- Eric Chiu, Founder and President, HyTrust
- John Lamboy, President and CEO, Cyber Defence Security and Intelligence (CDIS)
- Michel Fosse, Consulting Services Manager, IBM
- Paul Stillwell, Senior Security Consultant, Intrepita
- Robert Hawk, Secure Networking Designed/Risk and Security Assessment SME, BC Hydro
- Steven Woodward, CEO, Cloud Perspectives
- Hosted cloud environments, such as infrastructure as a service (IaaS) or platform as a service (PaaS), offer major IT and business benefits that organizations are looking to realize.
- Organizations may decide to migrate some part of their IT operations to a hosted cloud environment to realize any number of benefits.
- Security remains a large impediment to realizing cloud benefits. Numerous concerns still exist around the ability for data privacy, confidentiality, and integrity to be maintained in a cloud environment.
- Even if adoption is agreed upon, it becomes hard to evaluate vendors that have strong security offerings and even harder to utilize security controls that are internally deployed in the cloud environment.
- Security Perception: Cloud can be secure although unique security threats and vulnerabilities create concerns for consumers.
- Balancing Act: Securing an IaaS or PaaS environment is a balancing act of determining whether the vendor or the consumer is responsible for meeting specific security requirements.
- Structured CSP Selection Process: Most security challenges and concerns can be minimized through our structured process (CAGI) of selecting the trusted CSP partner.
Impact and Result
- The business is adopting a hosted cloud environment and it must be secured, which includes:
- Ensuring business data cannot be leaked or stolen.
- Maintaining privacy of data and other information.
- Securing the network connection points.
- Determine a balancing act between yourself and your CSP—through contractual and configuration requirements, determine what security requirements your CSP can meet and cover the rest through internal deployment.
- This blueprint and associated tools are scalable for all types of organizations within various industry sectors.
1. Determine your IaaS/PaaS risk profile
Gain understanding of what the major implications of adopting an IaaS/PaaS program are and what this means for your organization’s security.
2. Determine your IaaS/PaaS security control requirements
Determine a customized list of security controls specific to your organization’s needs.
3. Evaluate IaaS/PaaS vendors from a security perspective
Determine which cloud vendors are most appropriate for your security needs.
4. Implement your hosted IaaS/PaaS security controls
Delegate responsibilities for meeting security requirements to create action-oriented items that can be communicated effectively with stakeholders, ensuring proper implementation of security controls for your program.
5. Build an IaaS/PaaS security governance program
Ensure the continued maintenance and security of your IaaS/PaaS programs.
This guided implementation is a four-call advisory process.
Call #1 - Determine your hosted cloud risk profile
Info-Tech will work with you to identify your organization’s specific risk profile of hosted cloud environments. Various factors will be evaluated and the final result will be discussed.
Call #2 - Determine your security control requirements
Info-Tech will work with you to determine what security control requirements the organization will need based on its risk profile. Discuss and identify what control requirements should be met by the vendor or by your organization.
Call #3 - Implement your hosted security controls
Info-Tech will work with you to implement identified security controls by providing in-depth implementation steps for each security control.
Call #4 - Build an IaaS/PaaS security governance program
Info-Tech will work with you to develop processes so your organization can maintain and measure its cloud environment security.
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Determine Your Hosted Cloud Risk Profile
- Identify rationale for adopting an IaaS/PaaS program to ensure security is not an impediment.
- Identify major changes to security obligations from the adoption of an IaaS/PaaS program.
- Determine the risk profile of the organization’s new IaaS/PaaS program.
Key Benefits Achieved
- Realized business benefits: Identify the business’s main rationale for adopting cloud and ensure this is not impeded.
- Understanding of your security scope: Assess the business processes being changed and respective changes to your security.
- Determination of your specific cloud security risk profile.
Determine your organization’s rationale for cloud adoption and what that means for your security obligations.
- Determined what the organizational risk profile is for adopting IaaS/PaaS.
Evaluate all risk-based variables to determine your IaaS/PaaS cloud risk profile.
- IaaS/PaaS Risk Profile.
Analyze and document your hosted cloud risk profile.
Module 2: Determine Your IaaS/PaaS Security Control Requirements
- Develop an understanding of how IaaS/PaaS security can be achieved.
- Determine and document all security control requirements of the organization.
Key Benefits Achieved
- Select a safe IaaS/PaaS vendor.
- Select an auditable IaaS/PaaS vendor.
- Select a transparent IaaS/PaaS vendor.
- Select a portable IaaS/PaaS vendor.
Understand how consumers can evaluate vendors’ security capabilities.
Perform a cloud security requirement completeness assessment.
- Evaluated vendors’ security capability completeness based on your organization’s IaaS/PaaS risk profile.
Perform a cloud security auditability assessment.
- Evaluated vendors’ auditable levels of their certifications and security testing.
Perform a cloud security governability assessment.
- Evaluated vendors’ governability by assessing transparency.
Perform a cloud security interoperability assessment.
- Evaluated vendors’ portability by assessing their interoperability.
Module 3: Evaluate Your Cloud Vendors and Implement Your Security Controls
- Evaluate vendors’ ability to meet those internal control requirements as well as their ability to meet vendor-specific control requirements.
- Build an action plan/roadmap for securing your cloud environment.
- Implement the action plan.
Key Benefits Achieved
- Effectively communicate with potential CSPs.
- Ensure your requirements are understood and being met.
- Delegated responsibilities for meeting security requirements.
- Moved from a list of needs to an action plan.
- Communicate your security strategy.
Understand the problems and components of cloud contracts.
Create your IaaS/PaaS SLA document.
- Created your security portion of your cloud SLA.
Determine communication lines.
- Entered into vendor selection and contract negotiations.
Perform due diligence on shortlisted vendors.
- Begun due diligence practices on vendor selection.
Identify potential obstacles and stakeholders.
- Allocated responsibility between the consumer and the CSP for meeting specific requirements.
Turn your security requirements into specific tasks and develop your implementation roadmap.
- Translated security requirements into actionable tasks that have then been prioritized and planned.
Develop a communication plan to ensure successful adoption and buy-in.
- Developed a communication plan to gain senior buy-in and ensure successful adoption of security controls.
Module 4: Build a Governance Program
- Develop processes so the member can maintain and measure its cloud environment security.
- Ongoing vendor governance.
- Ongoing internally deployed security control governance.
Key Benefits Achieved
- Ensure continued security and maintenance of privacy and integrity of your cloud environment.
Build the organizational structure of your IaaS/PaaS Security Governance Program.
- A completed security governance program to track ongoing cloud security duties and responsibilities.
Define your escalation processes.
Build an IaaS/PaaS Security Governance Committee.
Document your identity and access policies and procedures.
Develop your ongoing communication management practices.
Define information governance for data in this new environment.
Build a metrics program in order to objectively measure your project success.