Maybe you want to have a seat; we'll have a panel discussion upcoming. I want to ask cover of KPMG to come up and explain to us, please, the perspective that you have discovered in real-life consulting, from maybe a little bit different approach than we had before.

Thank you. Thank you very much. Good afternoon, ladies and gentlemen. As a very short introduction, since we don't have that much time: my name is algo Coco. I'm working for KPMG the Netherlands, in the information protection services team.
My work can be best described as performing advisory: giving advice to our clients on information risk management, identity and access management, and cloud security. For today's plenary session I wanted to share with you our current practical approach on helping our clients to enable cloud solutions within their enterprises. By my background I'm also a little bit of an engineer, and engineering is about putting theory into practice. For two days we've been listening to many tips and tricks on cloud security and also on access management.

And of course the question is: how best can we do it in daily life and make it efficient, not time consuming, not resource consuming?
So let's jump straight into the story. About a year ago, to give you a practical example, we received a request from a client to perform a sort of cloud discovery analysis. Our client was under the perception that they were using around 100 cloud solutions. As we learned yesterday during the Microsoft presentation, in practice organizations usually tend to have 10 times more cloud solutions.

And that's what we also discovered during our cloud discovery engagement. That particular organization was actually using about 1100 cloud solutions. So it was a sort of a bell for the organization, and they said: yes, could you please help us to define a process that is very easy and simple to follow, not only for IT to enable cloud solutions, but also for end users, so they stop acquiring cloud solutions on their own.

And they actually go to the IT department and say: we need this, please enable it as soon as possible.
So we said, yeah, sure, definitely, we will help you to enable them without losing oversight of the risks. As we all know, there are so many different risks associated with cloud usage; I'm not going to go into detail. You have all heard about them, ranging from security risks to operational risks, legal, financial, to name a few. What was the problem there? There were so many different stakeholders that wanted to throw their demands onto the process, ranging from IT, audit, risk management, legal and compliance, to procurement, to name a few.

And as the good saying goes, too many cooks spoil the broth: it makes the whole process really complicated, and the decision making towards onboarding cloud solutions extremely complicated and difficult.

So within this company, basically, they told us that it takes them around nine months on average to enable a cloud solution. And imagine if we're talking about some simple cloud application that helps one of the departments to learn Spanish, because one of the departments abroad is based in Colombia.
Why would it take them nine months to enable something that is not really risky? So we wanted to incorporate this view in our process. How do we do that? Jumping into our actual approach: what we say is that you should always start with yourself. Have a look at yourself: how much risk are you willing to take? Are you risk averse? Are you risk taking? Are you risk neutral?

This will help you to really streamline your focus and determine the high-level rules regarding cloud solutions, which will eventually help you to better select the controls. To give you an example: like Coca-Cola, I can say, okay, I will not put my Coca-Cola recipe in the cloud, never, meaning that the most confidential data, business-critical data, will never end up in the cloud. Those simple rules actually follow your risk-taking, risk-averse or risk-neutral posture. And that's how we think every company should start when dealing with cloud.
Then, as I think was mentioned so many times already yesterday and during today's morning sessions, security is changing and we should stop thinking about perimeters. We should start thinking: what is our most important data? Where do we put that? And so thinking about data will help as well to make the decision: shall I increase my level of control, or shall I drop it at this particular moment? It takes a bit of time. So in terms of data, you can have a look and classify it.

Many companies don't yet have the classification; as was already pointed out, a simple classification.

And knowing, prior to enabling a cloud solution, whether you are going to put personal data there, or intellectual property data, or most confidential or high-availability data, is something that you should know upfront. Based on that, by knowing your risk appetite and knowing what kind of data you're actually planning to put in a cloud solution, we say you can have four different types of controls, controls in four different areas. And there's always something that you can do yourself.

We call it internal controls. So you can make a decision that, since the data I'm going to put in the cloud is so highly confidential, I'm going to think myself about solutions: how to encrypt it, or how to make internal employees aware of what kind of information they're putting into the cloud. There are quite a lot of solutions available on the market that allow companies to do that.
In addition to that, you should of course have a look at the technical controls of cloud providers.

So what kind of encryption they are allowing, what kind of access management controls they're providing; it's always really well described on their websites and in their contract. So it's something that could also be a point of interest for you. Then, of course, contracts and SLAs. For some clients it's really important to see what kind of contract the provider is offering. What is within this contract? Contracts, of course, are not a silver bullet; you're not going to protect yourself just with one contract, but this is one way, one of four ways, to also increase your trust in a future cloud provider.

And of course we should never forget about assurance: third-party assurance, independent statements like independent penetration test reports or SOC 2 or SOC 3 reports. They could also be quite helpful for you to realize that, yeah, okay, this cloud provider maybe is not going to go bankrupt next year, and is well secured.
So how does it work in practice? I have just compiled one particular example: if you make your analysis and you realize that you're going to put highly confidential data there, these are the four types of controls.

So, an example per control that you could eventually have and enable within your company. An example of an internal control could be that for highly confidential data, you would like to ensure that you have your own tools in place that will allow you to fine-grain the user access, and for example monitor the users that are accessing this cloud service. Why not? You will of course go and check the technical cloud solution controls: that this particular provider is constantly encrypting data, not only in motion but also at rest. For contracts and SLAs, you can of course go and check, okay, is this third-party cloud provider actually allowing monitoring on a constant basis, and making this data available to you via, for example, web dashboards? We see more and more that many cloud providers actually have dashboards online, available 24/7, so you can go open it up and check that things are under control.

And in terms of assurance, just here, quite a list of things that, for highly confidential data, you could actually ask your provider to make visible to you.

So not only to state to you that, yeah, we have those reports, but to actually provide them to you so you can go and investigate. And what happens then, going back: once you have this list of controls per data type that you evaluated, it will help to enable the decision making. You can go and select: does this cloud provider actually satisfy all of those controls? And if maybe one out of 10 of those controls is not applicable, it will help you to make a decision. Okay, is it so important that one out of 10 is not good, if the rest, nine, is good?

Maybe I should still go to the cloud and use this cloud solution. Of course the final decision is for the organization, but this way, at least, it's so easy to see and to compare what's there and what's not. And it's always, you know, it's always based on the data that you put in the cloud. And then, just how to make it daily-life practical.
So in consulting we just always want to help with decision making. So we sort of think in terms of questionnaires: to determine this data type and to determine this risk appetite profile of yours, you can always start with a simple questionnaire. This questionnaire will provide some input, and that input will serve as input for some business logic that will pull back for you the list of controls that match the data type and match the risk appetite of your company. And then, by comparing these requirements with what the cloud provider actually offers, you can make your decision.

So in real life you can make a simple software processing tool. It could be an HTML5 application; it could be an Excel-based process flow. There are so many ways to enable it, but the process flow itself will look something like that. So you will, as input, have a list of questions.

Of course, you need to sit down together with all the stakeholders, determining the list of questions, so with legal and compliance, with the IT architect: what's important for the data, what's important for the risk appetite. Then you will have business logic, and based on that a dynamic set of controls, to see if this particular cloud solution is actually good or not, and to make a decision. So that's basically it. Thank you very much.
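The questionnaire-to-decision flow the speaker describes, modelled in Python as an added example that is not from the talk or from KPMG: the data types and the four control areas come from the talk, while the control catalogue, the appetite thresholds and the sample provider (CATALOGUE, APPETITE_THRESHOLD, SAMPLE_PROVIDER) are constructed assumptions.

```python
# Added example (not the talk's or KPMG's code) modelling the flow above:
# questionnaire -> business logic -> required controls -> provider comparison.
# Catalogue, thresholds and the sample provider are constructed assumptions.
# Controls required per data type, in the four areas the talk names:
# internal, technical, contract/SLA and assurance.
CATALOGUE = {
    "confidential": {
        "internal": {"fine-grained access control", "user access monitoring"},
        "technical": {"encryption in motion", "encryption at rest"},
        "contract_sla": {"continuous monitoring dashboard"},
        "assurance": {"pentest report provided", "SOC 2 report provided",
                      "SOC 3 report provided"}},
    "personal": {
        "internal": {"employee awareness programme"},
        "technical": {"encryption at rest"},
        "contract_sla": {"contract reviewed by legal"},
        "assurance": {"SOC 2 report provided"}},
    "high_availability": {
        "contract_sla": {"availability SLA"},
        "assurance": {"SOC 3 report provided"}},
}
# Share of required controls that must be met before the tool says "proceed";
# the final call stays with the organisation, as the talk notes.
APPETITE_THRESHOLD = {"averse": 1.0, "neutral": 0.9, "taking": 0.75}

# Constructed sample of what one provider documents on its site and contract.
SAMPLE_PROVIDER = {
    "fine-grained access control", "user access monitoring",
    "employee awareness programme", "encryption in motion", "encryption at rest",
    "continuous monitoring dashboard", "contract reviewed by legal",
    "pentest report provided", "SOC 2 report provided"}

def required_controls(data_types):
    """Business logic: union of catalogue controls for every declared data type."""
    req = {}
    for dt in data_types:
        for area, ctrls in CATALOGUE.get(dt, {}).items():
            req.setdefault(area, set()).update(ctrls)
    return req

def assess(data_types, appetite, provider_offers):
    """Return (gaps per area, coverage fraction, proceed?) for one provider."""
    req = required_controls(data_types)
    gaps = {a: sorted(c - provider_offers) for a, c in req.items()
            if c - provider_offers}
    total = sum(len(c) for c in req.values())
    met = total - sum(len(g) for g in gaps.values())
    coverage = met / total if total else 1.0
    return gaps, coverage, coverage >= APPETITE_THRESHOLD[appetite]
```

With confidential plus personal data the sample provider meets nine of ten required controls, which a risk-neutral organisation accepts and a risk-averse one rejects; the gap list shows exactly which control to ask the provider about.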