MITIGATION: Ensuring we procure cloud services, taking into account the risks involved
Paul Woods, Chair, ISNorthEast (@paulw_pm)

Presentation transcript:

1 MITIGATION: Ensuring we procure cloud services, taking into account the risks involved
Paul Woods, Chair, ISNorthEast (@paulw_pm)
@neict #ESB16

2 What are you buying? Making sense of “aaS”

3 Caveat Emptor
Central Government has a ‘cloud first’ policy: use commercially available systems instead of custom-built systems, to save costs.
G-Cloud is a procurement option; all other procurement routes remain available.
G-Cloud is a series of framework agreements with suppliers, from which public sector organisations can buy services without needing to run a full tender or competitive procurement process.
CCS (Crown Commercial Service) does not assure the services; we have to.
You must accept the supplier’s agreed Ts & Cs.
Contracts have a maximum duration, so plan your exit strategy from the start.

4 Before you start
Know your business requirements.
Understand your risk appetite.
Understand your information/application: are YOU the data controller, or are you processing someone else’s data?
Think about your exit strategy. In cloud-based systems you need to know how to get YOUR information into the system, and out of it again once the contract has come to an end.
Talk to colleagues in IG, IA, IS and any third-party data controllers.

5 Talk to colleagues from IG, IA and IS
Determine which cloud security principles are important to you, and which implementation options are acceptable for managing the risks to your organisation’s information. You need to be able to score, or exclude, cloud providers that don’t meet your requirements.

6 Talk to colleagues from IG, IA and IS
Include investigation of how the principles are implemented in your award questions. Evaluate the responses together with colleagues from IG, IA and IS.

7 Cloud Security Principles
Let’s look at HMG’s 14 Cloud Security Principles:
Principle 1: Data in transit protection
Principle 2: Asset protection and resilience
Principle 3: Separation between consumers
Principle 4: Governance framework
Principle 5: Operational security
Principle 6: Personnel security
Principle 7: Secure development
Principle 8: Supply chain security
Principle 9: Secure consumer management
Principle 10: Identity and authentication
Principle 11: External interface protection
Principle 12: Secure service administration
Principle 13: Audit information provision to consumers
Principle 14: Secure use of the service by the consumer
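Slides 5 to 7 say you must be able to score, or outright exclude, suppliers against the 14 principles once IG, IA and IS have agreed which ones are must-haves. The following is an added illustration of that evaluation model, written for this page; it is not a tool from the presentation, ISNorthEast, NCSC or CCS. The requirement levels, weights and the three supplier answer sets are constructed assumptions standing in for a real panel’s decisions and real award-question responses.

```python
"""Added example: scoring and excluding cloud suppliers against HMG's 14
Cloud Security Principles. Illustrative code for this page only; every
weight, threshold and supplier rating below is a constructed assumption."""
from dataclasses import dataclass, field

# The 14 principles as listed on slide 7.
PRINCIPLES = {
    1: "Data in transit protection",
    2: "Asset protection and resilience",
    3: "Separation between consumers",
    4: "Governance framework",
    5: "Operational security",
    6: "Personnel security",
    7: "Secure development",
    8: "Supply chain security",
    9: "Secure consumer management",
    10: "Identity and authentication",
    11: "External interface protection",
    12: "Secure service administration",
    13: "Audit information provision to consumers",
    14: "Secure use of the service by the consumer",
}


@dataclass
class Requirement:
    """How your organisation treats one principle (agreed with IG, IA and IS).

    minimum: lowest acceptable evidence rating (0-3); a supplier rated below
             this on any principle is excluded rather than scored.
    weight:  how much the principle counts in the comparative score.
    """
    minimum: int
    weight: int


@dataclass
class Assessment:
    supplier: str
    excluded_on: list = field(default_factory=list)  # principles that failed the minimum
    score: float = 0.0                               # 0-100, only when not excluded


def assess(supplier: str, ratings: dict, requirements: dict) -> Assessment:
    """Rate one supplier's award-question responses.

    ratings: principle number -> evidence rating 0 (none) .. 3 (strong),
             as agreed by the evaluation panel; an unanswered principle is 0.
    """
    result = Assessment(supplier)
    for n in PRINCIPLES:
        if ratings.get(n, 0) < requirements[n].minimum:
            result.excluded_on.append(n)
    if result.excluded_on:
        return result  # excluded suppliers get no comparative score
    total_weight = sum(r.weight for r in requirements.values())
    earned = sum(requirements[n].weight * ratings.get(n, 0) / 3 for n in PRINCIPLES)
    result.score = round(100 * earned / total_weight, 1)
    return result


def rank(suppliers: dict, requirements: dict) -> list:
    """Scored suppliers first (best score at the top), excluded ones last."""
    results = [assess(name, r, requirements) for name, r in suppliers.items()]
    return sorted(results, key=lambda a: (bool(a.excluded_on), -a.score))


def example_requirements() -> dict:
    """Constructed example: principles 1, 2, 3, 10 and 13 are must-meet
    (minimum 2, weight 3); the others need some evidence (minimum 1, weight 1)."""
    must = {1, 2, 3, 10, 13}
    return {n: Requirement(2, 3) if n in must else Requirement(1, 1) for n in PRINCIPLES}


# Constructed panel ratings for three hypothetical suppliers.
EXAMPLE_SUPPLIERS = {
    # Strong everywhere except audit information (principle 13): excluded.
    "Alpha Cloud": {**{n: 3 for n in PRINCIPLES}, 13: 1},
    # Adequate across the board.
    "Beta Cloud": {n: 2 for n in PRINCIPLES},
    # Strong on the must-meet principles, weak elsewhere.
    "Gamma Cloud": {n: (3 if n in {1, 2, 3, 10, 13} else 1) for n in PRINCIPLES},
}

if __name__ == "__main__":
    for a in rank(EXAMPLE_SUPPLIERS, example_requirements()):
        if a.excluded_on:
            failed = ", ".join(f"{n} ({PRINCIPLES[n]})" for n in a.excluded_on)
            print(f"{a.supplier}: EXCLUDED on principle(s) {failed}")
        else:
            print(f"{a.supplier}: score {a.score}")
```

The point of splitting `minimum` from `weight` is that a high overall score must never paper over a failed must-have: Alpha Cloud scores best on thirteen principles yet drops out because you could not get audit records, which is exactly the kind of requirement slide 13 says to settle before award.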

8 Cloud Security Principles
Principle 1: How is data protected in transit?
 - Between you and the cloud provider
 - Across the cloud provider’s systems
 - Where any APIs are exposed
 - Network protection and encryption
Principle 2: How are your data, and the assets storing or processing it, protected against physical tampering, loss, damage or seizure?
 - Physical location and legal jurisdiction
 - Data centre security
 - Data at rest protection
 - Data sanitisation
 - Equipment disposal
 - Physical resilience and availability
Principle 3: How is separation put in place between your data/application and others’?
 - Public, private or community cloud?
 - Is the underlying infrastructure IaaS, and how does that affect the separation risks?
 - Who are you sharing with? What level of sharing is acceptable: shared server, rack, cage or data centre?

9 Cloud Security Principles
Principle 4: What is the cloud provider’s security governance framework?
 - Is a board member responsible for security?
 - Have key security policies been developed, and are they in place?
 - Are security risks managed as part of the organisation’s risk reporting mechanisms?
 - What legal and regulatory frameworks apply, and how does the cloud provider ensure compliance?
Principle 5: What processes and procedures are in place to ensure the operational security of the service?
 - Configuration and change management
 - Vulnerability management
 - Protective monitoring
 - Incident management
 - Patching policies and procedures
Principle 6: What staff security screening and education has the cloud provider put in place?
 - Does the nature of your data/application dictate any special screening needs?
 - How (and does) the cloud provider screen staff who can access your data?
 - What regular training is in place?

10 Cloud Security Principles
Principle 7: What measures has the cloud supplier designed into its service to identify and mitigate threats to its security?
 - Is continual development in place in response to threat evolution?
 - Is development in line with industry good practice on design, coding, testing and deployment?
 - Are configuration management processes in place?
Principle 8: How does the cloud supplier ensure its supply chain doesn’t compromise any of the security principles it has put in place?
 - Which third parties provide which services to the cloud provider?
 - Do any of these have access to your data?
 - How does the cloud provider manage their conformance with its security requirements?
 - How does the cloud provider verify that any hardware and software it uses is genuine and has not been tampered with?

11 Cloud Security Principles
Principle 9: What tools does the cloud provider give you access to so you can manage your service securely?
Principle 10: How does the cloud provider ensure access to service interfaces is constrained to authorised and authenticated individuals?
 - What authentication is in place?
 - How are unauthorised people denied access to your application/data?

12 Cloud Security Principles
Principle 11: Has the cloud provider identified all external or less trusted interfaces to its services and taken appropriate actions to protect them?
 - Are the interfaces documented?
 - What penetration testing regime is in place?
Principle 12: How has the cloud provider ensured that its services are administered securely?
 - Are more stringent controls applied to who can administer the cloud provider’s systems and what data they can access?
 - Is your data/application segregated and administered separately? At what level (e.g. private cloud)?
 - Can the service be managed from devices used for normal business use? (high risk)
 - Are the services being managed offsite, from various locations?

13 Cloud Security Principles
Principle 13: Does the cloud provider give you access to audit records so you can monitor access to your service and the data in it?
 - What information is available? How can you access it? In what format?
 - What is the retention period?
 - Is it suitable for investigating misuse or incidents?
 - Do you need a copy of the logs at your own site? What is the risk of log tampering?
Principle 14: What measures has the cloud provider taken to help end users (employees/citizens) use the service responsibly and not create security risks?
 - Especially relevant for IaaS and PaaS
 - What configuration options are available?
 - Is access restricted to devices you own and manage? (think PSN)
 - What end user education is available or recommended?

14 Other Considerations
What are the guaranteed availability levels of the cloud system, if any? Availability of 99.9% allows 8.76 hours of downtime per year; 99.99% allows 0.87 hours per year.
When will patching/updating of the system be carried out?
What business continuity provisions has the cloud provider put in place? What happens if a data centre is unavailable?
What security and business continuity testing regimes has the cloud provider put in place?
What security and business continuity accreditations/certifications does the cloud provider have?

15 Other Considerations
What connectivity does the cloud provider have in place? What connectivity do you have in place? Can it cope with the traffic? Is it resilient?
What browsers and/or devices does the cloud service support (manufacturer/product/version)?
Is there an ongoing application compatibility issue, for example supporting the current browser and the previous one (IE11 and previous versions)?
What additional mitigations could you apply? What residual risks are there?
The EU General Data Protection Regulation.
There will be lots of other considerations that need to be taken into account.

16 (closing slide)

