Cloud Governance ISACA KPMG 2017

Cloud
Governance
ISACA Information Security & Risk Conference

Halifax NS
November 2017
1
© 2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”),
a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. 1
Cloud Challenges
and Benefits
2
Cloud adoption and innovation is a
top priority for our clients
Industry So what?
Social Information verticals as the — Our clients are dealing
Cloud Mobility
networks explosion 3rd Cloud with the question of how
platform to adopt cloud.
Significant portion of
their budgets will go
21% 82% 100% 66% 35% towards cloud.
Estimated CAGR of Sales teams growth every of mobile apps High value
in SaaS market will adopt public two years, developed in the industry
— Cloud architectures are
through 2018 social networks reaching 44 next 3 years will solutions will changing business
by 2016 zettabytes by be integrated become the 3rd models and require
2020 with Enterprise platform for different thinking and
Apps (Oracle, cloud expansion. solutions.
Microsoft, SAP) (health, energy,
Govt.) — Product, corporate IT,
and business are
transforming around
40% of enterprises IT dollars will be spent outside of IT by 2016 – Gartner cloud-based models.
— Security, risk, and
compliance are top
$1 of every $4 spent on applications will be consumed via the cloud by 2018 – IDC concerns.
30% of all new business software purchases will be service-enabled by 2018 – IDC
70% of the G2000 will still have 75% of IT resources running onsite by 2018 – IDC
Desire for Cloud Benefits is Driving
More Investment
What are your top three reasons for using cloud technology?
Improve agility and responsiveness

CIOs Planning ‘Significant Investment’ in Cloud:
Improve availability and resiliency
IaaS PaaS SaaS
Accelerate product innovation
Save money 1642
Best solution available
Shift CapEx to OpEx
2019
1039
Simplified management 1240
2016
Better enable the mobile workforce 670
Data center modernization

838 1307
Support global shared services
Improve alignment with customers
= 5% of
respondents
Source: KPMG CIO Survey 2016
…Leads to A Number of Challenges
Vendor Pressure Organic Cloud Expansion
Vendors are overstating need External (vendor) and internal
to end support for on-premise (business unit) demands tend to focus
solutions while pursuing on one-off solutions and ignore
market share requirements of the enterprise
Economies of Scale Cost Transparency
Piecemeal cloud projects prevent Inability to fairly compare cloud Return on Investment
legacy installations from being and internal cost prevents Multi-year implementation plans
retired and stranded IT costs from creation of a compelling and long payback periods make the
being removed from balance sheets; economic case for cloud business case for cloud migration
an enterprise roadmap is needed migration harder to sell
Support Model Business Executive Support

Reliance on third party services Efforts by central IT to execute
makes picking the right Cloud Service an enterprise-level cloud
Provider (CSP) a crucial component Complexity & Risk strategy can struggle to get the
for successful cloud adoption Complex regulatory, security, and senior business support needed
Organizational Impact information protection to overcome conflicts, reinforcing
Choice of cloud model could considerations, especially for the status quo
greatly impact, or eliminate the multi-national corporations
need for, members of the IT
organization
Resulting in the following risks
— Do I know where my data is located in the cloud?
— Has data been classified as per company policies and secured accordingly?
— Am I aware of the compliance requirements to be met?
— Is member data appropriately isolated, segregated and masked?
— What accounts do I have in the cloud and is access to confidential data
logged and monitored?
Data and
Regulatory
— How do I account for spending in Compliance
the cloud and by who? — Have I integrated the cloud
— What is my financial exposure? environment to leverage existing
— Is there a consistent approach to Financial
IT and technology services?
Technology
defining the business case for Mgmt — Are my production and
Integration
leveraging cloud solutions? development environment
— Is there a clear process to predict Business Risks
appropriately segregated?
and manage spending on cloud — Do I have a process to monitor for
solutions? evolving technology?
Governance
Vendor Mgmt
— Is there a clear process to manage cloud & Operations
procurement?
— Does the vendor have the required certifications?
— Is the cloud strategy operationalized across the
— How stable is the provider? organization through a governance model and
— Have expected contract terms and conditions, including exception management?
SLA, been defined for cloud vendors? — Is my cloud application backed up appropriately?
— Is there monitoring of cloud vendors to ensure they — Is there DR in place?
meet compliance requirements and controls?
— Do I have a process to monitor SLA compliance?
— Is there a defined exit strategy?
A business challenge
Cloud services adoption and operations is fundamentally changing all aspects of the digital business ecosystem; while stakeholders
have distinct challenges – a common set of security capabilities are needed
Economic buyer priorities & concerns…
CIO/CTO CISO Internal audit & legal

“How do we maintain
“All in on “Where do I compliance and privacy across
cloud” start?” infrastructure, SaaS, and
Economic buyer concerns
PaaS type services?”

“My data center is
disappearing – how do “How do we stay on
secure what’s not in top of cloud-related
our data center?” risks when things
are moving so fast?”
“We need flexible “How do I stay relevant

security architectures and protect the business
“How can I leverage “How do we audit
and services to when it’s moving so fast
cloud to get more and ensure compliance
drive innovation” and not consulting me?”
“Identifying cloud risks out of my budget?” across our vendors and
“How do I make sure
we strike the right is easy; what do we do implementations?”
balance of security about them? How do I
and enablement”? “operate” securely?”
…are driving demand for common cloud security capabilities

Cloud security capabilities
1. Securing move to cloud 1. Cloud security strategy & 1. Privacy, risk, and compliance
infrastructure: Azure & AWS architecture for IaaS, SaaS, and 2. Cloud vendor risk management
2. Securing move to cloud apps and PaaS
3. Auditing cloud use
services: O365, SFDC, Google, 2. Implementing security solutions
ServiceNow, Workday, etc. – for and as cloud
3. Enable secure engineering and 3. Security operations for and as
Security DevOps cloud
4. Privacy, risk, and compliance
Cloud Governance
Maturity Model
8
Cloud Maturity Model
Organizations need to take a comprehensive view of IT capabilities and understand the
implications of cloud on the IT organization. While many traditional IT capabilities can
be leveraged, many will need to be enhanced to work in a cloud environment:
Enterprise • Cloud Architecture linked with Business and IT Strategy

Architecture • Risk-based reference architecture for cloud
Financial
• Mature cost forecasting and business case models
Management • Continuous monitoring and adjustment
• Fully integrated security model with cloud solutions

Security and Privacy
Maturity Operational • Defined SLA by workload and automated management

Elements Management • Reducing cost of operations as a percentage of total IT spend
Talent Management • Cloud talent strategy tie-in with HR strategy and workforce planning
Risk and Compliance • Cloud decision framework incorporates Risk and Compliance
Vendor • Cloud decision framework

Management • Alignment of business, IT and procurement across the vendor lifecycle
• Contracts align to relevant risks
Cloud Maturity Model
Cloud governance requires all the elements to be built and in place – most organizations are
still creating or tailoring these elements to a cloud first world:
Enterprise
Cloud Assurance
Architecture
Advanced
Financial Architecture driven by
Management business strategy, mature cost
forecasting, forward looking GRC,
strategic vendor relationships.
Security and Privacy
Mature
Maturity Operational Cloud reference architecture,
Elements Management automated SIEM, cost monitoring,
integrated GRC, centralized
contract management.
Talent Management Basic
Ad-hoc architecture, manual
SLA and vendor
Risk and Compliance management, basic security
in place.
Maturity level
Vendor
Management
Cloud security point of view
Compounding security challenges as
a result of cloud
As cloud services are introduced to the environment, security risks are compounded as a larger and more complex security perimeter is
exposed to increased threat vectors
New models, architectures, and relationships New and existing threats

Threat actor Threat objective
Organized
Public, — Financial Gain
crime
Private,
Hybrid — Corporate
Vendor SaaS, PaaS, espionage
management IaaS
— Financial Gain
Nation state Competitor

— Competitive
Data Advantage
Multi-cloud
Decommis- Dependencies
sioning
Cloud — Economic
Advantage
— Financial Gain
Secure API Architecture
— Intelligence
development &
deployment — Fame
Hacker
Software — Notoriety
Data
Defined
Protection — Embarrassment
Perimeters
— Financial Gain
As organizations adopt cloud technologies and services, security leaders will need to revisit how they secure their
environments to sustain their security posture and reduce exposure to new and existing threats.
Key Cloud security risks
Most organizations already have robust IT Security capabilities and tools in place. However, the unique attributes of Cloud require a new
framework and approach. We see six top cloud-related risks driving a majority of security discussions:
Data security and compliance across

System and application vulnerabilities Cloud to Cloud
Cloud
How do I address application How do I securely build and operate How do I detect, respond, and
vulnerabilities and risks when my when services are built on other protect what’s already in the cloud
applications live outside my cloud services? How do I manage my across heterogeneous cloud
organization and they broker other risks in an inter-dependent cloud environments?
cloud services? world?
Shadow IT and
Malicious insider threat Secure cloud development
Cloud governance
We can’t protect what we don’t All service models IaaS, PaaS and How do I bake security into my
know. How do I detect and govern SaaS are vulnerable to attacks by continuous development and release
shadow IT’s use of cloud without malicious insiders. How do I lifecycles? How do I securely develop
impeding innovation? monitor, protect and prevent across cloud APIs?
unauthorized actions on my data?
The framework for addressing these issues must to be in place before Cloud planning and implementation can begin. As the
organization continues to transform, the principles developed for the cloud must be integrated into the larger IT Security
framework.
Guiding principles for cloud security
Although cloud technologies have provided organizations powerful tools along with the ability to decrease IT costs, it has increased the
potential risks and threats to the organizations. Ensure your organizations security by assessing its security posture.
Security must Security must Security must

Security Security must Security must
1 2 be risk 3 4 5 be business 6 enforce
must adapt be flexible invest smart
focused focused compliance
While security Security must Security Legacy Business Security

fundamentals still “enable” and architecture investments are mindset: capabilities
apply – security provide and solutions not enough; Operate as should exist to
technology, solutions to should address agile, business risk reduce inherit
process, people, reduce risks to security across API-driven and advisors who risk from
and delivery acceptable multiple clouds purpose-built understand regulatory or
models must levels and use cases solutions for technology; not compliance
adapt to enable (IaaS, PaaS, cloud are as requirements
cloud adoption SaaS, etc.) required technologists
and operations (e.g., Security who dabble in
as a service) the business.
Leading practices to implementing a
secure cloud
API-based security: Traditional security solutions (e.g., heavy, on premise, UI-based) solutions impede adoption and
often times are unable to natively integrate with cloud services. Organizations need integrated, native-cloud
API-based security solutions (e.g., identity, data protection, logging, configuration checks, etc.) to unlock the
innovation and flexibility cloud offers.
Incident response: Organizations should develop detailed response plans to mitigate different types of security
threats that could affect them. Policies should be established and resources should be allocated for the response
team and periodic drills should be implemented to ascertain any gaps in the policies
Federated identity and access management: Organizations should extend their existing Identity Management model
to the cloud service; mapping roles, entitlements, and user-base and ensure existing policies can be enforced and
procedures can be followed. An isolated domain leads to limited context and a higher potential for access control
errors.
Data-centric security: For SaaS and PaaS models, securing the perimeter is the responsibility of the provider; thus for
consumers to have confidence they must protect the data directly. Organizations are adopting native-cloud
encryption and digital rights management solutions to provide reliable, data-centric protections in the cloud.
Secured perimeter that spans the entire stack: The software-defined nature of cloud-based networks means
perimeter security is critical and challenging. Perimeter security will need to be re-evaluated based on the new cloud
services being introduced into the environment. The network architecture must allow for complex segmentation and
filtering without increasing time to configuration.
Integrated security monitoring and operations: Secure Cloud adoption can underscore the challenges of obtaining
actionable intelligence. Organizations should implement smart logging, threat intelligence, and monitoring tuned to
business, architecture, and data-specific contexts and that integrates with native cloud platforms.
Taking a multi-dimensional approach
to securing the Cloud
CSA Capability wheel
We combine our experience with leading control and regulatory frameworks, our cloud implementation and operations experience, with our deep
cybersecurity and risk management insight to help organizations securely adopt and operate in the cloud.
Governance and compliance — Cloud Security Strategy (Capability Gap

Assessment, Roadmap, Business Case)
— Application performance monitoring — Sponsorship & Org
— Vendor management Development/Re-alignment
— Training & Awareness
— Security Metrics & SLA Monitoring,
— Human Resources, People & Skills
Management,
— 3rd Party Risk Management — Common Cloud – Security Reference
— Cloud Risk Assessments Architecture
— Business & IT Cloud Security Policies, — Infrastructure Virtualization & SaaS
Standards & Guidelines Strategy, Application Security
— Regulatory compliance for cloud Delivery and
governance & — End point security, network filtering (NIDS),
(e.g., PCI, ISO, HIPAA, SOX, GLBA) operations
management content filtering, encryption, behavioral
malware protection
— Mobile Security
Risk & SaaS Security — Secure API Management, Secure
compliance architecture & Development LifeCycle, DevSecOps
management PaaS services
— Configuration & Change Management — Logging & Audit

— Cloud Forensic IaaS — Vulnerability Identification & Remediation
— Security Incident Response — Event Correlation & Monitoring for Cloud
— Disaster recovery/Business Continuity (including cloud to cloud)
Incident & Threat & — Application security (Secure code review)
and Recovery
crisis vulnerability
— Security Audit Logging & Monitoring &
management management
Predictive Analytics — Cloud Identity Integrated Lifecycle
Management (Registration, Provisioning,
— Asset Inventory (Business, Systems
Decommissioning)
and Applications) Information & Identity &
— Cloud Access Management (SSO,
— Sensitive Data Ownership & privacy access
Federation, Multi Factor Authentication)
Classification (Data flows &Contextual protection management
— Secure Gateway (API security, XML based
Attributes)
Firewall protection)
— Data Detection, Loss Prevention and
— Privileged Access Management
Digital Rights Management for Cloud
— Identity Audit and Review
for Data at Rest, Data in transit and
— Authentication services (SSO, multi factor,
Data in use
SAML, CASB)
— Privacy and jurisdictional review and
— Authorization services (XACML, entitlement
requirements for data transfer and
Solutions and operations review, policy enforcement)
access
Not all workloads require same
security capability Restricted Workloads
(few apps & highly secured)
HR Systems
Maximum security
Prod Code Build
Baseline
Code Signing
Bug Reporting
Confidential Workloads
(moderate number & moderately secured)
Automation Code Payment

Systems Messaging Systems
Revenue Reporting
Authentication/Authorization
Level of Security Control
All Non-Sensitive Workloads

(many apps & minimally secured)
Engineering Dev/QA Minimum security

Engineering Lab Baseline
Non-Sensitive Production Apps
Level of Data Sensitivity
5 Steps toward a posture to enable
and protect cloud adoption
Develop a cloud security reference architecture and strategy to enable and protect the business across your
1 SaaS, IaaS, and PaaS journey and migrations
Discover and protect sensitive and high value cloud data and files already in the cloud using purpose built tools
2 and integration with existing security and operational processes
Develop cloud governance and monitoring policy, process, and technology to detect, help prevent, and respond
3 to cloud service misuse
Understand your adversaries – including their motives, resources, and methods of attack to help reduce the time
4 from detect to respond
Assess cybersecurity of third parties and supply chain partners, and ensure they adhere to your security policies
5 and practices and address common cloud gaps
Cloud Governance
and Reference
Architecture
19
Cloud platform security overview
Program drivers & Align with security Integration with other

Risk assessments
business alignment strategy & operations security architecture
Security IT
Cloud security fabric

App developer Enterprise
(Emphasis on Detective Controls)
Homegrown Apps
ISV Cloud Apps   …
API API
DLP/ Configuration Encryption Apps User Behavior
Any App Content Security Management Firewall Analytics
Classification
API
IDaaS SaaS PaaS and IaaS
End – User
Cloud architecture & control alignment
Cloud arch layer Definition CSA domains
Customer access Hosts, end users and Application & Identity &
all the end points Encryption &
Audit, Assurance & Compliance(Applicable across all layers)

Interface Access
SIEM, E-discovery & Forensics(Applicable across all layers)

accessing the cloud Key Mgmt.
Governance & Risk Mgmt. (Applicable across all layers)

security Management
services
Data security & Application & Identity &
Apps & data Customer application Encryption &
Info Lifecycle Interface Access
security and data layer Key Mgmt.
Mgmt. security Management
Cloud Abstraction layer Identity &

orchestration referring to cloud Change control
Access
orchestration services & config
Management
to manage a single
cloud or multiple
clouds Infra & Identity &
Interoperability Encryption &
Virtualization Access
Cloud provider Abstraction layer & Portability Key Mgmt.
security Management
management representing the native
(Native provider) cloud provider services Infra & Identity &
Encryption & Business
Virtualization Access
Virtualized Security services Key Mgmt. continuity
security Management
resources provided for Compute, mgmt. and
Network, Storage and Threat & operational
Change control
OS images at Vulnerability resilience
& config
virtualization level Mgmt.
Provider Hardware, data centers N/A

physical – Network, storage and
resources images
Level 1 – Legend
Cloud layers Applicable security controls Description
Customer Encryption & key mgmt. — End point encryption

access — Device encryption
Application & interface — Cloud API security – API access

security — Customer access models
Identity & access mgmt. — End-point access control processes
Apps & data Datasec & info Lifecycle — Data security – Data and asset classification
sec mgmt. — Data protection
— DLP
— Information lifecycle management
Encryption & key mgmt. — Data encryption (at rest and transit) and tokenization,
— Key generation
— Key storage
— Key entitlement and lifecycle management
Application & interface — API security

security — SDLC
— Application security
Identity & access mgmt. — Identity and access management of customer data and applications
Cloud Identity & access mgmt. — Access control
orchestration — Audit logging and RBAC policies for admin users who are logging into console and
managing cloud services
Change control & config — Change control and configuration tracking of any console/API activities
Cloud provider Identity & access mgmt. — User management and access management (authentication, 2FA, privileged access,
management authorization policies to restrict access, RBAC) for admin users accessing console or
API’s
Interoperability & portability — Platform and VM portability,

— Information portability
Level 1 – Legend (continued)
Cloud layers Applicable security controls Description
Cloud provider Infra & virtualization security — Audit logging,

management — Change detection,
(continued) — Capacity/resource planning,
— Infrastructure automation security
Virtualized Encryption & key mgmt. — Encryption of virtualized resources
resources — HSM
Infra & virtualization Security — OS hardening

— VM security
— Virtual networks
— Segmentation
— Storage
— Network security
Threat & vulnerability mgmt. — Antivirus/Malware software

— Patch management
Business continuity mgmt. & — Data backups

operational resilience. — Archiving and retention
— Redundancy and recovery
Change control & config — Detect unauthorized installations

— Production changes (tracking changes)
— Configuration changes
Identity & access mgmt. — Restricted/authorized access to storage

— Network
— VM and other virtualized resources
— Periodic review of access
Provider N/A N/A
physical
resources
Level 1 – Legend – Common controls
across all Cloud layers
Security controls Description
Governance & risk mgmt. — Develop, document, maintain, execute, audit and review information security
management program
— Information security policy framework
— Risk management program
— Risk framework and related cloud security governance documents and frameworks
Audit, assurance & compliance — Meet industry and regulatory compliance requirements
— Conduct third party audits
Security incident management, e-discovery & — Develop, document, maintain, execute, audit and review the incident response plan
cloud forensics — Incident management framework
— Forensic procedures
Cloud control maturity approach
This Cloud Security Assessment incorporates information from the Cloud Security Alliance, and industry leading experience. Each control is mapped across technical characteristics and relevant regulatory guidance, and
assessed based on our industry leading framework.
All controls are mapped to the Cloud Relevant control questions describe
Security Framework each security control
KPMG Cloud security framework domain KPMG Cloud security control ID Cloud security control Control questions
Information and Privacy Protection IPP-03 Sensitive Data Protection/Encryption Does policy, procedure, technology exist to ensure sensitive data is encrypted at
rest and in transit as per regulatory, legal, and corporate policy?
CSA Cloud controls AICPA

IaaS PaaS SaaS matrix area OCC bulletin Cobit 5.0 2014 TSC FFIEC handbook FedRAMP security controls … PCI DSS v3.0
X X X Encryption & Key OCC-064 APO09.01/2/3 CC5.6 FFIEC-005, NIST SP 800-53 R3 AC-1 … 6, 6.5
Management APO13.01 FFIEC-003 NIST SP 800-53 R3 SC-1
DSS05.02 NIST SP 800-53 R3 SC-13
DSS06.06
MEA03.01/2
Relevance of each control Cloud security control is

Each security control is mapped to leading practices Controls are mapped across
mapped to deployment mapped to the relevant CSA
for future remediation steps 30+ regulatory frameworks
method area
1) Policy/ Leading Cloud tools

governance 2) Process 3) Technology Current state observations
— TrendMicro SecureCloud
readiness readiness readiness 1 – Governance readiness comments
(None, partial, (None, partial, (None, partial, 2 – Process readiness comments
full) full) full) 3 – Technology readiness comments Leading practices for Cloud adoption
Full Partial None 1. Policy exists that states sensitive data 1. Specify the levels of encryption that should be used at all phases of the
Emerging Cloud tools
should be encrypted “Information security information lifecycle. For example, require all transmissions to use SSL, all
classification, handling and labelling” back-ups to be encrypted, and specific user attributes (such as email — CipherCloud
2. No data encryption standard processes addresses) to be encrypted at all times. — HyTrust Cloud Control
observed; encryption is not enforced. DLP 2. Specify controls on the handling, storage and archiving of keys used in the — SafeNet ProtectV
for email encryption exists; no processes encryption process. — Vormetric Transparent
observed for cloud environments. 3. (IaaS only) Data encryption without the need to modify applications is a Encryption
NERC/FERC/SOX requirements adhered to key requirement in this environment to remove the custodial risk of IaaS
but other data encryption is not followed infrastructure personnel accessing sensitive data.
3. No tech enforces encryption policy. In place 4. Employees handling data in this cloud service that require encryption on a
with email, RSA DLP licenses exist outside regular basis should be trained in encryption best practices
of it; considering web sense proxy DLP 5. Comply with industry standards (AES 256-bit encryption)
Controls are evaluated across Policy, Process Observations and assessments are captured in detail Leading and emerging tools that support
and Technology Readiness across assessment areas achieving the tool are provided for each control.
FOR INTERNAL USE ONLY
Questions
26
© 2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. 26
Thank you
KPMG’s Cyber Team works with organizations to prevent,

detect and respond to cyber threats.
We can help your organization be cyber resilient in the face of
challenging conditions.
Contact us
Darren Jones
Director, Cyber Security Services
T: 416 777-3737
M: 647 580-7399
E: darrenjones@kpmg.ca
27
© 2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. 27

Cloud Governance ISACA KPMG 2017

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Cloud Governance ISACA KPMG 2017

Загружено:

Авторское право:

Доступные форматы

Cloud

ISACA Information Security & Risk Conference

Improve agility and responsiveness

Accelerate product innovation

Save money 1642

Best solution available

Shift CapEx to OpEx

Data center modernization

Improve alignment with customers

Support Model Business Executive Support

CIO/CTO CISO Internal audit & legal

PaaS type services?”

“We need flexible “How do I stay relevant

…are driving demand for common cloud security capabilities

Enterprise • Cloud Architecture linked with Business and IT Strategy

• Fully integrated security model with cloud solutions

Maturity Operational • Defined SLA by workload and automated management

Vendor • Cloud decision framework

New models, architectures, and relationships New and existing threats

Nation state Competitor

Data security and compliance across

Security must Security must Security must

While security Security must Security Legacy Business Security

Governance and compliance — Cloud Security Strategy (Capability Gap

— Configuration & Change Management — Logging & Audit

Automation Code Payment

All Non-Sensitive Workloads

Engineering Dev/QA Minimum security

Level of Data Sensitivity

Program drivers & Align with security Integration with other

Cloud security fabric

IDaaS SaaS PaaS and IaaS

Audit, Assurance & Compliance(Applicable across all layers)

SIEM, E-discovery & Forensics(Applicable across all layers)

Governance & Risk Mgmt. (Applicable across all layers)

Cloud Abstraction layer Identity &

Provider Hardware, data centers N/A

Customer Encryption & key mgmt. — End point encryption

Application & interface — Cloud API security – API access

Application & interface — API security

Interoperability & portability — Platform and VM portability,

Cloud provider Infra & virtualization security — Audit logging,

Infra & virtualization Security — OS hardening

Threat & vulnerability mgmt. — Antivirus/Malware software

Business continuity mgmt. & — Data backups

Change control & config — Detect unauthorized installations

Identity & access mgmt. — Restricted/authorized access to storage

CSA Cloud controls AICPA

Relevance of each control Cloud security control is

1) Policy/ Leading Cloud tools

FOR INTERNAL USE ONLY

KPMG’s Cyber Team works with organizations to prevent,

Вам также может понравиться