1. Building trust in the cloud
2nd Middle East Cloud Computing and Big Data
Conference and Exhibition
November 2014
2. Contents
1 Why: the need for a trusted cloud environment
2 How: how to build “trust” in the cloud
3 What: what kind of assurance can be provided
4 Summary
Page 2 | Building trust in the cloud
3. Why: the need for a trusted cloud environment
4. Cloud adoption is on the rise and is becoming more
critical for business
► There has been a dramatic increase in cloud
adoption over the last two years.
► Cloud is accelerating the digital transformation
currently underway.
► Users continue to bypass in-house IT when
adopting cloud solutions.
► Since cloud solutions have been mostly
implemented as point solutions, integrating
these is quickly becoming a priority.
► Organizations are beginning to understand that
the “hybrid cloud model” is the preferred
method of service delivery in many situations.
► However, a hybrid model introduces complexity
and risk if not assessed and fully understood.
► Companies are weighing the value, cost and
risk of cloud solutions rather than building new
environments in-house.
Chart: “Does your organization currently use cloud-based services?” Share of respondents who say they are currently using or planning to use cloud computing services: 2010: 30%; 2011: 44%; 2012: 59%. Cloud adoption has almost doubled from 2010 to 2012.
Source: EY Global Information Security Survey (GISS) 2012
5. Some sectors are faster to adopt the cloud than others.
► Certain sectors have unique
challenges to cloud adoption.
► Privacy (and security) concerns and
migration costs present a barrier to
cloud adoption.
► Industries like media and education
are quick to embrace cloud because
it enables faster collaboration and
better content integration.
► Bottom line: know your industry
and the unique technology hurdles
to clear when starting your journey
to the cloud.
Industry | Adoption
Banking | Private cloud – SaaS and IaaS
Education | Email, collaborative and back-office SaaS/IaaS
Energy and utilities | Not much happening; delivery model for consumption data and billing or managing asset-related GIS data
Government | Private cloud, email and some SaaS
Healthcare payers | Administration, care transformation
Healthcare providers | Collaboration, imaging, medical records
Insurance | Noncore applications and limited SaaS for vertical solutions
Media | Content management, distribution and analytics
Manufacturing | SaaS mostly
Retail | IaaS, PaaS and SaaS
Maturity scale used on the slide: Advanced, Heavy, Moderate, Measured, Lagging (the per-industry rating was shown graphically).
Source: Gartner (May 2012)
6. Fighting to close the “cloud control expectation gap”
► Companies have made significant
moves to cloud-based solutions.
► Adopters of cloud solutions expect
cloud service providers to deliver all
the necessary controls to address the
confidentiality, integrity and availability
of their data.
► However, we have seen a much
slower adoption of the controls
necessary to promote a secure,
trusted and audit-ready environment.
► As a result, the gap between what
cloud controls we think we have in
place and the controls we typically
implement in the cloud is widening.
► This exposes adopters of cloud
technologies to unmitigated risk.
Figure: the controls required to promote a secure, trusted and audit-ready cloud environment versus the controls typically implemented in the cloud; the difference between the two is the cloud control expectation gap.
7. Does cloud create a better, stronger fortress or easier access to the crown jewels?
Our research indicates that cloud solutions are more likely to be the target of cyber attacks.
Cloud providers consistently invest in enhancing the security controls of their solutions.
Figure: failed and successful attacks against the “crown jewels”: financial data; pricing and costing data; trade secrets; customer information; SSN, PHI and PII data*; R&D data; legal actions; strategic information; proprietary data and processes.
* Social security number, personal health information, personally identifiable information
8. Cloud environments should be secure, trusted and
audit-ready (STAR) to close “the gap”
Secure
A secure cloud environment has the appropriate
controls to protect the confidentiality, availability and
integrity of the systems and data that reside in the
cloud. Appropriate procedural and technical protections
are in place to protect data at rest, in transit and in use.
Trusted
A trusted cloud environment is designed to stand the
test of time. It should demonstrably provide high
availability and resilience to adverse events.
Audit-ready
An audit-ready cloud environment has continuous
compliance and is certified to meet specific industry
regulations and legislation. Appropriate procedural and
technical protection is in place and documented, and
compliance can be verified.
9. How: how to build trust in the cloud
10. There are many barriers and risks to achieving a STAR
cloud environment
► Loss of control over data
► Lack of information isolation
► Inadequate compliance support
► Lack of standards and interoperability
► Unclear legal support or protection
► Weak authentication/authorization controls
► Lack of recovery strategy
► Inability to provide assurances
11. Cloud consumers must evaluate the maturity of their processes and
controls relative to the cloud service provider (CSP)
Given the risks of venturing into the cloud, should I make the move?
Yes, but …
Figure: the risks of operating in-house weighed against the risks of operating in the cloud.
► Before moving to the cloud, we should weigh the risks of operating a technology environment ourselves versus governing a cloud vendor.
► If our requirements are so specific and narrow and our internal capabilities are already very mature, a cloud vendor may not be a viable
or prudent solution.
► However, cloud vendors are in the business of IT and in many cases are more mature than operating in-house.
► Either way, the cloud “make or buy” decision should contemplate six key cloud control domains that define the EY Cloud Trust Model.
12. The type of services you implement changes the
controls you need
Deployment model (public/private/hybrid/community cloud); on/off-premise; in-house versus outsourced.
Each service model spans the same technology stack: applications, data, runtime, middleware, O/S, virtualization, servers, storage and networking. What changes is the control owner for each layer: in-house the consumer owns every layer, and as you move through IaaS, PaaS and SaaS the cloud provider takes over progressively more of the stack.
In-house
The traditional approach of deploying and using business software in-house by the enterprise. The system is developed and installed, and the supporting infrastructure is hosted internally.
Infrastructure as a service (IaaS)
Combines executing operating systems, storage, messaging, databases, load balancing, networking, failover, redundancy, etc., so that the customer buys a service rather than having to architect and specify how such infrastructure should be configured and deployed.
Platform as a service (PaaS)
Includes security, authentication, authorization, transaction management, code execution, powerful domain-specific languages, and point-and-click configuration that replaces traditional software languages.
Software as a service (SaaS)
Provides the capability to the consumer to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.
13. The type of cloud you choose matters: it shifts the
controls you need
Control ownership varies depending on agreements between cloud and consumers, within two bounds.
Minimum accepted cloud controls
► Cloud service providers should have a bare minimum of baseline controls in place in order
for cloud consumers to feel comfortable moving to the cloud.
► Examples include logging, monitoring, user authentication and encryption.
Maximum allowable cloud controls
► Certain controls should not (or cannot) be executed by cloud service providers and should
be kept in-house.
► Examples include governance, risk acceptance, policies, standards, user approvals, segregation
of duties and other controls that require unique knowledge of the organization.
14. The Cloud Trust Model is composed of six cloud control
domains to achieve a STAR environment
EY Cloud Trust Model
Objectives (we aspire to be …): Secure, Trusted, Audit-ready
Cloud control domains (by focusing on these …):
1 Technology
2 Data
3 Organizational
4 Operational
5 Audit and compliance
6 Governance
15. The EY Cloud Trust Model aligns to the Cloud Security
Alliance (CSA) Framework
EY Cloud Trust Model domains: Technology, Organizational, Data, Operational, Audit and compliance, Governance.
Cloud Security Alliance (CSA) Framework domains mapped to them:
► Human resources
► Encryption and key management
► Identity and access management
► Infrastructure and virtualization security
► Mobile security
► Threat and vulnerability management
► Application and interface security
► Data security and information life cycle management
► Business continuity management and operational resilience
► Change control and configuration management
► Datacenter security
► Interoperability and portability
► Audit assurance and compliance
► Governance and risk management
► Security incident management, e-discovery and cloud forensics
► Supply chain management, transparency and accountability
16. What: what kind of assurance can be provided
17. EY’s Cloud Trust Services Framework enables a secure,
trusted and audit-ready environment
EY Cloud Trust Services Framework
Assess and monitor
It aims to evaluate and periodically examine clients’ current risk profile and help them develop a plan to address any key areas of exposure.
Improve and enhance
It focuses on guiding clients through a maturity journey to build trust by developing new enhanced capabilities.
Certify and comply
Its objective is to promote a compliant and audit-ready environment for clients via certification, proactive audits and agreed-upon procedures.
18. Cloud services are segmented into cloud service
consumers and cloud service providers (CSP)
Key questions addressed for
cloud service consumers
► How does my risk profile change by moving to the
cloud?
► How do I meet my regulatory mandates after moving
to the cloud?
► What factors can help me evaluate a
trusted provider?
► What do I need to do to confirm my data is safe?
► How do I confirm my providers’ security standards
and policies are sufficient to build trust?
Key questions addressed for
cloud service providers
► How do I build/showcase my security and
compliance capabilities?
► How do I gauge my existing security and compliance
capabilities against my contractual obligations?
► What capabilities do I prioritize for investments
and enhancements?
► How can I adopt industry standards to
raise the maturity of security and
compliance capabilities?
20. Trust is the foundation on which cloud
environments should be built
Why? How? What?
Cloud computing has become a mature IT service delivery model.
The question is how it can be made trustworthy.
Trust in the cloud equates to a secure, trusted and audit-ready (STAR) environment.
There are six key dimensions of cloud trust (organization, technology, data, operations, audit and compliance, governance).
Cloud consumers as well as cloud service providers need a reference model.
The Cloud Trust Model (CTM) provides a modular framework comprising “assess and monitor,” “improve and enhance” and “certify and comply.”
21. Thank you
Name
Title
Cloud Computing – IT Transformation
Phone: +965 2295 5117
E-Mail: christoph.capellaro@kw.ey.com
Editor's notes
► existing security policy accommodates the cloud model?
► cloud deployment compromise my ability to meet regulatory mandates
► cloud providers using any security standards or best practices
► happens if a breach occurs? How are incidents handled
► Who is liable or will be viewed as the responsible entity for securing my data
► What are the factors that tell me I can trust this provider