This deck sets out a secure, cost-effective way to start a cloud adoption security strategy. Security is a major concern for many organisations adopting cloud services, and the approach here is to leverage existing standards and approaches rather than to start from scratch.
2. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
WHO ARE IACS?
We are security experts that understand and enhance businesses. We work with UK Gov and commercial organisations on their cloud adoption and security initiatives. We support the CSA EMEA team and board. We are CSA CCSK and STAR certified.
SERVICES
• Cloud Security
• Cyber Security
• Security and Compliance
• Threat and Vulnerability
3. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
CHALLENGE AND RESPONSE
CHALLENGE
• Lots of guidance, advice, horror stories, reasons to move to the cloud and reasons not to move to the cloud!
• Organisations get hung up on myths, perception and other organisations' stories, whether good or bad.
RESPONSE
• Simple guidance to help you define YOUR 'game' plan, one that fits your organisation, for moving to the cloud.
• 10 simple and practical steps to ensure that you don't overcomplicate the initiative.
4. WHO WE ARE
THE EXPERT
SECURITY ADVISORS
WWW.IACS-LLP.COM
TEN SIMPLE STEPS
01 Scope
02 Why?
03 Why not?
04 Review
05 Assess criticality
06 80/20 principle
07 Threat modelling
08 Define requirements
09 Choose solutions
10 Engage and demand
Next month at CSA Congress EMEA 2015, I'll be explaining how to develop a winning cloud adoption game plan in detail, and the checklist below highlights the key points forming the basis of my presentation.
These ten steps will help you define your adoption strategy, highlight key requirements and make the right decisions about processes and business and technical controls. Read on to discover if your organisation is match-fit for cloud adoption.

01 Scope
Start by determining the scope of the task ahead. Identify the systems and applications you want to migrate to the cloud and the practical implications of doing so. This will form the basis of your strategy and help you focus on priorities.

02 Why?
Ask yourself why you're migrating your chosen application or systems to the cloud and stop to sense-check your decisions. We recommend a maximum of five key objectives.

03 Why not?
List your top five concerns in relation to the objectives you've chosen. It's likely these will be predominantly security-related, but also consider factors such as availability, cost of migration, and additional resource needed.

04 Review
Review steps 1 to 3 and ensure the objectives and concerns you've examined are directly relevant to the project scope. This will help you retain focus on what's critical to your organisation.

Simplified Security for Cloud Adoption - Define your game plan www.iacs-llp.com
05 Assess criticality
Next, assess the criticality of your assets. We recommend implementing a 1 to 3 score based on low, medium or high criticality, then assigning it at an application estate level. This will enable you to categorise assets in batches. For example, a market analysis application estate might include fifteen individual assets, all of which can be covered by assigning them the same level of criticality.

SUMMARY - Don't assess criticality in detail. Understand at a high level the different levels of data within the scope. Take the whole application environment and apply the same criticality to the estate. Save time and money and reduce complexity in design, implementation and operations.

Your game plan for secure cloud adoption.
• Understand your application data
Assess what data resides in your application environment based on Confidentiality, Integrity and Availability ratings. Use a scoring system which will aid this analysis.
• Understand your selected criticality level
Aggregate the ratings (L, M or H) to an overall average rating and ensure that you understand why you have come to the overall rating. Review this to ensure that you are comfortable with it.
• Assign an application-wide criticality
Once you have an overall criticality rating you need to assign the whole application this criticality rating. For example, if the overall rating is high then you will be designing, implementing and operating this application to a high level of security.

06 Apply the 80/20 principle
It's likely that 80% of your risk is generic across your estate and therefore, as all assets have the same criticality, they should be treated similarly. The remaining 20% is specific and bespoke to your cloud migration and requires more time and effort. By segmenting your assets into these two groups and applying a consistent level of security within each group, you can safeguard all of your assets efficiently and cost-effectively.

07 Threat modelling
By identifying the specific threats other organisations in your sector or industry have faced, you can define the right type of countermeasures to protect your organisation. The Cloud Security Alliance, PwC and Verizon all publish reliable, industry-specific research on a regular basis, providing you with a robust starting point for threat modelling. Treat these reports as the starting point they are: the threats that matter are those that apply to the systems and data flows you placed in scope in step 1.
SUMMARY - The 80/20 principle (from BSI IT-Grundschutz) is about accepting that 80% of your risks and/or threats are generic across the company and, in most cases, across industries. The 20% is specific to your organisation and/or application. So instead of spending money performing a detailed risk assessment across your whole environment, implement the generic controls that cover 80% of your risk first.

Your game plan for secure cloud adoption.
• Group your assets by type
Grouping your assets by type (e.g. a Windows server group, a Unix server group, etc.) enables you to review these assets generically, saving time and effort.
• Determine the generic threats that are applicable
Generically determine the threats that your assets may be exposed to. This should be based on a standard threat/risk framework (use BSI IT-Grundschutz / CSA CCM).
• Identify the generic controls that are applicable
Generically identify the controls that must be applied, based on a standard control framework (use BSI IT-Grundschutz / CSA CCM).
SUMMARY - You have identified the generic threats and now need to focus on the assets that you identified as specific. These are the assets that you believe are different, or core, and wish to protect further. Carry out a risk assessment on these assets to ensure that the threats and necessary control measures are appropriate. Doing a small risk assessment instead of a large one again reduces complexity, time and cost.
• Identify the specific assets that need more protection
Identify the assets that you believe are different and not generic. They may be normal assets that you believe are core to your business and need further protection.
• Determine the specific threats through a risk assessment
Carry out a risk assessment to identify the additional threats/risks that you believe these assets may be exposed to. This risk assessment is focused on a smaller scope, reducing the cost, time and complexity of such an assessment.
• Identify the specific controls required
Identify the additional controls that are appropriate from a control framework such as CSA CCM, or a regulatory or industry standard framework.
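As an added illustration of steps 5 to 7 as a single procedure (rate the data by CIA, roll the ratings up to one estate-wide criticality, group assets by type, give every asset the generic controls for its type and criticality, and give only the assets flagged as specific the extra controls from their own small risk assessment), here is example code that is not part of the IACS deck or its presentation. The data sets, asset names, asset types and control labels are invented placeholders, not BSI IT-Grundschutz modules or CSA CCM control IDs, and the `conservative` option (take the maximum rating instead of the deck's average) is an added choice the deck does not describe.

```python
"""Criticality roll-up and 80/20 control planning for one application estate.

Added example, not IACS tooling. Asset names, data sets and control labels are
invented placeholders, not BSI IT-Grundschutz modules or CSA CCM control IDs.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

RATING = {1: "L", 2: "M", 3: "H"}


@dataclass(frozen=True)
class DataSet:
    name: str
    c: int  # confidentiality, 1 (low) .. 3 (high)
    i: int  # integrity
    a: int  # availability


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # asset type used for generic grouping
    specific: bool = False  # core/bespoke: gets its own small risk assessment


def application_criticality(datasets, conservative=False):
    """Roll every CIA score of every data set up to one estate-wide L/M/H.

    The deck aggregates by average. conservative=True (an added option) takes
    the maximum instead, so one highly sensitive data set drives the whole
    estate rather than being averaged away by low-rated data.
    """
    scores = [s for d in datasets for s in (d.c, d.i, d.a)]
    if not scores:
        raise ValueError("no data sets in scope")
    bad = [s for s in scores if s not in RATING]
    if bad:
        raise ValueError(f"ratings must be 1..3, got {bad}")
    # int(x + 0.5) rounds half up; Python's round() would turn 2.5 into 2.
    agg = max(scores) if conservative else int(mean(scores) + 0.5)
    return RATING[agg]


# Generic ("80%") controls per asset type - placeholder labels.
GENERIC_CONTROLS = {
    "windows-server": ["patching", "hardening baseline", "central logging", "EDR"],
    "unix-server": ["patching", "hardening baseline", "central logging", "ssh key management"],
    "database": ["patching", "central logging", "encryption at rest", "access review"],
}

# Extra generic controls applied estate-wide, chosen by the single criticality.
CRITICALITY_EXTRAS = {
    "L": [],
    "M": ["quarterly vulnerability scan"],
    "H": ["monthly vulnerability scan", "MFA for administrative access"],
}


def group_by_type(assets):
    """Step 6: batch assets by type so they can be reviewed generically."""
    groups = defaultdict(list)
    for asset in assets:
        groups[asset.kind].append(asset.name)
    return dict(groups)


def specific_assets(assets):
    """The '20%': assets that get their own, smaller risk assessment."""
    return [asset.name for asset in assets if asset.specific]


def plan_controls(assets, criticality, specific_controls):
    """Map each asset name to its control list.

    Every asset gets the generic set for its type plus the estate-wide extras
    for the chosen criticality; assets flagged specific additionally get the
    controls selected by their own risk assessment.
    """
    plan = {}
    for asset in assets:
        if asset.kind not in GENERIC_CONTROLS:
            raise KeyError(f"no generic control set defined for asset type {asset.kind!r}")
        controls = GENERIC_CONTROLS[asset.kind] + CRITICALITY_EXTRAS[criticality]
        if asset.specific:
            controls = controls + specific_controls.get(asset.name, [])
        plan[asset.name] = controls
    return plan


# Constructed sample: a market-analysis estate (three data sets, four assets).
SAMPLE_DATASETS = [
    DataSet("market feeds", c=1, i=3, a=3),
    DataSet("client positions", c=3, i=3, a=2),
    DataSet("research notes", c=2, i=1, a=1),
]
SAMPLE_ASSETS = [
    Asset("ws-01", "windows-server"),
    Asset("ws-02", "windows-server"),
    Asset("ux-01", "unix-server"),
    Asset("db-01", "database", specific=True),  # holds the client positions
]
SPECIFIC_CONTROLS = {"db-01": ["field-level encryption", "privileged access monitoring"]}

if __name__ == "__main__":
    crit = application_criticality(SAMPLE_DATASETS)
    print("estate criticality (average):", crit)
    print("estate criticality (maximum):", application_criticality(SAMPLE_DATASETS, conservative=True))
    print("asset groups:", group_by_type(SAMPLE_ASSETS))
    print("specific assets for risk assessment:", specific_assets(SAMPLE_ASSETS))
    for name, controls in plan_controls(SAMPLE_ASSETS, crit, SPECIFIC_CONTROLS).items():
        print(f"  {name}: {', '.join(controls)}")
```

Run it as a script to print the roll-up and the per-asset control plan. On the sample data the deck's average gives Medium while the maximum gives High: several Low-rated data sets can pull one highly confidential data set down to Medium. If you keep the average, record why the result is acceptable, which is exactly what the "understand your selected criticality level" bullet asks for.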
08 Define requirements
Define your key security requirements based on the output of the threat modelling you've conducted. Firstly, ensure you can mitigate the 80% of generic security risks, but concentrate time and resources on guarding against the 20% of cloud-specific threats.

09 Choose solutions
Next, match specific controls to your requirements. Not all of these will be technical and you may be able to overcome challenges with existing or new processes. Equally, new hires may be necessary. Before investing in people or technology, ensure these will enable you to deliver the specific benefits identified within the scope of your project.

10 Engage and demand
Now you've got a game plan, you're ready to kick off your cloud migration. Equipped with the knowledge gained over the course of this process, you're prepared to engage cloud service providers and demand the technical and process controls that are right for your organisation.
Learn how to implement these steps effectively by attending my presentation at