Crown Jewels in the clouds: The Cloud Risk Assessment

Presentation transcript:

1 Crown Jewels in the clouds: The Cloud Risk Assessment
September 2017

3 Types of Clouds

Infrastructure-as-a-Service (IaaS)
Definition: Delivers computer infrastructure, typically a platform virtualization environment, as a service. The service is typically billed on a utility-computing basis, by the amount of resources consumed.
Customization: Full customization; the customer deploys its own technology stack and the platform itself requires minimal configuration.
Operational notes: Easier to migrate applications. The user of the cloud maintains a large portion of the technical staff (developer, system administrator, and database administrator).
What you get: Virtualized hardware with no operating system. You're responsible for (almost) everything above the hypervisor.

Platform-as-a-Service (PaaS)
Definition: Delivers a computing platform as a service. It facilitates deployment of applications while limiting or reducing the cost and complexity of buying and managing the underlying hardware and software layers.
Customization: Moderate customization; build applications within the constraints of the platform.
Operational notes: Applications may need to be rewritten to meet the specifications of the vendor. The user of the cloud maintains a development staff.
What you get: Virtualized operating system with no applications. You're responsible for everything above the operating system.

Software-as-a-Service (SaaS)
Definition: Delivers software as a service over the Internet, avoiding the need to install and run the application on the customers' computers and simplifying maintenance and support.
Customization: Limited customization; existing applications will not be able to migrate.
Operational notes: Applications may need to be rewritten to meet the specifications of the vendor. The user relies on the vendor's IT staff and has limited to no technical staff.
What you get: Virtualized applications. You're responsible for (almost) nothing of the technology stack. The "almost" matters: the data you put in, the identities you grant access, and the sharing and access settings inside the application remain your responsibility, which is exactly where the exfiltration example on slide 7 happens.

4 Forecast: More clouds in our future!
Forrester's 2016 growth expectations for public cloud services¹: $69 billion (2015 actual) growing to $236 billion (2020 forecast). SaaS will represent a 66% share of all cloud service revenue by 2020.
¹ "The Public Cloud Services Market Will Grow Rapidly To $236 Billion In 2020", Forrester, September 7, 2016

5 There are risks and opportunities
Consumer/Shadow IT: business units and consumers using cloud without the organization's awareness
Concentrated Risk: a bigger target, because "that's where the data is"
Third-party Risk: dependent on the cloud providers' "good" controls
Modern Attack Surface: a complicated technology environment
Controls Gap: tighter controls are needed at a time when many enterprises are barely keeping up

6 Risk in the Clouds
Asking the right questions (figures from the Netskope 2017 Cloud Report*):
WHO OWNS THE DATA? 66.9% of cloud services do not specify that the customer owns the data in their terms of service.
IS IT SECURE? 89.9% of cloud services do not support encryption of data at rest.
WHERE IS IT STORED? 40.7% of cloud services replicate data in geographically dispersed data centers.
Healthcare enterprises now have an average of 1,014 cloud services in use, and over 93% of those cloud services are not considered "enterprise-ready".
*Netskope 2017 Cloud Report

7 Data Exfiltration Example
Unauthorized disclosure, step by step:
Bob creates or receives PII; the PII is stored on an internal server.
Bob creates a folder on an approved cloud storage site and copies the PII into it. On many services users automatically become the owners of folders they create, so Bob alone decides who else gets access.
Bob grants Ann's personal webmail account (e.g. Gmail) access to the folder.
Ann downloads the files and sells them on the DarkNet.
Corporate has NO idea, because it can't see the transaction until it's too late.
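The detection the slide says corporate lacks is straightforward once the storage provider's audit events are available. The following is an added example, not part of the Deloitte deck: it replays a constructed JSON-lines audit trail of the Bob/Ann scenario and flags every share granted to a non-corporate account, totalling what the grantee then downloaded. The event schema, the corporate domain list and the consumer-webmail list are all assumptions.

```python
"""Flag the share-to-personal-webmail path from the exfiltration example.

Added example, not part of the Deloitte deck. The JSON-lines event format,
the corporate domain list and the consumer-webmail list are assumptions;
the events are constructed for the example, not real audit logs.
"""
import json

CORPORATE_DOMAINS = {"example.com"}                                         # assumption
CONSUMER_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumption

# Constructed sample audit trail (JSON lines): Bob stages PII in an approved
# storage service, shares the folder with Ann's personal webmail account, and
# Ann downloads the file. The share to a colleague is included as a control.
SAMPLE_LOG = """\
{"ts":"2017-09-05T09:12:00Z","actor":"bob@example.com","action":"create_folder","object":"/Finance/PII-export"}
{"ts":"2017-09-05T09:13:30Z","actor":"bob@example.com","action":"upload","object":"/Finance/PII-export/customers.csv","bytes":52000000}
{"ts":"2017-09-05T09:15:00Z","actor":"bob@example.com","action":"share","object":"/Finance/PII-export","grantee":"carol@example.com","role":"viewer"}
{"ts":"2017-09-05T09:16:00Z","actor":"bob@example.com","action":"share","object":"/Finance/PII-export","grantee":"ann.personal@gmail.com","role":"editor"}
{"ts":"2017-09-05T22:41:00Z","actor":"ann.personal@gmail.com","action":"download","object":"/Finance/PII-export/customers.csv","bytes":52000000}
"""


def parse_events(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def grantee_type(address):
    """Classify a share recipient by the domain of the account."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    if domain in CONSUMER_WEBMAIL:
        return "external_personal"
    return "external"


def find_external_shares(events):
    """Return one alert per share granted to a non-corporate account.

    Each alert totals the bytes the grantee downloaded from the shared object
    after the grant, which is the transaction the slide says corporate never saw.
    """
    alerts = []
    for share in events:
        if share.get("action") != "share":
            continue
        kind = grantee_type(share["grantee"])
        if kind == "internal":
            continue
        downloaded = sum(
            e.get("bytes", 0)
            for e in events
            if e.get("action") == "download"
            and e.get("actor") == share["grantee"]
            and e["object"].startswith(share["object"])
            and e["ts"] > share["ts"]  # ISO-8601 UTC strings compare lexically
        )
        alerts.append({
            "sharer": share["actor"],
            "grantee": share["grantee"],
            "object": share["object"],
            "grantee_type": kind,
            "bytes_downloaded": downloaded,
            # a personal-webmail grantee or any completed download is high severity
            "severity": "high" if kind == "external_personal" or downloaded else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_external_shares(parse_events(SAMPLE_LOG)):
        print(alert)
```

The check only works if the provider exposes share and download events to the organization; that visibility is what the API-connected CASB on slide 10 provides. Without it, the organization is in the "NO idea" state the slide describes, whether or not the storage site is approved.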

8 Addressing Cloud Risk

9 Cybersecurity Governance
Cloud security is part of a comprehensive framework* whose domains are grouped under three pillars: Secure, Vigilant, Resilient.

Cybersecurity Governance: Cybersecurity strategy; Organizational model; Steering committee structure; Tone at the top; Regulatory and legal landscape; Program governance
Threat and vulnerability management: Threat modeling and intelligence; Penetration testing; Vulnerability management; Emerging threats (e.g., mobile devices)
Software security: Secure build and testing; Secure coding guidelines; Application role design/access; Development lifecycle; Patch management
Program management: Policies, standards, baselines, guidelines, and procedures; Talent and budget management; Asset management; Change management; Program reporting; Risk and compliance management
Monitoring: Security Log Management (SLM); Security Information and Event Management (SIEM); Cyber risk analytics; Metrics and reporting
Data protection: Data classification; Data security strategy; Information records management; Enterprise content management; Data quality management; Data loss prevention
Cloud security: Cloud strategy; Cloud risk identification; Cloud provider inventory; Minimum controls baseline; Cloud controls compliance
Third-party management: Evaluation and selection; Contract and service initiation; Ongoing monitoring; Service termination
Identity and access management: Account provisioning; Privileged user management; Access certification; Access management and governance; Generic account management
Crisis management: Response planning; Tabletop exercises; War game exercises; Incident response and forensics; Crisis communication plan; Third-party responsibilities
Enterprise resiliency: Business Impact Analysis (BIA); Business Continuity Planning (BCP); Disaster Recovery Planning (DRP)
Infrastructure security: Hardening standards; Security design/architecture; Configuration management; Network defense; Security operations management
Physical security
Workforce management: Phishing exercises; Security training and awareness

*The Deloitte Advisory cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.

10 Leveraging tools to better understand risk
Cloud Access Security Broker (CASB)
A CASB is a security control placed between cloud users and cloud service providers to enforce policy and controls. Two ways of feeding it are shown here:
Log collection: existing proxy and firewall logs are uploaded to the CASB tool, which matches the destinations against its catalog of cloud services to show overall cloud use and Shadow IT activity.
API connection to sanctioned providers: the CASB reads the provider's own audit and content APIs, which is what lets it see who shared what with whom and enforce policy and controls on the sanctioned service.

11 Three Risk Areas

CLOUD THREATS
1. Malicious Sites
2. Compromised Credentials
3. Web Proxies/Anonymizers

CLOUD DATA
4. Unsanctioned Cloud Storage
5. Cloud application replication

NON-COMPLIANCE
7. Line of business applications
8. Cloud program

12 The cloud risk assessment (CloudRA)
A first step in understanding cloud risk is to understand how much "cloud" is occurring within the organization. The CloudRA is a good way to begin; it typically takes only a few weeks.
(Illustrative chart: 9.35M files, broken down into private files, internally shared, and externally shared.)

13 CloudRA example outputs
Understanding cloud risk is important in making the right risk decision.
Illustrative outputs: sanctioned vs. unsanctioned cloud storage usage (NS = non-sanctioned cloud provider), and a cloud risk governance scorecard that rates each area LOW, MEDIUM or HIGH: overall usage, external sharing, geographical usage, compromised credentials, high-risk apps, shared malware.
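The sanctioned-vs-unsanctioned usage output on this slide and the log-collection CASB mode on slide 10 come from the same computation: match proxy-log destinations against a catalog of cloud services and total the uploads per service. The following is an added example, not Deloitte's CloudRA tooling or any CASB vendor's code. The proxy log format, the service catalog with its risk ratings, and the sanctioned list are assumptions, and the log lines are constructed.

```python
"""Discover cloud storage use (sanctioned vs. unsanctioned) from web proxy logs.

Added example, not Deloitte's CloudRA tooling. The proxy log format, the
service catalog and the sanctioned list are assumptions; the log lines are
constructed for the example.
"""
import re

# Constructed catalog: registered domain or host -> (service, category, risk).
# A real CASB ships a catalog of thousands of services with their own ratings.
CATALOG = {
    "box.com": ("Box", "cloud storage", "low"),
    "dropbox.com": ("Dropbox", "cloud storage", "medium"),
    "dropboxapi.com": ("Dropbox", "cloud storage", "medium"),
    "drive.google.com": ("Google Drive", "cloud storage", "medium"),
    "wetransfer.com": ("WeTransfer", "file transfer", "high"),
}
SANCTIONED = {"Box"}  # assumption: the one approved storage provider

# Constructed proxy lines: epoch user src_ip host:port method bytes_out bytes_in
SAMPLE_LOG = """\
1504600000 bob 10.0.1.21 app.box.com:443 POST 4200000 1200
1504600015 bob 10.0.1.21 dl-web.dropbox.com:443 POST 9800000 900
1504600042 ann 10.0.1.33 drive.google.com:443 POST 1500000 800
1504600060 carl 10.0.1.40 www.news.example:443 GET 300 150000
1504600090 ann 10.0.1.33 content.dropboxapi.com:443 POST 2200000 700
1504600120 dave 10.0.1.51 wetransfer.com:443 POST 700000000 500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<host>[^:\s]+):\d+\s+"
    r"(?P<method>\S+)\s+(?P<out>\d+)\s+(?P<inb>\d+)$"
)


def parse_proxy_log(text):
    """Parse the constructed proxy format; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["out"], rec["inb"] = int(rec["out"]), int(rec["inb"])
            records.append(rec)
    return records


def lookup_service(host):
    """Match the host, then each parent domain, against the catalog."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        hit = CATALOG.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def summarize(records, sanctioned=SANCTIONED):
    """Per-service users and upload bytes, tagged sanctioned or not."""
    summary = {}
    for rec in records:
        hit = lookup_service(rec["host"])
        if hit is None:
            continue  # not a catalogued cloud service
        name, category, risk = hit
        entry = summary.setdefault(name, {
            "category": category, "risk": risk,
            "sanctioned": name in sanctioned, "users": set(), "bytes_out": 0,
        })
        entry["users"].add(rec["user"])
        entry["bytes_out"] += rec["out"]
    return summary


def unsanctioned_upload_share(summary):
    """Fraction of bytes uploaded to cloud services that went to unsanctioned ones."""
    total = sum(e["bytes_out"] for e in summary.values())
    unsanctioned = sum(e["bytes_out"] for e in summary.values() if not e["sanctioned"])
    return unsanctioned / total if total else 0.0


def top_unsanctioned(summary, n=3):
    """Unsanctioned services ranked by upload volume, the CloudRA headline list."""
    rows = [(name, e["bytes_out"], e["risk"], sorted(e["users"]))
            for name, e in summary.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]


if __name__ == "__main__":
    s = summarize(parse_proxy_log(SAMPLE_LOG))
    print(f"unsanctioned upload share: {unsanctioned_upload_share(s):.1%}")
    for row in top_unsanctioned(s):
        print(row)
```

Bytes uploaded, not request counts, is the metric that matters for an exfiltration-oriented assessment: one user pushing 700 MB to an unlisted file-transfer site outranks many users browsing a sanctioned provider. The catalog match walks up the parent domains so that API and CDN hostnames (dl-web.dropbox.com, content.dropboxapi.com) roll up to one service, which is how a CASB catalog gets a coherent per-service picture from raw destinations.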

14 Understand where data is accessed
And whether malware is being shared from the organization's cloud storage location.
Illustrative: high-risk geographical areas accessing the organization's data stored at provider "A"; malware discovered within a sanctioned cloud provider and externally shared.
Copyright © 2017 Deloitte Development LLC. All rights reserved.

15 In Summary
Cloud is becoming more and more pervasive
The Board and Audit Committee are more aware of cloud risk
Understand the risk
Implement appropriate controls

16 Thank You! Glenn Wilson Deloitte & Touche LLP LinkedIn:

17 This presentation contains general information only and Deloitte Risk and Financial Advisory is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Risk and Financial Advisory shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, "Deloitte Risk and Financial Advisory" means Deloitte & Touche LLP, which provides audit and risk advisory services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. These entities are separate subsidiaries of Deloitte LLP. Please see for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright © 2017 Deloitte Development LLC. All rights reserved. 36 USC
