Managing cyber risks on the journey to Amazon Web Services (AWS) solutions
Deloitte
Cloud and security are not an "either-or" proposition.
As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
[Figure: the hybrid-cloud landscape. Inside the traditional perimeter sit on-premise users, enterprise networks and legacy data centers, and the traditional enterprise estate (users, directories, applications, databases, infrastructure). Outside it sit AWS cloud infrastructure, strategic business applications, new initiatives for business services and applications, and reliance on ungoverned providers. Control areas called out in the figure: Governance & compliance; Virtualization monitoring; Identity & cloud access; Cloud data protection; Adopt AWS cloud controls; Protect customer data; Product costs.]
Database Encryption

[Figure: encryption at rest by service. S3 encryption; RDS instances running SQL Server (TDE), Oracle (TDE/HSM), MySQL and PostgreSQL (KMS); Amazon Redshift (KMS).]
Copyright © 2017 Deloitte Development LLC. All rights reserved.
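A check to go with the figure, added here as an example and not code from the deck: an encryption-at-rest audit that reads the shapes returned by boto3's rds.describe_db_instances(), redshift.describe_clusters() and, per bucket, s3.get_bucket_encryption(), and reports what is unencrypted or encrypted with a key outside an approved customer-managed-key (CMK) list. The sample resources, bucket names and key ARNs are constructed; the policy that S3 default encryption must be SSE-KMS rather than SSE-S3 is an assumption. For SQL Server and Oracle on RDS, TDE is configured through the option group, which describe_db_instances() does not expose, so that part of the figure needs a separate describe_option_groups() check.

```python
"""Encryption-at-rest audit across RDS, Redshift and S3.

Added example, not from the Deloitte deck. Inputs mirror the boto3 responses
rds.describe_db_instances()["DBInstances"], redshift.describe_clusters()["Clusters"]
and, per bucket, s3.get_bucket_encryption() (None where that call raises
ServerSideEncryptionConfigurationNotFoundError). All sample data is constructed.
"""
from typing import Dict, Iterable, List, Optional


def _finding(kind: str, name: str, issue: str, severity: str) -> dict:
    return {"type": kind, "resource": name, "issue": issue, "severity": severity}


def audit_rds(instances: Iterable[dict], cmk_ids: Optional[set] = None) -> List[dict]:
    """StorageEncrypted covers instance storage for every engine. TDE for SQL Server
    and Oracle lives in the option group and is not visible here."""
    out = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):
            out.append(_finding("rds", name, "storage not encrypted", "high"))
        elif cmk_ids is not None and db.get("KmsKeyId") not in cmk_ids:
            out.append(_finding("rds", name, "key is not an approved customer-managed key", "medium"))
    return out


def audit_redshift(clusters: Iterable[dict], cmk_ids: Optional[set] = None) -> List[dict]:
    out = []
    for c in clusters:
        name = c["ClusterIdentifier"]
        if not c.get("Encrypted"):
            out.append(_finding("redshift", name, "cluster not encrypted", "high"))
        elif cmk_ids is not None and c.get("KmsKeyId") not in cmk_ids:
            out.append(_finding("redshift", name, "key is not an approved customer-managed key", "medium"))
    return out


def audit_s3(buckets: Dict[str, Optional[dict]], cmk_ids: Optional[set] = None) -> List[dict]:
    """Assumed policy: default encryption must be SSE-KMS; SSE-S3 (AES256) is flagged.
    SSE-KMS without KMSMasterKeyID means the AWS-managed aws/s3 key, so it fails a CMK policy."""
    out = []
    for name, cfg in buckets.items():
        if cfg is None:
            out.append(_finding("s3", name, "no default encryption configured", "high"))
            continue
        rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
        algo = default.get("SSEAlgorithm")
        if algo != "aws:kms":
            out.append(_finding("s3", name, f"default encryption is {algo or 'unset'}, not SSE-KMS", "medium"))
        elif cmk_ids is not None and default.get("KMSMasterKeyID") not in cmk_ids:
            out.append(_finding("s3", name, "key is not an approved customer-managed key", "medium"))
    return out


def audit_all(instances, clusters, buckets, cmk_ids=None) -> List[dict]:
    return audit_rds(instances, cmk_ids) + audit_redshift(clusters, cmk_ids) + audit_s3(buckets, cmk_ids)


# Constructed sample inventory (fictitious account, key IDs and names).
CMK = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
AWS_MANAGED = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APPROVED_CMKS = {CMK}
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql", "StorageEncrypted": True, "KmsKeyId": CMK},
    {"DBInstanceIdentifier": "reports-pg", "Engine": "postgres", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "crm-mssql", "Engine": "sqlserver-ee", "StorageEncrypted": True, "KmsKeyId": AWS_MANAGED},
]
SAMPLE_REDSHIFT = [
    {"ClusterIdentifier": "dw-prod", "Encrypted": False},
    {"ClusterIdentifier": "dw-dev", "Encrypted": True, "KmsKeyId": CMK},
]
SAMPLE_S3 = {
    "app-logs": None,
    "customer-data": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK}}]}},
    "static-assets": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_RDS, SAMPLE_REDSHIFT, SAMPLE_S3, APPROVED_CMKS):
        print(f"[{f['severity']}] {f['type']}:{f['resource']}: {f['issue']}")
```

Against a live account, feed the functions the boto3 responses directly; when `cmk_ids` is omitted only missing encryption is reported, which is the right first pass before a CMK policy exists.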
3. Network and Infrastructure Security in the Cloud

Key considerations:

Virtual Private Cloud (VPC) and access defense:
• Secure access for enterprise users, customers, and partners
• Securing ingress/egress between AWS, traditional enterprise and other cloud providers

Internal network protection and visibility:
• Adapt DevSecOps with guardrails and compliance validations leveraging AWS Inspector, AWS Config
• Application architecture assessments
• Secure coding, standard application logging, error handling
• Vulnerability management

Continuous improvements:
• Do I have documented procedures?
• Do I have a continuous improvement program (DevSecOps)?

[Figure: apps, services and data in a hybrid cloud. AWS IaaS and PaaS/SaaS, new cloud services (custom & SaaS), unsanctioned cloud and cloud infrastructure on one side; BYOD and remote users, on-premise users, enterprise networks and legacy data centers, and the traditional enterprise estate (applications, databases, infrastructure) behind the traditional perimeter on the other. Control layers called out: Monitoring & vulnerability scanning; Identity and context security; Cloud data protection.]
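One concrete guardrail of the kind the bullets above call for, added here as an example rather than code from the deck: it takes the list that boto3's ec2.describe_security_groups() returns and flags ingress rules that expose administrative or database ports to 0.0.0.0/0 or ::/0, which is the same class of check the AWS Config managed rule restricted-ssh performs for port 22. SAMPLE_GROUPS is constructed data, and SENSITIVE_PORTS and WORLD_CIDRS are assumed policy values.

```python
"""Guardrail: flag security-group ingress rules that expose sensitive ports to the Internet.

Added example (not from the Deloitte deck). Input is the list returned by
boto3's ec2.describe_security_groups()["SecurityGroups"]; SAMPLE_GROUPS is
constructed, and SENSITIVE_PORTS / WORLD_CIDRS are policy assumptions.
"""
from typing import Dict, List, Set

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Ports that must never be reachable from any address (assumed policy; adjust to taste).
SENSITIVE_PORTS: Dict[int, str] = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 1521: "oracle",
    3306: "mysql", 5432: "postgres", 5439: "redshift", 6379: "redis",
}

# The API may report protocols by IANA number instead of name.
_PROTO_ALIASES = {"6": "tcp", "17": "udp"}


def _world_sources(rule: dict) -> List[str]:
    """World-open CIDRs referenced by one ingress rule (IPv4 and IPv6)."""
    v4 = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in WORLD_CIDRS]


def _covered_sensitive_ports(rule: dict) -> Set[int]:
    """Sensitive ports that fall inside this rule's protocol/port span."""
    raw = rule.get("IpProtocol")
    proto = _PROTO_ALIASES.get(str(raw), raw)
    if proto == "-1":                        # all protocols, all ports
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()                         # ICMP and friends carry no ports
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:             # no bounds recorded: treat as wide open
        return set(SENSITIVE_PORTS)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_exposed(security_groups: List[dict]) -> List[dict]:
    """One finding per (group, sensitive port, world CIDR) combination."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = _world_sources(rule)
            if not cidrs:
                continue
            for port in sorted(_covered_sensitive_ports(rule)):
                for cidr in cidrs:
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg.get("GroupName", ""),
                        "port": port,
                        "service": SENSITIVE_PORTS[port],
                        "cidr": cidr,
                    })
    return findings


def is_compliant(security_groups: List[dict]) -> bool:
    return not find_exposed(security_groups)


# Constructed sample in the describe_security_groups() shape (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0d4", "GroupName": "app-range", "IpPermissions": [
        {"IpProtocol": "6", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for f in find_exposed(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['service']}/{f['port']} open to {f['cidr']}")
```

Against a live account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `find_exposed()`. Two deliberate choices: protocol "-1" rules and rules without port bounds count as covering every port, and a wide port range (sg-0d4 above) is reported for each sensitive port it happens to include. The check says nothing about whether a group is attached to anything, so rank findings against describe_network_interfaces() before raising tickets.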
Cloud governance program phases:

Strategy: Understanding the business strategy and growth objectives to align cloud adoption capabilities and priorities.

Foundation & discovery: Building a holistic cloud governance and risk management framework for consistency and efficiency. Leveraging business view (top-down) and technology aided (bottom-up) discovery techniques to profile cloud use, including shadow IT, and the risk landscape.

Readiness: Assessing cloud risks, capabilities and controls across the enterprise and determining a cloud governance program strategy and roadmap for ongoing program operations, risk assessment, remediation and certification.

Onboarding: Operationalization of the cloud management and governance framework across the enterprise through onboarding of business units, products and functions.

Improvement: Continuous improvement of the cloud governance program through assessment, monitoring, tool deployment, extension of the program, etc.
The path for enhancing cyber risk management for customer cloud control responsibilities

1. Assess cloud security risk: Baseline security requirements and assess current maturity and capabilities, identify and prioritize gaps and create a roadmap for secure cloud as an integrated part of your cloud strategy.
2. Establish governance and technology: Establish controls and responsibilities specific to the cloud to address governance and technology gaps that will support risk reduction efforts.
3. Design security capabilities: Build a baseline reference security architecture and repeatable design patterns with a prioritized implementation plan.
4. Implement security capabilities: Build, test and deploy a robust security architecture with integrated controls. Deploy and document updated processes.
5. Maintenance and support: Detail a support model, establish a baseline and sustain operation of services.

Considerations along the path:
• Security architecture dependencies: dependencies between security architecture components to enable capabilities
• Cost and effort: prioritize initiatives based on cost and risk
• The roadmap is a phased approach and is dependent on organizational maturity and ability to absorb change
• Enabling visibility and monitoring of security risks in the cloud
• How does the organization keep up with compliance maintenance? Develop benchmarking criteria for measuring operational efficiency and maturity development
• An organization with the breadth, depth and insight to help complex organizations become secure, vigilant, and resilient.
• Access to 11,000 risk management and security professionals globally across the Deloitte Touche Tohmatsu Limited (DTTL) network of member firms.
• Secure Software Enablement (SSE): an integrated, managed service solution to enable the design, construction, and deployment of secure applications and systems; address security risks within applications, continuously monitor, and remediate application security risks and defects.
• Threat intelligence and analytics: provide specific threat insights through ongoing research, custom threat reports, technical indicators, and monthly executive briefings.
Identify customer control risks and provide specific recommendations to remediate the risks:
• What is the actual cloud service inventory/use?
• Do the organization's existing controls meet industry and organization standards?
• What is the inherent risk for the organization's use of the cloud?
• What are the recommendations to manage risks and align to the goals of the business?

[Figure: apps, services and data in a hybrid cloud (AWS IaaS and PaaS/SaaS, new cloud services: custom & SaaS, unsanctioned cloud, cloud infrastructure, the public Internet) and the on-premise estate (on-premise users, enterprise networks and legacy data centers) behind the traditional perimeter. Capability areas called out: Cloud provider cyber risk governance; Cloud vigilance; DevSecOps; Cloud resilience; Network & infrastructure; Cloud data protection.]
Cloud Access Security Broker (CASB) implementations

Continuous visibility into hybrid cloud usage and risk exposure

Definition: a new class of security products (tools and services) that reside between the enterprise and a cloud provider and act as an extension of enterprise controls across risk management, data privacy and protection, and monitoring for cloud-based services.

[Figure: the CASB sits between the enterprise and its cloud providers.]
• Shadow IT
• Understand cloud usage and risk exposure
• Ability to manage and
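To make "understand cloud usage and risk exposure" concrete, an added example that is not from the deck or from any CASB product: a shadow-IT pass over outbound web-proxy logs that classifies destinations against a service catalog and ranks unsanctioned services by bytes uploaded. The log layout (timestamp, user, source IP, method, host, port, bytes sent), the catalog, the sanctioned list and the log lines are all constructed; a real CASB does the same classification against a catalog of thousands of services and adds per-service risk scores.

```python
"""Shadow-IT discovery from outbound web-proxy logs.

Added example; not code from the Deloitte deck or from any CASB product.
Log layout, service catalog, sanctioned list and SAMPLE_LOG are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Registered-domain suffix -> service name (constructed catalog).
SERVICE_CATALOG = {
    "salesforce.com": "Salesforce",
    "amazonaws.com": "AWS",
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "wetransfer.com": "WeTransfer",
    "pastebin.com": "Pastebin",
}
SANCTIONED = {"Salesforce", "AWS"}      # assumed approved-services list
UPLOAD_METHODS = {"POST", "PUT"}        # requests that carry data out of the enterprise

# Constructed sample log: timestamp user src_ip method host port bytes_sent
SAMPLE_LOG = """\
2017-05-03T10:21:07Z alice 10.1.2.3 GET login.salesforce.com 443 512
2017-05-03T10:22:41Z alice 10.1.2.3 POST files.dropbox.com 443 1048576
2017-05-03T10:25:02Z bob 10.1.2.9 POST files.dropbox.com 443 52428800
2017-05-03T10:30:15Z bob 10.1.2.9 GET s3.amazonaws.com 443 2048
2017-05-03T11:02:59Z carol 10.1.3.4 POST wetransfer.com 443 734003200
2017-05-03T11:05:00Z carol 10.1.3.4 GET www.notdropbox.com 443 300
2017-05-03T11:07:10Z dave 10.1.3.7 POST pastebin.com 443 4096
this line is malformed and must be skipped
"""


def classify_host(host: str) -> Optional[str]:
    """Match catalog suffixes on label boundaries, so notdropbox.com is not Dropbox."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        service = SERVICE_CATALOG.get(".".join(labels[i:]))
        if service:
            return service
    return None


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for anything that does not fit the layout."""
    parts = line.split()
    if len(parts) != 7 or not parts[6].isdigit():
        return None
    ts, user, _src, method, host, _port, sent = parts
    return {"ts": ts, "user": user, "method": method.upper(), "host": host, "bytes": int(sent)}


def summarize(log_text: str) -> Dict[str, dict]:
    """Per-service usage: distinct users, request count, bytes uploaded, sanctioned flag."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None:
            continue                         # not a catalogued cloud service
        entry = usage[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["bytes_uploaded"] += rec["bytes"]
    for service, entry in usage.items():
        entry["sanctioned"] = service in SANCTIONED
    return dict(usage)


def unsanctioned_uploads(log_text: str, min_bytes: int = 0) -> List[dict]:
    """Unsanctioned services with data leaving the enterprise, largest uploader first."""
    rows = [
        {"service": s, "users": sorted(e["users"]), "bytes_uploaded": e["bytes_uploaded"]}
        for s, e in summarize(log_text).items()
        if not e["sanctioned"] and e["bytes_uploaded"] > min_bytes
    ]
    return sorted(rows, key=lambda r: r["bytes_uploaded"], reverse=True)


if __name__ == "__main__":
    for row in unsanctioned_uploads(SAMPLE_LOG):
        print(f"{row['service']:<12} {row['bytes_uploaded']:>12} bytes  users={','.join(row['users'])}")
```

Ranking by bytes uploaded rather than by request count is the point: a single large transfer to a file-sharing service matters more than many small reads, and the `min_bytes` threshold keeps incidental browsing out of the report.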
• Engagement Artifacts: a library of sample artifacts and templates, including activity checklists, design workbooks, facilitator guides, etc.
• Training Material: materials to train cyber wargame facilitators, players, and observers on how to participate effectively in a cyber wargame
• Production Team: an experienced roster of printers, video producers, etc., to support efficient, secure, and quality production of wargame materials
• Part of a global network of 11,000 risk management and cyber risk professionals across the DTTL network of member firms
Framework Mapping

Each control lists: Control Domain / Sub Domain / Control ID / Risk Domain / Activity Name / Control Requirements / Control Owner, followed by mappings to ISO/IEC 27001 Annex A, CSA CCM 3.0.1, NIST SP 800-53, SOC 2 and FedRAMP (MOD). (The source headers for the A.9.x and the first AC-x mapping columns are not legible; they are labelled here by their identifier families.)

C001: Access Control / User access management / Risk Domain: Access Control - Security / Activity: User access request and removal / Owner: Information Security Office, Human Resources
Requirement: Requests for new access, or modifications to existing access, are submitted and approved prior to provisioning employee, contractor, and service provider access to specific applications or information resources. When users no longer require access or upon termination the user access privileges of these users are
Mappings: ISO A.9.2.1, A.9.2.2 / CSA CCM IAM-02, IAM-09, IAM-11 / NIST AC-2, AC-2(1), AC-2(2), AC-2(3) / SOC 2 C1.2, CC5.2, CC5.4 / FedRAMP (MOD) AC-2, AC-2(1), AC-2(2), AC-2(3)

C002: Access Control / User access management / Risk Domain: Access Control - Security / Activity: User account management / Owner: Information Security Office
Requirement: Automated procedures are in place to disable accounts upon the user's leave date and modify access during internal transfers.
Mappings: ISO A.9.2.1, A.9.2.2 / CSA CCM IAM-02, IAM-11 / NIST AC-2, AC-2(1), AC-2(2), AC-2(3), PS-5 / SOC 2 C1.2, CC5.2, CC5.4 / FedRAMP (MOD) AC-2, AC-2(1), AC-2(10), AC-2(2), AC-2(3), PS-5

C003: Access Control / User access management / Risk Domain: Access Control - Security / Activity: User account management / Owner: Information Security Office
Requirement: Domain-level user accounts are disabled after 90 days of inactivity.
Mappings: ISO A.9.2.1, A.9.2.2 / CSA CCM IAM-02, IAM-11 / NIST AC-2, AC-2(1), AC-2(3) / SOC 2 C1.2, CC5.2 / FedRAMP (MOD) AC-2, AC-2(1), AC-2(3)

C004: Access Control / User access management / Risk Domain: Access Control - Security / Activity: User account management / Owner: Information Security Office
Requirement: New access requests for CompanyX-managed network devices and domain-level accounts require approval by an FTE manager within the user's reporting hierarchy.
Mappings: ISO A.9.2.1, A.9.2.2 / CSA CCM IAM-02, IAM-04, IAM-09 / NIST AC-2, AC-2(1), AC-2(3) / SOC 2 C1.2, CC5.2 / FedRAMP (MOD) AC-2, AC-2(1), AC-2(3)

C005: Access Control / User access management / Risk Domain: Access Control - Security / Activity: Group memberships / Owner: Information Security Office
Requirement: Modification of domain-level security group membership requires approval by the security group owner(s).
Mappings: ISO A.9.2.1, A.9.2.2 / CSA CCM IAM-02, IAM-09 / NIST AC-2 / SOC 2 CC5.4 / FedRAMP (MOD) AC-2

C006: Access Control / User access management / Risk Domain: Access Control - Security, Continuity / Activity: Temporary / emergency access / Owner: Information Security Office
Requirement: Procedures have been established for granting temporary or emergency access to CompanyX personnel upon appropriate approval for customer support or incident handling purposes.
Mappings: ISO A.9.2.1, A.9.2.2 / CSA CCM IAM-04, IAM-09 / NIST AC-2 / SOC 2 CC5.2, CC5.3 / FedRAMP (MOD) AC-2
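Control C003 above disables domain accounts after 90 days of inactivity. As an added example (not from the deck or the controls framework), the same rule applied to IAM users, the customer-side equivalent on AWS, using the CSV that boto3's iam.get_credential_report()["Content"] returns. The report rows, the account ID and the AS_OF date are constructed; the real report carries more columns than the sample keeps, which csv.DictReader simply passes through.

```python
"""Inactive-credential check over the IAM credential report (C003 applied to IAM users).

Added example, not from the Deloitte deck. SAMPLE_REPORT is constructed and keeps
only the columns the check reads; the real report has more (regions, services,
certificates) that are ignored. AS_OF is the constructed evaluation time.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_DAYS = 90
# Placeholders IAM writes when a credential was never used or the field does not apply.
NO_VALUE = {"N/A", "no_information", "not_supported", ""}
AS_OF = datetime(2017, 6, 30, 12, 0, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T00:00:00+00:00,not_supported,2017-06-01T08:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-02-01T00:00:00+00:00,true,2017-06-28T09:12:00+00:00,true,true,2017-06-29T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-05-05T00:00:00+00:00,true,2017-01-15T10:00:00+00:00,false,true,2017-02-02T11:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2017-01-01T00:00:00+00:00,true,no_information,false,false,N/A,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2017-05-20T00:00:00+00:00,false,N/A,false,true,N/A,false,N/A
erin,arn:aws:iam::111122223333:user/erin,2016-01-01T00:00:00+00:00,false,N/A,false,false,N/A,false,N/A
"""


def load_rows(report_csv: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(report_csv)))


def _ts(value: str) -> Optional[datetime]:
    """Timestamps in the report are ISO 8601 with an explicit +00:00 offset."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def has_active_credential(row: dict) -> bool:
    return "true" in (row["password_enabled"], row["access_key_1_active"], row["access_key_2_active"])


def last_activity(row: dict) -> Optional[datetime]:
    """Most recent use of any credential the user still has; None if never used."""
    stamps = []
    if row["password_enabled"] == "true":
        stamps.append(_ts(row["password_last_used"]))
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            stamps.append(_ts(row[f"access_key_{n}_last_used_date"]))
    used = [s for s in stamps if s is not None]
    return max(used) if used else None


def find_inactive(report_csv: str, now: datetime, days: int = INACTIVITY_DAYS) -> List[dict]:
    """Users whose live credentials have gone unused for `days`. Never-used
    credentials count from account creation. Root is skipped: it cannot be
    disabled like a user and belongs in a separate review."""
    cutoff = now - timedelta(days=days)
    findings = []
    for row in load_rows(report_csv):
        if row["user"] == "<root_account>" or not has_active_credential(row):
            continue
        last = last_activity(row)
        reference = last or _ts(row["user_creation_time"])
        if reference < cutoff:
            findings.append({"user": row["user"], "last_activity": last,
                             "days_idle": (now - reference).days})
    return findings


if __name__ == "__main__":
    for f in find_inactive(SAMPLE_REPORT, AS_OF):
        when = f["last_activity"].isoformat() if f["last_activity"] else "never"
        print(f"{f['user']}: idle {f['days_idle']} days (last activity {when})")
```

Two choices worth noting: a user with no enabled password and no active key is skipped rather than reported, since there is nothing left to disable, and a credential that was created but never used is measured from the account creation time so that dormant-from-birth accounts still surface.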
Deloitte has experience in building cloud security strategy and roadmaps that can be leveraged to identify business drivers and requirements for cloud cyber risk management. Deloitte has a repository of Cloud Security Architecture Guiding Principles and a Controls Framework, which can be leveraged to build cloud security blueprints for the future cloud cyber risk program.

Accelerators: Deloitte Cloud Security Strategy Methodology; Transformation Roadmaps; Deloitte Cloud Security Architecture Criteria; Deloitte Cloud Integrated Controls Framework.
Cloud Architecture Guiding Principles

Cloud candidacy matrix (rows: business requirements; columns: cloud technical requirements):

Can Do (Later): meets business requirements, does not meet cloud technical requirements
  Business: low or moderate application criticality; internal users with low latency needs; moderate service level requirements; confidential data can be masked; some interdependencies on other apps/data
  Technical: good virtualization candidate; uses cloud vendor supported OS; uses commodity hardware (e.g. x86 servers); moderate bandwidth and infrastructure requirements; shares environments or software stacks; does not depend on specialized appliances

Can Do: meets business requirements, meets cloud technical requirements
  Business: low application criticality; low number of internal users with low latency needs; low to moderate service level requirements; no confidential data or data is easily masked; minimal interdependencies to other apps/data
  Technical: currently virtualized or is a strong virtualization candidate; uses cloud vendor supported OS; uses commodity hardware (e.g. x86 servers); low bandwidth and low/moderate infrastructure requirements; standalone environments and software stack; does not depend on specialized appliances

Cannot Do: does not meet business requirements, does not meet cloud technical requirements
  Business: mission critical application; large number of external users with high latency requirements; high service level requirements, contains confidential data not easily masked; complex interdependencies to other apps/data
  Technical: not suited for virtualization; uses an OS unsupported by cloud vendors; uses custom hardware (e.g. vendor hardware or highly customized grid); high bandwidth and infrastructure requirements; shared environments and software stack; depends on specialized appliance

Should Not Do: does not meet business requirements, meets cloud technical requirements
  Business: mission critical application; large number of external users with low latency expectations; high service level requirements, contains confidential data not easily masked; complex interdependencies to other apps/data
  Technical: currently virtualized or is a strong virtualization candidate; uses cloud vendor supported OS; uses commodity hardware (e.g. x86 servers); low bandwidth and low/moderate infrastructure requirements; standalone environments and software stack; does not depend on specialized appliances

Guiding principles:
• Minimize Architectural Complexity: minimize the number of dependencies on other applications, components, databases, or middleware; avoid sharing software stacks (e.g. databases, middleware) with other components; loosely couple components where possible to allow future portability of individual components to cloud.
• Build Massively Parallel: employ parallelization in execution and data storage as a fundamental design (e.g., build computational grids and data grids into your design); design for full scalability, and allow for management capabilities that will automatically horizontally scale your application, bringing up and shutting down instances on demand as needed.
• Optimize Component Communications: structure inter-application component communications to be as efficient as possible; unnecessary chatter introduces latency in communications and performance; consider using asynchronous communications (messaging) where applicable.
• Avoid Specialized Infrastructure: avoid dependencies on special purpose proprietary appliances, devices, license dongles tied to hardware, etc.; if absolutely required, loosely couple that portion of the application to allow non-associated components to move to cloud.
• Keep Cloud Capabilities in Mind: understand the service capabilities and limitations of cloud vendors and factor those into your design to allow for an easier future migration to cloud; keep an eye out for "cloud middleware", services that allow you to use cloud offerings across vendors without being tied to any specific API.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.