Cloud Service Risk Assessment
Industry: Superannuation
Members: 400k+
Assets: $65B+
Employees: ~1000
Cloud9 Services
- Security Strategy and Advisory
- Program Management
- Security Business Analysis
- Security Architecture
- Security Policy Development
- Change & Communications Management
Cloud Services Risk Assessment
This super fund is dedicated to people working in Australia’s higher education and research sector. With over 400,000 members and over $65 billion in net funds under management, it is one of Australia’s largest super funds.
They recently engaged Netskope to perform a Cloud Risk Assessment, including a report and recommendations, in preparation for a PwC Cloud Governance internal audit and review. While this audit highlighted a large number of cloud services currently in use (2,236), and a large number of critical/high-risk services among them (1,924), they requested Cloud9 Consulting to assist with providing further, more detailed context on these findings, so that the risks could be actioned according to their actual level of severity, e.g. High, Medium and Low.
They requested Cloud9 to contextualise these findings in line with Technology’s FY19 security priorities and initiatives, three key ones being:
1. Cloud Access Security Broker (CASB) Solution
2. Privileged Access Management Solution
3. Identity & Access Management Solution
The intention is for Cloud9’s report and recommendations to be shared among the relevant Technology stakeholders, and for an Executive Summary to be prepared for Board Members.
Cloud9 proposes a ‘mini-squad’ team to work on the priorities below:
1. An initial assessment of the actual ‘As-Is’ situation, developed through:
- Review of NetSkope’s Cloud Risk Assessment Report
- Review of PwC’s Internal Audit Report (Cloud Governance and Footprint Review)
- Direct investigations of the technology environment
- Interviews and meetings with key stakeholders
- Review of documentation, policies, reports and other relevant information e.g. FY19 priorities
- An informal discussion with key stakeholders regarding draft findings, culminating in
- A Situation Analysis report summarising the key findings.
2. The formation of a high-level ‘To-Be’ vision of the security objectives, developed through:
- Workshops with key Technology stakeholders
- Validation of the high-level vision with business participants (as appropriate)
- A document depicting the Technology Security Vision at a high-level.
3. The development of a Technology Security Roadmap required to attain the Vision defined above, by:
- Leveraging the technical expertise from the broader Cloud9 team
- A draft presentation and working group discussion with nominated stakeholders
- A final presentation of the Roadmap to a defined stakeholder group
- A report collating the three stages outlined here.
Challenges
- Delays in obtaining the 7 months of data due to:
  - Active gateway proxies only hold 60 days of log data
  - System (CPU) constraints on bulk extraction of historical log data from the monitoring system (SIEM)
  - No backups of log data from the active gateway proxies
- The user access and identity management data we were receiving was in a poorly maintained state, which required a significant amount of manual clean-up by Cloud9 to get it into a usable state
- The engagement with all the Departmental heads was a slow and arduous process to confirm they understood their role in the assessment
- Delays from Netskope (CASB vendor) in loading the log data and re-configuring the service to support Business Unit and Department fields
Solutions
Cloud9 worked with UniSuper to:
- Set a clear strategic direction for the Cloud Risk Assessment
- Work with all levels of key senior stakeholders to manage competing priorities
- Execute the delivery of the assessment to Board members
- Elicit business and technical requirements with stakeholders and document end-to-end outcomes and governance
- Build sustainable architecture standards and patterns
- Consolidate and streamline vendor technologies to ensure maximum value is achieved
- Develop security policies and standards
- Manage the Change & Communications strategy.
Outcome
Working with UniSuper, Cloud9:
- Contextualised the ~100 identified security findings against UniSuper’s strategic programs of work
- Contextualised UniSuper’s current security maturity
- Stopped people accessing high-risk Cloud service applications on the Development and Test networks
- Delivered detailed analysis of departmental Cloud service usage
- Recommended the implementation of a CASB solution to assess, manage and report on the security risk profile of all Cloud service applications accessed on the UniSuper network
- Delivered a roadmap to phase out all access to personal productivity services, including Cloud Storage and Webmail services
- Updated the underlying Active Directory (AD) database to ensure the CASB solution will report accurate security risks by department and business unit