Clouds Unseen – What PwC Routinely Sees And You Might Not
October 20, 2015
CSX 2015 North America Conference
Washington, DC, USA
Satchit Dokras
US Leader, Cloud Risk Assurance
PwC
www.pwc.com
Introduction
Today’s speaker
Satchit Dokras
US Cloud Risk Assurance Leader
Satchit Dokras developed PwC's cDiscovery™ and cLifecycle™ security and
privacy frameworks, and has deployed the industry's Cloud Security Alliance
Cloud Controls Matrix, ISO and NIST frameworks.
His SaaS platform work includes O365, Salesforce, Workday and ServiceNow,
and IaaS platforms such as Microsoft Azure, Amazon Web Services and OpenStack.
Satchit was previously with Microsoft's Azure cloud division, and with
RSA-EMC (identity management, infrastructure, information security).
Satchit has an MS from MIT and holds the CISSP security certification.
He is an established author and keynote speaker on cloud, security and
analytics technology advancements.
What’s the state of security today?
Detected security incidents – Growth continues
Average number of security incidents in past 12 months
• A security incident is defined as any adverse incident that threatens some aspect of computer security.
• Data from PwC's "The Global State of Information Security® Survey 2016"

Year   Average incidents
2011   2,562
2012   2,989
2013   3,741
2014   4,948
2015   6,853

38% more information security incidents in 2015 than in 2014.
Insider threats – From inside and outside
Estimated likely source of incidents
• Data from PwC's "The Global State of Information Security® Survey 2016"

Source                                               2014   2015
Current employees                                    35%    34%
Former employees                                     30%    29%
Current service providers/consultants/contractors    18%    22%
Former service providers/consultants/contractors     13%    19%
Suppliers/business partners                          15%    16%

Incidents attributed to current service providers, consultants and contractors rose 22% (18% to 22%).
Cyber targets – Employee, customer, internal data
Impact of security incidents
• Data from PwC's "The Global State of Information Security® Survey 2016"

Impact                                     2014   2015
Customer records compromised               28%    38%
Employee records compromised               29%    33%
Loss or damage of internal records         20%    26%
Theft of "soft" intellectual property      24%    25%
  (e.g. strategic business plans, financial documents)
Theft of "hard" intellectual property      15%    23%

Compromise of customer records rose 35% (28% to 38%).
New threats and actors — State-directed
capitalism
A. Continuous rise in the impact
of state sponsored threat actors
B. Governments continue to
militarize their cyber
capabilities
C. Sustained threats targeting
institutions/ infrastructure
D. Increased likelihood of cyber-
attacks on critical
infrastructure
• Data from PwC’s “The Global State of Information Security® Survey 2016”
Privacy & compliance – Compounding risks
A. Global compliance impacts with
multitudes of jurisdictions
B. Cross-border harmonization
C. Strong-arm laws: Russia, China
D. EU Data Protection Laws
E. Safe Harbour
F. CSP Subpoena
G. Privacy attestations
Where are the cloud risks?
Cloud growth – Fueled by many sectors
Applications
Internet of Things
Social media
Mobile
Analytics
Cloud
Cloud count – How many do you know of?
Average number of cloud services discovered in an enterprise
(Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015)

Quarter   Services
2013 Q4   626
2014 Q1   759
2014 Q2   738
2014 Q3   831
2014 Q4   897
2015 Q1   923
2015 Q2   1,089

A. Across every sector
B. Following growth of SaaS services
C. Increasing monitoring capabilities and registry sizes
Banking and financial services – Categories in use
Customer
• CRM
• Marketing
• Media
Functions
• HR
• Health
• Finance
Infrastructure
• Storage
• DR
• IT services
• Platforms
• Security services
• Etc.

Number of cloud services in use, by category
(Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015)
Collaboration            195
Development               65
Content sharing           47
Social media              43
Tracking                  25
Business intelligence     21
Clouds do serve as a business innovation enabler
A. Better, Faster, Cheaper – clearly a CEO agenda [1]
B. And Safer? – Clearly a Board agenda [1]
The average employee uses 28 cloud services at work [2]
Top 10 Enterprise Cloud Services [2]
1. Microsoft Office 365
2. Cisco Webex
3. Salesforce
4. Oracle RightNow
5. Concur
6. Yammer
7. Jive
8. Zendesk
9. Hightail
10. ServiceNow
Sources:
1. PwC's whitepaper: Managing risk in the cloud — The role of management
2. Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015
Compromised credentials — More common than you think
Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015
Finance is the most exposed industry to compromised accounts
94.3% of financial services companies have compromised accounts
15.5% of financial employees have at least one stolen password
Only 15.4% of cloud service providers offer multi-factor authentication
Cloud security issues – Uniquely different threat vectors
• 85% of high-risk cloud services are not being blocked effectively [1]
• 92% of companies have users with compromised identities [2]
1. PwC Australia, Managing the Shadow Cloud, June 2015
2. Skyhigh Networks Cloud Adoption & Risk Report, Q1 2015
How to carry out digital transformation of cloud security and privacy capabilities?
Digital transformation — What clouds need
Policy: risk-based frameworks
People: think cloud first
Technology: automation at the speed of cloud
Process: shared responsibility
Policy — Risk-based security framework adoption
• Data from PwC's "The Global State of Information Security® Survey 2016"

Have adopted ISO 27001                        40%
Have adopted NIST Cybersecurity Framework     34%
Have adopted SANS Critical Controls           28%
Have adopted ISF Standard of Good Practice    26%
Have adopted other security framework(s)      18%
Have not adopted a security framework          8%

65% of respondents say they collaborate with others to improve information security.
Policy — Cloud discovery is foundation for risk framework
Enterprise Risk Framework
• Risk capacity
• Risk appetite
• Risk tolerance
• Risk target
• Risk limits
Levels: Enterprise, Category, Elemental
Evidence-based cloud risk discovery
PwC's cLifecycle™ — Risk assurance framework for cloud operations lifecycle
cDiscovery™: Discovery of cloud services with risk rating
Cull: Effective blocking of high-risk clouds
Consolidate: Manage risks in transition to sanctioned clouds
Control: Adequate controls for cloud operations
Collaborate: Security guidelines & platforms to add clouds
Comply: Test for risk exposures in compliance/communications
Supporting elements: risk model; policies; information risk management; SDLC; vendor risk; portfolios of suites (O365, Salesforce, Workday, ServiceNow, AWS, Azure); third-party risk management; GRC; audit
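The first two steps of the lifecycle above (discover the cloud services actually in use, rate them, and cull the high-risk ones) are what the earlier "cloud count" and "cloud discovery is foundation" slides depend on. The following is an added example, not code from the deck or from PwC's cDiscovery™, showing the mechanics on constructed web-proxy log lines: hosts are matched against a small, hypothetical service registry by domain suffix, each service seen is summarised with its rating, users and request count, and the cull step returns the services whose rating meets the block threshold. The log lines, registry entries and risk ratings are all made up for the example.

```python
"""Added example (not code from the original deck or from PwC's cDiscovery(TM)):
shadow-cloud discovery from web-proxy logs, with a risk rating per service
and a cull list of high-risk services to block. Log lines and the service
registry below are constructed for the example."""
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic), Squid-like layout:
# <epoch> <client-ip> <user> <method> <url> <status>
PROXY_LOG = """\
1445347200.101 10.1.4.22 alice GET https://login.salesforce.com/ 200
1445347201.456 10.1.4.22 alice POST https://na1.salesforce.com/services/data 200
1445347203.002 10.1.4.87 bob GET https://www.dropbox.com/home 200
1445347204.777 10.1.4.87 bob POST https://dl-web.dropbox.com/upload 200
1445347205.300 10.1.4.90 carol GET https://outlook.office365.com/owa/ 200
1445347206.900 10.1.4.91 dave PUT https://pastebin.com/api/api_post.php 200
1445347207.100 10.1.4.22 alice GET https://intranet.example.internal/ 200
1445347208.400 10.1.4.87 bob GET https://www.dropbox.com/home 200
"""

# Constructed registry: domain suffix -> (service name, risk rating).
# Ratings are hypothetical; a real registry (such as a CASB's) holds thousands
# of services with ratings derived from many attributes, MFA support among them.
REGISTRY = {
    "salesforce.com": ("Salesforce", "low"),
    "office365.com": ("Microsoft Office 365", "low"),
    "dropbox.com": ("Dropbox", "medium"),
    "pastebin.com": ("Pastebin", "high"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def host_of(url):
    """Hostname of a URL, or None if the URL has no scheme/host."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None


def lookup(host):
    """Match a host against the registry by domain suffix, longest suffix first."""
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        hit = REGISTRY.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def discover(log_text):
    """Map each known cloud service seen in the log to its risk rating,
    the set of users who touched it, and the request count."""
    found = defaultdict(lambda: {"risk": None, "users": set(), "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        _ts, _ip, user, _method, url, _status = m.groups()
        hit = lookup(host_of(url))
        if hit is None:
            continue  # internal or unregistered host: not a known cloud service
        name, risk = hit
        entry = found[name]
        entry["risk"] = risk
        entry["users"].add(user)
        entry["requests"] += 1
    return dict(found)


def cull(discovered, block_at=("high",)):
    """Cull step: names of discovered services whose rating is in block_at."""
    return sorted(name for name, e in discovered.items() if e["risk"] in block_at)


def report(discovered):
    """One line per service, highest risk first, for the discovery summary."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(discovered.items(), key=lambda kv: (order[kv[1]["risk"]], kv[0]))
    return [f"{n:<22} risk={e['risk']:<6} users={len(e['users'])} requests={e['requests']}"
            for n, e in rows]


if __name__ == "__main__":
    found = discover(PROXY_LOG)
    print("\n".join(report(found)))
    print("block:", ", ".join(cull(found)))
```

Two details matter in practice. Suffix matching must prefer the longest registry entry, otherwise a registry that lists both a platform and a riskier sub-service under it would rate everything by the parent. And hosts that match nothing are counted as unknown rather than dropped silently; the unknown set is where the "unknown residuals" on the closing slide come from, so a production version would surface it instead of discarding it.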
People – Competition for resources as talent is key
A. Increased demand for top talent
B. Steady increase in the cyber workforce
C. Changing role of the CISO
• Data from PwC's "The Global State of Information Security® Survey 2016"
People – Organization transformation needed to think cloud first
Leadership
Resources
Depth of experience
Across platforms
Community
Process – Cloud first is a shared responsibility
Parties: cloud service provider; cloud customer (user); consumers, partners and contractors; cloud security tool vendors
Controls are split into service provider controls, customer controls and complementary controls on each side.
Control areas named on the slide:
• Access control
• Policy consistency
• Cloud security as a Service
• Federation services
• API security
• Legacy integration
• Cloud defense
• Core security & privacy
• Compliance and audits
• Functions
• Features
• Attestations
• Security services
• Insurance (listed under more than one party)
Process – Orchestrating O365 + customer controls
Data protection: DLP, search, eDiscovery
Admin access control: Lockbox (customer-approved access)
Encryption: OneDrive per-file encryption with Key Vault; Exchange per-message encryption with Azure Key Vault
• Data from Microsoft's Ignite, May 2015

Encryption layers: encryption at rest, per-file encryption, encryption in transit
Customer-side content controls: data loss prevention, search, insights, general content analysis

Lockbox approval flow: Microsoft engineer submits request → Lockbox system → Microsoft manager approves → customer approves → Microsoft engineer is granted access
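The Lockbox flow on this slide is a dual-approval gate: the provider's own manager and then the customer must both say yes before an engineer touches tenant data. The following is an added example, not Microsoft's Customer Lockbox implementation and not code from the deck, modelling just the properties the diagram implies: approvals must happen in order, the requester cannot approve their own request, only an admin of the targeted tenant can give the customer approval, and a grant expires. The role names, the tenant check, the constructed timestamp and the 4-hour window are assumptions made for the example.

```python
"""Added example (not Microsoft's Customer Lockbox code and not from the deck):
a minimal model of the approval gate the slide's diagram shows. A provider
engineer's access request needs a provider-side manager approval and then
the customer's approval before access is granted, and the grant is time-boxed.
The 4-hour window, the role names and the tenant check are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    SUBMITTED = "submitted"                  # engineer has asked for access
    PROVIDER_APPROVED = "provider_approved"  # provider manager said yes
    GRANTED = "granted"                      # customer said yes; access is live
    DENIED = "denied"
    EXPIRED = "expired"


ACCESS_WINDOW = timedelta(hours=4)  # assumed duration of a granted window
# Constructed reference time used by the usage block below.
T0 = datetime(2015, 10, 20, 9, 0, tzinfo=timezone.utc)


class LockboxError(Exception):
    """Raised when a transition is attempted out of order or by the wrong party."""


@dataclass
class AccessRequest:
    engineer: str
    tenant: str
    reason: str
    state: State = State.SUBMITTED
    # Audit trail of (role, approver, timestamp), in order.
    approvals: List[Tuple[str, str, datetime]] = field(default_factory=list)
    expires_at: Optional[datetime] = None


def provider_approve(req: AccessRequest, manager: str, now: datetime) -> AccessRequest:
    """Step 1: provider-side manager approval. Self-approval is refused."""
    if req.state is not State.SUBMITTED:
        raise LockboxError(f"cannot provider-approve in state {req.state.value}")
    if manager == req.engineer:
        raise LockboxError("requester cannot approve their own request")
    req.approvals.append(("provider_manager", manager, now))
    req.state = State.PROVIDER_APPROVED
    return req


def customer_decide(req: AccessRequest, customer_admin: str, tenant: str,
                    approve: bool, now: datetime) -> AccessRequest:
    """Step 2: the customer approves or denies. Only reachable after step 1,
    and only an admin of the tenant the request targets may decide."""
    if req.state is not State.PROVIDER_APPROVED:
        raise LockboxError(f"customer decision not allowed in state {req.state.value}")
    if tenant != req.tenant:
        raise LockboxError("approver belongs to a different tenant")
    req.approvals.append(("customer_admin", customer_admin, now))
    if approve:
        req.state = State.GRANTED
        req.expires_at = now + ACCESS_WINDOW
    else:
        req.state = State.DENIED
    return req


def access_allowed(req: AccessRequest, now: datetime) -> bool:
    """Gate checked on every privileged operation: granted and not yet expired."""
    if req.state is not State.GRANTED:
        return False
    if now >= req.expires_at:
        req.state = State.EXPIRED
        return False
    return True


if __name__ == "__main__":
    req = AccessRequest("eng-7", "contoso", "restore mailbox, ticket 4711")
    provider_approve(req, "mgr-2", T0)
    customer_decide(req, "admin@contoso", "contoso", True, T0 + timedelta(minutes=5))
    print(req.state.value, access_allowed(req, T0 + timedelta(hours=1)))  # granted True
    print(access_allowed(req, T0 + ACCESS_WINDOW + timedelta(hours=1)), req.state.value)  # False expired
```

The point a customer should take from the slide is that the second approval is theirs: a provider-only approval chain never reaches GRANTED here, and the audit trail records who approved at each step, which is the evidence an assessor would ask for when reviewing admin access to tenant data.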
Process – Selection of O365 IDM architecture
• Data from Microsoft's Ignite, May 2015

Identity models
Cloud identity: zero on-premises servers
Synchronized identity: directory sync with password sync
Federated identity: on-premises identity with federation and directory sync

Identity source                                                                Support
Active Directory (AD)                                                          Microsoft supported; works for Office 365 hybrid scenarios
Existing non-ADFS identity systems with AD or non-AD                           Third-party supported, verified through the 'works with Office 365' program; works for Office 365 hybrid scenarios
Existing non-ADFS identity systems with AD and other directories on-premises   Microsoft supported for integration only; no identity provider deployment support
Technology – Building business + operations trust
• Data from PwC's "The Global State of Information Security® Survey 2016"

Cybersecurity insurance      59%
Big Data analytics           59%
Cloud-based cybersecurity    69%

56% of respondents who use cloud-based cybersecurity also employ real-time monitoring and analytics from cloud providers.
Technology – Clouds enforce automation transformation
Selection of technology (tools), orchestration of policies and digital transformation processes
Cloud stack: services, apps, users, data, on premise

Cloud challenges
• Discovery of clouds and connected services
• API management
• Federated identities, access
• Quality, inventory, classification
• Systems integration, migration between clouds

Automation trend
• Marketplace of approved subscription services
• API security brokerage
• Brokerage
• Encryption, RMS, DLP
• Provisioning hybrid clouds
Technology – Cloud delivered security and defense
IDaaS – identities
CASB – access control
Federation brokers – directories, rights
XaaS – encryption
CaaS – compliance
Advanced SOCs, APTs
Behavior analytics
• Data from PwC's "The Global State of Information Security® Survey 2016"
Conclusions
Digital transformation of cloud audit function
Previously: Plan → Audit → Report
Henceforth: Discover → Plan → Report
Digital transformation of cloud risk management
1. Scope (Discovery)
2. Framework
3. Methodology
4. Focus
5. Assessments
6. Reporting
• Digital intelligence
• Operations lifecycle
• Automation technologies
• Knowns (O365, Salesforce, Workday, AWS, Azure, ...)
• Unknown residuals
• Extended (NIST, ISO, ...)
• Compliance certifications
• Evidence-based, trustworthy
Questions, Discussion
Thank you!
Satchit Dokras
US Leader, Cloud Risk Assurance
PricewaterhouseCoopers
Satchit.Dokras@us.pwc.com
https://www.linkedin.com/in/dokras
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes
refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information
purposes only, and should not be used as a substitute for consultation with professional advisors.
