espion and sureskills presentation - your journey to a secure cloud
TRANSCRIPT
Your Journey
to a Secure Cloud
June 10, 2015
SPEAKERS
Ross Spelman, Cloud Assurance Specialist at Espion, will show you how businesses can confidently evaluate the impact of a move to, or procurement of, a cloud solution & successfully manage software, platforms & infrastructure once in the cloud.
Nigel Tozer, Product Marketing Director EMEA at CommVault, will take you on your organisation's journey to the Cloud & the options that public, private & hybrid cloud strategies can provide.
Ruaidhri McSharry, COO at SureSkills, will show us how cyber security is an issue for a whole organisation, from board to staff & from customers to suppliers – it's about Resilience!
IT Solutions & Consulting
SURESKILLS
Learning Services
Training & Certification
Learning Service Provision
- Develop
- Support
- Manage
Training Service Provision
- Certification Training
- Tailored Training
- Managed Training Services (Local)
IT Service Provision
- IT Change
- IT Transition
- IT Support
WHAT? TRAINING & CERTIFICATION
ACCREDITATION TAILORED VALUE BLENDED
• Project Management
• Service Management
• Business Analysis
• Unified Learning
• Applications
• VMware & AWS
• Technology
• Digital Marketing
• On-Boarding
• Specialised
• Other – bespoke requirements
Blending bespoke learning that is multi-modality, based on learners' & business needs.
Programmes that are developed with specific goals in mind – sales readiness, baseline skills & more.
WHAT? IT SOLUTIONS & CONSULTING
CHANGE TRANSITION SUSTAIN
Change: Change is good, and we help you plan for it. Our planning & risk management strategies ensure successful & sustained change with minimal disruption to the business.
Transition: Our project management will ensure the smooth transition from implementation to support. As you take ownership we will make sure that you have the right level of service to maintain the systems.
Sustain: With your new systems in place and your staff trained up, you need to ensure continued business value – sustain with continual service improvement.
WHAT? LEARNING SERVICES
DEVELOP SUPPORT MANAGE
Global Support & Delivery – Dell Education Services
Global Operations Readiness
Global Education Services
Audience
- Inside, Partners & Customers
Service Provision
- Help-Desk (L/CMS)
- BI & Analytics
- IM/KM Support
- Content Management
Comment: Helpdesk, System Support, Migration & Content Rationalization
Audience
- Inside, Partners & Customers
Service Provision
- Design, Development & Delivery
- Multi-Modality
- Global Certification
- Execution Excellence
Comment: ICM, VTSP, VCP, VCA – Web Based Learning & Instructor Led Training
Audience
- Inside, Partners
Service Provision
- Full E2E Managed Learning Service
- Thought-Leadership
- Business Value
- Execution Excellence
Comment: CAP/id2, 3E Approach & Operations Launch Readiness Process
A SELECTION OF OUR CLIENTS
Making Your Journey to the Cloud a Success
Nigel Tozer
Your Journey To A Secure Cloud
Friday 10th June 2015
Organisations need to be able to confidently evaluate the impact of a move or procurement of a cloud solution and to successfully manage software, platforms and infrastructure once in the cloud.
Speaker: Ross Spelman
With an in-depth knowledge and understanding of enterprise risk management and the importance of sound internal controls, I help companies to assess, identify and manage risk. Through the development and evaluation of business and technology standards, procedures and controls I help organisations keep their information safe, on premise or in the cloud…
The total market size for cloud computing is expected to reach $555 billion by 2020.
Allied Market Research July 2014
Global SaaS software revenues are forecasted to reach $106B in 2016, increasing 21% over projected 2015 spending levels.
A Goldman Sachs study published in January 2015 had already projected that spending on cloud computing infrastructure and platforms will grow at a 30% CAGR through to 2018, compared with 5% growth for overall enterprise IT.
Importance for Businesses
• Achieve economies of scale – increase volume output or productivity with fewer people. Overall cost per unit, project or product drops significantly.
• Reduce spending on technology infrastructure. Maintain easy access to your information with minimal upfront spending. Pay as you go (weekly, quarterly or yearly), based on demand.
• Globalise your workforce inexpensively. Users worldwide can access the cloud, provided they have an Internet connection.
• Streamline processes. Get more work done in less time with fewer people.
• Reduce capital costs. No need to spend big money on hardware, software or licensing fees.
• Improve accessibility. Access anytime, anywhere, making you more available.
• Monitor projects more effectively. Stay within budget and ahead of completion cycle times.
• Less personnel training is needed. It takes fewer people to do more work on a cloud, with a minimal learning curve on hardware and software issues.
• Minimise software licensing. Scale up and down without the need to buy expensive software licences or programs.
• Improve flexibility. You can change direction without serious "people" or "financial" issues at stake.
Risky
Importance for Businesses
Businesses need to reduce risk
Overview of Cloud Assurance
By gaining assurance on how a Cloud Service Provider is treating risk and by verifying the standard of their security controls, systems and practices, a cloud consumer can build trust.
The areas to assess in order to gain Cloud Service Provider assurance are:
• Business Context & Requirements
• Market Performance Analysis & Forecast
• Cloud Service Provider Business Analysis & Verification
• Cloud Service Provider Security & Verification
Business Context and Requirements
Market Analysis and Performance
Thousands of applications in the cloud
Fewer major platforms
Elite group
Different levels of volatility
SAAS Market Analysis and Performance
PAAS Market Analysis and Performance
Bit healthier competition…
Looking at the market just tells a small part of the story…
• Through the utilisation of PAAS, companies are launching 80% more apps per year with a 70% accelerated time to market and a 75-85% reduction in infrastructure costs, resulting in a 520% return on investment.
• PAAS reduces time to software launch by integrating with IaaS.
IAAS Market Analysis and Performance
Few Major Players
Market domination over last near decade
Microsoft on the rise
Assessing a Cloud Service Provider Business
Size
Certifications
QMS
History
Stability
Procedures
Assessing a Cloud Service Provider Business
Strategic
• Business plan
• Strategic plan for the following 3 years
Financial
• Audited financial statements
Management
• Organisation chart
• Short-term objectives
• CV/Bio of people in the management of the company/unit responsible for the service
Commercial
• Number of service users
• Evolution of service users
• Commercial plan for the service
Assessing a Cloud Service Provider Business
Operation
• Service road map
• People certifications in the service operation
• Training policy
• Unwanted rotation ratio
• Service awards and recognitions
• Certifications (quality, development…)
• Outsourcing policy
• Dispute resolution system (arbitration)
Supplemental information
• Mergers and acquisitions
• Security incidents
• Changes in service plans
• Certifications and/or audit issues
• Change in key third-party outsourcers
Assessing a Cloud Service Provider Business
Metrics to Assess a CSP from a Business perspective
If a cloud provider's pricing or promises seem too good to be true, they probably are.
Assessing a Cloud Service Provider Business
The company filed for US Chapter 11 bankruptcy in October 2013
Introduced in January 2012, Exec.Cloud was designed with SMBs in mind. Two years after its release, Symantec realised that two features that they felt critical to its success were missing: content-sharing features and mobile capabilities.
Rather than investing in the development of those features, Symantec felt it was a smarter move to focus on its other backup product rather than fix Exec.Cloud. This decision wasn’t without repercussion for SMBs who signed up for Symantec’s BE.Cloud.
Assessing a Cloud Service Provider Business
Differences
• Five layers of governance for IT are Network, Storage, Server, Services and Applications
• On premise - organisation has control over Storage, Server, Services and Applications; vendor and organisation can have shared control over Networks
• SaaS model - most layers are controlled by the vendor
• PaaS model - Applications and Services are controlled by both while Servers, Storage and Network controlled by the vendor
• IaaS model - Applications are controlled by the organisation, Services controlled by both while the Network, Storage and Server controlled by the vendor
General Cloud Governance
Different Responsibilities for Cloud Governance
[Diagram: the cloud models are ranged from More Control through Some Control & Governance to Least Control & Governance; in each model the CSP secures the layers it controls.]
Different Responsibilities for Cloud Security
Cloud Service Provider Security & Verification
Tools to help verify Cloud Service Provider Security
• Open Certification Framework – Cloud Security Alliance
• Service Organisation Controls – AICPA Assurance Services Executive Committee
• Payment Card Industry Data Security Certification – PCI Security Standards Council
• Key factors for cloud – Security Rating Guide – Leet Security
• EuroCloud Star Audit – EuroCloud Europe
• ISO/IEC 27001 Certification – International Organisation for Standardisation, including ISO/IEC 27017 controls based on ISO/IEC 27002 for cloud services
• Certified Quality in Cloud Computing – TÜV Rheinland's certification for cloud providers
What is Cloud Computing?
• Ubiquitous Network Access
• Rapid Elasticity
• Measured Service with Pay Per Use
• On-Demand Self-Service
• Location-Transparent Resource Pooling
Cloud Security
Cloud Vulnerabilities
• Resource Capping
• Resource Isolation
• Inaccurate Modelling
• Media Sanitisation
• High Risk Jurisdictions
• IP Ownership
• Interoperability
Cloud Risks
• Isolation failure
• Insecure or incomplete data deletion
• Compliance risks
• Management interface compromise
Asset Protection: Data, Process, Technology
Different Levels of Criticality
Data: Your next Strategic Asset
• Where is it?
• What is it?
• Who created it?
• Who has access to it?
• How long should you keep it?
• How do we do more with it?
• How do we really derive value from it?
• Do we need to keep it?
Cloud Journey
Espion Cloud Assurance Journey
• Cloud Risk Assessment
• Secure Cloud Design
• Intelligent Cloud Migration
• Cloud Testing and Audit
• Cloud Incident Response
• Cloud Service Provider Assessment
Cloud Assurance Journey Example
Customer Relationship Management System
Cloud Risk Assessment
Discover your environment:
• Asset Inventory
• Understanding the organisation
• Information security posture of the organisation
• Key Stakeholders and Participants involved
• Context Establishment – Asset Valuation
• Vulnerability and threat identification
• Risk Treatment
Secure Cloud Design
Intelligent Cloud Migration
Cloud Testing and Audit
Cloud Incident Response
Cloud Service Provider Assessment
Benefits of Cloud Assurance
• Risk identification, reduction & transference
• Improving security posture
• Compliance
• Confidence
• Adherence to industry-leading best practices (CSA, ISO, ENISA, NIST)
Cyber Security, Business Value & Critical First Steps
Ruaidhri McSharry, SureSkills
COO & Director, Service Management
WHAT DOES IT MEAN?
HOW PEOPLE, PROCESSES & SYSTEMS INTERACT
DIFFERENT VERSIONS OF REALITY!
BEST PRACTICE
Service Management, Project Management, Business Analysis, Lean, Agile, Scrum, SureSkills CAP/id2™, Cyber Security
BEST PRACTICE
Assurance, Governance, Auditability, Structure
WHAT DOES IT MEAN?
Adopt & Adapt Business
Value Foundation
Point Assurance!
INTRODUCTION – CYBER RESILIENCE
• Cyber resilience is not just information security
• More focus on network connectivity & the internet
• Recognition that we can't always prevent incidents
• The need for balance: prevent, detect & correct; people, process & technology; risks & opportunities
• Characteristics needed for information: confidentiality, integrity & availability; authentication & non-repudiation
INFORMATION & VALUE
Your precious information:
• Customer/client data
• Operational data
• Market data
• Operational documents & insight
• Confidential data & IP
Enabled by IT systems (which can be hacked or compromised) – & now critical to success
BEYOND IT
THE HUMAN FACTOR
• Organizational value resides in data plus people (information + intelligence = knowledge & ability)
• The "system" is technology plus people
• People/behaviours cause most vulnerabilities
• Narrow focus on IT won't align strategy, operations & people
• Need to look beyond IT security – to cyber resilience
WILL YOUR INFORMATION BE COMPROMISED?
The risks are high.
• 73% of large organizations suffered from infection by viruses or malicious software in the past year (BIS, 2014 Information Security Breaches Survey)
• 37.3 million users experienced phishing attacks in 2013 (Kaspersky Lab)
• 95% of security incidents involve humans (IBM 2014 Cyber Security Intelligence Index report)
• 50% of users open emails and click on phishing links within the first hour (Verizon 2015 Data Breach Investigations Report)
The U.S. Government Is Under (Cyber) Attack
The State Department confirmed on Monday that hackers breached its unclassified email system. The White House, the Postal Service, & NOAA have also been compromised in recent weeks.
Obama: We have long known about 'significant vulnerabilities'
The Office of Personnel Management is notifying 4 million current & former federal government employees that their personally identifiable information may have been exposed by a breach of its IT systems that the government discovered in April.
Cybercrime costs Irish economy €630m a year (RTE 2014)
Some 62,500 Supervalu customers at risk over breach (2013)
Some 8,000 AXA customers also affected after 'attack' on firm managing holiday breaks (2013)
RISK!
RISKS TO VALUE
• Loss of corporate reputation & customer trust
• Financial loss & reduced productivity
• Regulatory fines
• Reduced competitive advantage through IP theft
• (Damaged personal reputations)
INTRODUCING CYBER RESILIENCE
Cyber resilience is about keeping data safe, but critically… it's about keeping the value tied to that data safe.
It's about how you minimise damage & come through an attack or security failure.
It's about how you prevent, detect, respond & recover.
BARRIERS TO CYBER RESILIENCE?
Lack of awareness (board level down)
Silo thinking (“it’s an IT problem”)
Narrow focus on regulatory compliance, not risk
Confusion about what “good” looks like
Cyber resilience demands a “whole system” view (technology & people)
Cyber resilience has to be part of your organisational culture…
This is why you need RESILIA
WHAT IS RESILIA?
RESILIA is a portfolio of training, learning & certification aimed at building cyber resilience across the organization, from the boardroom down. Underpinned by Cyber Resilience Best Practices, it comprises:
1. Foundation & Practitioner Certifications
2. Organization-wide awareness learning
3. Cyber Pathway Tool
4. Leadership engagement
5. Professional Development Programme
WHAT WILL YOU GAIN (AND KEEP)?
• Clarity & confidence throughout your organization as it responds to a cyber attack
• Best practice disciplines – encompassing people, process & technology, whatever your organization's size
• Enhanced management strategies
• Aligned IT operations, security & incident management
• Secured value
WHAT WILL YOU GAIN (AND KEEP)?
• The right ingredients for effective cyber resilience
• Common language across IT & non-IT teams
• Enhanced collaboration
• Enhanced control, reporting & good governance
• A framework to exploit ITIL best practice investments
• Higher levels of certified staff
RESILIA: THE PORTFOLIO
• Best Practice Guide – core practical guidance for strategy, implementation & management: "what good looks like"
• Individual Awareness Learning & Know-how – all staff across an organisation
IT teams & data owners/managers
• Membership & CPD – IT teams & data owners/managers
• Leader Engagement – leadership team across an organisation
• Management Pathway Tool
• Foundation & Practitioner Training
WHY? WHO IS IT FOR?
The Foundation & Practitioner certification is aimed at:
• IT & security functions
• Risk & compliance functions
• Core business functions including HR, Finance, Procurement, Operations & Marketing
The awareness learning is for the entire organization. The leadership engagement delivers specialised training & learning for the leaders within an organization.
RESILIA: BEST PRACTICE
The management processes you need to embed across the organization (large or small)
An organization-wide management system involving people, process & technology
Practical, pragmatic guidance aligned with common approaches & standards
Structure follows the proven ITIL lifecycle used by thousands of organizations across the world
RESILIA: CERTIFIED TRAINING
Foundation & Practitioner courses for global certified training
• Link cyber resilience to business strategy
• Enable effective resilience based on best practice & repeatable processes
• Create individual expertise in risk & vulnerability assessment and the selection of appropriate controls, including their structured implementation and management
RESILIA: CERTIFICATION POSITIONING
[Chart: courses positioned on two axes, technical focus vs business focus and general audience vs niche audience. Courses shown: IT vendors (Cisco, MS, Oracle etc), ISC(2) CISSP, CompTIA Security+, EC-Council Ethical Hacker, EC-Council Certified Security Analyst, CISM, ISC(2) SSCP, CLAS, ISO27001 auditor, CESG CCP, CESG CCT, ISACA Cybersecurity Fundamentals Certificate, AXELOS Cyber Practitioner, AXELOS Cyber Foundation, BCS InfoSec Principles. Key: grey = non-certification course; size of circle = course market share.]
RESILIA: AWARENESS LEARNING
• Empower all individuals with awareness of cyber risks and their personal responsibilities for the organization's overall resilience
• Content for regular, continuous learning
• Adaptive and personalised to suit different learning speeds and styles
• Users can learn where and when it suits, with minimal disruption to their day-to-day activities
Learning modules: Phishing; Social engineering; Password safety; Information handling; Online safety; Remote and mobile working; Personal information
Learning formats: Games; Simulations; Videos; eLearning; Tests and refreshers; Animations
RESILIA: LEADER ENGAGEMENT
• Build cyber resilience expertise, insight & action in the boardroom
• Create active understanding of the cyber threat landscape, cyber risks and vulnerabilities
• Create practical knowledge of how to respond & recover in the face of cyber attacks
RESILIA & BEYOND
Building the best practice community: effective cyber resilience involves a multi-disciplinary approach within an organization that encompasses people, process and technology. The RESILIA community will bring together practitioners, decision makers & leaders across a range of core functions.
CONCLUSIONS
Meaningful
Business Value
Actions