Cloud Security Benchmark
Webinar
Top 10 Cloud Service Providers: Q4 2014
January 7, 2015
11:00 AM ET
Confidential & Proprietary
Disclaimer
NO WARRANTY. CloudeAssurance makes this presentation available AS-IS, and makes no warranty as to its accuracy or use.
The information contained in this presentation may include inaccuracies or typographical errors, and may not reflect the most current developments.
CloudeAssurance does not represent, warrant or guarantee that it is complete, accurate, or up-to-date, nor does CloudeAssurance offer any certification or guarantee with respect to any opinions expressed herein or any references provided.
Changing circumstances may change the accuracy of the content herein. Opinions presented in this presentation reflect judgment at the time of publication and are subject to change. Any use of the information contained in this presentation is at the risk of the user. CloudeAssurance assumes no responsibility for errors,
omissions, or damages resulting from the use of or reliance on the information herein. CloudeAssurance reserves the right to make changes at any time without prior notice.
Session Agenda
• The Need
• Study Goals and A Brief History
• Study Methodology
• CloudeAssurance Scoring Algorithm
• Study Scoring Guidelines
• Q4 2014 Results and Changes
• Q4 2014 Top 10 Control Gaps
• Benefits of a CloudeAssurance Score
• CloudeAssurance – What We Do
• Cloud Assurance Assessor Program (CAAP) Validation Process
• Cloud and Cybersecurity
• AlertApp! Mobile Application
• Interactive Poll and Results
Taiye Lambo
Founder & CTO - CloudeAssurance
Jordan Flynn
Lead Cloud Security Analyst and Researcher - CloudeAssurance
The Need
• Security is the Number 1 barrier to cloud adoption.
Massive Apple iCloud Nude Photo Leak, Celebrities Exposed
Study Goals
• TRANSPARENCY • METHODOLOGY • OBJECTIVITY • OBSERVE • RESOURCE • CATALYST • CONTINUOUS IMPROVEMENT
• Initial research began in September 2012 and compiled publicly available information for
approximately 20 Cloud Service Providers (CSPs).
• First Report published on January 3rd, 2013 covered Top 10 CSPs for Q4 2012.
• 25 CSPs assessed for Q1 2013, 32 for Q2 2013, 37 for Q3 2013, 44 for Q4 2013,
52 for Q1 2014, 66 for Q2 2014, 76 for Q3 2014 and 87 for Q4 2014 (same CSPs + new entries each quarter).
• Study split into two separate documents, an Executive Summary with results and
Appendix A-E discussing methodology, scoring guidelines and various terms and definitions.
• Updated quarterly and changes actively tracked.
• Assessments created within CloudeAssurance platform using publicly available
information for each CSP.
• Leveraged CSA GRC stack as the standard which assessments were performed against
(CAIQ + CCM).
• Utilized CMMI Maturity Model with objectivity established using ISO 27001 certification
as benchmark and evidence of process maturity.
• Assessments scored in CloudeAssurance platform using proprietary scoring algorithm
(score is similar in theory to a credit score).
Study Scoring Guidelines
Study limits score to a max of 600
Q4 2014 Study Results
Q4 2014 Study Changes
• 14% increase in sample size from Q3 2014 to Q4 2014 (from 76 to 87 CSPs).
• Despite increase in sample size and CSPs with ISO 27001 certification, no change in Top 10
list from Q3 to Q4 2014.
• New World Telecommunications Limited from 569 (Q3) to 566 (Q4). No change as result of
change.
• Top 10 control gaps changed with NWT upgrade to CAIQ v3.0.1 from v1.1.
• RI-01 “Risk Management – Program” moved from #7 to #10.
Q4 2014 Top 10 Control Gaps
• Valuable asset that can be effectively utilized by a CSP, cloud customer, cloud auditor,
cloud broker and cyber liability insurance underwriters.
• Regardless of the score, it remains an essential benchmark due to revelation of overall
cloud security posture and possible exposure/control weakness.
• Highlights areas in cloud environment that may lead to a breach and ensures gap
identification and remediation.
• Potential to save millions of dollars in losses, remediation costs, and generate additional
revenue by displaying validation seal as market differentiator.
• INDEPENDENT Cloud Process = validation of cloud security / assurance.
• Validation process (Step 2) leverages certifications and evidence of process maturity
like ISO 27001, PCI-DSS, FISMA, FedRAMP and SOC 2/SOC 3.
Cloud Assurance Assessor Program (CAAP)
Validation Process
• Cloud and Cybersecurity are closely intertwined. Conversations about Cybersecurity
inevitably lead to conversations about Cloud security.
• Cybersecurity liability insurance is becoming more critical as businesses adopt 3rd party
cloud.
• CloudeAssurance fills a blind spot in Cyber liability insurance through this cloud security
benchmark study.
• Validated scores provide ongoing risk mitigation and protection.
AlertApp! Mobile Application
Consumer Assurance Powered By CloudeAssurance
Launched in August 2014
Free download mobile app from app stores with 30 day free trial
$0.99 per user for annual subscription (Android), $1.99 (iOS)
• According to a recent industry study, cloud and social media users had the highest incidence of fraud.
• Target; Facebook (1.2 billion), Google+ (540 million), LinkedIn (300 million), Twitter (274 million).
Interactive Poll
• How many cloud services are you currently using?
A. None
B. 1 – 5
C. 6 – 10
D. Unknown
• How are you currently assessing your cloud security risks?
A. Require independent certification (ISO 27001, SSAE16, PCI-DSS, etc.)
B. Perform onsite assessments and validation
C. Send out vendor risk assessment questionnaires
D. Unknown
• Do you currently utilize an automated assessment, rating, trending and benchmarking software platform to
assess your cloud security risks?
A. Yes.
B. No.
C. Unknown.
• Do you currently receive real time alerts containing pertinent information, related to the safety and security of
your cloud service?
A. Yes.
B. No.
C. Unknown.
For a Personal Demo of the CloudeAssurance Platform or
AlertApp! Mobile Application
Please Contact Us:
Jordan Flynn
Lead Cloud Security Analyst
CloudeAssurance
Phone: (678) 923-3555
Sign up TODAY for a FREE 30-Day trial at
www.cloudeassurance.com
and receive a complimentary copy of our
study when you register.