security strategy when moving to the public cloud · 2018. 3. 19. · keith prabhu. founder &...

www.cloudsec.com | #CLOUDSEC

Security Strategy when moving to the Public Cloud

Keith Prabhu
Founder & Director, Cloud Security Alliance – Mumbai Chapter
Executive Director, Confidis

CLOUDSEC INDIA 2016


Post on 03-Jan-2021



Security Strategy for the Cloud

Select the right candidates based on security and regulatory concerns

Select the right deployment model

Security criteria for selecting a Public Cloud Services Provider

• Cost
• Confidentiality
• Availability
• Regulations

All Applications are NOT meant for the Cloud

Select the RIGHT deployment/Service Model

• How would we be harmed if the confidentiality of information was compromised?
• How would we be harmed if the integrity of the information/data was compromised?
• How would we be harmed if the asset was not available?
• How would we be harmed if there was an insider breach at the CSP?
• How would we be harmed if integrity of the process or function was manipulated by an outsider?
• How would we be harmed if the process or function failed to provide expected results?

Select the RIGHT deployment/Service Model

Source: https://www.yokogawa.com/us/technical-library/resources/application-notes/scada-cloud-computing/

Key Security Criteria when selecting a Public CSP

OpSec

• SoD
• Security in Development Process
• Security in Operations Process
• Well defined DR/BC policy/process
• Configuration management process
• Patch management process

Security Framework

• Well defined security policies
• Well defined DR/BC policy

Contractual

• Well defined contractual language (security/privacy)
• Reviewable audits
• Right to audit

CSA Tools to help

• The Cloud Controls Matrix
  • List of controls that maps to ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP.
• Consensus Assessment Initiative
  • Starter questionnaire.
• CloudAudit
  • For automated assessment, audit, assertion, and assurance
• Trusted Cloud Initiative
  • IAM reference architecture
• And more! > https://cloudsecurityalliance.org/research/
• Join CSA, Mumbai Chapter – It’s FREE

About the Cloud Security Alliance

• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud Provider Certification – CSA STAR
• User Certification - CCSK
• The globally authoritative source for Trust in the Cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

CSA Fast Facts

• Founded in 2009
• Headquarters in Seattle (Bellingham), Singapore, Edinburgh UK
• 74,000+ Individual members
• 300+ Corporate members
• 75+ Chapters
• Over 30 research projects in 25 working groups
• Strategic partnerships with governments, research institutions, professional associations and industry
• CSA Research is FREE!

Update to our Website

Active Working Groups

• Cloud Controls Matrix WG
• Quantum Safe Security WG
• Big Data Working Group
• Security as a Service WG
• Containers & Microservices WG
• Open API WG
• Mobile Application Security Testing WG
• Health Information Management WG

Active Working Groups (contd.)

• Consensus Assessment Initiative
• IoT Working Group
• SDP Working Group
• Mobile Working Group
• Cloud Data Governance WG
• Security Guidance V.4 WG
• Financial Services Working Group
• Incident Management & Forensics WG
• Cyber Incident Sharing Center

More questions? Contact: [email protected]