Presentation Rules
PwC's Cloud Capabilities at a Glance
Diverse team
o Cloud practitioners across our global network, across industry segments
o Cloud Tax, Assurance, and Risk & Regulatory services in addition to our Advisory capabilities
Key strategic partnerships
o Cloud providers (e.g. GCP, Azure, AWS)
o Cloud management vendors (e.g. Cloud Genera)
o Services partners (e.g. CTP, CSC)
PwC's Cloud Security Offerings
1. Strategy, Governance & Management
o Cloud Security Strategy
o Sponsorship & Org Development / Re-alignment
o Training & Awareness
o Security Metrics & SLA Monitoring
2. Security Architecture & Services
o Common Cloud Security Reference Architecture
o Infrastructure Virtualization & SaaS
o Application Security
o Encryption & Key Management
o Mobile Security
o Secure API Management, Secure Development Lifecycle, DevSecOps
3. Threat, Intelligence & Vulnerability Management
o Logging & Audit
o Vulnerability Identification & Remediation
o Event Correlation & Monitoring for Cloud (including cloud to cloud)
4. Identity & Access Management
o Cloud Identity Integrated Lifecycle Management (Registration, Provisioning, Deprovisioning)
o Cloud Access Management (SSO, Federation, Multi Factor Auth)
o Secure Gateway (API security, XML based Firewall protection)
o Privileged Access Management
o Identity Audit and Review
5. Information & Privacy Protection
o Asset Inventory (Business, Systems and Applications)
o Sensitive Data Ownership & Classification (Data flows & Contextual Attributes)
o Data Detection, Loss Prevention and Digital Rights Management for Cloud
o Privacy and jurisdictional review and requirements for data transfer and access
6. Incident & Crisis Management
o Configuration & Change Management
o Cloud Forensics
o Security Incident Response
o Provider / Consumer Continuity and Recovery
o Security Audit Logging & Monitoring & Predictive Analytics
7. Risk & Compliance Management
o Cloud Risk Assessments
o Business & IT Cloud Security Policies, Standards & Guidelines
o Regulatory compliance for cloud (PCI, ISO, HIPAA, SOX, GLBA, etc.)
o Cloud Vendor Risk Assessment & Management (Supply Chain)
o Cloud Security Sourcing & Contract Management
8. Emerging Trends & Innovation
o Emerging protocols and standards
o Cloud to cloud integration security
o Internet of Things (IoT)
Agenda
Introduction to CCSP
Moving to the cloud
Domain overview: Cloud platform and infrastructure security
Q&A
Introduction to CCSP
Role of the CCSP
The CCSP credential denotes professionals with deep-seated knowledge
and competency derived from hands-on experience with information
security and cloud computing. CCSPs help you achieve the highest
standard for cloud security expertise and enable your organization to
benefit from the power of cloud computing while keeping sensitive data
secure.
CCSP Domains
Domain 5: Operations
The CCSP Exam
Computer based testing
125 questions covering the 6 CCSP CBK domains
Four-hour exam (multiple choice)
Passing grade required is a scaled score of 700 out of a possible 1,000 points
For additional information and to register for the exam, go to www.ISC2.org/CBT
Training Tips
Flashcards
Practice exams
Moving to the cloud
Why Move to Cloud?
Return on Investment (ROI) model: ROI Model, Example, Cloud Computing KPIs (Key Performance Indicators)
ROI Model: Speed of time reduction
o Example: Optimizing time to deliver / execution
o KPIs: Availability time vs recovery SLA
ROI Model: Speed of cost reduction
o Example: Optimizing cost of capacity use; Optimizing cost of ownership
o KPIs: Workload predictable costs; Workload variable costs; CAPEX vs OPEX costs; Workload vs utilization %; Workload type allocations; Instance to asset ratio; Ecosystem
ROI Model: Optimizing cost to deliver / execution
o Example: Quality / Experiential
o KPIs: Green costs of cloud; SLA response error rate; Intelligent automation
ROI Model: Optimizing margin
o Example: Revenue efficiencies
o KPIs: Market disruption rate; Margin
Cloud Computing Adoption Lifecycle
1. Cloud Proof of Concept/Pilot Project Stage
2. Cloud Strategy and Roadmap Adoption
3. Cloud Modeling and Architecture Adoption
4. Cloud Implementation Planning
5. Cloud Implementation
6. Cloud Expansion
7. Cloud Integration and Interoperability
8. Cloud Collaboration
9. Cloud Steady State
Cloud Computing Transitions
Domain Transition From Transition To
Security framework Infrastructure-centric Data-centric
Application development Tightly coupled Loosely coupled
Data Mostly unstructured Mostly structured
Business processes Mostly serial Mostly parallel
Security controls Enterprise responsibility Shared responsibility
Economic model Mostly CAPEX Mostly OPEX
Infrastructure Mostly physical Mostly virtual
IT operations Mostly manual Mostly automated
Technology operational scope Local/regional International/global
Cloud Platform and Infrastructure Security
Domain 3
Cloud Infrastructure diagram: Compute, Storage and Networking, Virtualization, Management; Nodes, Software Layer, Hardware
Data Center Design
Network Functionality
Software-Defined Networking (SDN)
Compute
Virtualization
Key Drivers for Virtualization
Scalability
The Hypervisor
Question! Difference between type 1 & type 2
Type 1 (bare-metal, embedded, or native)
o Works directly on the hardware of the host and can monitor OSs that run above the hypervisor
o Shares and manages hardware resources between guest OSs
Type 2
o Software installed on the host OS; supports guest OSs running on it as VMs
o Dependent on the host OS for its operations
Risks and Challenges
Storage
Traditional computer network storage typically consists of a storage area network
(SAN) or network-attached storage (NAS). Cloud offers an additional off-premise
option.
Volume Storage
Similar to traditional storage, allocated on a VM and configured as a virtual
hard drive.
o Appears to be a dedicated resource
o Logical Units (LUNs) assigned to the VM
Object Storage
o Data stored on a separate system
o Storage access through API calls, network requests or a web interface
o Allows dedicated resources for managing the object storage system to optimize
Management Plane
Supply Chain Management
Supply Chain Risk
A risk review includes:
Supplier dependencies
o List all dependencies on third parties
o Identify key suppliers
o Regularly update documentation
Single points of failure
o Challenge, fix and mitigate
Engage with key suppliers
o Contracts should cover risks
o Consider a right-to-audit clause
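The three computable steps of the review above (list the dependencies, identify key suppliers, find single points of failure) applied to a constructed dependency inventory, as an added example that is not part of the original deck; the service and supplier names are hypothetical, and a "single point of failure" is taken here to mean a function a service needs that only one supplier provides.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names): service -> dependencies,
# each dependency being (function the supplier provides, supplier name).
SAMPLE_INVENTORY = {
    "customer-portal": [("hosting", "CloudProviderA"), ("dns", "DnsVendorX"),
                        ("payments", "PayGatewayP")],
    "billing-api": [("hosting", "CloudProviderA"), ("payments", "PayGatewayP"),
                    ("email", "MailRelayM"), ("email", "MailRelayN")],
    "support-desk": [("hosting", "CloudProviderB"), ("dns", "DnsVendorX")],
}


def list_dependencies(inventory):
    """Step 1: list all third parties the services depend on (unique, sorted)."""
    return sorted({supplier for deps in inventory.values() for _, supplier in deps})


def key_suppliers(inventory, min_services=2):
    """Step 2: suppliers whose loss would affect at least `min_services` services."""
    services_by_supplier = defaultdict(set)
    for service, deps in inventory.items():
        for _, supplier in deps:
            services_by_supplier[supplier].add(service)
    return {supplier: sorted(services)
            for supplier, services in services_by_supplier.items()
            if len(services) >= min_services}


def single_points_of_failure(inventory):
    """Step 3: (service, function, supplier) triples where a function a service
    needs is provided by exactly one supplier, so there is nothing to fail over
    to. A function with two suppliers (email for billing-api) is not flagged."""
    spofs = []
    for service, deps in inventory.items():
        suppliers_by_function = defaultdict(set)
        for function, supplier in deps:
            suppliers_by_function[function].add(supplier)
        for function, suppliers in sorted(suppliers_by_function.items()):
            if len(suppliers) == 1:
                spofs.append((service, function, next(iter(suppliers))))
    return spofs


def risk_review(inventory):
    """Run the three steps and return one report; engaging key suppliers
    (contract coverage, right-to-audit) is follow-up action on the
    key_suppliers list rather than something to compute here."""
    return {
        "dependencies": list_dependencies(inventory),
        "key_suppliers": key_suppliers(inventory),
        "single_points_of_failure": single_points_of_failure(inventory),
    }


if __name__ == "__main__":
    for section, rows in risk_review(SAMPLE_INVENTORY).items():
        print(section)
        for row in (rows.items() if isinstance(rows, dict) else rows):
            print("  o", row)
```

Re-running the review whenever the inventory changes is how the "regularly update documentation" item is kept honest; the report lists exactly the suppliers the contract and right-to-audit discussion should cover.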
Vendors
Understand vendor capabilities and policies
Establish emergency communication paths
Test communication paths
Customers
Service-Level Agreements (SLAs)
Appropriate SLAs should be in place to manage all services being
consumed by each customer segment.
Some metrics that SLAs may specify include:
o What percentage of the time services will be available
o The number of users that can be served simultaneously
o Specific performance benchmarks to which actual performance will be
periodically compared
o The schedule for notification in advance of network changes that may affect
users
o Help/service desk response time for various classes of problems
o Usage statistics that will be provided
Partners
Communications paths must be established with all partners that will
consume or support cloud services in the enterprise.
Regulators
Compliance Regimes
The AICPA established three SOC reports to provide a framework to help
examine controls and related risks at service organizations.
Service Organization Controls 1 (SOC 1)
Service Organization Controls 2 (SOC 2)
o Type 1
o Type 2
Service Organization Controls 3 (SOC 3)
ISO 27001
FedRAMP
ITAR
FIPS Publication 140-2
CSA
MPAA
Question! Which standard requires x,y,z?
Cloud Service Brokers (CSBs)
Cloud Ecosystem
A term used to describe the complex system of interdependent
components that work together to enable cloud services.
Converting the cloud's considerable benefits into business opportunities
requires:
Determining the type of cloud environment best suited for your
organization
Developing your cloud adoption vision
Establishing use cases and a detailed plan
Understanding implications of adopting specific cloud service
Understanding layers
o IaaS, PaaS, SaaS
Cloud Security Ecosystems
Cloud Controls Matrix by CSA
Evidence that controls are actually operational.
Essential to audits
Questions & answers!
Thank you!
Vijay Luiz
vijay.x.luiz@hk.pwc.com
www.linkedin.com/in/vijay-luiz/
@vijayluiz