Page 1: Security: Enabling the Journey to the Cloud

1Copyright © 2016 Capgemini and Sogeti – Internal use only. All Rights Reserved.

Security: Enabling the Journey to the Cloud

Andy Powell VP UK Cybersecurity - Capgemini

Doug Davidson UK CTO for Cybersecurity- Capgemini

Page 2

Securing the Journey to the Cloud | #CWIN16 Sept 2016

Agenda

• Cloud Security Overview
• Cloud Security Challenges
• Cloud Security Transformation
• Lessons and takeaways
• Q&A

Page 3

Countering the Threat – ‘a truly Medieval Approach’

Once we knew where the Enterprise boundary was...

…with Cloud Services, where’s the perimeter now?

Page 4

Adopting cloud requires an organization to rethink security to effectively safeguard assets and data

Traditional Enterprise IT vs Cloud

1. Traditional: Building and maintaining IT and Security capabilities in-house
   Cloud: Leasing computing power in the cloud, sharing the security responsibility with CSPs

2. Traditional: Working with a selective group of IT and Security suppliers
   Cloud: Utilising an ecosystem of cloud security solution providers

3. Traditional: In-house developed systems or far-reaching customisation of commercial packages
   Cloud: No customisation of solutions; shift to informed selection upfront

4. Traditional: IT having direct control over all assets, data and devices
   Cloud: Control moved to the business users (end-point devices) and partners (servers)

5. Traditional: Identity and Access Management as one of the control elements in the Security Manager’s toolkit
   Cloud: Identity and Access Management in the Cloud (IDaaS) as key control and business enabler for organisations

6. Traditional: Focus on vulnerability and patch management from a product perspective
   Cloud: Focus on Shared Responsibility and holistic risk management to prioritise mitigation actions

7. Traditional: Policies and procedures tailored to an in-house IT landscape
   Cloud: Cloud-aligned policies and procedures aligned with the shared responsibility model

Hybridised Enterprise/Cloud services will be here for some time to come.

Page 5

Shared Responsibility – The New Paradigm

Who manages each layer of the stack, by delivery model:

Layer            On-Premises   Infrastructure    Platform          Software
                               (as a Service)    (as a Service)    (as a Service)
Applications     Customer      Customer          Customer          Cloud Supplier
Data             Customer      Customer          Customer          Cloud Supplier
Runtime          Customer      Customer          Cloud Supplier    Cloud Supplier
Middleware       Customer      Customer          Cloud Supplier    Cloud Supplier
O/S              Customer      Customer          Cloud Supplier    Cloud Supplier
Virtualization   Customer      Cloud Supplier    Cloud Supplier    Cloud Supplier
Servers          Customer      Cloud Supplier    Cloud Supplier    Cloud Supplier
Storage          Customer      Cloud Supplier    Cloud Supplier    Cloud Supplier
Networking       Customer      Cloud Supplier    Cloud Supplier    Cloud Supplier

Customer managed in every model:
• Information and Data Protection
• Identity & Access Management
• Governance Risk & Compliance

The split above is the conventional one; each CSP publishes its own matrix per service, and details such as guest O/S patching and key management vary, so confirm them per service rather than assuming.

Governance, Risk and Compliance, Identity & Access Management and Information & Data Protection will always be the responsibility of the data owner

Page 6

With Cloud Services, Identity is literally the Key…

• Identity Management is always the responsibility of the data owner. This is never shared or outsourced.
• An IDAM strategy must be in place to reduce potential cloud identity security issues.
• Enterprise identity management reviews and remediation should be undertaken prior to adopting cloud services.
• Federation or replication of existing enterprise identities into the cloud can introduce significant risk: stale, over-privileged or misconfigured accounts are carried across with them.
• Many organisations already have extensive issues within their existing enterprise identity management systems.
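The review-before-federation point above is easier to act on with a concrete check. The following is an added example, not tooling from the deck or from Capgemini: it runs a hygiene audit over a directory account export and separates the accounts that are safe to federate from those that need remediation first. The export layout, the group names, the 90-day staleness threshold and the sample accounts are all assumptions constructed for this example; a real AD or LDAP export would be mapped into this shape first.

```python
"""Pre-federation identity hygiene check over a directory account export.

Added example (not from the Capgemini deck): before federating or replicating
enterprise identities into a cloud IdP, flag the accounts that should be
remediated first. The export format and the thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Fixed "today" so the results are stable; a real run would use datetime.now(timezone.utc).
NOW = datetime(2016, 9, 1, tzinfo=timezone.utc)

# Hypothetical export, already mapped into a simple record shape (constructed sample data).
ACCOUNTS = [
    {"sam": "alice", "enabled": True, "last_logon": NOW - timedelta(days=3),
     "pwd_never_expires": False, "groups": ["Staff"], "is_service": False},
    {"sam": "bob", "enabled": True, "last_logon": NOW - timedelta(days=400),
     "pwd_never_expires": False, "groups": ["Staff"], "is_service": False},
    {"sam": "svc_backup", "enabled": True, "last_logon": NOW - timedelta(days=1),
     "pwd_never_expires": True, "groups": ["Domain Admins"], "is_service": True},
    {"sam": "carol", "enabled": True, "last_logon": NOW - timedelta(days=10),
     "pwd_never_expires": True, "groups": ["Domain Admins", "Staff"], "is_service": False},
    {"sam": "dave", "enabled": False, "last_logon": NOW - timedelta(days=900),
     "pwd_never_expires": False, "groups": ["Enterprise Admins"], "is_service": False},
    {"sam": "erin", "enabled": True, "last_logon": None,
     "pwd_never_expires": False, "groups": ["Staff"], "is_service": False},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
STALE_AFTER = timedelta(days=90)   # assumption: no logon for 90 days means stale


def audit_account(acct, now=NOW):
    """Return the list of findings for one account (empty list = clean)."""
    findings = []
    privileged = PRIVILEGED_GROUPS & set(acct["groups"])
    last = acct["last_logon"]
    stale = last is None or (now - last) > STALE_AFTER

    if acct["enabled"] and stale:
        findings.append("stale-enabled")            # do not federate an unused live account
    if acct["pwd_never_expires"] and not acct["is_service"]:
        findings.append("pwd-never-expires")        # human account exempt from rotation
    if privileged and acct["is_service"]:
        findings.append("privileged-service-account")
    if privileged and not acct["enabled"]:
        findings.append("disabled-but-privileged")  # strip group membership, not just disable
    if privileged and acct["enabled"] and stale:
        findings.append("stale-privileged")
    return findings


def federation_readiness(accounts, now=NOW):
    """Split accounts into those safe to federate and those needing remediation.

    Returns (ready, blocked): ready is a list of account names, blocked maps
    account name -> findings. Disabled accounts are never federated but are
    still reported if they retain privileged group membership.
    """
    ready, blocked = [], {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            blocked[acct["sam"]] = findings
        elif acct["enabled"]:
            ready.append(acct["sam"])
    return ready, blocked


if __name__ == "__main__":
    ready, blocked = federation_readiness(ACCOUNTS)
    print("ready to federate:", ready)
    for name, issues in blocked.items():
        print(f"remediate {name}: {', '.join(issues)}")
```

The rules are deliberately conservative: an account is only "ready" when it is enabled and clean, and a disabled account with privileged group membership is still reported, because disabling is not the same as removing the privilege that a later re-enable would restore.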

Page 7

Data and Information Protection

• Data assets and information protection are always the responsibility of the data owner. This is never shared or outsourced.
• Robust automated security tools and controls must be used to control, monitor and alert on data access, usage, release and destruction.
• Staff education and awareness and ongoing guidance are critical to support new ways of secure working.
• The organisation’s data types, use cases and security risk management approaches must be published in an agreed Data Handling Model (DHM).
• Organisations must create a Cloud Security Strategy and align their existing IT Security Strategy to this.

Assure information assets throughout the data lifecycle: Create, Store, Use, Share, Archive, Destroy, with the controls at each stage set by data sensitivity.

Page 8

Governance, Risk & Compliance

Governance, Risk and Compliance is always the responsibility of the data owner. This is never shared or outsourced.

Additional security controls and services may be required to demonstrate assurance over and above that supplied by the Cloud Service Provider.

Currently this is a layered cake approach:
• Still an emergent area in Cloud Services
• Demonstrating Cloud Service Provider compliance is still a challenge for regulated industries
• SOC, SIEM and GRC integration is challenging
• Poor platform integration (generic APIs etc.)
• Cloud Service Provider logs and reports are generally individually tailored, so each provider needs its own normalisation before a SIEM can correlate across them

Page 9

Enforcing Security across the Enterprise and Cloud

Enterprises have gateway security services; cloud-based services don’t, which is the gap a Cloud Access Security Broker fills.

Automated security tools and controls must be used to protect, control and alert on data usage.

Business use cases: design supportive security around current and projected business needs.

Design security in from the outset:
• AD remediation prior to migration/federation
• Network design and connectivity
• Secure apps design and testing
• Managed platform and tenant configurations
• Virtual firewalls, micro-segmentation, IRM, DLP, etc.
• No-loss encryption, HSMs, tokenisation, etc.
• Cloud Access Security Brokers (CASB)
• API monitoring, regulation and control
• Shadow IT & Cloud Discovery

[Figure: Cloud Access Security Broker. Cloud traffic from your organization, from any location, reaches the CASB via firewalls and proxies; cloud traffic logs feed Cloud Discovery; app connectors (API) link the CASB to the cloud apps, which are shown as Protected.]
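Cloud Discovery in the figure above starts from the logs the organisation already has. The following is an added example, not the deck’s or any vendor’s tooling: it parses proxy log lines, maps destination hosts to cloud services through a registry of sanctioned and unsanctioned services, and reports shadow IT by distinct users and bytes sent out. The log line format, the registry contents and the sample lines are constructed assumptions; a real proxy export needs its own parse_line(). The same registry-driven approach is what the later Implement & Orchestrate step means by selecting services "using a registry of cloud services and their security controls".

```python
"""Cloud discovery from proxy logs: find shadow IT before a CASB is in place.

Added example (not from the Capgemini deck). Parses constructed proxy log
lines in an assumed format, maps destination hosts to cloud services via a
registry, and reports services that are not sanctioned.
"""
import re
from collections import defaultdict

# Assumed log format: "<ts> <user> <method> <host> <status> <bytes_out>" (constructed sample).
PROXY_LOGS = """\
2016-09-01T09:00:01Z alice CONNECT app.box.com 200 10240
2016-09-01T09:00:05Z bob CONNECT www.dropbox.com 200 5242880
2016-09-01T09:01:10Z alice CONNECT outlook.office365.com 200 2048
2016-09-01T09:02:00Z carol POST api.dropboxapi.com 200 1048576
2016-09-01T09:03:00Z dave CONNECT drive.google.com 200 20971520
2016-09-01T09:03:30Z erin CONNECT www.dropbox.com 200 4096
2016-09-01T09:04:00Z bob CONNECT pastebin.com 200 8192
this line is malformed and must not crash the parser
2016-09-01T09:05:00Z alice CONNECT intranet.example.internal 200 512
""".splitlines()

# Hypothetical registry: domain suffix -> (service name, sanctioned?).
CLOUD_REGISTRY = {
    "box.com": ("Box", True),
    "office365.com": ("Office 365", True),
    "dropbox.com": ("Dropbox", False),
    "dropboxapi.com": ("Dropbox", False),
    "google.com": ("Google Drive", False),
    "pastebin.com": ("Pastebin", False),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify_host(host, registry=CLOUD_REGISTRY):
    """Longest-suffix match of the host against the registry; None if unknown."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in registry:
            return registry[suffix]
    return None


def discover(lines, registry=CLOUD_REGISTRY):
    """Aggregate usage per cloud service; returns (sanctioned, shadow) dicts."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0, "sanctioned": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed line: skip, do not abort the run
        hit = classify_host(rec["host"], registry)
        if hit is None:
            continue                       # not a known cloud service (e.g. intranet host)
        name, sanctioned = hit
        entry = usage[name]
        entry["users"].add(rec["user"])
        entry["bytes_out"] += rec["bytes"]
        entry["sanctioned"] = sanctioned
    shadow = {n: e for n, e in usage.items() if not e["sanctioned"]}
    sanctioned = {n: e for n, e in usage.items() if e["sanctioned"]}
    return sanctioned, shadow


def shadow_it_report(lines, registry=CLOUD_REGISTRY):
    """Unsanctioned services ordered by bytes sent out, as (name, user_count, bytes_out)."""
    _, shadow = discover(lines, registry)
    rows = [(n, len(e["users"]), e["bytes_out"]) for n, e in shadow.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, users, out in shadow_it_report(PROXY_LOGS):
        print(f"{name:<14} users={users:<3} bytes_out={out}")
```

Ordering by bytes out rather than by hit count is deliberate: a single user pushing 20 MB to an unsanctioned storage service is the case worth looking at first, and it is the upload direction that matters for data protection.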

Page 10

Cloud Security Transformation

Page 11

Cloud Security Transformation Lifecycle

A cycle of five phases built around the Cloud Security Reference Model (CSRM):

Prepare
• Security Strategy
• Risk Assessment
• Control Framework
• Technology Roadmap

Procure
• Whitespot Analysis
• Framing & Vendor Selection
• Value Prototype

Implement & Orchestrate
• High Level Architecture
• Low Level Architecture
• Technical Implementation
• Testing & Integration

Operate & Monitor
• Oversight and Management
• Service Management
• Supplier Management

Transform & Recycle
• Contract Review
• Technology Gap Analysis
• SLA negotiation
• Scaling Plan

The Cloud Security Transformation lifecycle is the same for every company, but with different starting points and ambition levels.

Page 12

The Cloud Security Reference Model (CSRM)

Our CSRM identifies 14 key information security control domains that are essential to ensuring that cloud services are consumed and managed in a secure manner.

Baselines the model is built on:
• Company Security Baseline
• Cloud Service Provider Security Baseline
• Cloud Security Baseline

Control domains:
• Governance Risk & Compliance
• Responsive Security Management
• Secure Application Development
• Identity & Access Management
• Threat & Vulnerability Management
• Information & Data Protection
• Security Monitoring Services
• Cloud Supplier Management
• Change Management
• Secure Development
• Security Testing
• IR & Crisis Management
• Disaster Recovery & BCM
• Legal & Electronic Discovery
• Training & Awareness

Page 13

Prepare

Define Customer Security Baseline
Review:
• Security strategy
• Information Protection requirements
• Current compliance regime
Create:
• Revised Cloud Security Strategy
• Data classification and asset inventory
• High Level Target Architecture
• Risk Register and aligned control frameworks
• Security Capabilities Catalogue

Define CSP Security Baseline
Review:
• CSP platform infrastructure security
• Physical and environmental security
• Security incident procedures & plans
• Contingency planning and disaster recovery policies and procedures, etc.
• Security of data storage, transmission, residency and audit controls
Gap Assessment: CSP vs Customer Baseline

Define new Cloud Security Baseline for the service(s)
Create new:
• Security Reference Model
• Cloud Security Strategy
• Risk Assessment model
• Control Framework
• Data Handling Model
• Cloud Security Target Operating Model
• Technology Roadmap

Page 14

Procure

Depth of analysis and alignment to enable Leadership decisions

White Spot Analysis
• IT driven research
• Identifies and evaluates leading security solutions
• Long-list to shortlist
• Output: IT target application recommendation

Framing
• Vendor driven functional demonstrations
• Engages business stakeholders to assess solution fit
• Develops initial view of roll out options & value
• 3 short-listed solutions
• Output: Aligned business and IT recommendation

Value Prototyping
• Business driven validation
• Based on Business, IT and program proof points
• Involves a working prototype showcasing real customer scenarios and data
• Confirms program strategy and business case
• 1 solution
• Output: Aligned business and IT decision with Executive sign off

Page 15

Implement & Orchestrate

• Identify Shadow IT cloud services
• Evaluate and select cloud services that meet security and compliance requirements using a registry of cloud services and their security controls
• Protect enterprise data in the cloud by preventing certain types of sensitive data from being uploaded, and encrypting and tokenizing data
• Identify threats, malware, viruses and potential misuse of cloud services
• Enforce and monitor Enterprise GRC policies and practices in cloud services
• Enforce differing levels of data access, Apps utilisation and cloud service functionality based on the user, the user’s device, location, and operating system

[Figure: the Enterprise, SaaS and IaaS services and a Managed Security Provider (MSP), with four outcomes: Ensuring visibility, Data Security, Regulatory & policy compliance, Threat protection]
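The third bullet (prevent certain sensitive data from being uploaded, tokenize the rest) is the kind of inline control a CASB or DLP gateway applies. The following is an added example, not the deck’s or any product’s code, for one data type: it finds payment card numbers in an upload, validates them with the Luhn check so that arbitrary digit runs are not flagged, tokenizes a small number of them through an HMAC-based token vault, and blocks the upload outright when the count looks like a bulk export. The threshold, the token format, the HMAC key and the sample uploads are assumptions; the card numbers are the standard industry test numbers.

```python
"""Inspect an upload for payment card numbers and block, tokenize or allow it.

Added example, not from the Capgemini deck. One detector (Luhn-validated
PANs) and an HMAC-based token vault; policy threshold, token format and key
are assumptions.
"""
import hashlib
import hmac
import re
import secrets

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}_\d{4}")
BLOCK_THRESHOLD = 3   # assumption: more PANs than this in one upload is treated as a bulk export

# Constructed sample uploads; the card numbers are the usual industry test numbers.
SAMPLE_UPLOADS = {
    "clean": "Quarterly summary, no card data here. Ref 1234.",
    "invalid": "Order note: 4111111111111112 is not a real card (Luhn fails).",
    "single": "Refund customer card 4111 1111 1111 1111, see ticket 42",
    "bulk": "export: 4111111111111111 5555555555554444 378282246310005 4012888888881881",
}


def luhn_ok(digits):
    """Luhn checksum: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Tokenizer:
    """Deterministic tokens via HMAC, plus a vault mapping token -> PAN.

    Deterministic tokens let the same card be matched across records, at the
    cost of revealing equality. In production the key and the vault live in
    an HSM-backed tokenisation service, never beside the application data.
    """

    def __init__(self, key):
        self.key = key
        self.vault = {}

    def tokenize(self, pan):
        digest = hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()[:16]
        token = f"tok_{digest}_{pan[-4:]}"   # last four digits kept for support use cases
        self.vault[token] = pan
        return token

    def detokenize(self, token):
        return self.vault[token]


def find_pans(text):
    """(start, end, digits) for every Luhn-valid card number in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append((m.start(), m.end(), digits))
    return found


def find_tokens(text):
    """Tokens previously emitted by Tokenizer, in order of appearance."""
    return TOKEN_RE.findall(text)


def inspect_upload(text, tokenizer, threshold=BLOCK_THRESHOLD):
    """Return ("allow", text), ("tokenize", sanitised_text) or ("block", None)."""
    pans = find_pans(text)
    if not pans:
        return "allow", text
    if len(pans) > threshold:
        return "block", None            # too many PANs: refuse the upload outright
    out, last = [], 0
    for start, end, digits in pans:     # replace each PAN in place with its token
        out.append(text[last:start])
        out.append(tokenizer.tokenize(digits))
        last = end
    out.append(text[last:])
    return "tokenize", "".join(out)


if __name__ == "__main__":
    tok = Tokenizer(secrets.token_bytes(32))
    for name, payload in SAMPLE_UPLOADS.items():
        decision, result = inspect_upload(payload, tok)
        print(f"{name:<8} -> {decision}: {result}")
```

The Luhn step matters more than it looks: without it a 16-digit order or tracking number triggers the control, users learn to work around it, and the tokenized data loses its meaning. The block threshold is the other practical lever; a handful of card numbers in a support ticket is a tokenization case, a spreadsheet full of them is an exfiltration case.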

Page 16

Operate & Monitor

Operating in the Cloud brings the need to control and monitor the various Cloud service providers and applications:

• A centralised view of all cloud services is best practice, providing a single pane of glass to manage and monitor service delivery against business need and defined security requirements
• Visibility is key to dealing with evolving threats and maintaining control
• Enterprise-wide security must be kept, irrespective of Cloud provider, service or application
• The security operation and monitoring aspects must also be flexible enough to adapt in an agile and extensible way to support business need, e.g. use of pre-defined “templated” cloud security controls that can be implemented at short notice to respond to recognised or potential business use-cases
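The single pane of glass above, and the Governance, Risk & Compliance page’s point that SOC/SIEM integration is hard because each provider’s logs are individually tailored, come down to one engineering step: normalise every provider’s audit log into one event model and write detections once against that model. The following is an added example, not the deck’s or any provider’s code. The two input shapes are constructed for this example and only loosely resemble real provider exports (the field names are assumptions, not a real API), and the three detection rules are illustrative.

```python
"""Normalise audit logs from two cloud providers into one event model and run
shared detections over them.

Added example (not from the Capgemini deck). Input shapes are constructed;
field names are assumptions, not real provider schemas.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    provider: str
    time: str
    actor: str
    action: str
    source_ip: str
    mfa: Optional[bool]     # None when the provider does not report it
    detail: dict


# Provider A: flat records with a nested identity block (constructed sample).
PROVIDER_A_LOG = [json.dumps(r) for r in [
    {"eventTime": "2016-09-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-09-01T08:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "root"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-09-01T08:10:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"cidrIp": "0.0.0.0/0", "fromPort": 22}},
]]

# Provider B: different keys, no MFA field at all (constructed sample).
PROVIDER_B_LOG = [json.dumps(r) for r in [
    {"time": "2016-09-01T08:20:00Z", "operationName": "NetworkSecurityGroups/securityRules/write",
     "caller": "carol@example.com", "callerIpAddress": "192.0.2.5",
     "properties": {"sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"time": "2016-09-01T08:25:00Z", "operationName": "Sign-in",
     "caller": "dave@example.com", "callerIpAddress": "192.0.2.9", "properties": {}},
]]


def normalise_a(line):
    """Provider A record -> Event. All A-specific field knowledge lives here."""
    r = json.loads(line)
    mfa_field = r.get("additionalEventData", {}).get("MFAUsed")
    return Event("A", r["eventTime"], r["userIdentity"]["userName"], r["eventName"],
                 r["sourceIPAddress"], None if mfa_field is None else mfa_field == "Yes",
                 r.get("requestParameters", {}))


def normalise_b(line):
    """Provider B record -> Event. B never reports MFA, so mfa stays None (unknown, not False)."""
    r = json.loads(line)
    return Event("B", r["time"], r["caller"], r["operationName"], r["callerIpAddress"],
                 None, r.get("properties", {}))


# Provider-specific action names are confined to these lookup sets.
LOGIN_ACTIONS = {"ConsoleLogin", "Sign-in"}
FIREWALL_WRITE_ACTIONS = {"AuthorizeSecurityGroupIngress",
                          "NetworkSecurityGroups/securityRules/write"}
ANY_SOURCE = {"0.0.0.0/0", "*", "::/0"}


def detect(events):
    """Return (rule_name, event) pairs; each rule is written once against Event."""
    alerts = []
    for ev in events:
        if ev.action in LOGIN_ACTIONS and ev.mfa is False:   # unknown MFA status is not an alert
            alerts.append(("login-without-mfa", ev))
        if ev.action in LOGIN_ACTIONS and ev.actor == "root":
            alerts.append(("root-login", ev))
        if ev.action in FIREWALL_WRITE_ACTIONS:
            src = ev.detail.get("cidrIp") or ev.detail.get("sourceAddressPrefix")
            if src in ANY_SOURCE:
                alerts.append(("firewall-open-to-world", ev))
    return alerts


def single_pane(a_lines, b_lines):
    """Merge both providers into one time-ordered stream and summarise alerts per provider."""
    events = [normalise_a(l) for l in a_lines] + [normalise_b(l) for l in b_lines]
    events.sort(key=lambda e: e.time)       # ISO-8601 UTC strings sort chronologically
    alerts = detect(events)
    summary = {}
    for rule, ev in alerts:
        summary.setdefault(ev.provider, []).append(rule)
    return events, alerts, summary


if __name__ == "__main__":
    events, alerts, summary = single_pane(PROVIDER_A_LOG, PROVIDER_B_LOG)
    for rule, ev in alerts:
        print(f"{ev.time} [{ev.provider}] {rule}: {ev.actor} {ev.action} from {ev.source_ip}")
    print(summary)
```

Two details carry the lesson. MFA is tri-state: a provider that does not report it yields None, which must not be read as "no MFA", or every sign-in from that provider becomes an alert. And the rule for an "open to the world" firewall change is written once, with the provider-specific spellings of "any source" held in a lookup set, which is exactly what a single pane of glass needs when a new provider is onboarded.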

Page 17

Transform & Recycle

Transformation and migration to new applications and platforms requires:

• Sunsetting of end-of-life applications which are insecure or no longer meet the business needs
• Sunsetting of security applications or services which do not meet security objectives or do not deliver sufficient protection
• Identification of next generation solutions which will improve cloud security
• Update and reuse of effective standards and practices
• Compliance with legal data retention requirements, both in current and successor cloud offerings
• Secure migration of services to new cloud offerings
• Secure migration/deletion/archiving of data retained in existing or legacy cloud services
• Update, reuse and integration of effective supporting security services (e.g. CASB)

Page 18

Lessons Learned

1. Understand the changed risk landscape
2. Rethink your existing Security Strategy to address this and the shared responsibility model with the Cloud Service Provider (CSP)
3. Align disparate security initiatives under one uniform Information Security Strategy
4. Align the revised Information Security Strategy with the overall Cloud Strategy of the organization
5. Build the Cloud Security Target Operating Model
6. Plan for change with a Cloud Security Transformation Roadmap
7. Procure and implement appropriate technical controls
8. Monitor, Manage, Revise and maintain…

Page 19

Cloud Services Security is Possible!

Any Questions?

Page 20

Contact information

Andy Powell, Head of Cybersecurity BD/Sales, [email protected]

Doug Davidson, Head of Cloud Security Offers & UK Cyber Security CTO, [email protected]

Partnership House, Hollingswood Road, Central Park, Telford, TF2 9TZ
