
Cloud Cyber Risk Management
Managing cyber risks on the journey to Amazon Web Services (AWS) solutions
Deloitte
Cloud and security are not an “either-or” proposition.

Together, Deloitte and AWS can offer AWS customers services that help them reap the benefits of cloud services and improve their cyber risk posture.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP
and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2017 Deloitte Development LLC. All rights reserved. 2


Contacts to support your AWS cyber risk needs

Aaron Brown
Partner | Deloitte Advisory
Cyber Risk Services
Deloitte & Touche LLP
aaronbrown@deloitte.com

Mark Campbell
Sr. Manager | Deloitte Advisory
Cyber Risk Services
Deloitte & Touche LLP
markcampbell@deloitte.com


Not all security and compliance controls are inherited or “automatic”

Security of the AWS cloud is Amazon’s responsibility.
Security in the AWS cloud is the enterprise’s responsibility.
Managing cyber risk is a shared responsibility.

[Figure: Representative Cloud Security Responsibility Matrix]


A cloud strategy must address cyber risks associated with the customer control responsibilities

As enterprises build new IT services and data in the AWS cloud, customer controls are needed for achieving a compliant & secure integrated cloud platform.

[Figure: two drivers, a strategic initiative for new business services and applications and the decision to adopt the AWS cloud as the core platform for business services and applications, lead to a set of customer controls for the cloud: governance & compliance, monitoring, identity & cloud access controls, protection of customer data, and virtualization]


Cloud integration presents common challenges that need security re-architecture

1. Unmanaged users, bring your own devices (BYOD) and systems
2. Data outside of the perimeter
3. Hybrid cloud architecture is a new attack surface
4. Direct access to cloud applications from public networks
5. Lack of activity visibility outside the traditional perimeter
6. Events outside of the enterprise impact operations
7. Reliance on ungoverned providers

[Figure: the seven challenges placed on a hybrid cloud diagram: the traditional enterprise (applications, databases, infrastructure, on-premise users, enterprise networks and legacy data centers) inside the traditional perimeter; BYOD and remote users, the public Internet, AWS IaaS, AWS PaaS/SaaS, unsanctioned cloud and new cloud services (custom & SaaS) outside it]


Deloitte provides security capabilities needed for managing cyber risks associated with customer controls

1. Identity, access, and contextual awareness
2. Data protection and privacy
3. Virtual infrastructure and platform security
4. Secure all cloud applications
5. Vigilance and monitoring of risks of cloud traffic and integrations with other cloud services
6. Resilience and incident response across the cloud
7. Govern risk and compliance

[Figure: the same hybrid cloud diagram with the seven capabilities placed where they apply: identity and context, cloud data protection, network & infrastructure, DevSecOps, cloud vigilance, cloud resilience, and cloud provider cyber risk governance]


Extend existing security products or augment with new ones?

A critical consideration across all domains is rationalizing whether to leverage existing security products vs. augmenting with new security products for cloud:
• Fit of security product features to security requirements
• Compatibility of security product with hybrid cloud components
• Product costs
• Maturity and scaling of products
• Deployment option analysis (e.g., Amazon Machine Image vs. Application Program Interface vs. proxy)
• Delegation of operational responsibilities for enterprise vs. cloud
• Operational costs (Operate vs. Managed Service)

[Figure: a balance between “Leverage existing security product” and “Augment with new security product”]


What are specific considerations for each cloud security capability?


1. Identity and Access Management (IAM) – Hybrid cloud and the extended enterprise drive complex identity requirements

Key considerations:
1. Employee identity context
2. Integration with enterprise directories
3. Customer and partner identity context
4. Enterprise SSO + strong authentication (MFA)
5. User provisioning, AWS IAM roles, role-based access controls (RBAC)
6. Privileged account management
7. Mobile device app & data management

[Figure: the seven considerations placed on the hybrid cloud diagram: employees and the enterprise directory inside the traditional perimeter; customers and partners, BYOD and BYOA users outside it; Cloud IAM, Identity and Context, and Vigilance functions in front of AWS IaaS/PaaS/SaaS, unsanctioned cloud and new cloud services (custom & SaaS)]
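Consideration 5 above (AWS IAM roles and RBAC) and consideration 6 (privileged account management) come down to what an IAM policy document actually grants. The following is an added example, not Deloitte's or AWS's code: a small least-privilege review of policy JSON that flags wildcard actions, unscoped `Resource: "*"` grants and privilege-sensitive actions granted on every resource. The two policies and the account id are constructed samples, and the list of privilege-sensitive actions is this example's own assumption.

```python
"""Least-privilege review of AWS IAM policy documents.

Added example, not Deloitte's or AWS's code. The policies below are constructed
samples (account id 123456789012 is a placeholder) and the finding rules are
this example's review heuristics, not an AWS API."""
import json

# Actions that can change who holds privileges (illustrative list, an assumption
# of this example; extend it for your own environment).
PRIVILEGE_SENSITIVE = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:CreateAccessKey", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_wildcard(action):
    """'*' or 'service:*' grants every action (in that service)."""
    return action == "*" or action.endswith(":*")


def analyze_policy(policy):
    """Return (statement_index, finding) pairs for Allow statements that are
    broader than least privilege. Deny statements only narrow access."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource allows everything not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        wild = [a for a in actions if _is_wildcard(a)]
        if wild:
            findings.append((idx, f"wildcard action(s) {wild}"))
        if "*" in resources and not has_condition:
            findings.append((idx, "Resource '*' with no Condition to scope it"))
        risky = [a for a in actions if a in PRIVILEGE_SENSITIVE or a == "*"]
        if risky and "*" in resources:
            findings.append((idx, f"privilege-sensitive action(s) {risky} on every resource"))
    return findings


def review(policy_json):
    """Convenience wrapper for a policy held as JSON text."""
    return analyze_policy(json.loads(policy_json))


# Constructed sample 1: the kind of policy a quick "make it work" deployment leaves behind.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    ],
}

# Constructed sample 2: the same intent, scoped to one bucket and one role, with
# PassRole limited to the EC2 service by a Condition.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, analyze_policy(doc))
```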
2. Data protection – It’s ALL about the data

Key considerations:
• Identify data assets in the cloud
• Revisit data classification and implement tagging
• On-premise or in the cloud security tools: discovery, classification, asset management
• Data Loss Prevention (DLP)
• Key Management Service (KMS)
• Hardware Security Module (HSM)
• What remains on-premise vs. in the cloud (keys, encryption, etc.)
• Data residency issues
• Encryption, tokenization, masking

[Figure: hybrid cloud diagram with data governance, data protection & privacy policies spanning the traditional enterprise, BYOD and remote users, AWS IaaS/PaaS/SaaS, unsanctioned cloud and new cloud services; the control layers shown are data security tools, DLP and key management]
Encryption, tokenization, and masking

• What data needs to be encrypted based on classification?
• Secure structured and unstructured data throughout all logical layers within your AWS environment using encryption technologies
• Proper use of encryption minimizes the attack surface and mitigates cyber risks related to exposure or exfiltration of data
• Encrypt data in running applications, at rest, and in transit (including audit logs)

Encryption layers in an AWS environment:
• Application Layer Encryption (encryption of data in applications): Tokenization; Masking; Application Level Encryption (ALE); Field-Level Encryption; Obfuscation; Transparent Data Encryption (TDE)
• Transport Layer Encryption (encryption of data in transit): SSL/TLS/SSH/IPSEC from the Internet through the firewall, with encryption/decryption at the Elastic Load Balancer (ELB), in the web server, and in the application server
• Volume Encryption (EC2 web servers/application servers): EBS Encryption; AWS Marketplace/Partners; OS Tools
• Object Encryption (encryption of data at rest in S3): S3 Server Side Encryption (SSE); S3 SSE with customer provided keys; Client Side Encryption
• Database Encryption: RDS SQL Server (TDE); RDS Oracle (TDE/HSM); RDS MySQL (KMS); RDS PostgreSQL (KMS); Amazon Redshift (KMS); RDS Encryption Instances
3. Network and Infrastructure Security in the Cloud

Key considerations:

Virtual Private Cloud (VPC) and access defense:
• Secure access for enterprise users, customers, and partners
• Securing ingress/egress between AWS, traditional enterprise and other cloud providers

Internal network protection and visibility:
• Segmentation, Micro-segmentation (Subnets, Security Groups, NACLs, etc.)
• Visibility on transmission down to the guest to guest level:
  • AWS Web Application Firewall (WAF)
  • Intrusion Detection and Prevention

Operating system and server protection:
• Operating system integrity, performance, and endpoint protection and visibility
• Host configuration and management
• Vulnerability scanning

Software defined infrastructure:
• Compliance scanning before deployment
• Integrity and version management
• Backup and access controls for continuous integration and deployment (CI/CD) automation components

[Figure: hybrid cloud diagram with the four control layers (VPC and access defense, internal network protection, operating system and server protection, software defined infrastructure) placed in front of AWS IaaS/PaaS/SaaS]
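Segmentation with Security Groups (above) is only as good as the ingress rules they carry, and the most common drift is an administrative or database port opened to 0.0.0.0/0 or ::/0 "temporarily". The following is an added example, not Deloitte's or AWS's code: it walks a structure shaped like the EC2 DescribeSecurityGroups response and reports every rule that exposes a sensitive port, or all traffic, to the whole Internet. The two groups are constructed samples and the sensitive-port list is this example's assumption.

```python
"""Report security group ingress rules open to the Internet on sensitive ports.

Added example, not Deloitte's or AWS's code. The input mimics the shape of the
EC2 DescribeSecurityGroups response; the groups are constructed samples and the
sensitive-port list is this example's assumption."""

# Ports that should never be reachable from any address (assumption of this example).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def open_cidrs(permission):
    """CIDR ranges in one IpPermission that mean 'everyone' (IPv4 or IPv6)."""
    ranges = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return [c for c in ranges if c in (ANY_V4, ANY_V6)]


def exposed_ports(permission):
    """Sensitive ports covered by a tcp/udp rule's FromPort..ToPort range."""
    if permission.get("IpProtocol") not in ("tcp", "udp"):
        return {}
    lo = permission.get("FromPort", 0)
    hi = permission.get("ToPort", 65535)
    return {p: n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi}


def find_exposed_ingress(describe_output):
    """Return (group id, port or None, service, cidr) for each world-open exposure.
    IpProtocol '-1' means all traffic, reported once per open CIDR with port None."""
    findings = []
    for group in describe_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = open_cidrs(perm)
            if not cidrs:
                continue  # peered via UserIdGroupPairs or a specific CIDR: fine here
            if perm.get("IpProtocol") == "-1":
                findings.extend((group["GroupId"], None, "all traffic", c) for c in cidrs)
                continue
            for port, name in sorted(exposed_ports(perm).items()):
                findings.extend((group["GroupId"], port, name, c) for c in cidrs)
    return findings


# Constructed sample: a web tier that is fine on 443 but has SSH open to the world,
# and a database tier correctly peered to the web tier but with an IPv6 allow-all rule.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0example-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0example-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0example-web"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]}

if __name__ == "__main__":
    for gid, port, name, cidr in find_exposed_ingress(SAMPLE_GROUPS):
        print(f"{gid}: {name} ({port if port else 'any port'}) open to {cidr}")
```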
4. DevSecOps expands the responsibilities for application security

Key considerations:
• Adapt DevSecOps with guardrails and compliance validations leveraging AWS Inspector, AWS Config
• Application architecture assessments
• Secure coding, standard application logging, error handling
• Integrate security controls into continuous integration and deployment (CI/CD), AWS Code Deploy and Code Commit
• Protect source code and configurations
• Code scanning (SAST) including automation scripts
• Application testing (DAST)
• Vulnerability management
• Configuration management and change control

[Figure: hybrid cloud diagram with the DevSecOps controls placed around the CI/CD pipeline: security policies, security guardrails, monitoring & vulnerability scanning, and vulnerability management]
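The first consideration above (guardrails and compliance validations in the pipeline) meets the encryption layers of the earlier slide (EBS volume, S3 object, RDS database and transport encryption) at one concrete point: the infrastructure template is the earliest artifact where an unencrypted volume or a plaintext listener can be rejected. The following is an added example, not Deloitte's code and not an AWS Config or Inspector rule: a pre-deployment check over the JSON form of a CloudFormation template (chosen to avoid a YAML dependency) that fails the build for unencrypted storage and HTTP listeners. The template is a constructed sample.

```python
"""Pre-deployment guardrail: reject CloudFormation templates with unencrypted
storage or plaintext load balancer listeners.

Added example, not Deloitte's, AWS Config's or AWS Inspector's code. It reads
the JSON form of a template; the sample template is constructed. The property
names checked (Encrypted, BlockDeviceMappings/Ebs/Encrypted, BucketEncryption,
StorageEncrypted, Protocol) are the documented CloudFormation properties."""
import json


def _ebs_mappings_encrypted(props):
    """Every BlockDeviceMappings entry with an Ebs block must set Encrypted: true."""
    for mapping in props.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is not None and ebs.get("Encrypted") is not True:
            return False
    return True


def check_resource(logical_id, resource):
    """Return (logical id, message) for each guardrail the resource violates."""
    rtype = resource.get("Type", "")
    props = resource.get("Properties", {})
    issues = []
    if rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
        issues.append("EBS volume is not encrypted")
    elif rtype == "AWS::EC2::Instance" and not _ebs_mappings_encrypted(props):
        issues.append("instance block device mapping without Ebs.Encrypted")
    elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
        issues.append("bucket has no default server-side encryption")
    elif rtype == "AWS::RDS::DBInstance" and props.get("StorageEncrypted") is not True:
        issues.append("RDS storage is not encrypted")
    elif rtype == "AWS::ElasticLoadBalancingV2::Listener" and props.get("Protocol") == "HTTP":
        issues.append("load balancer listener accepts plaintext HTTP")
    return [(logical_id, msg) for msg in issues]


def check_template(template):
    """Run every resource through the guardrail; a non-empty result fails the pipeline."""
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        violations.extend(check_resource(logical_id, resource))
    return violations


# Constructed sample template: two compliant resources and four that must be fixed.
SAMPLE_TEMPLATE = json.loads("""{
 "AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {
  "AppData": {"Type": "AWS::EC2::Volume",
              "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": true}},
  "ScratchData": {"Type": "AWS::EC2::Volume",
                  "Properties": {"Size": 50, "AvailabilityZone": "us-east-1a"}},
  "Logs": {"Type": "AWS::S3::Bucket",
           "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
               {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
  "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "Db": {"Type": "AWS::RDS::DBInstance",
         "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.medium",
                        "AllocatedStorage": "20", "StorageEncrypted": false}},
  "PublicListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
                     "Properties": {"Port": 80, "Protocol": "HTTP",
                                    "LoadBalancerArn": {"Ref": "Alb"},
                                    "DefaultActions": []}}
 }
}""")

if __name__ == "__main__":
    for logical_id, msg in check_template(SAMPLE_TEMPLATE):
        print(f"FAIL {logical_id}: {msg}")
```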
5. Vigilance – new visibility and detection requirements outside the traditional perimeter

Key considerations:

Security monitoring capabilities:
• Achieving comprehensive visibility of cloud assets down to the guest-level
• Keeping up with elastic environments with proprietary IaaS and PaaS technology
• Use on-premise Security Information and Event Monitoring (SIEM) or build new one in the cloud?
• Do I have defined use cases?
• Where do my capabilities reside?
• How mature are my operations?

Continuous improvements:
• Do I have documented procedures?
• Do I have a continuous improvement program (DevSecOps)?
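"Do I have defined use cases?" is the question above that most often goes unanswered when an on-premise SIEM is pointed at AWS. The following is an added example, not Deloitte's code: three starter use cases written as rules over CloudTrail records (console sign-in without MFA, CloudTrail being switched off or narrowed, and any use of the root account), run over constructed sample events. The set of trail-tampering API names is this example's assumption.

```python
"""Three starter SIEM detection use cases over AWS CloudTrail events.

Added example, not Deloitte's code. The events are constructed samples in the
shape of CloudTrail records, trimmed to the fields the rules read; the set of
trail-tampering API names is this example's assumption."""
import json

# Management-plane calls that switch off or narrow CloudTrail visibility.
TRAIL_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def console_login_without_mfa(event):
    """Use case 1: successful console sign-in where no MFA factor was used."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")


def cloudtrail_tampering(event):
    """Use case 2: someone turning logging off or changing what is recorded."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPER_CALLS)


def root_account_activity(event):
    """Use case 3: any call made with root credentials (root is for break-glass only)."""
    return event.get("userIdentity", {}).get("type") == "Root"


RULES = (
    ("console_login_without_mfa", console_login_without_mfa),
    ("cloudtrail_tampering", cloudtrail_tampering),
    ("root_account_activity", root_account_activity),
)


def evaluate(events):
    """Return (rule, eventTime, actor, eventName, sourceIPAddress) for each match."""
    alerts = []
    for ev in events:
        identity = ev.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("type")
        for rule_name, rule in RULES:
            if rule(ev):
                alerts.append((rule_name, ev.get("eventTime"), actor,
                               ev.get("eventName"), ev.get("sourceIPAddress")))
    return alerts


# Constructed sample events (not real log data); addresses are documentation ranges.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2017-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.11",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-06-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.12",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "requestParameters": {"name": "management-events"}},
 {"eventTime": "2017-06-01T08:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.13",
  "userIdentity": {"type": "Root"}},
 {"eventTime": "2017-06-01T08:20:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "userName": "dave"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
]""")

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```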


6. Resilience at the next level – take advantage of technology with process and organization

Extend existing incident response programs to AWS. Identify the most relevant incident classes and prepare strategies for the incident containment, eradication and recovery assistance.

IR lifecycle:
• Incident detection, logging and tracking
• Categorization and prioritization
• Initial diagnosis
• Communication, containment and escalation
• Investigation and diagnosis
• Resolution and recovery
• Incident closure

Key focus areas:

Incident detection, logging and tracking
• Perform the analysis for understanding what incident types are possible for AWS cloud integration.

Categorization and prioritization
• Understand and agree on the definition of events of interest vs. security incidents by AWS and what events/incidents the cloud-service provider reports to the organization and in which way.

Initial diagnosis
• The organization must understand the AWS support model for incident analysis, particularly the nature (content and format) of data that AWS will supply for analysis purposes and the level of interaction with the AWS incident response team.
• In particular, it must be evaluated whether the available data for incident analysis satisfies legal requirements on forensic investigations that may be relevant to your organization.
• Understand what AWS has by way of a knowledge base that the IR team can tap into for understanding capabilities with AWS tools. This may be in the form of an FAQ.

Communication, containment, and escalation
• Understand what is necessary to implement containment related to the cloud integration. The organization must carefully analyze the potential containment cases, and negotiate mutually agreeable processes for containment decision and execution.
• Determine and establish proper communication paths (escalation, hand-off, etc.) with AWS that can be consistently followed in the event of an incident.

Investigation and diagnosis
• The organization must evaluate the AWS support model in forensic analysis and incident recovery, such as access/roll-back to snapshots of virtual environments, virtual-machine introspection, etc.

Resolution and recovery
• Post-recovery “Lessons Learned” activities involve sharing detailed incident reports with AWS and related organizations, in addition to your internal IR team.
Evaluate resilience preparedness with AWS through cyber wargames

Cyber wargames involve an interactive technique that immerses potential cyber-incident responders in a simulated cyber scenario to help organizations evaluate their cyber incident response preparedness, leading to deeper, broader lessons learned.

Cyber wargames can drive improvements in cyber resiliency, including:
• Stronger response capabilities aligned toward mitigating the highest impact risks of a cyber incident
• Broader consensus on the appropriate strategies and activities to execute cyber incident response
• Improved understanding of the people, processes, data, and tools needed to respond to a cyber incident
• Better identification of gaps in cyber incident response people, processes, and tools
• Enhanced awareness of the downstream impacts of cyber incident response decisions and actions
• Tighter integration between parties likely to be collectively involved in the response to a cyber incident
• Improved clarity regarding ownership of authority related to certain key cyber incident response decisions
• Reduced time-to-response through the development of cyber incident response “muscle memory”


7. Cloud governance – bring the pieces together and measure success

• Governance & oversight: Define organizational structure, committees, and roles & responsibilities for managing AWS security
• Policies & standards: Update expectations for the management of AWS, including AWS as a responsible party
• Management processes: Enhance processes to manage information security risk, factoring AWS security considerations (e.g., automation and agile)
• Tools & technology: Confirm feasibility of tools and technology that support cloud risk management and integration
• Risk metrics & dashboard: New reports identifying risks and performance across information security domains for AWS; communicated to multiple levels of management

[Figure: hybrid cloud diagram with the seven capability areas (identity and context, cloud data protection, network & infrastructure, DevSecOps, cloud vigilance, cloud resilience, cloud provider cyber risk governance) spanning the traditional enterprise, BYOD and remote users, the public Internet, AWS IaaS/PaaS/SaaS, unsanctioned cloud and new cloud services]


Building a sustainable cloud cyber risk governance program

• Strategy: Understanding the business strategy and growth objectives to align cloud adoption capabilities and priorities. Leveraging business view (top-down) and technology aided (bottom-up) discovery techniques to profile cloud use, including shadow IT, and risk landscape.
• Foundation & discovery: Building a holistic cloud governance and risk management framework for consistency and efficiency.
• Readiness: Assessing cloud risks, capabilities and controls across the enterprise and determining a cloud governance program strategy and roadmap for ongoing program operations, risk assessment, remediation and certification.
• Onboarding: Operationalization of the cloud governance framework across the enterprise through onboarding of business units, products and functions.
• Improvement: Continuous management and improvement of the cloud governance program through assessment, monitoring, tool deployment, extension of program, etc.
The path for enhancing cyber risk management for customer cloud control responsibilities

1. Assess cloud security risk: Baseline security requirements and assess current maturity and capabilities, identify and prioritize gaps and create a roadmap for secure cloud as an integrated part of your cloud strategy.
2. Establish governance and technology: Establish controls & responsibilities specific for the cloud to address governance and technology gaps that will support risk reduction efforts.
3. Design security capabilities: Build a baseline reference security architecture and repeatable design patterns with a prioritized implementation plan.
4. Implement security capabilities: Build, test and deploy a robust security architecture with integrated controls. Deploy and document updated processes.
5. Maintenance and support: Detail a support model, establish a baseline and sustain operation of services.


Considerations when enhancing cloud security capabilities

Factors that need to be prioritized:

1. Security capability development based on risks and gaps
• Derive relative risks from actual cloud application and service gap assessments
• Prioritize applications and services to address first based on risk profile
• Further prioritization of which security domains to focus on first

2. Security architecture dependencies
• Dependencies between security architecture components to enable capabilities
• Enabling visibility and monitoring of security risks in the cloud

3. Strategic investment
• Align security investment with business priorities and investments
• Security architecture with AWS

4. Cost and effort
• Prioritize initiatives based on cost and risk
• Roadmap is a phased approach and dependent on organizational maturity and ability to absorb change


Deloitte cloud cyber risk capabilities
Prioritize objectives to address typical challenges

Challenge: Does the organization know the business objectives for the compliance, security, and operations of the AWS cloud?
Objective: Identify and prioritize cyber risk capabilities needed for the AWS solution. Separate anecdotes from must-have requirements.

Challenge: Are the data assets being put in the AWS Cloud already inventoried and classified?
Objective: Manage cloud data protection and privacy.

Challenge: How can security keep up with DevOps that is already configuring and deploying on AWS?
Objective: Security as a baseline within standardized and repeatable DevOps.

Challenge: How should the various cloud services integrate with the existing enterprise security architecture?
Objective: Align cloud environment with existing enterprise security architecture and control requirements to drive value.

Challenge: Is the security design aligned with the business delivery model and AWS cloud architecture?
Objective: Agile and modular security architecture with repeatable practices.

Challenge: What enhanced policies, processes, security capabilities are needed for compliance?
Objective: Introduce secure operations changes to achieve compliance.

Challenge: How does the organization keep up with compliance maintenance?
Objective: Develop benchmarking criteria for measuring operational efficiency and maturity development.

[Figure: the objectives converge on a compliant & secure AWS cloud]


Proactively managing cloud cyber risk and developing an adaptive strategy

Challenges and opportunities
 What is the organization’s current exposure to cloud cyber risks?
 Determine current cloud cyber risk profile based on present inherent risk and identify prioritized risk-based cloud strategy
 Are cyber risk investments/processes really working for cloud services?
  Real world testing to confirm the effectiveness of security controls across cyber risk domains
 There has been an increase in the number of attacks such as phishing/hack/other security incidents targeted against the company:
  Understand what the adversary sees and how the adversary approaches exploiting your company’s risks
 We need a “Cloud Security Assessment” for compliance readiness

Results
 Deloitte is a leading provider of cyber risk management solutions
 Organization with the breadth, depth and insight to help complex organizations become secure, vigilant, and resilient.
 Access to 11,000 risk management and security professionals globally across the Deloitte Touche Tohmatsu Limited (DTTL) network of member firms.

Our selected key solutions

Cloud risk assessment
 Identify cloud cyber risks and provide specific recommendations to remediate the risks
 Define prioritized strategic cloud cyber risk roadmap

Cloud platform assessment
 Determine ability to identify / track cyber security risks for platforms
 Identify gaps and prioritize recommendations to improve platforms’ security posture and cyber defense controls

Cyber risk strategy implementation
 Establish overall cyber risk strategy
 Confirm existing capability gap/fit for cyber risk requirements
 Develop core cyber risk conceptual designs
 Develop integration plans covering technical specifications for priority cloud technology
 Establish project team
 Assign integration roles and responsibilities
 Scope and plan additional cyber risk capability improvements
 Provide ongoing implementation support

CASB implementation
 Continuous visibility to cloud usage and risk exposure
 Manage risk and compliance
 Protect data and privacy
 Monitor security activity and threats

Cyber wargames
 Improve cyber response plan by exposing missing roles, data, and controls
 Build consensus and shared vision through practice in a safe environment
 Increase probability of success if/when faced with a similar event

Secure Software Enablement (SSE)
 Integrated, managed service solution to enable the design, construction, and deployment of secure applications and systems
 Address security risks within applications, continuously monitor, remediate application security risks and defects

Threat intelligence and analytics
 Provide specific threat insights through ongoing research, custom threat reports, technical indicators, and monthly executive briefings


Conduct cloud assessment to identify and prioritize risks

Identify customer control risks and provide specific recommendations to remediate the risks:
• What is the actual cloud service inventory/use?
• Do the organization’s existing controls meet industry and organization standards?
• What is the inherent risk for the organization’s use of the cloud?
• What are the recommendations to manage risks and align to the goals of the business?

[Figure: hybrid cloud diagram with the seven capability areas (identity and context, cloud data protection, network & infrastructure, DevSecOps, cloud vigilance, cloud resilience, cloud provider cyber risk governance) spanning the traditional enterprise, BYOD and remote users, the public Internet, AWS IaaS/PaaS/SaaS, unsanctioned cloud and new cloud services]
Cloud Access Security Broker (CASB) implementations
Continuous visibility to the hybrid cloud usage and risk exposure

Definition
A new class of security products (tools and services) that reside between the enterprise and a cloud provider and act as an extension to enterprise controls across risk management, data privacy and protection, and monitoring for cloud-based services.

Common problems
• Shadow IT
• Ability to manage and measure risk in the extended enterprise
• Lack of consistent data protection and privacy across cloud providers
• Inadequate visibility in cloud activity

Typical capabilities
• Understand cloud usage and risk exposure
• Manage risk and compliance
• Protect data and privacy
• Monitor security activity and threats

Technology companies in the space (who are the players): 30+ CASB providers


Deloitte’s approach to designing and delivering cyber wargames

Effective cyber wargames require precise planning, structured execution, and comprehensive post-exercise analysis. Through experience delivering hundreds of wargames, Deloitte has developed a seven-step approach and toolkit to support the consistent delivery of effective cyber wargames.

Input: business priorities & concerns
• Stage 1 – Define and Design: Step 1 Define objectives; Step 2 Design scenario
• Stage 2 – Coordinate: Step 3 Coordinate logistics
• Stage 3 – Develop and Refine: Step 4 Develop materials; Step 5 Conduct dry-run
• Stage 4 – Execute and Evaluate: Step 6 Deliver wargame; Step 7 Develop report
Output: prioritized improvement opportunities

Deloitte’s Cyber Wargaming Toolkit
• Methodology: A wargame design and engagement execution methodology informed by military practices, educational research, and Deloitte’s experience from prior engagements
• Scenario and Inject Inventories: An inventory of scenarios, ranging from basic to complex; and an inventory of injects including SOC alerts, news articles, social media feeds, news clips, etc.
• Delivery Tools: Customized tools to enable realistic exercises – including a secure player communications platform, electronic player status placards, and a participant polling system
• Engagement Artifacts: A library of sample artifacts and templates – including activity checklists, design workbooks, facilitator guides, etc.
• Training Material: Materials to train cyber wargame facilitators, players, and observers on how to participate effectively in a cyber wargame
• Production Team: An experienced roster of printers, video producers, etc., to support efficient, secure, and quality production of wargame materials


Appendix
Why Deloitte

Providing value at the intersection of risk, regulation and technology

• We have a dedicated cloud cyber risk practice and alliances with leading cloud security vendors
• We use a case-driven innovation environment built on emerging platforms and technologies designed to help clients address cloud cyber risk
• We assisted in developing the National Institute of Standards and Technology (NIST) cyber security framework
• We are currently assisting in the development of Cloud Security Application Program Interface Standards in the Cloud Security Alliance (CSA) working group
• We bring deep understanding of the client-side role in the collaborative relationship between client and cloud vendor, through security program engagements for some of the largest cloud providers
• Our services are built on leading cloud security technologies, leveraging pre-built integrations to shorten time-to-value
• Our Secure.Vigilant.Resilient.™ Cyber Risk Management Framework helps clients manage their information risks and provides a structure for governance and organizational enablers
• Our rich experience across a range of industry sectors guides focus on the regulations, standards, and cyber threats that are most likely to impact your business
• We are recognized by major analyst firms as a global leader in security

Depth and breadth of experience
• Approximately 2,000 cyber risk professionals in the US
• Part of a global network of 11,000 risk management and cyber risk professionals across the DTTL network of member firms


Our cloud accelerators
Deloitte leverages demonstrated proven methodologies and standard accelerators to
streamline engagement activities
Deloitte Secure.Vigilant.Resilient.TM Framework Deloitte Cloud Controls Framework
Deloitte has IT assessment data Gathering templates, which can Deloitte has an Integrated Cloud Controls Framework
be customized for an enterprise’s needs to evaluate current risk. with mappings to industry control sets and common
Deloitte can analyze the risk gap and make prioritized controls,. It is an accelerator and can be customized for
recommendations through pre-developed models.
an enterprise’s specific controls environment.
Deloitte Cloud Risk Management Framework Deloitte Integrated Cloud Controls Framework
Integrated Controls Framework

Framework Mapping

NIST 800-53 (MOD


ISO/IEC 27001:20

FedRAMP (MOD)
CSA CCM 3.0.1
Control
Domain Sub Domain Control ID Risk Domain Control Requirements Control Owner

SOC 2
Activity Name

Control catalog excerpt (flattened in the source; each control is listed here with its description, owner, and mappings to ISO 27001 Annex A, CSA CCM, NIST SP 800-53 and SOC 2 criteria, followed by a second NIST SP 800-53-based mapping whose column header is not in this extract)

C001: Access Control / User access management / User access request and removal (Security)
  Requests for new access, or modifications to existing access, are submitted and approved prior to provisioning employee, contractor, and service provider access to specific applications or information resources. When users no longer require access or upon termination the user access privileges of these users are
  Owner: Information Security Office, Human Resources
  ISO 27001: A.9.2.1, A.9.2.2 | CSA CCM: IAM-02, IAM-09, IAM-11 | NIST SP 800-53: AC-2, AC-2(1), AC-2(2), AC-2(3) | SOC 2: C1.2, CC5.2, CC5.4 | Second 800-53 mapping: AC-2, AC-2(1), AC-2(2), AC-2(3)

C002: Access Control / User access management / User account management (Security)
  Automated procedures are in place to disable accounts upon the user's leave date and modify access during internal transfers.
  Owner: Information Security Office
  ISO 27001: A.9.2.1, A.9.2.2 | CSA CCM: IAM-02, IAM-11 | NIST SP 800-53: AC-2, AC-2(1), AC-2(2), AC-2(3), PS-5 | SOC 2: C1.2, CC5.2, CC5.4 | Second 800-53 mapping: AC-2, AC-2(1), AC-2(10), AC-2(2), AC-2(3), PS-5

C003: Access Control / User access management / User account management (Security)
  Domain-level user accounts are disabled after 90 days of inactivity.
  Owner: Information Security Office
  ISO 27001: A.9.2.1, A.9.2.2 | CSA CCM: IAM-02, IAM-11 | NIST SP 800-53: AC-2, AC-2(1), AC-2(3) | SOC 2: C1.2, CC5.2 | Second 800-53 mapping: AC-2, AC-2(1), AC-2(3)

C004: Access Control / User access management / User account management (Security)
  New access requests for CompanyX-managed network devices and domain-level accounts require approval by an FTE manager within the user's reporting hierarchy.
  Owner: Information Security Office
  ISO 27001: A.9.2.1, A.9.2.2 | CSA CCM: IAM-02, IAM-04, IAM-09 | NIST SP 800-53: AC-2, AC-2(1), AC-2(3) | SOC 2: C1.2, CC5.2 | Second 800-53 mapping: AC-2, AC-2(1), AC-2(3)

C005: Access Control / User access management / Group memberships (Security)
  Modification of domain-level security group membership requires approval by the security group owner(s).
  Owner: Information Security Office
  ISO 27001: A.9.2.1, A.9.2.2 | CSA CCM: IAM-02, IAM-09 | NIST SP 800-53: AC-2 | SOC 2: CC5.4 | Second 800-53 mapping: AC-2

C006: Access Control / User access management / Temporary / emergency access (Security, Continuity)
  Procedures have been established for granting temporary or emergency access to CompanyX personnel upon appropriate approval for customer support or incident handling purposes.
  Owner: Information Security Office
  ISO 27001: A.9.2.1, A.9.2.2 | CSA CCM: IAM-04, IAM-09 | NIST SP 800-53: AC-2 | SOC 2: CC5.2, CC5.3 | Second 800-53 mapping: AC-2
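Control C003 above is stated for domain accounts; in an AWS account the equivalent evidence is the IAM credential report. The following is an added example, not code from the Deloitte deck, that evaluates the 90-day inactivity rule over a constructed credential-report extract (the column names are those of the real report; the user rows and the reference date are made up).

```python
"""Added example (not from the Deloitte deck): check control C003, accounts
disabled after 90 days of inactivity, against an AWS IAM credential report
(the CSV `aws iam get-credential-report` returns). The rows below are
constructed sample data, trimmed to the columns the check needs."""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)  # threshold stated in control C003
NO_VALUE = ("N/A", "no_information", "not_supported", "")
SAMPLE_NOW = datetime(2017, 7, 1, tzinfo=timezone.utc)  # constructed "today"

SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,2016-03-01T00:00:00+00:00,true,2017-06-01T09:12:00+00:00,true,2017-06-02T11:00:00+00:00,false,N/A
bob,2016-03-01T00:00:00+00:00,true,2017-01-10T00:00:00+00:00,false,N/A,false,N/A
carol,2017-01-02T00:00:00+00:00,false,no_information,true,N/A,false,N/A
dave,2016-03-01T00:00:00+00:00,false,N/A,false,N/A,false,N/A
erin,2017-06-20T00:00:00+00:00,false,N/A,true,N/A,false,N/A
"""

def _ts(value):
    """ISO-8601 report field -> aware datetime, or None for the N/A markers."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)

def find_inactive_users(report_csv, now):
    """Return [(user, days_idle)] for users holding an enabled password or
    access key that has not been used within INACTIVITY_LIMIT."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        last_used = []  # one entry per enabled credential
        if row["password_enabled"] == "true":
            last_used.append(_ts(row["password_last_used"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last_used.append(_ts(row[f"access_key_{n}_last_used_date"]))
        if not last_used:
            continue  # nothing enabled: C003 is already satisfied
        # A credential that was never used counts as idle since the account
        # was created, so a freshly created user is not flagged.
        created = _ts(row["user_creation_time"])
        latest = max(created if t is None else t for t in last_used)
        idle = now - latest
        if idle > INACTIVITY_LIMIT:
            findings.append((row["user"], idle.days))
    return findings

if __name__ == "__main__":
    for user, days in find_inactive_users(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: no credential use for {days} days; disable per C003")
```

Run against the live report, the same function gives the list of IAM users whose credentials should be deactivated (or whose exception should be documented) to stay within C003.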

Cloud Security Strategy
Deloitte has experience in building cloud security strategy and roadmaps that can be leveraged to identify business drivers and requirements for cloud cyber risk management.
Supporting assets: Deloitte Cloud Security Strategy Methodology; Transformation Roadmaps

Cloud Security Architecture
Deloitte has a repository of Cloud Security Architecture Guiding Principles and a Controls Framework, which can be leveraged to build cloud security blueprints for the future cloud cyber risk program.
Supporting assets: Deloitte Cloud Security Architecture Criteria; Deloitte Cloud Integrated Controls Framework

Cloud candidacy matrix (reconstructed from the slide figure). Applications are plotted on two axes: whether they meet business requirements for cloud and whether they meet cloud technical requirements.

Can Do (meets business requirements; meets cloud technical requirements)
Business
 Low application criticality
 Low number of internal users with low latency needs
 Low to moderate service level requirements
 No confidential data, or data is easily masked
 Minimal interdependencies to other apps / data
Technical
 Currently virtualized or is a strong virtualization candidate; uses cloud vendor supported OS
 Uses commodity hardware (e.g. x86 servers)
 Low bandwidth and low / moderate infrastructure requirements
 Standalone environments and software stack
 Does not depend on specialized appliances

Can Do (Later) (meets business requirements; does not meet cloud technical requirements)
Business
 Low or moderate application criticality
 Internal users with low latency needs
 Moderate service level requirements
 Confidential data can be masked
 Some interdependencies on other apps / data
Technical
 Good virtualized candidate; uses cloud vendor supported OS
 Uses commodity hardware (e.g. x86 servers)
 Moderate bandwidth and infrastructure requirements
 Shares environments or software stacks
 Does not depend on specialized appliances

Should Not Do (does not meet business requirements; meets cloud technical requirements)
Business
 Mission critical application
 Large number of external users with low latency expectations
 High service level requirements, contains confidential data not easily masked
 Complex interdependencies to other apps / data
Technical
 Currently virtualized or is a strong virtualization candidate; uses cloud vendor supported OS
 Uses commodity hardware (e.g. x86 servers)
 Low bandwidth and low / moderate infrastructure requirements
 Standalone environments and software stack
 Does not depend on specialized appliances

Cannot Do (does not meet business requirements; does not meet cloud technical requirements)
Business
 Mission critical application
 Large number of external users with high latency requirements
 High service level requirements, contains confidential data not easily masked
 Complex interdependencies to other apps / data
Technical
 Not suited for virtualization; uses OS unsupported by cloud vendors
 Uses custom hardware (e.g. vendor hardware or highly customized grid)
 High bandwidth and infrastructure requirements
 Shared environments and software stack
 Depends on specialized appliance

Cloud Architecture Guiding Principles

Minimize Architectural Complexity
 Minimize the number of dependencies on other applications, components, databases, or middleware
 Avoid sharing software stacks (e.g. databases, middleware) with other components
 Loosely couple components where possible to allow future portability of individual components to cloud

Build Massively Parallel
 Employ parallelization in execution and data storage as a fundamental design (e.g., utilize computational grids and data grids in your design)
 Design for full scalability, and allow for management capabilities that will automatically horizontally scale your application, bringing up and shutting down instances on demand as needed

Optimize Component Communications
 Structure inter-application component communications to be as efficient as possible; unnecessary chatter introduces latency in communications and performance
 Consider using asynchronous communications (messaging) where applicable

Avoid Specialized Infrastructure
 Avoid dependencies on special purpose proprietary appliances, devices, license dongles tied to hardware, etc.
 If absolutely required, loosely couple that portion of the application to allow non-associated components to move to cloud

Keep Cloud Capabilities in Mind
 Understand the service capabilities and limitations of cloud vendors and factor those into your design to allow for an easier future migration to cloud
 Keep an eye out for 'cloud middleware': services that allow you to use cloud offerings across vendors without being tied to any specific API



Cloud Risk Framework and Cloud Governance
Deloitte's cloud risk framework and services incorporate key security areas and are built on industry-leading practices and regulatory expectations. They allow an organization to take stock of its current capabilities to manage cloud risk.

Inputs
Industry standards
 ISO1 27001/2
 NIST2 cybersecurity framework
 Global privacy and data protection laws
 ITIL3 Operating Model
Leading practices
 Recognized information security leader
 Project / engagement experience
 Published industry research
Threat Landscape
 Who might attack?
 What are they after?
 What tactics will they use?

Deloitte's Cloud Risk Framework (reconstructed from the slide figure)

Business Objectives: Growth / Innovation; Operational Efficiency; Brand Protection; Risk-based Decision Making; Compliance

Core Cloud Governance Program Components
 Governance & Oversight: the organizational structure, committees, and roles & responsibilities for information security risk management and oversight
 Policies & Standards: expectations for the management of information security across cyber risk domains
 Management Processes: processes to manage risks in information security and integration across information security management
 Tools & Technology: tools and technology that support risk management across security domains
 Risk Metrics & Dashboard: reports identifying risks and performance information, communicated to multiple levels of management

Cyber Risk Domains (labelled in the figure as Governance Program Capabilities and Governance Program Integration & Advisory Areas)
Secure
 1. Risk & Compliance Management
 2. Identity & Access Management
 3. Data Protection & Management
 4. Infrastructure Security
 5. App Security & Secure SDLC
 6. Asset Management
 7. Third-Party Risk Management
 8. Cloud Services
Vigilant
 9. Vulnerability Management
 10. Threat Intelligence
 11. Security and Threat Monitoring
 12. Cybersecurity Operations
 13. Predictive Cyber Analytics
 14. Insider Threat Monitoring
Resilient
 15. Crisis Management
 16. Resiliency & Recovery
 17. Cyber Simulations
 18. Incident Response & Forensics

1 International Organization for Standardization
2 National Institute for Standards and Technology
3 Formerly known as the Information Technology Infrastructure Library



Deep Dive – Deloitte Cloud Risk Framework
Components & Capabilities
Deloitte's cloud risk framework is organized by key capability areas that cover leading practices that are prevalent in many organizations. These capability areas are derived based on our experience serving clients, industry leading practices and applicable regulatory requirements.

Secure

Risk and Compliance
• Policies and standards
• Risk Management Framework
• Risk Assessment and Mitigation
• Regulatory exam management
• Compliance testing
• Issue management and remediation
• Risk and compliance reporting

Identity and Access Management
• Identity repositories
• Provisioning and de-provisioning
• Authentication and authorization
• Role based access control
• Segregation of duties
• Access re-certification and reporting
• Federation and SSO
• Privileged user management

Data Protection
• Data classification and inventory
• Data encryption and obfuscation
• Data loss prevention
• Data retention and destruction
• Records management
• Developer access to production

Third-Party Risk
• Security during selection onboarding
• Security during contracting
• Third-party monitoring and SLA's
• Termination and removal of assets

Asset Management
• Asset Inventory
• Asset Classification and Labeling
• Asset Monitoring and Reporting

Application Security & SDLC
• Secure development lifecycle
• Security during change management
• Emergency change control
• Security configuration management
• ERP Application controls
• Risk based authentication
• Anti-fraud controls
• Database security model
• Functional ID management
• Application security monitoring
• White labeling

Infrastructure Security
• Malware protection
• Network and wireless security
• Network / application firewall (and recertification)
• Network admission control
• Intrusion Detection / Prevention Systems (host and network)
• E-mail security
• Key and Certificate Management
• Web Proxy
• Remote access
• Endpoint protection
• Secure file transfer and storage
• Device to device authentication
• Patch management

Cloud Services
• Integration with the Enterprise
• Access Controls
• Segmentation
• Monitoring
• Tenant Management
• Service Level Agreements
• Regional Availability

Vigilant

Vulnerability Management
• Vulnerability management framework
• Vulnerability scans (external and internal)
• Vulnerability scoring
• Vulnerability remediation

Threat Intelligence
• Penetration testing
• Threat intelligence and modeling (external and internal)
• Cyber profile monitoring (including internet presence, typo squatting, social media, etc.)

Security & Threat Monitoring
• Security Information and Event Management
• Threat feeds and honey pots
• Brand monitoring
• Insider threat monitoring
• DDOS monitoring

Cyber Operations
• Security Operations Center (SOC)
• Logging and monitoring
• Log correlation
• System, network and application monitoring
• User activity monitoring
• Privileged user monitoring

Cyber Analytics
• User, account, entity, host and network data gathering
• Content / use case development
• Events and incidents aggregation
• Fraud / AML / Operational Loss
• Source / cause

Resilient

Crisis Management
• Crisis response (including readiness, forensics, notification, etc.)
• Cyber insurance
• Case management
• Threat Intelligence and Analytics

Resilience & Recovery
• Business Continuity and Disaster Recovery Planning
• Continuity Testing and Exercising
• IT Backups and Media Handling
• Service Continuity and Availability Management
• Capacity Management

Incident Response and Forensics
• Incident management framework
• Incident reporting
• Incident response procedures
• Incident triage
• Incident reporting and monitoring
• Forensics

Cyber Simulations
• Simulation plans and schedule
• Table top exercises
• Full scale simulation
• Post exercise analysis and improvement



Product names mentioned in this document are the trademarks or registered trademarks of their respective owners and are mentioned for identification purposes only.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or
other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action
that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
