This document provides an agenda for the Scot-Cloud 2017 conference. It lists various speakers and topics that will be covered, including discussions around cloud computing, cybersecurity, fintech, GDPR, and more. Breakout sessions will cover topics such as cloud adoption challenges, the importance of data privacy and security, and TechUK's vision for keeping the UK at the forefront of cloud adoption. There will also be presentations on securing the cloud generation and network security challenges in the third platform age.
20. Scot-Cloud 2017
Rider Levett Bucknall
Professional Services
Construction Industry
120 global offices
Cost consultancy
Building Surveying
Project Management
21. I have nothing to sell!!!
• Cloud isn’t the be-all and end-all
• Cloud can help break down the physical constraints in a business
• Transitioning RLB to SaaS
• Supporting anywhere working and remote access to systems and tools
• Re-skilling the workforce to fit a new business model
Transitioning to a new IT paradigm
22. Sometimes, “easy” just… isn’t…
• Legacy systems
• What does “that box” actually do?
• What does it do?
• Can we switch it off?
• Can it be re-created?
• Intellectual Property
• Concerns over security
• GDPR
• Management inertia
Cloud isn’t the be-all and end-all…
23. Beyond the hype?
Cloud can help break down the physical constraints in a business.
Why move back or stay on premise?
• Cost control
• Data security
• True flexibility
• Better, overall control
24. Don’t do as I say. Or do.
Transitioning RLB to SaaS
Everything – subscription.
• Hardware
• Telephony
• Networking
• WiFi
• Printing
• Services
• ERP
• DMS
25. The World is my office.
Supporting working anywhere
Mobility. Agility. Fragility?
• Cost control
• Data security
• True flexibility
• Have internet, will work…
26. It’s not brain surgery.
Re-skilling the workforce?
Copy the home computing model
• Simplicity
• Security
• Awareness
• Sell the benefits
33. techuk.org |@techUK |#techUK
6 Key areas to be addressed
1. Enabling data portability and system interoperability within the cloud computing ecosystem
2. Building trust in the security of cloud computing services
3. Supporting the cultural shift required to optimise the use of cloud
4. Ensuring effective public sector adoption and usage of cloud
5. Having a communications infrastructure that keeps pace with mass cloud adoption
6. Building a coherent regulatory framework for cloud
34. Enabling data portability and system interoperability
• techUK to develop with members a set of cloud interoperability principles
• The European Commission should work closely with cloud computing providers.
35. Building trust in the security of cloud computing services
• Bring together business leaders, cloud computing and cyber security experts and government officials from BIS, DCMS and the Home Office to:
– Update the cloud security messaging being used today
– Identify possible solutions to building UK cloud confidence.
37. Embracing the change required to optimise the use of cloud
• techUK’s Cloud Champions campaign will be launched
• Showcasing employees, demonstrating how people can develop their skills and potential in cloud driven organisations.
39. Ensuring effective public sector adoption and usage of cloud
• Government departments should engage with industry early in the commissioning process
• Government departments and industry should work together to promote positive case studies
• Public sector leaders should enable a culture which allows public sector commissioners and buyers to leverage cloud computing as part of their business transformation.
42. Having a communications infrastructure that keeps pace with mass cloud adoption
• techUK will seek to engage with OFCOM to enter into a dialogue
• Discuss the connectivity requirements needed to support and enable mass cloud adoption.
43. Building a coherent regulatory framework that supports cloud
• The government’s planned Industrial Strategy and Digital Strategy should recognise the importance of cloud
44. Building a coherent regulatory framework that supports cloud
• The European Commission’s Free Flow of Data Initiative should create a clear and simple regulatory framework
• Prevent the emergence of specific data localisation requirements and obligations.
48. 6 Key areas to be addressed
1. Enabling data portability and system interoperability within the cloud computing ecosystem
2. Building trust in the security of cloud computing services
3. Supporting the cultural shift required to optimise the use of cloud
4. Building a coherent regulatory framework for cloud
5. Ensuring effective public sector adoption and usage of cloud
6. Having a communications infrastructure that keeps pace with mass cloud adoption.
49. Cloud 2020 Vision – The first step forward
Cloud 2020 Vision is the start of a conversation
Sue Daley
Head of Programme
Sue.daley@techuk.org
+44 07701 289 964
@techUK
@channelswimsue
73. Scot Cloud 2017: Network Security in the Third Platform Age
Stephen Hampton
CTO, Hutchinson Networks
10 July 2017
74. The Third Platform
Four Pillar Technologies: Mobile, Social Media, Big Data, Cloud
Innovation Accelerators: IoT, Cognitive Systems/AI, Next Generation Security, 3D Printing, Natural Interfaces, Robotics
By 2019:
• 75% of IT spend will be driven by Third Platform technologies.
• 50% of Global 2000 businesses will depend on the ability to create digitally enhanced products, services & experiences
75. Expanding Attack Surface
• Proliferation of mobile and IoT devices significantly expands the attack surface.
• Cloud providers and service providers in general become high impact, high profile targets.
• IoT is an enabler for DDoS attacks.
• High impact breaches: heart monitors, driverless cars, baby monitors
• “Public Cloud workloads will rise from 49% in 2015 to 68% in 2020”
• “There will be 3X as many IP connected devices in 2020 as there are people on the planet”
• Global cloud traffic will rise from 3.9 ZB per year in 2015 to 14.1 ZB per year in 2020
• “Smartphone traffic will overtake PC internet traffic by 2020”.
76. The Increasingly Irrelevant Security Perimeter
• Micro-services, SDN, NFV, micro-segmentation and the end-to-end principle will eventually render the security perimeter irrelevant.
• Outside users access private cloud services on the inside; inside users access public cloud services on the outside.
• Mobility, VPN, smartphones, tablets and IoT devices have all eroded the perimeter.
• Over 50% of internet traffic is now encrypted and invisible to perimeter firewalls.
77. DDoS & Application Layer Attacks
DYN Attack – October 2016
• Mirai Trojan Botnet (Linux IP cameras and home routers)
• Impacted Twitter, Github, NetFlix, Spotify, Amazon, AirBnB
• 1.2 Tbps (unverified) of TCP/UDP 53 traffic
• DDoS attacks take a volumetric approach by exploiting large botnets.
• Enormous amounts of data are transmitted, which impact the target and often impact the service provider.
• IoT is commonly used to create the botnets.
• Application layer attacks target vulnerabilities in application code.
• DDoS can be used as a cover for a more sophisticated application layer attack.
78. DDoS & Application Layer Attacks
• 53% of service providers identified more than 50 attacks per month
• 95% of service providers have experienced application layer attacks
• 67% of service providers have experienced multi-vector attacks
• The number of DDoS attacks over 100 Gbps increased from 223 to 558 between 2015 and 2016
79. Third Platform Security Opportunities
“By the end of 2017, 60% of major SIEM vendors will incorporate advanced analytics and UEBA (User and Entity Behavioural Analysis) into their products”
Gartner Magic Quadrant for SIEM 2016
80. Third Platform Security Opportunities
Security Analytics
• Big data provides an opportunity to do more with security events
• IoT provides more data collection points
• Private and public cloud provide environments capable of processing the data
• Global Security Intelligence – Talos (Cisco), Arbor Atlas & Digital Attack Map
End Point Security
• Necessity is the mother of invention
• Malware and Ransomware Detection
• Co-ordination with Global Security Intelligence
• Insider Threat
Security Automation
• Public & Private IaaS is driving automation, orchestration and DevOps
• Emergence of intent based automation models
• Cisco Tetration – combines analytics and security automation
Encryption
• Cloud and social have heavily adopted HTTPS
• 77% of Google Traffic is Encrypted
• 50% of Internet Traffic in General is Encrypted
• Intel Xeon E5 V3 – SSL Handshake Instructions
81. Third Platform Security Approaches
Private Cloud
• Information Security Policy (Mobile & Social)
• Endpoint Security
• IoT Management
• 3rd Party Review
• Vendor & Provider Management
• Web & E-mail Filtering
• Identity Management/Single Sign-on
Multi-Cloud
• Information Security Policy (Mobile & Social)
• Endpoint Security
• IoT Management
• Web & E-mail Filtering
• Identity Management/Single Sign-on
• Software Defined (Micro-Segmentation – Zero Trust)
• NFV (Network Functions Virtualisation)
• SSL Termination
• Application Layer Security
• Provider Based DDoS
• Automation and Orchestration
82. Security Practice and Benefits
Fabrix IaaS Security Benefits
• UK Data Sovereignty
• Network Firewalling
• Web Application Firewalls
• Zero Trust Security Policy
• SSL Offload
HN - Network Security Practice
• Firewalls
• Security Analytics
• SSL Offload
• DDoS
• Web Application Firewalls
• Security Automation
• VPN
• Web and E-mail Filtering
85. Outline
• What’s changing with GDPR?
• Key issues for cloud contracts
• Reviewing your contracts
• Dealing with Amazon and Google etc
86. GDPR – In brief
• The General Data Protection Regulation (GDPR)
– New EU-wide data protection law which will have direct effect in EU
member states
– Enters into force on 25 May 2018
– Greater consistency of regulatory treatment
– Stronger and more coherent data protection framework
– Backed by strong enforcement
• Will apply in UK notwithstanding Brexit
– Brexit white paper aspires to “friction free” data transfers with EU27
– GDPR will be incorporated into UK national law but prospect of
divergence thereafter
– Status of EU27/UK data transfers post-Brexit – adequacy finding/UK
privacy shield?
– Right to repatriate data to UK?
87. Evolutionary
Some concepts remain broadly similar
• Key concepts – personal data, sensitive personal data, processing, data
controllers, data processors etc
• Data protection principles – recognizable, but explicit reference to both
transparency and accountability
• Conditions for processing – similar, but some changes
• Data subject rights – broadly recognizable (subject access, rectification,
processing restrictions), but there are some new ones
• International transfers – same regime/same old issues
• Basic data security obligations – BUT see new data security breach
notification requirements
• The ICO – still a UK national supervisory authority
88. What’s changing?
• Application – direct effect in member states
• Transparency – enhanced fair processing transparency requirements
• Consent – concept of consent tightened; easier for individuals to withdraw
• Accountability – obligation to demonstrate compliance; use of privacy
impact assessments
• Administration – increased administration/record keeping requirements
• Data subject rights – enhanced rights including subject access, increased
‘rights to be forgotten’ and data portability
• Organisational principles – data protection by design and by default
• Data processors – Statutory responsibility for data processors
• Data protection officers – mandatory for certain organisations
• Breach notification – mandatory breach notification for certain breaches
• Supervisory authorities – lead authority; formal consistency mechanism
• Sanctions – fines of up to 4% of worldwide turnover or €20M
90. xkcd.com “The Cloud” http://xkcd.com/908/
Licensed under Creative Commons Attribution Non-Commercial 2.5 Licence
91. The Cloud model
• Software as a Service (SaaS) – services delivered over the Internet (processor)
• Platform as a Service (PaaS) – computing platform offered over the Internet (sub-processor)
• Infrastructure as a Service (IaaS) – storage, hosting and computing power delivered over the Internet (sub-sub-processor)
92. Key issues for cloud contracts
• Supplier diligence
– Data security – are you satisfied that data will be kept secure?
– Sub-processing – what subcontractors are used? Do you know?
– Data location – where is the data held? Do you have control?
• Privacy Impact Assessments
– Have you carried out a PIA?
– Have you identified the privacy risks and potential mitigation?
– Is the processing still “high risk”?
• Accountability
– Can you demonstrate your compliance with GDPR?
• Compliance
– Does your contract include the express requirements set out in GDPR?
93. What does GDPR require in your contract?
Contractual requirement | New under GDPR?
More detail about what data is being processed, the types of individuals, and the purpose of the processing | Yes – but may already be in some contracts
Obligation to process only on instructions of the controller | No
Processor’s employees must commit to confidentiality | Yes
Data security | Increase in detail
Controls on appointment of sub-processors | Yes
Obligation to assist with data subject rights | Yes
Obligation to assist with data security, breach notification, DPIAs and consultations with regulators | Yes
Obligation to delete and destroy data | Yes (though should be doing anyway)
Obligation to provide information necessary to demonstrate compliance | Yes
Obligation to allow for and assist with audits/inspections | Yes
94. Action points
• Existing cloud contracts
– No grandfathering for existing contracts
– Review your existing contracts
• Understand the processing and review risks/non-compliance
• Contract amendments
• Migration to another vendor
– Develop a contracts register
• New cloud contracts
– Build a PIA into your supplier diligence process
– Adopt a contract checklist for cloud services – don’t assume the
supplier’s terms and conditions comply
– Develop template contracts?
• Privacy Notices
95. Introducing BOrganised
• Online contract management service which helps clients to manage
their contracts more effectively
• Service is hosted and provided by Brodies
• Key features
– central contract repository accessible from anywhere with
internet connection
– secure, simple, intuitive and flexible
– manage renewals and deadlines using e-mail alerts
– contract ‘linking’
– generates contract summaries to allow at a glance review of key
terms
– searchable
– virtual forum for contract discussions and to store key post
contract documents to facilitate knowledge sharing
Find out more: http://www.brodies.com/borganised
97. Dealing with Google, Microsoft, Amazon etc
• The problem:
– GDPR requires controllers to have greater oversight and accountability:
• PIAs and supplier diligence
• Privacy by Design and Default
• Access to information
• Ability to demonstrate compliance
– Consequences of a breach are more severe under GDPR
– But, many cloud vendors operate a black box approach to data security
and there is limited scope to negotiate on commoditised services
• May impact on:
– Understanding of where the data is held
– What security measures are actually in place
– Audit and inspection rights
• GDPR also creates compliance problems for cloud service providers…
100. Cloud contracts checklist
Data Privacy Impact Assessment
Issue: Compliance with GDPR contract requirements
• Review the contract!
• Identify material risks
Issue: Location of data
• Supplier diligence
• Do you have control over data centre locations?
• If outside the EEA, how are you ensuring there is a lawful transfer and that data is adequately protected?
Issue: Adequacy of data security measures
• Supplier diligence
• Use of independent assurance reports (eg ISAE3402/SSAE16)
• ISO 27001 accreditation
107. Our team
• 120 Staff across the organisation:
• 7 people work directly in IT:
• 2 of those on our CRM platform.
• 2 of those on service desk.
• 2 of those projects/infrastructure.
• 2 Developers
112. Case Study: Community Jobs Scotland
Service components (from the slide diagram): Online Registration, Modelling, 3rd Party Data, Contract, Service, Payments, Processes, On Boarding, Public App, Evaluation, Monitoring, Survey and Comms Apps
113. Case Study: Community Jobs Scotland
114. Case Study: Community Jobs Scotland
• Savings of around £250K on first 12 months
• Onboarding drops from 7 to 2 weeks
• Claim back reduced by 80%
• Programmes run in parallel
• New services added in days rather than weeks
• Teams can collaborate around problems from anywhere
123. Challenges and Rewards
• C-Level Support.
• Teams love the tools, but need constant engagement and
encouragement.
• Shadow IT - easier than before – but easier to block.
• Compliance is easier as we can search and block activities.
• Real $$$ Savings
124. What's Next for us
• Last legacy database – accounts– gone by October.
• Extending our knowledgebases & examining options for machine
learning.
• Extend our automation.
125. Our Experience
• Focus on adoption and training:
• Our team 10% min time spent on learning.
• 40% of our effort is on training and supporting others.
• Less time on fixing ‘stuff’.
• Fun, engaging adoption - #1
130. Disclaimer
The views expressed in this presentation may contain statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results are nothing to do with the author, the author’s current employer, or ISACA, as they are personal views expressed by the author alone.
The information upon which this presentation is based comes from the author’s own experience, knowledge and research from other companies. The opinions expressed in this report are those of the author and no one else; however, due to the time constraints of producing the presentation, we do not guarantee their fairness, completeness or accuracy. The opinions, as of this date, are subject to change. The author, the author’s current employer and ISACA do not accept any liability for your reliance upon them.
131. Agenda
• The challenges of the digital landscape and Cloud security risks
• Where are businesses falling short in cloud security and what assurances should be
taken
• Amazon case study
• The future of the Cloud market for organisations as a business enabler
132. EVOLVING LANDSCAPE FOR ENTERPRISES
Consumerization/Outsourcing
• Mobile devices (Wearables / BYOD)
• Digital FootPrint
• Malware as a service
• Enterprise as a Service
• ANYTHING as a Service
Continual Regulatory and Compliance Pressures
• EU Privacy, Anti-Bribery, SOX, PCI, etc.
• New country “specific” data protection laws throughout 2014
• Canadian Anti-SPAM
• Australian Privacy
• Proposed Russian Privacy
• ISO 27000, ISAE 3402
• Other regulations
Emerging Trends
• Decrease in time to exploit
• Sharing of exploit kits
• Big Data
• Advanced persistent threats (APTs) as a Service
• Multi-Billion Dollar CyberSecurity Industry
• Solution Rich
132 | 7/10/2017
134. What are the types of cloud based systems?
http://www.virtualclouds.in
(diagram axes: EXPERTISE vs. Loss of CONTROL)
135. Cloud risks dirty dozen – CSA (ref below)
Insufficient Due Diligence
Data Breaches
Data Loss
System Vulnerabilities
Insufficient Identity, Credentials and Access Management
Insecure Interfaces and API
Account Hijacking
Malicious Insiders
Abuse and Nefarious use of Cloud Services
Advanced Persistent Threats
Denial of Service
Shared Technology issues.
https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
136. Risk Assessment Matrix
What assets are you putting at risk?
Validate the risks to assets
Does the analysis make sense ? Have you missed anything ?
Reduce the list to a top 10
Going with bigger lists never gets anything done !
I am always asked for my top 10 risks…… due to resource constraints….
Validate the top 10 with the key business stakeholders
Are there any new objectives which change the risks ?
Get the key stakeholders to sign off the priorities
Get ownership for the risks
137. Based on the risk – what assurances have you taken?
• SaaS example of web-based application key data held
• Legal and technical aspects of data handling
• Who has access to the data ?
• IAM controls for users/admins
• Logging access
• Data Protection, E-Privacy
• Encryption
• Key management
• Multi-tenancy
• DDOS
• Data back-ups
138. Based on the risk – what assurances have you taken?
• Supplier assurance
• When should you engage in checking the supplier and what should you check ?
• Vulnerability and Penetration Testing
• BCP/DR/Incident Response
• Right to Audit
• Right to obtain logs from key systems for access and forensics
• Certifications
• ISO27000 (ISO27001, ISO27018), ISAE 3402 , SSAE-16 and CSA-STAR
• Transfers and use of third parties.
139. Based on the risk – what assurances have you taken?
• Contractual agreements
• SLA (service level agreement)
• READ SLA and all supporting documentation
• SLA should have an EXIT STRATEGY
• MSA (master service agreement)
• Change Management, Incident Response, Auditing and Reporting
• Cyber insurance ?
141. Cost Considerations
• Security capabilities for AMAZON
• FREE
• IAM and MFA
• Certificate Manager
• Storage and Database Encryption
• Security groups, subnets, network ACLs
• Architecture review (need to know your stuff)
• CHARGED
• Directory Service ( $0.05 - $0.496/hour)
• Key Management Service ( $1/month)
• Cloud HSM ($5000 to provision, $1.88/hour)
• CloudWatch (see pricing for VPC logs)
• Web Application Firewall ($5/month)
• Amazon Inspector ($0.05 - $0.30 per agent/month)
• Amazon CloudTrail ($2/ 100,000 events)
142. CIS Amazon Best Practice guidance standard
• Key areas
• Identity and Access Management
• Root account is NOT USED !
• Logging
• Cloud Trail
• VPC logging
• Monitoring
• I.e. if someone logs into root account create alarm
• Networking
• Backups
• Use multiple Application Zones (Azs) or Data Centres
• https://aws.amazon.com/architecture
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
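An added example (not code from the presentation or from CIS/AWS) of the "alarm if someone logs into the root account" control above: it applies the CIS AWS Foundations Benchmark metric filter for root-account usage to CloudTrail-style records. The account id, user name and IP addresses are constructed sample values.

```python
"""Detect AWS root-account usage in CloudTrail records, following the CIS
AWS Foundations Benchmark control 'root account is NOT USED'.
Added example; account id, user name and IPs are constructed samples."""
import json
from typing import Iterable

# Constructed CloudTrail-style records (not real log data).
SAMPLE_TRAIL = [
    {"eventTime": "2017-07-10T09:01:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-07-10T09:05:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "ops-bob",
                      "accountId": "111122223333"},
     "sourceIPAddress": "198.51.100.8"},
    # An AWS service acting for the account sets invokedBy; the CIS filter
    # deliberately ignores such records.
    {"eventTime": "2017-07-10T09:06:00Z", "eventName": "CreateLogStream",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "invokedBy": "cloudtrail.amazonaws.com"},
     "sourceIPAddress": "cloudtrail.amazonaws.com"},
    # Service events carry type Root but are not a person using root.
    {"eventTime": "2017-07-10T09:07:00Z", "eventName": "CreateBucket",
     "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "sourceIPAddress": "s3.amazonaws.com"},
    {"eventTime": "2017-07-10T09:10:00Z", "eventName": "CreateUser",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "sourceIPAddress": "198.51.100.7"},
]


def is_root_usage(record: dict) -> bool:
    """Mirror the CIS benchmark metric filter for root usage:
    userIdentity.type = "Root" && userIdentity.invokedBy NOT EXISTS
    && eventType != "AwsServiceEvent"."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def root_usage_events(records: Iterable[dict]) -> list:
    """Return the records that should raise the 'root account used' alarm,
    reduced to the fields an analyst wants first."""
    hits = []
    for rec in records:
        if is_root_usage(rec):
            hits.append({"time": rec.get("eventTime"),
                         "event": rec.get("eventName"),
                         "source_ip": rec.get("sourceIPAddress"),
                         "mfa": rec.get("additionalEventData", {})
                                   .get("MFAUsed", "n/a")})
    return hits


def root_usage_from_json(text: str) -> list:
    """Same check over the {"Records": [...]} JSON that CloudTrail delivers
    to S3, so it can be pointed at a downloaded log file."""
    return root_usage_events(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for hit in root_usage_events(SAMPLE_TRAIL):
        print("ALARM root account used:", hit)
```

In production the same pattern is expressed as a CloudWatch Logs metric filter with an alarm on it; the function here lets you test that logic offline against exported trail files.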
144. The future of the cloud
• By 2020 a Corporate “No-Cloud” Policy will be as rare as a “No-Internet” Policy
• By 2019, more than 30% of the 100 largest vendors’ new software will have shifted to a “Cloud-ONLY” policy
• By 2020 more compute power will have been sold by IaaS and PaaS than by enterprise data centres.
• By 2019 the majority of VMs will be delivered by IaaS (*)
(*= www.gartner.com/newsroom/id/3354117 )