john godwin's presentation at digital leaders conference 2015
TRANSCRIPT
Page 1 © Skyscape Cloud Services 2015 Commercial In Confidence
The rise of public sector cloud
A major drive by the UK Public Sector to improve public facing services and reduce costs. Digital by Default and Cloud First agendas.
Secure multi-tenancy cloud environments enable better resource utilisation and lower prices for the customer.
Key consideration for the rights of citizens and the protection of their data.
So data security and assurance remains the most important consideration.
Not all cloud service suppliers are the same – they need to willingly demonstrate their level of competence to their customers.
Public sector data – it’s OFFICIAL
Not the same!
The 14 CESG Cloud Security Principles
1. Data in transit protection
2. Asset protection and resilience
3. Separation between consumers
4. Governance (e.g. ISO27001)
5. Operational process security
6. Personnel security, screening
7. Secure code development
8. Supply chain security
9. Secure consumer management
10. Identity and authentication
11. External interface protection
12. Secure service administration
13. Audit information provision to consumers
14. Secure use of the service by the consumer
(more detail on .gov.uk website)
Demonstrating credibility
1. Cloud Service Provider Assertions
Demonstrating an acceptable level of information security maturity.
Experienced information and technical security resources.
Where the cloud service is located (sovereignty, data protection, etc.).
Regular, proactive security testing activities.
Evidence of capable responses to previous security challenges.
2. Contractual Commitments
Specific, measurable performance indicators within contracts (e.g. maintaining certifications, clean test results, security incident responses, etc.).
Demonstrating credibility
3. Independent Validation of Assertions
Independent third party tests, properly scoped to test the supplier’s assertions.
Holding certificates of compliance against relevant, recognised standards.
Controls reviewed by a suitably qualified individual (e.g. CESG Cert. IA Auditor).
4. Independent Testing of Implementation
Proper scoping of testing activities, undertaken by a suitably qualified organisation/individual.
Testing activities to demonstrate that controls have been properly implemented: CHECK, CREST, Tiger.
Demonstrating credibility
5. Assurance in the Service Design
Service designed/reviewed by a qualified individual (CESG Cert. IA Architect).
Provides additional independent assurance about robustness of security controls.
6. Assurance in the Service Components
Scope of testing of assured products/services.
Suitability of different assessment schemes.
Foundation Grade assurance is considered a good commercial level of security. Also requires checks on configuration and use.
Supporting cloud customers
The Digital Marketplace allows public sector customers to make easier comparisons between different cloud service suppliers.
Risk-based decisions remain with the data-owning customer.
There is an expectation that customers will be “kicking the tyres”…
If information security skills need boosting, they should seek credible assistance.
They should challenge suppliers to evidence their security assertions willingly.
Gain confidence from existing accreditations or previous customer validations.
If it looks suspicious, or the supplier evidence doesn’t add up, trust their instincts.
Monitor cloud suppliers carefully, seek regular and meaningful interactions.
Thank you
@johngodwin1