Okay, thank you. Hi everyone. I have the ungrateful role of standing between you and lunch, but let's make this an interesting appetizer, so that we have a nice lunch after my talk.

As I said, I'm going to talk today about the CSA perspective on cloud risk management. I'll go quickly through a bit of introduction and background, and why you should care about all of that, then put out five key questions we should think about when talking about risk management in the cloud, and make a conclusion just before lunch. Quickly about me, as I already had an intro: I'm originally from Ljubljana, Slovenia, and currently living in Barcelona, Spain. I started my career back in 2004.
I hold a couple of certifications, as you can see on the screen, like the CCSK, the Cloud Security Alliance's Certificate of Cloud Security Knowledge, and ISO 27001.
I actually started with CSA even before 2014, as a volunteer. As Daniel mentioned earlier, we have many volunteers all around the world, and I started as one. In 2014 I joined CSA, and until just two months ago I worked on Daniella's team, the CTO team, as a program manager and senior analyst. Currently I'm a CSA research fellow, and I'm looking forward to the new challenges that 2020 is going to bring as a year of changes.
One of the things 2020 is also going to bring is a new event in September that CSA is going to organize. The call for papers is due in just a few days from now, so if you have anything interesting to share, we are more than happy to have you talk about it at the September event later this year.
So, as I promised you an introduction: we've heard today about cloud, how we use cloud and how we use traditional IT. In one of the recent studies, actually from last year, IDC stated that Q3 2018 was the tipping point where the spending of organizations around the world on cloud actually surpassed the spending on traditional IT infrastructure, which is obviously a milestone. Furthermore, they estimate that by 2023 this is going to grow,
and traditional IT infrastructure will represent less than 43%, meaning that cloud is becoming an accepted enterprise technology delivery and operation model, in many cases as a hybrid with the traditional IT that we are still using. Looking into this is fine, but we, the users, or let's say the companies that are using the cloud, have certain concerns regarding things like privacy, security and compliance.
Can we really look into the cloud? How do we do that? How do we do proper risk management?
As we heard earlier in today's sessions, we need to manage our risks. If we use external services, we are still accountable for the data and the processes that we are running in the cloud. This is very important, because when it comes to risk management, the approach doesn't change: we still do risk management as we've been doing it for the last 30 or so years. But when it comes to tactics and implementation, there can be significant differences, because cloud really elevates risk management
from what in many cases was addressed as a traditional siloed, departmental exercise. It needs to become a top-level enterprise process that looks at more than just the operational hazards we would be looking at traditionally.
So in that sense, if you are asking yourself why you should care,
what's really in it for you: when we look at the cloud, it brings with it unique risks related to data security, availability, storage, segregation, integrity and recovery. We have been thinking about risks before, let's say in traditional IT, but some of those may not have been addressed before. So when moving to the cloud, we really need to think about the risks that have now been created and that we might not be aware of.
Then when we talk about compliance, which is very important for every organization, it's a basic part of how we do business, and being non-compliant can be very expensive for us. It can affect our goodwill; we can lose business on that.
So we really need to be sure about how we address risk in the cloud. And when we talk about the cloud as such, we need to understand that more than 10 years ago, let's say in 2008, public cloud computing was around 6 billion euros, or 5.8 billion US dollars back then, and for 2020 it's almost 260 billion US dollars.
As the market has grown significantly in the last 12 years, the risks are growing as well. In that sense, the cloud is serving more sophisticated users, the regulatory oversight is higher, and customer expectations are growing too.
So it's very important to understand that. And when we talk about mitigation, we really need to understand that we need to learn from what we know, and to keep learning about what the new technologies are bringing.
We need to apply the lessons learned, build on an intelligent knowledge base, and actually work out how to put preventive measures in place. And when they fail, how do we address that, in order to mitigate the unmitigated risks that have been realized?
So, moving to those five key questions that I promised. Just to make it clear, the objective of today's presentation is not to provide a definitive answer, but rather to contribute food for thought for all of us, that we can take to lunch, think about, and then discuss as a whole community. Moving to question number one: what really matters is how we think about the existing risk management methodologies,
and whether they are adequate to manage risk in the cloud. Because when applying effective risk management concepts and protocols to the world of cloud, we really need to carefully balance between the technology-specific risks that are created by the unique components of the cloud, the platforms and technologies we are using,
and the business-related risks that are created by dependence on untrusted third parties, as Martin mentioned earlier in the opening keynote with zero trust.
And there are also the technical and organizational risks introduced by the DevOps philosophy and automation. That's something the cloud brings as well, that earlier, in traditional IT, we might not have been aware of.
So that's something really important. We also need to understand that at the start, when the cloud became popular, we saw the benefits of the cloud, and many successful deployments are out there.
As I already mentioned, the market grew, and the clients' expectations grew as well. Today many organizations are using cloud for advanced usage such as big data solutions, machine learning, artificial intelligence, IoT, and many new products and services that were not around in the early years of cloud adoption.
So this is all really very important.
When we talk about cloud, we need to understand what the changes in scope and scale are. It brings a global footprint; there's a supply chain expansion that comes with the cloud, the explosion of devices, infrastructure and data, new business models, shared responsibility, as was already mentioned today, and diminished visibility of the processes, the assets and the incidents. We don't know how the data risk is managed.
Cloud configuration compliance is very important, as are the continuous assurance and continuous compliance requirements that we might have as an organization, and the introduction of privacy regulation imposing stronger accountability, as we know with the GDPR, for instance. As such, this also has a big impact on the IT function, which really needs to reinvent itself.
There's a need to reorganize or redesign, and to reassess what the data governance needs are.
What are the relevant IT security and privacy policies that we have in place? Do we have cloud usage policies? What are the potential skills or competence gaps? And really reassess what the security need is for a cloud-native or cloud-first approach. All of that, I believe, is a lot of food for thought on how to address it.
Moving to question number two, talking about shared responsibility: does this shared responsibility paradigm, which Daniella also mentioned earlier this morning, appropriately reflect the risk management processes and programs that we have in our organizations? Because there's always a distinction between the controls that are the responsibility of the cloud service providers and the security controls that are the responsibility of the customers.
So now, all of a sudden, we need to share risk identification, assessment, measurement and control design with the CSP.
All of those are non-trivial exercises, and the people who do that need to have the proper skills and experience. So this is really important for our organizations. With those two hard questions, let's go to the third one. When companies talk about risk management in the cloud, are they really aware of the implications on governance of the idea of indirect control?
Because with the public cloud, as we all know, came the idea of losing direct control over our IT service. As Daniel mentioned earlier, you don't have your server under the table. For instance, just to give you an example, cloud service providers usually prohibit security scanning, penetration testing or first-party audits by contract.
Things like business continuity and disaster recovery testing are often not possible. Customer security and privacy policies, including standards and procedures such as hardening, may be in conflict with the effort that the CSP is doing.
Access to key logs or visibility into alerts may not be available to us. SLAs have already been mentioned today: they might not be available, or we don't know how they are measured. Are they transparently measured?
What's the visibility of those? So, with this risk of loss of control, when we talk about risk management, the risk management approach should really reinforce the focus on the sources of information that are used to analyze and assess cybersecurity risk. When we get some SLAs offered, we really need to understand what the sources of information are, how accurate those SLAs are, and what evidence we are able to get to support the third-party audits and the certifications that the organizations might have.
So in that sense, it's really important to understand how we can manage risk with this idea of the loss of direct control over the cloud.
Moving to question number four: it's actually the supply chain complexity factor that the cloud brings, and how we address it with the risk management approach. Here it's really important to note that there are some challenges that cloud security and privacy risk management brings.
When we have a contractual relationship between us and, let's say, usually a software-as-a-service provider, are we sure how they manage all of the requirements that we might have with their sub-processors or sub-providers that they are using? We don't have visibility into their supply chain. And it raises a very simple question: how can a cloud customer perform a proper assessment of the security and privacy risks without having access to complete information? We talk about accountability here,
because as cloud customers we are usually accountable for security and privacy matters, but are we in a position to really fully evaluate that?
In that sense, the GDPR helps us a lot. Also, the European Banking Authority has given guidelines on outsourcing arrangements that talk about the cloud supply chain. So we have some help there, luckily. Moving to the last question.
This last question, I believe, is also very important: are our current practices adequate to effectively and clearly communicate risk to members of the board? Because recently we had some high-profile breaches, and we saw that C-suite executives have been aware of cloud, but usually, when we talk about the board members, the chief technology officers or chief information officers would be responsible for communicating and briefing on technology topics.
What's really important is that the entire executive team is well versed in and understands the business, operational, financial, legal, HR, compliance and all the other impacts that cloud has. That's very important to address. As I'm running out of time, I just want to sum up the conclusion before lunch.
When we talk about risk management in the cloud, we should think about the things that are changing, and those things are scale and scope.
What happens with concentration risks when we go into the cloud? Resilience: how resilience can replace, let's say, recovery. And then complexity: as we said, innovation drives technology, but technology also drives complexity, and we really need to be aware of that. The shared responsibility model was already mentioned.
Then there's always this desire to obtain proper information, to have this auditor mindset, which is really important to address the idea of indirect control over IT when we use cloud services. Supply chain was already mentioned, accountability, board awareness and the consciousness of the organization about cloud. So with that, I'll leave you to go for lunch. I'm happy to answer some questions. I'm also adding some contact information; I'll be available and happy to talk to you on these topics.
And just to mention, CSA is going to publish a white paper on this exact topic, in more detail, where in the future you will be able to find more answers and maybe suggestions on how to address those questions.