Use NIST Risk Management and Cybersecurity Frameworks to understand and manage business risk as you extend the network to public cloud or move data outside the datacentre perimeter.
Risk Management for Public Cloud Projects
1. Microsoft Cloud User Group – London
Get Your Cloud Project Past IT Security
Alex Magnay
@AlexMags
2. About us
CONSULT, CREATE, CHANGE, ADVANCE
Consult: A series of thorough discovery and consultation sessions enables the KA2 team to understand your precise business and technology change programme requirements. We cannot do this without you.
Create: Close collaboration, together with unrivalled expertise and fresh thinking, enables KA2 to create customised, future-proofed technology change driven programmes that meet your needs. It is all about you.
Change: Rigorous end-to-end programme management throughout the entire transformation journey ensures the implementation process is fast and efficient. We will take good care of you.
Advance: With innovation at the core of everything we do, our clients can embrace the future, safe in the knowledge their businesses will seamlessly adapt to whatever is thrown at them. Your success is our success.
https://ka2.io
contact@ka2.io
21. Our two secret weapons!
1. NIST Risk Management Framework, which is aligned with
2. the product release roadmap, which implements
3. NIST Cyber Security Framework controls
22. Risk Management Framework (NIST SP 800-37 rev. 2)
Categorise system and data -> Select controls to reduce risk -> Implement controls -> Assess controls -> Authorise (risk is acceptable) -> Monitor
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
30. Product release roadmap
• What data is moving to public cloud, and when?
34. NIST Cybersecurity Framework
• Identify - who/what you're protecting
• Protect - the data/system
• Detect - problems
• Respond - know who to tell and what to do
• Recover - have a plan
https://www.nist.gov/cyberframework
36. Risk Management Framework: Categorise system and data
• How many users?
• Who are they?
• What data?
38. Example
NIST Function | NIST Category | Your Risks | Your Controls | Your Work items
Protect | Identity Management and Access Control | Unauthorised access is obtained | Multifactor authentication (PR.AC) | Enable MFA
Protect | Identity Management and Access Control | Unauthorised access is obtained | Priv Identity Management (PR.AC) | Enable AAD PIM
Protect | Identity Management and Access Control | Unauthorised access is obtained | Admin roles follow least privilege (PR.AC) | Implement RBAC
Protect | Identity Management and Access Control | Unauthorised access is obtained | Encrypt communications containing credentials (PR.AC) | Disable basic auth
Protect | Identity Management and Access Control | Unauthorised access is obtained | Service account passwords and API keys rotated (PR.AC) | Rotate service passwords
Protect | Identity Management and Access Control | Unauthorised access is obtained | Service account passwords and API keys rotated (PR.AC) | Rotate API keys
Protect | Awareness and Training | Misconfiguration results in unauthorised access | IT admins complete training module before access (PR.AT) | Cloud Admin course tracking
Protect | Awareness and Training | Critical data is uploaded before environment is ready | Users sign up to terms of use (no business data) (PR.AT) | Enable AAD Conditional Access ToS
Protect | Data Security | Data is not protected | Classify data (PR.DS) | Implement AIP
Protect | Information Protection Processes and Procedures | Data loss from attack or accidental disclosure | Data loss protection (PR.IP) | Block inbound internet access
Protect | Maintenance | Software vulnerabilities | OS and application security patching (PR.MA) | Enforce auto updates
Protect | Protective Technology | Malware results in outage, unauthorised access or data loss | Antimalware (PR.PT) | Enable Windows Defender ATP
39. Completed controls reduce risk
Sprint 1: PR.AC MFA; PR.AC Rotate keys
Sprint 2: PR.AC RBAC; PR.IP Block internet
Sprint 3: PR.AC AAD PIM; PR.IP Azure Firewall; PR.PT Defender ATP; PR.MA Auto update
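As an added example, not from the deck and not KA2's own tooling, the risk/control/work-item rows of slide 38 and the sprint allocation of slide 39 expressed as a small Python register. It answers the questions the method raises at each sprint boundary: which risks still have undelivered controls, how "green" each NIST category is, and which roadmap stage the environment can be authorised for. The stage gates (which work items must be complete before low-value apps, and before business-critical data, are allowed in) are an assumption made for the example; the speaker notes name the stages but not the exact gates.

```python
"""Risk register as code: CSF categories, controls, sprints and roadmap stage gates.

Added example, not from the original deck. Register rows follow the slide 38/39
tables; the STAGE_GATES mapping is an ASSUMPTION used to illustrate the method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    category: str   # NIST CSF category family, e.g. "PR.AC"
    risk: str       # the bad thing this control makes less likely or less severe
    control: str    # what we do about it (slide 38 "Your Controls")
    work_item: str  # the concrete deliverable (slide 38 "Your Work items")
    sprint: int     # which sprint the work item is scheduled in (slide 39)


REGISTER = [
    Control("PR.AC", "Unauthorised access is obtained", "Multifactor authentication", "Enable MFA", 1),
    Control("PR.AC", "Unauthorised access is obtained", "Service account passwords and API keys rotated", "Rotate keys", 1),
    Control("PR.AC", "Unauthorised access is obtained", "Admin roles follow least privilege", "Implement RBAC", 2),
    Control("PR.IP", "Data loss from attack or accidental disclosure", "Data loss protection", "Block inbound internet access", 2),
    Control("PR.AC", "Unauthorised access is obtained", "Privileged Identity Management", "Enable AAD PIM", 3),
    Control("PR.IP", "Data loss from attack or accidental disclosure", "Data loss protection", "Azure Firewall", 3),
    Control("PR.PT", "Malware results in outage, unauthorised access or data loss", "Antimalware", "Enable Windows Defender ATP", 3),
    Control("PR.MA", "Software vulnerabilities", "OS and application security patching", "Enforce auto updates", 3),
]

# Roadmap stages from the speaker notes: bootstrap -> low value apps -> business critical data.
# Which work items gate each stage is an ASSUMPTION for this example; agree yours with InfoSec.
STAGE_GATES = {
    "bootstrap (no important data)": set(),
    "low value apps": {"Enable MFA", "Rotate keys", "Implement RBAC", "Block inbound internet access"},
    "business critical data": {c.work_item for c in REGISTER},
}


def completed_items(done_sprints):
    """Work items delivered once sprints 1..done_sprints have shipped."""
    return {c.work_item for c in REGISTER if c.sprint <= done_sprints}


def open_risks(done_sprints):
    """Risks that still have at least one scheduled control not yet delivered."""
    done = completed_items(done_sprints)
    return sorted({c.risk for c in REGISTER if c.work_item not in done})


def coverage_by_category(done_sprints):
    """Fraction of work items delivered per CSF category: the 'how green is it' view."""
    done = completed_items(done_sprints)
    totals, finished = {}, {}
    for c in REGISTER:
        totals[c.category] = totals.get(c.category, 0) + 1
        finished[c.category] = finished.get(c.category, 0) + (c.work_item in done)
    return {cat: finished[cat] / totals[cat] for cat in sorted(totals)}


def highest_stage(done_sprints):
    """Furthest roadmap stage whose gate is fully satisfied (stages are ordered)."""
    done = completed_items(done_sprints)
    reached = None
    for stage, gate in STAGE_GATES.items():
        if gate <= done:
            reached = stage
        else:
            break
    return reached


def blocking_items(stage, done_sprints):
    """What still has to ship before the given stage can be authorised."""
    return sorted(STAGE_GATES[stage] - completed_items(done_sprints))


if __name__ == "__main__":
    for n in range(0, 4):
        print(f"after sprint {n}: stage={highest_stage(n)!r}, open risks={open_risks(n)}")
        print("  coverage:", coverage_by_category(n))
    print("blocking 'business critical data' after sprint 2:",
          blocking_items("business critical data", 2))
```

The point of `blocking_items` is the conversation from the speaker notes: rather than asking InfoSec for a blanket approval, the team shows which gate items remain for the next stage and schedules exactly those.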
41. Risk Management Framework: Assess controls
• Do they work?
• Can they be circumvented?
• How much residual risk remains?
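One way to make "Do they work? Can they be circumvented?" concrete for two of the PR.AC controls on slide 38 (Enable MFA, Disable basic auth), as an added example rather than anything from the deck: scan sign-in records for successful legacy-protocol sign-ins (which cannot be challenged for MFA, so they circumvent the MFA control) and for any successful sign-in that needed only one factor. Field names follow the Microsoft Graph signIn resource; the records, the LEGACY_CLIENTS set and the example.com users are constructed for the example.

```python
"""Assess the PR.AC controls 'Enable MFA' and 'Disable basic auth' against sign-in records.

Added example, not from the original deck. Field names follow the Microsoft Graph
signIn resource (userPrincipalName, clientAppUsed, authenticationRequirement,
conditionalAccessStatus, status.errorCode). The records are CONSTRUCTED, not tenant data.
"""
import json

# Client types that only speak legacy (basic) authentication and so never get an MFA prompt.
# ASSUMPTION: this subset of clientAppUsed values is what we treat as legacy for the check.
LEGACY_CLIENTS = {
    "Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange ActiveSync", "Exchange Web Services", "MAPI Over HTTP",
}

# Constructed sample: one IMAP sign-in that slipped through, one browser sign-in without MFA,
# one legacy sign-in blocked by Conditional Access (errorCode 53003), two healthy MFA sign-ins.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0}},
 {"userPrincipalName": "svc-backup@example.com", "clientAppUsed": "IMAP4",
  "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser",
  "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Other clients",
  "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "failure",
  "status": {"errorCode": 53003}},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
  "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0}}
]""")


def successful(rec):
    """A sign-in succeeded when the status error code is 0 (absent status is treated as success)."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def legacy_auth_successes(signins):
    """'Disable basic auth' is circumvented if any legacy-protocol sign-in still succeeds."""
    return [(r["userPrincipalName"], r["clientAppUsed"])
            for r in signins if successful(r) and r.get("clientAppUsed") in LEGACY_CLIENTS]


def single_factor_successes(signins):
    """'Enable MFA' is not working wherever a successful sign-in needed only one factor."""
    return [(r["userPrincipalName"], r["clientAppUsed"])
            for r in signins
            if successful(r) and r.get("authenticationRequirement") != "multiFactorAuthentication"]


def assess(signins):
    """Residual-risk summary for the two controls: the evidence to take to the Authorise step."""
    legacy = legacy_auth_successes(signins)
    single = single_factor_successes(signins)
    total_ok = sum(1 for r in signins if successful(r))
    return {
        "successful_signins": total_ok,
        "legacy_auth_successes": legacy,
        "single_factor_successes": single,
        "disable_basic_auth_effective": not legacy,
        "mfa_effective": not single,
        # share of successful sign-ins that were single-factor: the residual-risk figure to report
        "single_factor_ratio": (len(single) / total_ok) if total_ok else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SIGNINS), indent=2))
```

The blocked `carol` record shows the control doing its job; the `svc-backup` IMAP record is the kind of residual that a "Disable basic auth" work item marked done would otherwise hide, and it maps straight back to the "Rotate service passwords" row of the same table.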
45. Risk-based approach to Infrastructure as a Service (IaaS)
Virtual datacentre example (check this: http://aka.ms/VDC)
48. • It’s waterfall (build then run)
• Visualisation of the end goal
• Clear interdependencies
http://www.infrastructures.org/papers/bootstrap/bootstrap.htm
50. IaaS example
NIST Function | Your Risks | NIST Category | Your Controls | Work items
Protect | Unauthorised access is obtained | Identity Management and Access Control | Multifactor authentication (PR.AC) | Enable MFA
Protect | Unauthorised access is obtained | Identity Management and Access Control | Priv Identity Management (PR.AC) | Enable AAD PIM
Protect | Unauthorised access is obtained | Identity Management and Access Control | Admin roles follow least privilege (PR.AC) | Implement RBAC
Protect | Unauthorised access is obtained | Identity Management and Access Control | Encrypt communications containing credentials (PR.AC) | Disable basic auth
Protect | Unauthorised access is obtained | Identity Management and Access Control | Service account passwords and API keys rotated (PR.AC) | Rotate service passwords
Protect | Unauthorised access is obtained | Identity Management and Access Control | Service account passwords and API keys rotated (PR.AC) | Rotate API keys
Protect | | Awareness and Training | IT admins complete training module before access (PR.AT) | Cloud Admin course tracking
Protect | | Awareness and Training | Users sign up to terms of use (no business data) (PR.AT) | Enable AAD Conditional Access ToS
Protect | | Data Security | Classify data (PR.DS) | Implement AIP
Protect | Data loss from attack or accidental disclosure | Information Protection Processes and Procedures | Data loss protection (PR.IP) | Block inbound internet access
Protect | Data loss from attack or accidental disclosure | Information Protection Processes and Procedures | Data loss protection (PR.IP) | Block outbound internet access
Protect | Data loss from attack or accidental disclosure | Information Protection Processes and Procedures | Data loss protection (PR.IP) | Implement proxy URL filtering
Protect | Data loss from attack or accidental disclosure | Information Protection Processes and Procedures | Data loss protection (PR.IP) | Implement proxy DLP
Protect | | Maintenance | OS and application security patching (PR.MA) | Enforce auto updates
Protect | Malware results in outage, unauthorised access or data loss | Protective Technology | Antimalware (PR.PT) | Enable Windows Defender ATP
55. Risk and control table as on slide 50
56. Shortcuts
• Embed someone from InfoSec in your team (DevSecOps): they can review controls as they're implemented
• Learning by doing takes time… Work with a cloud migration specialist, inherit their code and security controls, and jump ahead to IAM v7, landing zone v9 etc.
• Be a chameleon: fold into existing governance
• Call your team the Cloud Adoption Team (CAT)
59. Thanks!
KA2 is an expert technology change consultancy specialising in financial services, the insurance industry and the public sector. The company provides expert services across the entire technology change spectrum, including cloud migration, target operating models and digital transformation strategies; the modern workplace; service management; enterprise architecture; network design; enterprise security; and voice and unified communications. The team includes highly skilled and experienced programme leaders, technical architects, solutions consultants and business analysts who all bring a proven track record in delivering successful technology change programmes for a wide range of blue-chip organisations.
Email: contact@ka2.io
Speaker notes
A problem my consultancy hit on a recent cloud migration engagement, what's happening now, and hopefully you'll be able to make use of this too.
Last seen working at public cloud service provider Hentsu, spinning up infra for new hedge funds and migrating hedge funds to public cloud.
Background: engineering teams in investment banking and asset management; regulatory compliance, high security, high availability, high tech.
Industry certifications & scout computer badge!!
Loaded up with Historical cargo
CEO of Infor at AWS Summit 2014
Building a computer room/dc is kind of interesting
Keeping it running is a burden
Huge distraction from working on stuff the business or the customer actually cares about
Move dcs to public cloud and refocus on more important stuff that’s going to make company money/customers happy
Building and maintaining DCs does keep you busy, doesn't make you valuable
Azure datacenters are positioned on ley lines of tremendous connectivity. If you're an international organization, investigate if you can ditch your point-to-point international leased lines and use the public cloud provider as a hub to link your offices and datacenters.
When comparing the cost of on prem vs public cloud
You assemble a team of mercenaries/contractors
Infosec Fortress
Cyber defence 1976
Administration – who has access to what (from where), RBAC, how you operate the service: still you
AWS – same deal, still up to you to secure the data
Where’s the magic dial?
1. A way of discussing risk with InfoSec and getting approvals
2. Release roadmap, what we’re going to do in stages
3. Helps us figure out risks and what to do about them
Click through
Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss
Describe the risk – what bad things could happen with this system / this data
Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk. Technical/process. The NIST Cyber Framework can help with this.
Implement the controls and describe how the controls are employed within the system and its environment of operation.
Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.
Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
Click to releases
Secret weapon number 3
Risk – what's the bad thing that could happen. Control – what makes it unlikely or lower impact.
Work items – well defined so people can crack on.
Talk with InfoSec: which risks and controls will get you to the next stage on your roadmap?
50% green
Excuse the GFX, it was 1998, on Unix; we're lucky it's not ASCII art!
High risk – don’t put anything important here!
Getting better, safer…
Time for low value apps….
Party time, upload the business critical data
Bootstrap – POCs look like this often
Central ID and RBAC
App ready
Data ready
But the burners on
Stop fighting with IT Security
Find that common ground, common language. Agree a plan, execute the plan and keep talking throughout.
May your quests be really successful!