
Page 1: New IIA - Cyber Security Trends for Today's Organizations 8 1 16 - Cyber... · 2016. 8. 10. · Title: Microsoft PowerPoint - IIA - Cyber Security Trends for Today's Organizations

Cloud Computing: Questions Management Asks, and How Audit Can Help

- Are my current security processes and controls sufficient if we were to adopt the cloud?
- Should we adopt a security framework? If so, when and how?
- How do we know if cloud vendors will comply with our regulatory requirements?

  - Perform a controls assessment to identify control gaps which may expose your organization to additional risks.
  - Evaluate compliance requirements and determine if they are being addressed adequately by the cloud vendor and the company.
  - Provide education to the audit committee on risks associated with the cloud.

- What environment is right for my company: private, public, or hybrid?
- Which vendors are players in this space? Will they be in business a year from now?
- Do we have any requirements prohibiting our company data from being stored in certain jurisdictions?

  - Evaluate implementation activities for adherence to the company's SDLC, project management, and change management methodologies.

- How do we stay secure and ensure expected controls are operating if someone else is running/managing our computers and software?
- How will the cloud vendors control access to our data? How do we know they will not abuse that access?
- Can we perform audits of the vendor's environment?

  - Assess vendor internal controls so they meet your needs: review policies, vulnerability and pen test results, and SSAE16 reports.
  - Understand where your data is physically stored.
  - Assist with "right to audit" contract requirements.


Service Models

Infrastructure as a Service (IaaS): The vendor provides physical computer hardware, including CPU processing, memory, data storage, and network connectivity.

Platform as a Service (PaaS): The vendor provides Infrastructure as a Service plus operating systems and server applications such as web servers.

Software as a Service (SaaS): The vendor uses their cloud infrastructure and cloud platforms to provide customers with software applications.

Deployment Models

Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Private Cloud: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).


Cloud Security Alliance (CSA)

Background
- https://cloudsecurityalliance.org/

Affiliate Members

Corporate Members

Control Domains
- Datacenter Security
- Governance and Risk Management
- Threat and Vulnerability Management

Framework Comparison: ISO (27000 Series) vs. NIST Cybersecurity Framework (CSF)

Framework background

ISO (27000 Series):
- Provides a broad information security framework that can be applied to all types and sizes of organizations and across industries.
- Broken up into different sub-standards based on the content.

NIST Cybersecurity Framework (CSF):
- Regulatory agency of the United States Department of Commerce.
- Initially intended for U.S. companies that are considered part of critical infrastructure.
- http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Comparison criteria (ISO / NIST CSF); criterion labels that did not survive extraction are marked as missing:

- (criterion label missing from the page): Yes / No
- (criterion label missing from the page): Yes / Yes
- Methodology on how to implement cybersecurity in an organization: Yes / Yes
- (criterion label missing from the page): No / Yes
- Applicable to all industries: Yes / Yes
- (criterion label missing from the page): Yes / No
- Framework consists of domains: Yes / Yes
- Implementation complexity: High / Medium
- Number of controls: 114 / 98
