CISO Summit No 18: Cloud Security: Impact on Risks, Control and Security

The perception of cloud services has changed dramatically: in the beginning, there were statements from national administrations that deeply distrusted cloud services and dis-encourage organisations to move their data and operations to cloud service providers. Today the largest banks closed a deal for their highly sensitive data with a cloud provider: the world has changed.

The gap may be explained by changes within the cloud architectures including options to use strong customer-managed encryption keys to ensure ownership and privacy for the application and data.
A purey one-to-one relation between cloud providers and organizations may be reality for some at the moment. However, a multi-cloud approach is more likely to be adopted by a majority of organizations to mitigate systemic risks, use differentiated services and optimize costs. Not a core topic, but inte- resting for us as individuals, we relate to multiple cloud providers (e.g. WhatsApp, Twitter, Skype, etc.) even when we are unaware of it.

We can conclude that cloud usage is today a preferred model to profit from the economy of scale effects of hardware and operating system maintenance, but even more from the highly sophisticated security management: The larger the cloud provider is, the more people work in security engineering, security operations and therefore provide a service on higher level. The numbers in the background are enormous and can be between 50 to 5.000 professional security engineers. Happily, organizations can select from a variety of service providers, such that after a contractual period, a change is feasible. But what are the exit scenarios, what needs to be prepared when already when entering the contract?

Andrew Hutchison (T-Systems) will present some of the key challenges for a hybrid cloud environ- ment from a security perspective. Rolf Becker (UBS) will elaborate on UBS’s approach considering the requirements of one of the most sensitive cloud user groups. These keynotes will introduce and stimulate the discussion with questions such as how do we negotiate with cloud providers to use of private encryption keys, how to test security concepts and how to create preparedness for switching between cloud providers.