organisations must create a Cloud Security Strategy and align
their existing IT Security Strategy to this
Data
Sensitivity
Create Store
Use
ShareArchive
Destroy
Assure information assets
throughout the data Lifecycle

Currently this is a Layered Cake approach...
• Still an emergent area in Cloud Services
• Demonstrating Cloud Service Provider compliance is still a
challenge for regulated industries
• SOC, SIEM, GRC Integration is challenging
• Poor Platform integration (generic API’s etc)
• Cloud Service Provider Logs and reports
• Generally individually tailored
Governance, Risk & Compliance
Governance Risk and Compliance is always the
responsibility of the data owner. This is never shared or
outsourced.
Additional security controls and services may be required to
demonstrate assurance over and above that supplied by the
Cloud Service Provider

Enforcing Security across the Enterprise and Cloud
Design security in from the outset:
• AD remediation prior to Migration/Federation
• Network design and connectivity
• Secure Apps design and Testing
• Managed Platform and Tennant Configurations
• Virtual Firewalls, Micro-Segmentation, IRM, DLP, etc
• No Loss Encryption, HSM’s, Tokenisation, etc
• Cloud Access Security Brokers (CASB)
• API monitoring, regulation and control
• Shadow IT & Cloud Discovery
Enterprises have Gateway security Services … Cloud based
services don’t..
Automated Security tools and controls must be used to
protect, control and alert on data usage
Business Use Cases - design supportive security around
current and projected business needs
Cloud Access Security
Broker
Cloud Apps
Protected
Cloud traffic
Cloud traffic logs
Cloud
Discovery
App
connectors
Your organization from any location
Firewalls
Proxies
API

Cloud Security Transformation

Cloud Security Transformation Lifecycle
ProcurePrepare
Operate & Monitor
Transform &
Recycle
Implement
& Orchestrate
CCSRMCSRM
• Oversight and Management
• Service Management
• Supplier Management
• High Level Architecture
• Low Level Architecture
• Technical Implementation
• Testing & Integration
• Contract Review
• Technology Gap
Analysis
• SLA negotiation
• Scaling Plan
• Cloud Security
Reference Model
• Security Strategy
• Risk Assessment
• Control Framework
• Technology Roadmap
•Whitespot Analysis
•Framing & Vendor
Selection
•Value Prototype
Cloud Security Transformation to the Cloud is the same for every company but with different starting points
and ambition levels

The Cloud Security Reference Model (CSRM)
Our CSRM identifies 14 key information security control domains that are
Essential to ensuring that cloud services are consumed and managed in a secure manner.
Company Security
BaselineCloud Service Provider Security
Baseline
Cloud Security Baseline
Responsive
Security
Management
Secure Application
Development
Threat & Vulnerability Management
Information & Data Protection
Security Monitoring Services
Cloud Supplier Management
Change
Management
Secure
Development
Security Testing
IR & Crisis
Management
Disaster Recovery &
BCM
Legal & Electronic
Discovery
Training & Awareness

Prepare
Define Customer
Security Baseline
Define CSP
Security Baseline
Define new Cloud
Security Baseline
for the service(s)
 Review:
 Security strategy
 Information Protection
requirements
 Current compliance regime
 Create:
 Revised Cloud Security
Strategy
 Data classification and asset
inventory
 High Level Target
Architecture
 Risk Register and align
Control frameworks
 Security Capabilities
Catalogue
 Review:
 CSP Platform Infrastructure security
 Physical and environmental security
 Security incident procedures & plans :
Contingency planning and disaster
recovery policies and procedures, etc
 Security of data storage, transmission,
residency and audit controls
 Gap Assessment
 CSP v’s Customer Baseline
 Create New:
 Security Reference Model
 Cloud Security Strategy
 Risk Assessment model
 Control Framework
 Data Handling Model
 Cloud Security Target
Operating Model
 Technology Roadmap

14
Securing the Journey to the Cloud | 2016
Copyright © 2016 Capgemini and Sogeti. All Rights Reserved
Procure
Depth of analysis and alignment to enable Leadership decisions
White Spot Analysis IT
driven research
 Identifies and evaluates
leading security solutions
 Long-list to shortlist
 Output: IT target
application
recommendation.
Framing
 Vendor driven functional
demonstrations
 Engages business
stakeholders to assess
solution fit
 Develops initial view of roll
out options & value
 3 short-listed solutions
 Output: Aligned business
and IT recommendation
Value Prototyping
 Business driven validation
 Based on Business, IT and
program proof points
 Involves a working prototype
showcasing real customer
scenarios and data
 Confirms program strategy
and business case
 1 solution
 Output: Aligned business and
IT decision with Executive
sign off

15
Implement & Orchestrate
 Identify Shadow IT cloud services
 Evaluate and select cloud services that meet security and
compliance requirements using a registry of cloud services and
their security controls
 Protect enterprise data in the cloud by preventing certain types
of sensitive data from being uploaded, and encrypting and
tokenizing data
 Identify threats, malware, viruses and potential misuse of cloud
services
 Enforce and monitor Enterprise GRC policies and practices in
cloud services
 Enforce differing levels of data access, Apps utilisation and cloud
service functionality based on the user, the user’s device,
location, and operating system
Enterprise
SaaS
IaaSManaged
Security
Provider (MSP)
Ensuring
visibility
Data Security
Regulatory & policy
compliance
Threat
protection

16
Operate & Monitor
 A centralised view of all cloud services is best practice, providing a
single pane of glass to manage and monitor service delivery against
business need and defined security requirements
 Visibility is key to deal with evolving threats and maintaining control
 Enterprise wide security must be kept, irrespective of Cloud provider,
service or application
 The security operation and monitoring aspects must also be flexible
enough to adapt in an agile and extensible way to support business
need.
 e.g. use of pre-defined “templated” cloud security controls that
can be implemented at short notice to respond to recognised or
potential business use-cases
Operating in the Cloud brings the need to control and monitor
the various Cloud service providers and applications:

17
Transform & Recycle
 Sun setting of end-of-life applications which are unsecure or no
longer meet the business needs
 Sun setting of security applications or services which do not meet
security objectives or do not deliver sufficient protection
 Identification of next generation solutions which will improve cloud
security
 Update and reuse of effective standards and practices
 Compliance with legal data retention requirements – both in current
and successor cloud offerings
 Secure migration of services to new cloud offerings
 Secure migration/deletion/archiving of data retained in existing or
legacy cloud services
 Update, reuse and integration of effective supporting security
services (e.g. CASB)
Transformation and migration to new applications and platforms
requires:

18
Lessons Learned
Understand the changed risks landscape1
Rethink your existing Security Strategy to address this
and shared responsibility model with the Cloud Security
Provider (CSP)
2
Align disparate security initiatives under one uniform
Information Security Strategy3
Align the revised Information Security Strategy with the
overall Cloud Strategy of the organization4
Build the Cloud Security Target Operating Model5
Plan for change with a Cloud Security Transformation
Roadmap6
Procure and implement appropriate technical controls7
Monitor, Manage, Revise and maintain…8

19
Cloud Services Security is Possible!
Any
Questions?

Contact information
Andy
Powell
Head of Cybersecurity BD/Sales UK
andy.powell@capgemini.com
Doug
Davidson
Head of Cloud Security Offers
& UK Cyber Security CTO
doug.davidson@capgemini.com
Partnership House
Hollingswood road
Central park
Telford
TF29TZ
Insert contact
picture
Insert contact
picture

Security: Enabling the Journey to the Cloud

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Security: Enabling the Journey to the Cloud (20)

More from Capgemini (20)

Recently uploaded (20)

Security: Enabling the Journey to the Cloud