1. Clouds Unseen – What PwC Routinely Sees And You Might Not
October 20, 2015
CSX 2015 North America Conference
Washington, DC, USA
Satchit Dokras
US Leader, Cloud Risk Assurance
PwC
www.pwc.com
2. PwC
Clouds Unseen – What PwC Routinely Sees and You May Not
Satchit Dokras
US Leader, Cloud Risk Assurance
PricewaterhouseCoopers
CSX 2015 North America Conference
Washington, DC, USA
October 20, 2015
3. PwC
Introduction
Today’s speaker
Satchit Dokras
US Cloud Risk Assurance Leader
Satchit Dokras is the developer of PwC’s cDiscovery™ and cLifecycle™ security and privacy frameworks, and has deployed the industry’s Cloud Security Alliance Control Matrix, ISO and NIST frameworks.
His SaaS platform work includes O365, Salesforce, Workday and ServiceNow, and IaaS platforms such as Microsoft Azure, Amazon Web Services and OpenStack.
Satchit was previously with Microsoft in its Azure cloud division, and with RSA-EMC (identity management, infrastructure, information security).
Satchit holds an MS from MIT and the CISSP security certification.
He is an established author and keynote speaker on cloud, security and analytics technology advancements.
5. PwC
Detected security incidents – Growth continues
Average number of security incidents in past 12 months
Year   Average incidents
2011   2,562
2012   2,989
2013   3,741
2014   4,948
2015   6,853
38% more information security incidents (2015 vs. 2014).*
• A security incident is defined as any adverse incident that threatens some aspect of computer security.
• Data from PwC’s “The Global State of Information Security® Survey 2016”
6. PwC
Insider threats – From inside and outside
Estimated likely source of incidents
Source                                              2014   2015
Current employees                                   35%    34%
Former employees                                    30%    29%
Current service providers/consultants/contractors   18%    22% (+22%)
Former service providers/consultants/contractors    13%    19%
Suppliers/business partners                         15%    16%
• Data from PwC’s “The Global State of Information Security® Survey 2016”
7. PwC
Cyber targets – Employee, customer, internal data
Impact of security incidents
Impact                                   2014   2015
Customer records compromised             28%    38% (+35%)
Employee records compromised             29%    33%
Loss or damage of internal records       20%    26%
Theft of “soft” intellectual property    24%    25%
  (e.g. strategic business plans, financial documents)
Theft of “hard” intellectual property    15%    23%
• Data from PwC’s “The Global State of Information Security® Survey 2016”
8. PwC
New threats and actors — State-directed capitalism
A. Continuous rise in the impact of state sponsored threat actors
B. Governments continue to militarize their cyber capabilities
C. Sustained threats targeting institutions/infrastructure
D. Increased likelihood of cyber-attacks on critical infrastructure
• Data from PwC’s “The Global State of Information Security® Survey 2016”
9. PwC
Privacy & compliance – Compounding risks
A. Global compliance impacts with multitudes of jurisdictions
B. Cross-border harmonization
C. Strong-arm laws: Russia, China
D. EU Data Protection Laws
E. Safe Harbour
F. CSP Subpoena
G. Privacy attestations
11. PwC
Cloud growth – Fueled by many sectors
• Applications
• Internet of Things
• Social media
• Mobile
• Analytics
• Cloud
12. PwC
Cloud count – How many do you know of?
A. Across every sector
B. Following growth of SaaS services
C. Increasing monitoring capabilities and registry sizes
Avg number of cloud services discovered in an enterprise
Quarter   Avg cloud services
2013 Q4   626
2014 Q1   759
2014 Q2   738
2014 Q3   831
2014 Q4   897
2015 Q1   923
2015 Q2   1,089
Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015
13. PwC
Banking and financial service – Categories in use
Customer
• CRM
• Marketing
• Media
Functions
• HR
• Health
• Finance
Infrastructure
• Storage
• DR
• IT services
• Platforms
• Security services
Etc
Chart values by category (axis 0–250):
Category               Value
Collaboration          195
Development            65
Content sharing        47
Social media           43
Tracking               25
Business Intelligence  21
Pie chart split: 40% / 60% (segments unlabelled)
Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015
14. PwC
Clouds do serve as a business innovation enabler
A. Better, Faster, Cheaper - clearly a CEO agenda¹
B. And Safer? - Clearly a Board agenda¹
The average employee uses 28 cloud services at work²
Top 10 Enterprise Cloud Services²
1. Microsoft Office 365
2. Cisco Webex
3. Salesforce
4. Oracle RightNow
5. Concur
6. Yammer
7. Jive
8. Zendesk
9. Hightail
10. ServiceNow
1. PwC’s whitepaper: Managing risk in the cloud — The role of management
2. Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015
15. PwC
Compromised credentials — More common than you think
Finance is the most exposed industry to compromised accounts
94.3% of financial services companies have compromised accounts
15.5% of financial employees have at least one stolen password
Only 15.4% of cloud service providers offer multi-factor authentication
Skyhigh Networks Cloud Adoption & Risk Report, Q2 2015
16. PwC
Cloud security issues – Uniquely different threat vectors
• 85% of high risk cloud services are not being blocked effectively¹
• 92% of companies have users with compromised identities²
1. PwC Australia, Managing the Shadow Cloud, June 2015
2. Skyhigh Networks Cloud Adoption & Risk Report, Q1 2015
17. PwC
How to do digital transformation of cloud security and privacy capabilities?
18. PwC
Digital transformation — What clouds need
Policy: Risk based frameworks
People: Think Cloud First
Technology: Automation at speed of cloud
Process: Shared responsibility
19. PwC
Policy — Risk-based security framework adoption
Framework adoption                           Respondents
Have not adopted a security framework        8%
Have adopted other security framework(s)     18%
Have adopted ISF Standard of Good Practice   26%
Have adopted SANS Critical Controls          28%
Have adopted NIST Cybersecurity Framework    34%
Have adopted ISO 27001                       40%
65% of respondents say they collaborate with others to improve information security
• Data from PwC’s “The Global State of Information Security® Survey 2016”
20. PwC
Policy — Cloud discovery is foundation for risk framework
Enterprise Risk Framework
• Risk capacity
• Risk appetite
• Risk tolerance
• Risk target
• Risk limits
Levels: Enterprise, Category, Elemental
Evidence based cloud risk discovery
21. PwC
PwC’s cLifecycle™ — Risk assurance framework for cloud operations lifecycle
cDiscovery™: Discovery of cloud services with risk rating
Cull: Effective blocking of high-risk clouds
Consolidate: Manage risks in transition to sanctioned clouds
Control: Adequate controls for cloud operations
Collaborate: Security guidelines & platforms to add clouds
Comply: Test for risk exposures in compliance/communications
• Risk model
• Policies
• Information risk management
• SDLC
• Vendor risk
• Portfolios of suites: O365, Salesforce, Workday, ServiceNow, AWS, Azure
• Third party risk management
• GRC Audit
22. PwC
People – Competition for resources as talent is key
A. Increased demand for top talent
B. Steady increase in the cyber workforce
C. Changing role of the CISO
• Data from PwC’s “The Global State of Information Security® Survey 2016”
23. PwC
People – Organization transformation needed to think cloud first
• Leadership
• Resources
• Depth of experience
• Across platforms
• Community
24. PwC
Process – Cloud first is a shared responsibility
Parties: Cloud Service Provider; Cloud Customer (User); Consumers, Partners, Contractors; Cloud Security Tool Vendors
Control layers: Service provider controls; Complementary controls; Customer controls; Complementary controls
• Access control
• Policy consistency
• Insurance
• Cloud security as a Service
• Federation services
• API security
• Legacy integration

• Cloud defense
• Core security & privacy
• Compliance and audits
• Insurance

• Functions
• Features
• Attestations
• Security services
• Insurance
25. PwC
Process – Orchestrating O365 + customer controls
Data protection: DLP, Search, eDiscovery
Admin access control: Lockbox (customer-approved access)
Encryption: OneDrive per-file encryption with Key Vault; Exchange per-message encryption with Azure Key Vault
Encryption layers: encryption at rest, per-file encryption, encryption in transit
Customer: Data loss prevention, Search, Insights, General content analysis
Lockbox approval flow: Microsoft engineer submits request → Lockbox system → Microsoft manager (Microsoft approved) → Customer (Customer approved) → Microsoft engineer granted access
• Data from Microsoft’s Ignite, May 2015
26. PwC
Process – Selection of O365 IDM architecture
Identity models: Cloud identity (zero on-premises servers); Synchronized identity (directory sync with password sync); Federated identity (on-premises identity, federation, directory sync)
Active Directory (AD): Microsoft supported; works for Office 365 hybrid scenarios
Existing non-ADFS identity systems with AD or non-AD: third-party supported, verified through ‘works with Office 365’ program; works for Office 365 hybrid scenarios
Existing non-ADFS identity systems with AD and other directories on-premises: Microsoft supported for integration only, no identity provider deployment support
• Data from Microsoft’s Ignite, May 2015
27. PwC
Technology – Building business + operations trust
56% of respondents who use cloud-based cybersecurity also employ real-time monitoring and analytics from cloud providers
Adoption                   Respondents
Cybersecurity insurance    59%
Big Data analytics         59%
Cloud-based cybersecurity  69%
• Data from PwC’s “The Global State of Information Security® Survey 2016”
28. PwC
Technology – Clouds enforce automation transformation
Selection of technology (tools), orchestration of policies and digital transformation processes
Automation trend:
• Marketplace of approved subscription services
• API security brokerage
• Brokerage
• Encryption, RMS, DLP
• Provisioning hybrid clouds
Cloud challenges:
• Discovery of clouds and connected services
• API management
• Federated identities, access
• Quality, inventory, classification
• Systems integration, migration between clouds
Cloud stack: Services, Apps, Users, Data, On Premise
29. PwC
Technology – Cloud delivered security and defense
• IDaaS – Identities
• CASB – Access control
• Federation brokers – Directories, Rights
• XaaS – Encryption
• CaaS – Compliance
• Advanced SOCs, APTs
• Behavior Analytics
• Data from PwC’s “The Global State of Information Security® Survey 2016”