Cloud consumers are primarily worried about security. If you are a cloud provider or cloud broker, learn how to improve your trustworthiness to your customers efficiently and scalably by integrating governance, risk management and compliance.
Scalable cloud governance, risk management and compliance
1. Scalable compliance in the eyes of the customer
A brief roadmap for cloud providers and cloud brokers
Peter HJ van Eijk & Michiel Steltman
We help IT businesses to quickly become successful cloud providers
2. Trust is the number one obstacle for cloud users
“The key factor for overcoming the present inhibitors will be to gain [cloud] users’ trust on security and compliance” (Deloitte 2009)

Cloud providers’ commercial tactics | Why these tactics don’t work
References and “Branding” | Cloud consumers want proof, if only because regulations and accountability force them to
Price erosion | Leads to a ‘race to the bottom’
React on customer inquiry | Reacting takes time and effort
One-off and customer-specific audits | Not repeatable, not scalable
3. The business case for repeatable and ‘continuous audit’
Cloud consumers want to base their provider selection on a priori verifiable compliance
Can the provider afford to have a separate audit for every proposal or customer?
The cloud consumer itself has to deal with more frequent audit obligations
Demonstrating compliance has to be repeatable and scalable
Successful cloud providers enable the consumers’ GRC processes
4. The future of Cloud Governance, Risk management and Compliance
• Collaborative effort between provider and consumer
• Continuous audit
• As automated as possible
• Integrated GRC: risk management in the widest sense of the word drives governance
– Compliance is a collateral benefit
– Maturity level of organization rises
5. How does professional risk management work?
• Risk based: professional risk management prioritizes the most important risks
– No superfluous or useless measures and controls
• Professional risk management incorporates audit and compliance obligations
– Anchor in operational process, instead of running a troublesome project for each audit
• Professional risk management is repeatable and scalable
– Champagne? Really? Did you expect the audit to be a one time effort?
6. Integrated governance, risk management and compliance: the big picture
Elements of the process diagram on this slide:
• High level risk, scope and value assessment
• Assets and value proposition at risk
• Legal and compliance obligations
• Risk mitigation plan
• Security and control testing and review
• Execution in operation
• Continuous reports
• Pick framework
7. Example risks
Threat | Consequence/Risk | Control/measure
Disk full | Denial of service (to customer) | Measure/monitor (implying a defined Incident response)
Server saturated | Denial of service (to customer) | Measure/monitor (implying a defined Incident response)
No audit report available | Loss of prospective customer | Perform regular audits
Compliance: lack of a ‘control’ | Loss of compliance | Implement control
Capacity shortage for SLA | Denial of service (to customer) | Set up capacity planning
Monitoring system fails | Loss of visibility | Make monitoring system redundant
No DR (disaster recovery) planned | Loss of compliance | Adapt architecture
No Auditing, Monitoring and Alerting | Loss of visibility | Set up LMR system
All private cloud vulnerabilities as per industry best practice | … | …
8. Cloud compliance in real-time
CCM (Cloud Control Matrix), CAIQ (Consensus Assessments Initiative Questionnaire), Cloud Audit and CTP (Cloud Trust Protocol) are products maintained by CSA (Cloud Security Alliance).

GRC stack component | Example element
CCM | CO-02: Independent reviews and assessments shall be performed at least annually […]
CAIQ | CO-02.3: Do you conduct regular application penetration tests of your cloud infrastructure as prescribed by industry best practices and guidance?
Cloud Audit | http://mycloudprovider.com/cloudaudit/org/cloudsecurityalliance/guidance/CO-02
CTP | "It is 11 pm, do you know in which geography your virtual machines are running?"
9. Want to know more?
Do you want to know more about effective and efficient risk management and compliance in the cloud?
Join our webinar “Cloud Computing under control”
“Control the risks in your cloud proposition and transform them into benefits for customers”
Register at: www.CloudComputingUnderControl.com
If you liked this roadmap, please forward it to a colleague or friend!