Cloud Security Alliance UK presentation for Cloud World Forum 2015 in London: what companies should do to make the correct decision when considering cloud solutions.
@CSAUKResearch, Cloud Security Alliance, UK chapter, https://cloudsecurityalliance.org.uk
“Everyone is in Cloud, shouldn't we be too?”
Tools C-level can use to make informed decisions
Cloud World Forum 2015, 25 June 2015
Vladimir Jirasek, CSA UK Research
Your organisation's stakeholders and Cloud
• Customers: Is my data safe and available? Happiness 😀
• Business managers, CEO/CFO: Customer satisfaction, ROI, EBITDA
• CIO: ROI, System architecture, Migrations
• Legal: Legality of data processing and locations, Privacy
• Security: Security architecture, Cyber threats, Monitoring
Prepare your organisation for Cloud deployments
• People: training & awareness
• Processes & Governance
• Technology: architecture & controls
Does your organisation have a Cloud policy?
Generic requirements
• Requirement 1: Discover Cloud services being used in the organisation
• Requirement 2: Align the organisation's enterprise and security architectures with the Cloud
Before a Cloud service procurement
• Requirement 3: Comply with the organisation's data classification requirements
• Requirement 4: Encrypt all sensitive data processed in the Cloud
• Requirement 5: Link the Cloud service into the organisation's Identity and Access architecture and monitor the activities of users
During a Cloud service procurement
• Requirement 6: Perform due diligence activities before the contract is signed
• Requirement 7: Require a “Right to audit” clause in the contract
• Requirement 8: Know the locations of personally identifiable information in the Cloud
• Requirement 9: Assess the availability of the Cloud services
• Requirement 10: Assess the Cloud provider's security arrangements
• Requirement 11: Assess the Cloud provider's ability to comply with the organisation's forensic investigations
Running a Cloud service
• Requirement 12: Limit the use of live data for testing and development purposes
• Requirement 13: Monitor the Cloud provider's security arrangements
Decommissioning a Cloud service
• Requirement 14: Destroy sensitive information when it is no longer required
Get involved! Share knowledge and push towards transparency and standards
Call for contributors for a new version of the CSA Cloud Guidance, opened on Monday, June 8, for 6 weeks:
https://cloudsecurityalliance.org/media/news/call-for-volunteers-security-guidance-for-critical-areas-of-focus-in-cloud-computing/
Editor's Notes
The business needed customer data in a new app, presented to customers.
IT quoted 6-9 months and £500k.
The business hired a 3rd party to develop the app and host it as well: 2 months and £50k to develop.
Hosted at a small hosting provider: no security audit, separate employee logins, no IAM integration, no data encryption.
A year later, migration to an internal system.
Who is at fault?