Fast forwarding

your cloud security

strategy
As the cloud moves from mainstream to
mainstay, now is the time to get smart on
your cloud strategy

EY Engage 1
As we emerge from the global pandemic, ongoing digital
transformation and work anywhere policies are accelerating cloud
adoption. At the same time, cyber security continues to be a major
cause of concern. Given that a “no cloud” strategy in five years will
feel like a “no internet” strategy today, it’s vital not to leave trust to
chance. Organizations should start now to implement cloud strategies
that enable their business and address security concerns.

What are the Biggest Cloud

Security Concerns?
• Data loss or leakage;
• Data privacy and confidentiality;
• Accidental exposure of credentials.

What are the Benefits of Cloud?

• Speed to market and agility;
• Cost optimisation;
• Productivity and scalability.

2 · Fast forwarding your cloud security strategy

Our Company Focus
Partnering with a knowledgeable external partner can help. At EY, we People Process
aim to take the burden of compliance and risk out of the client’s cloud Risk, Compliance
journey. From design, build and operation. With that we strive to be and Control
the nr 1 cloud security services provider for regulated industry within
the next couple of years.

• Embrace cloud-native technology and principles to enable Decommission Identify

ubiquitous security. Cloud Operations Security

• Shift left to consider security at every stage of the cloud lifecycle.

Strategy, Resource,
• Establish a culture of excellence with key internal talent and strong Organisational
external partners. Management and
Continual
Whether you’re an early or late adopter, now’s time to get cloud Improvement
smart.

Broad, innovative and integrated solutions Cloud Service Data

Our Cloud Governance Framework spans across people, process Provider Architecture and
and technology to promote consistency, transparency, efficiencies Management Infrastructure
and oversight across all stages of the cloud management lifecycle.
By leveraging this framework, EY will assess and analyse current
processes benchmarked against leading industry practices and Manage Configure
provide focused recommendations for improvement. Finance
Managements

Technology Governance

Migrate

3 · Fast forwarding your cloud security strategy

Cloud Governance Framework

Risk, Compliance & Control Security Data, Architecture & Infrastructure

Regulatory Alignment Legal Management Identity & Access Management Data Protection & Privacy Policy Management Data Architecture

Compliance Management IT Risk Management Security Operations General Cloud Security Data Architecture Integration / Interoperability

Vendor / Third Party Risk Best Practices Emerging Tech & Innovation Data Governance & Data Management

Governance to align improvements to strategy, report corrective actions, resource management and organizational change

Strategy, Resource, Organizational Management & Continual Improvement

Resource Management Organizational Change Management Portfolio/Program Management Continual Service & Capability Improvement

Contract Governance & Service Management Availability Management

Consumption Model Total Cost Ownership Model Project Change Management
Management Integration
BCP & DR
Benefits Realization Adoption Costs Cloud Vendor Management Monitoring & Measurement Capacity Mgmt. & Scalability
Resiliency

FinOps Real Time Alerting Service Level Management Operations Management AI & Insights

Finance Management Cloud Service Provider Management Operations

4 · Fast forwarding your cloud security strategy

Cloud Controls Framework:
Alignment with Other Standards
The Cloud Controls Framework is an alignment of internationally Kevin Mallia
recognised standards such as CSA, ISO and NIST. 1 Risk, Compliance and Control Consulting Partner
EY Malta
Cloud Security Alliance [email protected]
• The Cloud Security Alliance (CSA) is the world’s leading 2 Security
organization dedicated to defining and raising awareness of best
practices to help ensure a secure cloud computing environment.
• The cloud security appliance (CSA) CCM lists key controls and 3 Data, Architecture and Infrastructure
considerations for cloud security.
• The controls align to various industry standards and guidance. Joseph P Galea
4 Director of Business
Finance Managements
International Organization for Standardization and IT Risk Consulting
• ISO 27001 – Information security policy. EY Malta
• ISO 27017 – Information security controls for cloud services. [email protected]
• ISO 27018 – Protection of PII in public clouds acting as PII 5 Cloud Service Provider Management
processors.

NIST 800-53 v4 6 Operations

• NIST outlines various considerations, guidelines and Michael Azzopardi
recommendations for cloud computing. Senior Manager,
Strategy, Resource, Organizational Technology Consulting Lead
7
Microsoft Azure Security Practices Management and Continual Improvement EY Malta
• Public cloud vendors publish best security practices for levering [email protected]
their platforms and define a shared responsibility model for
security.

Local Regulations
• Applicable industry and local laws and regulations.

Figure: Cloud Controls Framework

5 · Fast forwarding your cloud security strategy

Building a better working world

EY exists to build a better working world, helping create long-term value

for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries

provide trust through assurance and help clients grow, transform and
operate.

Working across assurance, consulting, law, strategy, tax and transactions,

EY teams ask better questions to find new answers for the complex issues
facing our world today.

EY refers to the global organization, and may refer to one or more, of the
member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. Information about how EY
collects and uses personal data and a description of the rights individuals
have under data protection legislation are available via ey.com/privacy. EY
member firms do not practice law where prohibited by local laws. For more
information about our organization, please visit ey.com.

In Consulting, we are building a better working world by transforming

businesses through the power of people, technology and innovation. It’s
our ambition to become the world’s leading transformation consultants.

The diversity and skills of 70,000+ people will help clients realize
transformation by putting humans at the center, delivering technology
at speed and leveraging innovation at scale. These core drivers of
“Transformation Realized” will create long-term value for people, clients
and society.

For more information about our Consulting organization, please visit

ey.com/consulting.

© 2022 Ernst & Young Ltd.

All Rights Reserved.

This material has been prepared for general informational purposes only
and is not intended to be relied upon as accounting, tax, legal or other
professional advice. Please refer to your advisors for specific advice.

https://www.ey.com/en_mt