Grab n’ Go, Deloitte Denmark
Brave New Cloud: How to get there
Welcome!
Jay is a Partner and the Cyber Strategy lead for Deloitte Denmark. Over 13+ years, Jay has worked across multiple sectors and geographies spanning the UK, Europe and Asia.
Klaus is a Partner and the Cloud Engineering lead for Deloitte Denmark. He has 20+ years of consulting experience, of which the past 10+ years have been focused on Financial Services across the Nordic region.
Our agenda for the next 90 minutes
Welcome
Introduction
Navigating security & compliance
Paving the way
Before moving to the cloud
Q&A
Agenda
Copyright © 2018 Deloitte Development LLC. All rights reserved.
Challenges in adopting cloud
What’s on your mind?
▪ Cyber Security & Privacy
▪ Operating Model
▪ Vendor Maturity
▪ Business Case
▪ Talent
▪ Compliance
Source: EY Danish Cloud Maturity Survey 2018
“50% of the CISOs indicate cloud adoption as the tech trend that will have the biggest impact on the IT security of their organization in the next 5 years.”
Not all security and compliance controls are inherited or “automatic”
Cloud security is everyone’s responsibility
▪ Consumer/Shadow IT – Business and consumers using cloud with or without cyber controls.
▪ Third-party Risk – Enterprises are dependent on cloud providers’ controls.
▪ Concentrated data exposure – Cloud providers are a bigger target because “that’s where the data is”.
▪ New attack surface – The walled enterprise is replaced by a hybrid, more complicated technology environment.
▪ Cyber talent – New cloud (security) skills are required by staff to effectively manage new, complex architectures.
CSPs are in the “business of IT” …with better hygiene. CSPs provide updated, fully patched Windows AMIs within 5 business days of Microsoft’s Patch Tuesday (4).
Cloud enables enterprises to focus on what matters to the business. By outsourcing commodity IT services, IT staff can focus more on expanding cyber risk capabilities.
Cloud providers are better equipped for the fight. “Microsoft fends off 7 trillion cyber threats per day and allocates over $1 billion each year to cybersecurity.” (5)
Diagram: responsibility stack by deployment model. Each of Traditional On-Premises IT, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) is shown with the same layers: Data, Applications, Databases, Operating System, Virtualization (Virtualization + CMP for IaaS), Physical Servers, Network & Storage, Data Center. Key: Self-Supplied, -Managed vs. Provider-Supplied, -Managed.
High level security responsibilities based on the attributes
▪ Traditional on-premises IT – Physical security, hardware security, patch management, Identities and Access, Encryption, Incident management
▪ Infrastructure as a Service – Vulnerability / patch management, configurations, Identities and Access, Application security, Encryption, Incident management and monitoring
▪ Platform as a Service – Identity and Access, Application security, Encryption, Incident management and security monitoring
▪ Software as a Service – Security monitoring (user actions), Incident management, Encryption and Identity Management
Diagram: security capability areas tagged per model: Visibility & Monitoring, Data protection, Identity Management (IAM), Threat detection & response, Audit & Compliance.
Key Security Challenges
Cloud adoption means agility, speed of execution and keeping up with innovation for the majority of customers. However, the context of security has changed. A perceived loss of control, a lack of clarity on responsibilities and liabilities, and difficulty in achieving accountability across the value chain are some of the key obstacles for organizations.
▪ Accountability and data risk – “Who is accountable for what, and is my data protected even if we change providers? How do we manage keys?”
▪ Non-production environment exposure – “How are the environments segregated, and are they public facing?”
▪ Incident analysis and forensics – “How should I monitor workloads and threats in the cloud? Will the provider share details in the event of an incident?”
▪ Infrastructure security – “How do I implement similar rigor and depth of controls in cloud infrastructure? Do we have the skills?”
▪ Multi-tenancy and physical security – “How do I ensure the CSP has implemented security controls to mitigate third-party risks?”
▪ Service and data integration – “Is the communication between our environment and the cloud vendor secure, and is the integration mostly one way?”
▪ Business continuity and resiliency – “Can we trust the cloud vendor’s SLA, and what happens if we decide to move back?”
▪ User privacy and secondary data usage – “How do I enforce GDPR / privacy policies and acceptable usage, consent and secondary usage?”
▪ Regulatory compliance – “Which regulatory requirements are applicable to our business?”
▪ User identity federation – “How do we transfer the existing identity lifecycle to the cloud? We do not have visibility into user actions in the cloud!”
Sustainable Cloud capability ecosystem – a holistic review of risk management
Cloud Security POV
Where do you start?
▪ Deployment model – Roles and responsibilities, contractual obligations and liabilities all vary according to the deployment model.
▪ Compliance – Controls mapping that covers vendor, privacy and regulatory risks, to help understand potential gaps and remediation for Cloud adoption.
▪ Workload sensitivity – Understand which workloads, and what volume of processes, are likely to go into the Cloud.
▪ Security policy rebaseline – Update key security policies such as identity and access management, security operations centre, encryption and playbooks (which contain roles and responsibilities) to identify what needs to be updated and whether it is still within the overall risk appetite.
▪ Cloud due diligence – Vendor due diligence on key Cloud service providers to understand the baseline of Cloud-native security and the ‘default’ terms and conditions on areas like ‘right to audit’ or penetration testing.
▪ Architecture and integration – Outline the target security architecture based on the revised policy above. Also understand whether existing controls can be extended into the Cloud environment. Conduct a container security review if Cloud is already / partially deployed.
Cloud security centric framework
Domains: Application, Network, Account, Infrastructure, User Data, Cloud Architecture
• User identity management
• Roles and permissions management
• Monitoring and Access logs
• Application Security
• Application Vulnerability Assessment
• Penetration testing
• Data encryption in transit
• Data encryption at rest
• Key Management Systems
• Obfuscation and Anonymisation
• Data Loss Prevention
• Data Governance and Privacy
• Virtual Private Cloud Architecture
• Subnets, Route Tables, Internet Gateways
• Firewalls, Security Groups, Network Access Control Lists
• Web Application Firewalls
• DDoS Protection
• Remote Access
• Identity and Access Management (IAM)
• Privileged User Access Management (PUAM)
• Directory Services
• Single Sign On and Federated Identity Management
• Security Log Configuration and SIEM
• Configuration and Rule Management
• Physical and Environmental Security
• Business Continuity Management
• Disaster Recovery
• Security Monitoring
• Incident Response
So what about regulations?
Cloud infrastructure is designed and managed in alignment with relevant security best practices
So what about regulations? Key themes
▪ Not lower security / protection – Roles and responsibilities, contractual obligations and liabilities all vary according to the deployment model.
▪ Incident response – Ability to respond, with the capability to conduct an investigation with root cause analysis; ability to inform the relevant parties.
▪ Roles and responsibilities to be clearly defined – Contract it in; manage it; don’t do it at all!
▪ Policy / organisational measures – Include the importance of data leakage and have governance / metrics in place to monitor it.
▪ Transparency – Risk analysis; data residency and border transfer; audit / right to audit.
▪ Continual improvement and risk management – Continued audit and improvement have to be a demonstrable option.
Take action before someone else does, by transforming your capabilities.
Our assessment can also determine the best plan for full optimization – including recommendations for any number of cloud enhancements, upgrades or implementations.
Deloitte’s Approach
Building Blocks for Successful Cloud Adoption
What are you struggling with?
Key questions to drive a sound implementation
Direction
▪ Cloud Vision
▪ Business & Technology Strategy Alignment
▪ Business Case
Solution
▪ Workloads & Use cases
▪ Services (IaaS, PaaS, SaaS)
▪ Vendors, 3rd party providers
▪ Application Landscape
▪ Architecture
Oversight
▪ Governance Model
▪ Regulatory Compliance
▪ Security & Risk Management
Organization Evolution
▪ Capabilities & Processes
▪ Stakeholder Engagement/Interactions
▪ Roadmap & roll out
Cloud Adoption is a Journey
Diagram: three phases (Preparation phase, Migration phase, Optimization phase) across the stages Establish Prerequisites, Develop Cloud Strategy, Assess Financials, Design New Environment, Build Foundation, Migrate, Integrate, Test, Optimize and Run. Activities shown on the diagram:
• Gain executive sponsorship
• Create cloud core team
• Define guiding principles
• Define IT criteria
• Setup program governance
• Assess applications
• Perform financial analysis (IaaS, SaaS)
• Explore cloud layers
• Migrate network
• Integrate applications
• Build PoC
• Secure cloud implementations
• Create forecast
• Build exit strategy
• Engage business, application, infrastructure, and security owners
• Outline roadmap
• Develop DR capabilities
• Develop reference architecture
• Target application architecture
• Plan migration
• Pilot
• Migrate execution architecture
• Order cloud services
• Setup target infrastructure
• Move apps to cloud
• Follow change management process
• Integrate infrastructure
• Integrate operations
• Benchmark current environment
• Implement cloud analytics tools
• Optimize cloud workloads
• Revalidate cloud partners
• Monitor and optimize expenses
• Maintain and support applications
• Monitor performance
• Test and validate migrated workload
• Obtain BU acceptance
• Design security architecture
Examples of cloud maturity across major FSI players

Global bank, European Heritage
Cloud & platform strategy: AWS centric, pivoting to Azure; open source, containerization
Cloud execution strategy / approach:
• Federated cloud adoption program, driven by LoBs
• Induction of senior leaders from TMT driving culture
• Cloud to accelerate move to agile / DevOps
• No separate / central funding pool
• Central IT catching up
Use cases (deployed / in flight):
• Risk management
• Regulatory Reporting / CAT / Forensics / FI Grid
• Credit / Market Risk Grids
• Digital experience
• Capability sourcing / partner led optimization

Global payments company
Cloud & platform strategy: GCP centric, all dev/test on cloud; mature proprietary containers/PaaS
Cloud execution strategy / approach:
• Centrally run program to move dev/test
• Central funding and business case
• Heavily agile / DevOps centric product teams
• Hosting play, starting to leverage native services
Use cases (deployed / in flight):
• Risk simulation
• All test and dev
• Customer analytics
• Edge network services
• Digital experience

Diversified manufacturing business
Cloud & platform strategy: AWS-centric, greenfield digital business; enterprise moving now, all net new dev
Cloud execution strategy / approach:
• Centralized team to enable cloud
• Federated teams in the BUs adopting at their pace
• New product development / innovation on cloud
• Heavily leveraging cloud native services
Use cases (deployed / in flight):
• Digital business
• Customer analytics
• New product innovation
• IoT / sensor based apps
• Performance analytics
• Engineering and maintenance ops

Global top 5 universal bank
Cloud & platform strategy: Focus on private, AWS, MS. Initially with AWS, building consistent Dev experience
Cloud execution strategy / approach:
• Centrally run (pvt) cloud program, reshaped newly formed cloud group – Strategy / Arch
• Pilots underway, driven by business units
• Senior executives from out of industry
• Looking to drive 30% volume by 2020
Use cases (deployed / in flight):
• Digital applications
• Databases and appliance data
• Credit and market risk grid applications
• Trade forensics

Global top 5 universal bank
Cloud & platform strategy: Shifted focus from private cloud to accelerate AWS, MS public clouds, and PCF
Cloud execution strategy / approach:
• Central cloud services group supporting / enabling business units
• Business units hold use cases / budgets
• Some central funding to reduce barriers to entry, others direct pass through
• Strong risk / info sec / regulatory team
Use cases (deployed / in flight):
• Digital applications
• CAT / Forensics
• Credit and market risk grid
• Customer analytics
• AML / KYC
• Contact Center
• Appliance Data / workloads

Diagram: each company is also shown with its footprint across Enterprise Tech, Public Cloud and Private Cloud.

Thank You!
Jay Choi, Partner and the Cyber Strategy lead, +45 30 93 41 92, [email protected]
Klaus Koefoed Eriksen, Partner and Cloud Engineering lead, +45 30 93 44 89, [email protected]