Moshe Ferber, profile picture
Uploaded byMoshe Ferber
271 views

What the auditor need to know about cloud computing

The document discusses cloud security and the roles of various stakeholders in ensuring safe cloud computing practices. It emphasizes the importance of understanding the shared responsibility model, evaluating cloud service providers, and implementing proper governance, data classification, and security measures. Additionally, it outlines the need for continuous monitoring and auditing of cloud services to maintain compliance and security.

Technology
Related topics:
Cloud Security Insights
In this document
Powered by AI

Introduces the speaker, Moshe Ferber, and outlines his credentials and experience in cloud security.

Defines cloud computing and highlights its key characteristics that distinguish it from traditional computing.

Explains different cloud service models (SaaS, PaaS, IaaS) and discusses the shared responsibility model between provider and consumer.

Outlines the major challenges faced by Chief Information Security Officers in evaluating cloud providers and ensuring best practices.

Details steps for creating a cloud strategy, including data migration guidelines and stakeholder identification.

Discusses the need for balancing cloud policies with laws, regulations, standards, and the importance of data classification.

Importance of identifying stakeholders' roles and their responsibilities related to cloud security and risk management.

Focus on evaluating cloud service providers, including required audits, trust, accountability, and ongoing monitoring.

Explains the security foundations necessary for SaaS and IaaS, including encryption, identity management, and security assessments.

Discusses contract management elements and the implications of data privacy laws on cloud services.

Summarizes key takeaways from the presentation about cloud security and provides contact information for further learning.

Embed presentation

Cloud Security For auditors Moshe Ferber, CCSK, CCSP, CCAK Onlinecloudsec.com When the winds of change blow, some people build walls and others build windmills. - Chinese Proverb
#About  Information security professional for over 20 years  Founder, partner and investor at various cyber initiatives and startups  Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)  Co-hosting the Silverlining podcast – lean about security engineering  Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification  Member of the board at Macshava Tova – Narrowing societal gaps  Chairman of the Board, Cloud Security Alliance, Israeli Chapter Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
So, what is cloud computing?
Actually, cloud does have a definition…
Cloud characteristics: • Cloud computing characteristics distinguish cloud from other forms of compute (i.e. hosting, outsourcing , static virtualization) • Mostly relevant for certain regulations
‫מזה‬ ‫זה‬ ‫שונים‬ ‫מאוד‬ ‫הענן‬ ‫שירותי‬ .... SaaS PaaS IaaS Private Hybrid Public
The Share responsibility model Physical Security Network & Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility
The CISO Challenge SaaS PaaS IaaS Gain the expertise for building secure applications Evaluate providers correctly Very hard to provide best practices
Governance tools Cloud policy Cloud audit Contract
Cloud security Policy
Building a cloud strategy: relevant steps Guidelines for which data/app can migrate Threats & Risks to consider Identifying key Stakeholders Evaluating the provider maturity and security controls. Additional controls that should be implemented in the service.
Cloud Policy: Balancing the requirements Laws (i.e. Privacy laws) Regulations (sector specific) Standards (PCI, ISO) Contracts
Data classification is mandatory Data that can be migrated Data that can not be migrated Data that can only migrate to certain providers Data that can only migrated to certain jurisdiction Data that can only migrated if encrypted / anonymized UK gov data classification: • Official • Secret • Top secret Official is allowed at public cloud
Dealing with risk and threats
Identifying key stakeholders Internal stakeholder • IT department • Business owners • R&D department • Legal Department • GRC Department • Procurement department External Stakeholder • Integration & Implementation partners • Brokers • Software development companies • Auditors • Security consultant Often internal stakeholder will form sort of Cloud Computing Center of Excellence
Stakeholder responsibilities •Monitor Shadow IT •Authorized providers list •Budget management - IaaS/PaaS •SaaS license management Procurement •Building cloud architecture •Integrating new tools •Vision and roadmap Architecture •Guidelines for compliance program •Provider screening process •Specific controls GRC/CRO •Automation •Monitoring •Security (secdevops) Operations/devops
Specific controls examples Cloud migration committee Mandatory provider certifications MFA usage Data encryption at rest Security assessments
Evaluating providers (cloud assessments)
Hi diversity in the market (specially in SaaS) • Could you do an audit? • Should you do an audit? In many cases you must settle for 3rd party attestation. Cloud provider A Cloud provider B
Provider evaluation Is the service adequate? How mature is the provider? Are the provider responsibilities clear? Are customer responsibilities clear? Are there gaps?
Provider evaluation – what do I really looking for? Trust Accountability Is the provider accountable for his responsibilities? Transparency Is the information I am receiving accurate and actionable? Assurance Wil the provider perform as planned?
Provider evaluation (mostly on SaaS) Reviewing security policy Evaluating the provider Evaluating the service Evaluating the supply chain Analyzing gaps Setting special requirements Contract signing Ongoing monitoring
Tools for provider evaluation https://cloudsecurityalliance.org/star/registry/
SaaS services – security foundation Encryption • Encrypting data at the cloud provider (who has the keys)? Identity Management • Who control the user store? • Who is responsible for authentication? Governance & Audit • Who does what? • Suspicious events detection
IaaS/PaaS – performing security testing Security assessment • Usually assessing the cloud infrastructure • Require knowledge in the cloud platform • Usually made against a checklist • Evaluating the security posture of the environment Penetration testing • Usually cover the application layer • Mostly black box • Require coordination with the provider • Assessing the application resilience
Assessing with a security framework Security framework (non cloud specific) • ISO27001 • SOC 2/3 • COBIT • EU-Sec Security framework (cloud specific) • ISO27017 / 27018 (Cloud Security & privacy) • CSA STAR • BSI C5 • NIST 800-53 • PCI DSS cloud guidelines • CIS benchmark Considuration: Cloud Native vs. Migrated to the cloud
Contract management Usually made from 3 parts: • Agreement • SLA • ToS Usually not negotiable Must address the shared responsibility model Must address sub- processors Cloud specific • Location of services • Conflict resolution • Breach notification Must address end-of- service and migration
Privacy considerations Data privacy laws are turning the world into privacy islands Important topics: • Data residency • Processor vs. controller roles • Data subject's rights • Breach notifications Check put the CSA Privacy Level Agreement: https://cloudsecurityalliance.org/research/working-groups/privacy-level-agreement/
Summary  The word cloud describes many different types of services, with different security considerations.  Pick your battles – • Large mature IaaS/PaaS providers – focus on customer maturity • SaaS services – Choose your partners wisely • Practical cloud policy is the place to begin, everything else will follow Cloud Security Course Schedule can be found at: ty Course http://www.onlinecloudsec.com/course-schedule
KEEP IN TOUCH Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
Questions?

More Related Content

PDF
ISO 27001 2002 Update Webinar.pdf
byControlCase
 
PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Iso27001vs iso27003
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PDF
ISO27001: Implementation & Certification Process Overview
byShankar Subramaniyan
 
PDF
2022 Webinar - ISO 27001 Certification.pdf
byControlCase
 
PPTX
Identity & access management
byVandana Verma
 
PDF
ML_DT.pdf
byAmirMohamedNabilSale
 
PDF
Essentials of enterprise architecture tools
byiasaglobal
 
ISO 27001 2002 Update Webinar.pdf
byControlCase
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Iso27001vs iso27003
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
ISO27001: Implementation & Certification Process Overview
byShankar Subramaniyan
 
2022 Webinar - ISO 27001 Certification.pdf
byControlCase
 
Identity & access management
byVandana Verma
 
ML_DT.pdf
byAmirMohamedNabilSale
 
Essentials of enterprise architecture tools
byiasaglobal
 

What's hot

PDF
Complete open source IAM solution
byRadovan Semancik
 
PDF
EA Report.pdf
byDrShekharTankhiwale
 
PDF
How to test an AI application
byKari Kakkonen
 
PPTX
Azure security and Compliance
byKarina Matos
 
PPTX
Azure Fundamentals || AZ-900
bythisiswali
 
PDF
ISO 27001:2022 What has changed.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
NQA ISO 27001 Implementation Guide
byNQA
 
PDF
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
PDF
Steps to iso 27001 implementation
byRalf Braga
 
PPTX
Azure role based access control (rbac)
bySrikanth Kappagantula
 
PDF
What is ISO20000
byBen Kalland
 
PDF
Spring Boot Tutorial | Microservices Spring Boot | Microservices Architecture...
byEdureka!
 
PPTX
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
byiFour Consultancy
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
byVMware Tanzu
 
PDF
Itil v4-mindmap
byIsmail aboulezz
 
PDF
Best Practices in Disaster Recovery Planning and Testing
byAxcient
 
PPTX
Health monitoring and dependency injection - CNUG November 2019
byAlex Thissen
 
PDF
How can the ISO 27701 help to design, implement, operate and improve a privac...
byHernan Huwyler, MBA CPA
 
PPTX
Security of IOT,OT And IT.pptx
byMohanPandey31
 
Complete open source IAM solution
byRadovan Semancik
 
EA Report.pdf
byDrShekharTankhiwale
 
How to test an AI application
byKari Kakkonen
 
Azure security and Compliance
byKarina Matos
 
Azure Fundamentals || AZ-900
bythisiswali
 
ISO 27001:2022 What has changed.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
NQA ISO 27001 Implementation Guide
byNQA
 
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
Steps to iso 27001 implementation
byRalf Braga
 
Azure role based access control (rbac)
bySrikanth Kappagantula
 
What is ISO20000
byBen Kalland
 
Spring Boot Tutorial | Microservices Spring Boot | Microservices Architecture...
byEdureka!
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
byiFour Consultancy
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
byVMware Tanzu
 
Itil v4-mindmap
byIsmail aboulezz
 
Best Practices in Disaster Recovery Planning and Testing
byAxcient
 
Health monitoring and dependency injection - CNUG November 2019
byAlex Thissen
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
byHernan Huwyler, MBA CPA
 
Security of IOT,OT And IT.pptx
byMohanPandey31
 

Similar to What the auditor need to know about cloud computing

PPTX
Cloud security for banks - the central bank of Israel regulations for cloud s...
byMoshe Ferber
 
PPTX
Cloud security for financial services
byMoshe Ferber
 
PPTX
Transforming cloud security into an advantage
byMoshe Ferber
 
PPT
Effectively and Securely Using the Cloud Computing Paradigm
byfanc1985
 
PPT
Cloud computing-security-issues
byAleem Mohammed
 
PPTX
The Cloud & I, The CISO challenges with Cloud Computing
byMoshe Ferber
 
PPT
4831586.ppt
byahmad21315
 
PDF
Best Practices in Cloud Security Standards.pptx.pdf
byapurvar399
 
PPTX
What is Cloud Security, and Can I Have Some?
byJohn Kinsella
 
PPTX
Cloud Computing Security Essentials for beginners
byssuser1e89a0
 
PPTX
The Impact of Cloud: Cloud Computing Security and Privacy
byCharles Mok
 
PDF
The Art of Cloud Auditing - ISACA ID
byEryk Budi Pratama
 
PDF
EuroCACS 2016 There are giants in the sky
byCarlos Chalico
 
PPT
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
byBill Annibell
 
PPT
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
byTT L
 
PDF
Lecture27 cc-security2
byAnkit Gupta
 
PDF
Cloud services and it security
byEast Midlands Cyber Security Forum
 
PDF
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
byShah Sheikh
 
PPTX
Cloud is not an option, but is security?
byJody Keyser
 
ODP
Securing The Cloud
bygeorge.james
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
byMoshe Ferber
 
Cloud security for financial services
byMoshe Ferber
 
Transforming cloud security into an advantage
byMoshe Ferber
 
Effectively and Securely Using the Cloud Computing Paradigm
byfanc1985
 
Cloud computing-security-issues
byAleem Mohammed
 
The Cloud & I, The CISO challenges with Cloud Computing
byMoshe Ferber
 
4831586.ppt
byahmad21315
 
Best Practices in Cloud Security Standards.pptx.pdf
byapurvar399
 
What is Cloud Security, and Can I Have Some?
byJohn Kinsella
 
Cloud Computing Security Essentials for beginners
byssuser1e89a0
 
The Impact of Cloud: Cloud Computing Security and Privacy
byCharles Mok
 
The Art of Cloud Auditing - ISACA ID
byEryk Budi Pratama
 
EuroCACS 2016 There are giants in the sky
byCarlos Chalico
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
byBill Annibell
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
byTT L
 
Lecture27 cc-security2
byAnkit Gupta
 
Cloud services and it security
byEast Midlands Cyber Security Forum
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
byShah Sheikh
 
Cloud is not an option, but is security?
byJody Keyser
 
Securing The Cloud
bygeorge.james
 

More from Moshe Ferber

PPTX
Cloud Security - the egregious 11 cloud security threats
byMoshe Ferber
 
PPTX
Understanding IaaS/PaaS attack vectors.pptx
byMoshe Ferber
 
PPTX
Foundations of cloud security monitoring
byMoshe Ferber
 
PPTX
Cloud security certifications landscape
byMoshe Ferber
 
PPTX
Cloud Security Architecture.pptx
byMoshe Ferber
 
PPTX
Architect secure cloud services.
byMoshe Ferber
 
PPTX
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
byMoshe Ferber
 
PPTX
Surviving the lions den - how to sell SaaS services to security oriented cust...
byMoshe Ferber
 
PPTX
Cloud security what to expect (introduction to cloud security)
byMoshe Ferber
 
PPTX
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
byMoshe Ferber
 
PPTX
Aligning Risk with Growth - Cloud Security for startups
byMoshe Ferber
 
PPTX
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
byMoshe Ferber
 
Cloud Security - the egregious 11 cloud security threats
byMoshe Ferber
 
Understanding IaaS/PaaS attack vectors.pptx
byMoshe Ferber
 
Foundations of cloud security monitoring
byMoshe Ferber
 
Cloud security certifications landscape
byMoshe Ferber
 
Cloud Security Architecture.pptx
byMoshe Ferber
 
Architect secure cloud services.
byMoshe Ferber
 
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
byMoshe Ferber
 
Surviving the lions den - how to sell SaaS services to security oriented cust...
byMoshe Ferber
 
Cloud security what to expect (introduction to cloud security)
byMoshe Ferber
 
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
byMoshe Ferber
 
Aligning Risk with Growth - Cloud Security for startups
byMoshe Ferber
 
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
byMoshe Ferber
 

Recently uploaded

PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
Mastering Handlers, Conditions, and Loops in Ansible Playbooks - RHCE.pdf
byLinuxCert Guru
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
PDF
OutSystsems User Group Brabant November 2025
bymail496323
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PPTX
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
PPTX
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
PDF
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
Mastering Handlers, Conditions, and Loops in Ansible Playbooks - RHCE.pdf
byLinuxCert Guru
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
OutSystsems User Group Brabant November 2025
bymail496323
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
Agentic AI presentation with Python Exercises
byParth Mane
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 

What the auditor need to know about cloud computing

  • 1.
    Cloud Security For auditors MosheFerber, CCSK, CCSP, CCAK Onlinecloudsec.com When the winds of change blow, some people build walls and others build windmills. - Chinese Proverb
  • 2.
    #About  Information securityprofessional for over 20 years  Founder, partner and investor at various cyber initiatives and startups  Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)  Co-hosting the Silverlining podcast – lean about security engineering  Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification  Member of the board at Macshava Tova – Narrowing societal gaps  Chairman of the Board, Cloud Security Alliance, Israeli Chapter Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
  • 3.
    So, what iscloud computing?
  • 4.
    Actually, cloud doeshave a definition…
  • 5.
    Cloud characteristics: • Cloudcomputing characteristics distinguish cloud from other forms of compute (i.e. hosting, outsourcing , static virtualization) • Mostly relevant for certain regulations
  • 6.
    ‫מזה‬ ‫זה‬ ‫שונים‬‫מאוד‬ ‫הענן‬ ‫שירותי‬ .... SaaS PaaS IaaS Private Hybrid Public
  • 7.
    The Share responsibilitymodel Physical Security Network & Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility
  • 8.
    The CISO Challenge SaaS PaaS IaaS Gainthe expertise for building secure applications Evaluate providers correctly Very hard to provide best practices
  • 9.
  • 10.
  • 11.
    Building a cloudstrategy: relevant steps Guidelines for which data/app can migrate Threats & Risks to consider Identifying key Stakeholders Evaluating the provider maturity and security controls. Additional controls that should be implemented in the service.
  • 12.
    Cloud Policy: Balancingthe requirements Laws (i.e. Privacy laws) Regulations (sector specific) Standards (PCI, ISO) Contracts
  • 13.
    Data classification ismandatory Data that can be migrated Data that can not be migrated Data that can only migrate to certain providers Data that can only migrated to certain jurisdiction Data that can only migrated if encrypted / anonymized UK gov data classification: • Official • Secret • Top secret Official is allowed at public cloud
  • 14.
    Dealing with riskand threats
  • 15.
    Identifying key stakeholders Internalstakeholder • IT department • Business owners • R&D department • Legal Department • GRC Department • Procurement department External Stakeholder • Integration & Implementation partners • Brokers • Software development companies • Auditors • Security consultant Often internal stakeholder will form sort of Cloud Computing Center of Excellence
  • 16.
    Stakeholder responsibilities •Monitor ShadowIT •Authorized providers list •Budget management - IaaS/PaaS •SaaS license management Procurement •Building cloud architecture •Integrating new tools •Vision and roadmap Architecture •Guidelines for compliance program •Provider screening process •Specific controls GRC/CRO •Automation •Monitoring •Security (secdevops) Operations/devops
  • 17.
  • 18.
  • 19.
    Hi diversity inthe market (specially in SaaS) • Could you do an audit? • Should you do an audit? In many cases you must settle for 3rd party attestation. Cloud provider A Cloud provider B
  • 20.
    Provider evaluation Is theservice adequate? How mature is the provider? Are the provider responsibilities clear? Are customer responsibilities clear? Are there gaps?
  • 21.
    Provider evaluation –what do I really looking for? Trust Accountability Is the provider accountable for his responsibilities? Transparency Is the information I am receiving accurate and actionable? Assurance Wil the provider perform as planned?
  • 22.
    Provider evaluation (mostlyon SaaS) Reviewing security policy Evaluating the provider Evaluating the service Evaluating the supply chain Analyzing gaps Setting special requirements Contract signing Ongoing monitoring
  • 23.
    Tools for providerevaluation https://cloudsecurityalliance.org/star/registry/
  • 24.
    SaaS services –security foundation Encryption • Encrypting data at the cloud provider (who has the keys)? Identity Management • Who control the user store? • Who is responsible for authentication? Governance & Audit • Who does what? • Suspicious events detection
  • 25.
    IaaS/PaaS – performingsecurity testing Security assessment • Usually assessing the cloud infrastructure • Require knowledge in the cloud platform • Usually made against a checklist • Evaluating the security posture of the environment Penetration testing • Usually cover the application layer • Mostly black box • Require coordination with the provider • Assessing the application resilience
  • 26.
    Assessing with asecurity framework Security framework (non cloud specific) • ISO27001 • SOC 2/3 • COBIT • EU-Sec Security framework (cloud specific) • ISO27017 / 27018 (Cloud Security & privacy) • CSA STAR • BSI C5 • NIST 800-53 • PCI DSS cloud guidelines • CIS benchmark Considuration: Cloud Native vs. Migrated to the cloud
  • 27.
    Contract management Usually madefrom 3 parts: • Agreement • SLA • ToS Usually not negotiable Must address the shared responsibility model Must address sub- processors Cloud specific • Location of services • Conflict resolution • Breach notification Must address end-of- service and migration
  • 28.
    Privacy considerations Data privacylaws are turning the world into privacy islands Important topics: • Data residency • Processor vs. controller roles • Data subject's rights • Breach notifications Check put the CSA Privacy Level Agreement: https://cloudsecurityalliance.org/research/working-groups/privacy-level-agreement/
  • 29.
    Summary  The wordcloud describes many different types of services, with different security considerations.  Pick your battles – • Large mature IaaS/PaaS providers – focus on customer maturity • SaaS services – Choose your partners wisely • Practical cloud policy is the place to begin, everything else will follow Cloud Security Course Schedule can be found at: ty Course http://www.onlinecloudsec.com/course-schedule
  • 30.
    KEEP IN TOUCH CloudSecurity Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
  • 31.