Cloud Opportunities: Beyond apparent security and risk
Security and Privacy Services
Cloud computing point of view
October 2012

Cloud Opportunities
Beyond apparent security and risk challenges, Cloud computing will lead to…
New Security Opportunities

[Figure: Cloud Security Strategy wheel. Segments: Security Operations; Identity and Access Mgmt; ERP; App Development; Privacy; Regulatory; Cyber Threat; Resiliency and Availability.]

• Leverage Cloud solutions to realize better efficiency within the security management program.
• Opportunity to implement stronger security than legacy on-premise security models.
• Disposable environments: turn them off when not in use to keep security efficiency high.
• Reduce vulnerabilities by ‘rightsizing’ resources in use through dynamic provisioning capability.
Copyright © 2012 Deloitte Development LLC. All rights reserved.
Regulations
Using integrated frameworks to help comply with regulatory requirements

WHAT YOU NEED TO KNOW:

CHALLENGES:

Some regulations have not been updated
Since cloud computing is relatively new, many regulatory agencies have not updated their requirements for the cloud.
As regulations change, companies may not know each of the requirements needed to comply before they use cloud computing. Often, the regulatory and security requirements come after the fact.

There are strategies for managing multiple requirements
Companies are at different levels of maturity, requiring strategies for prioritization and remediation.
Companies are concerned with various unknowns, including the rapid development of many new products, technologies, and services available for the cloud.

Standards and leading practices are too new
Cloud computing does not yet have an established “standard” and many leading practices are still evolving.
Depending on the cloud computing solution, using certain cloud service providers may actually increase or change the regulatory requirements that a company traditionally needs to comply with.
[Figure: Cloud Security Strategy wheel. Segments: Security operations; Resiliency and availability; App development; ERP; Identity and access mgmt; Cyber threat; Privacy; Regulatory.]

What to include in your regulatory strategy
• Identifying the current and upcoming regulatory requirements should be part of the design and selection of the cloud solution.
• Use an integrated framework that rationalizes the various regulatory requirements as the single assessment and tracking mechanism for those requirements.
• Create strategies for managing and prioritizing remediation efforts.
• Use a risk-based approach for managing risk.
SOLUTION:

Next steps
• Perform a regulatory analysis of your cloud computing adoptions to understand what requirements are needed.
• Establish an integrated framework for the current and even upcoming requirements.
• Consider a GRC (Governance, Risk and Compliance) strategy that allows an “Assess Once, Test Once, Satisfy Many” model.
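As an added illustration of the “Assess Once, Test Once, Satisfy Many” idea (example code, not from the original deck), the following Python inverts a requirement-to-control map so that each control is assessed once and its evidence reused for every regulation that cites it, reports requirements with no mapped control as remediation gaps, and ranks untested controls by how many requirements they close. All regulation and control identifiers are constructed placeholders, not real framework references.

```python
# Added illustration of an "Assess Once, Test Once, Satisfy Many" mapping.
# All regulation and control identifiers are constructed placeholders.
from collections import defaultdict

# Constructed requirement -> controls map; an empty set means no control
# has been mapped yet, i.e. a remediation gap.
REQUIREMENTS = {
    "REG-A 3.1 encrypt data at rest": {"CTL-ENC-01"},
    "REG-A 3.2 encrypt data in transit": {"CTL-ENC-02"},
    "REG-B 7 encryption of stored data": {"CTL-ENC-01"},
    "REG-B 9 quarterly access review": {"CTL-IAM-03"},
    "REG-C 2 TLS on all external links": {"CTL-ENC-02"},
    "REG-C 5 vendor security assessment": {"CTL-TPRM-01"},
    "REG-C 8 retain logs 12 months": set(),
}


def rationalize(requirements):
    """Invert the map: which requirements each control satisfies,
    plus the requirements that no control covers."""
    per_control = defaultdict(set)
    unmapped = set()
    for req, controls in requirements.items():
        if not controls:
            unmapped.add(req)
        for ctl in controls:
            per_control[ctl].add(req)
    return dict(per_control), unmapped


def assessments_saved(requirements):
    """Assessing each mapped requirement separately versus testing each
    control once: the difference is the duplicated work avoided."""
    per_control, unmapped = rationalize(requirements)
    return (len(requirements) - len(unmapped)) - len(per_control)


def remediation_order(requirements, tested_controls):
    """Rank untested controls by how many requirements they close, and
    list the requirements still open given what has been tested."""
    per_control, unmapped = rationalize(requirements)
    still_open = set(unmapped)
    ranked = []
    for ctl, reqs in per_control.items():
        if ctl not in tested_controls:
            still_open |= reqs
            ranked.append((len(reqs), ctl))
    ranked.sort(key=lambda t: (-t[0], t[1]))  # most coverage first
    return [ctl for _, ctl in ranked], still_open
```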
Application Security
How to enable secure application development

WHAT YOU NEED TO KNOW:

CHALLENGES:

Operational Software Development Life Cycle
SaaS applications should follow a specific Software Development Lifecycle (SDLC) model and operational release management process (e.g., security-focused user acceptance testing).
The operational SDLC for SaaS services may not be mature. The CSP’s SDLC process may not include operational testing, throughput, and data transfer/failover capabilities via PaaS/IaaS.

Secure Configuration and Vulnerability Testing
SaaS applications need to be configured in accordance with a published common configuration management guide and should use common security benchmarks (e.g., OWASP Top 10, CIS Configuration Benchmarks, and NIST SCAP).
Cloud application hosting can involve several outsourced services (e.g., PaaS and IaaS), which can make it difficult to align security practices, response and patch, and vulnerability management capabilities throughout the service offering.

Migrating Legacy Applications
Many companies are recognizing the value of migrating legacy applications to a PaaS model to reduce cost and avoid expensive hardware costs for the upkeep of less active applications.
Application release cycles and patch and vulnerability management can be difficult depending on CSP capabilities, terms, and service operations. The cycle of version changes may not always be known and can sometimes change without warning.
What to include in your App Development strategy
• Create and define application security requirements and regulatory expectations for moving to the cloud.
• Define the SDLC approach and expectations for use of an operational software application hosted by a CSP.
• Update and document patch and vulnerability management expectations for hosted applications, including support services.
• Create a data and application access strategy that aligns with existing data access security policies.
SOLUTION:

[Figure: Cloud Security Strategy wheel. Segments: Privacy; Regulatory; Cyber Threat; Resiliency and availability; Security operations; Identity and access mgmt; ERP; App development.]

Next steps
• Create an application deployment roadmap for moving to a CSP based on risk exposure, risk reduction, and deployment capability.
• Develop security evaluation criteria for application environments, including evaluations of the supporting PaaS and IaaS.
• Outline service-level expectations within the SLA along with an ISA that outlines security expectations (e.g., uptime, upgrades, and response capabilities).