Cloud Consulting: Cloud Security Assessment & Validation

Gartner G-Cloud Service Definition
For further information on Gartner support for Cloud initiatives visit:
http://www.gartner.com/technology/research/cloud-computing/services.jsp
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other
authorised recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied,
distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Gartner Service Definition —
Cloud Security Assessment & Validation

Service Description

Gartner will provide facilitated interactive planning sessions to help clients understand the security issues, benefits, costs, risks and vendor landscape for clients considering moving infrastructure components and services to the Cloud. These sessions have been developed to assist clients who are tasked with architecting, recommending, or implementing an organisation’s data security strategy in the Cloud. They will answer the following questions:

■ What are the security implications for your data — both at rest and in transit?
■ What applications are supported, what service levels are appropriate and who are the leading vendors?
■ Rethinking security programmes and processes (monitoring, audit, investigations, policy) when moving services to the Cloud
■ Identity management, authentication, authorisation, and federation

This workshop was developed over many years of in-depth research and consulting. It exploits Gartner frameworks to provide independent and detailed analysis of the feasibility, value and risks for your cloud planning activities.

Key Benefits

Interactive planning sessions which explore the client’s security options with the client in order to:
■ Drive consensus toward a feasible Cloud security strategy for the organisation with a high-level, actionable plan
■ Identify at a high level potential gaps between your business’s current state and desired state with respect to Cloud security readiness, based on the workloads explored in the sessions
■ Identify Cloud security issues clearly and determine how to prepare for possible migration to Cloud services in an orderly, well-thought-out approach that does not put the organisation at undue risk

Key Deliverables

Cloud Readiness Interactive Planning Session that provides:
■ Kick-off meeting to set requirements, expectations, scope and schedule
■ A maximum of four interviews with client stakeholders to gather information required to tailor the Workshop
■ Two-day interactive planning session
■ Relevant Gartner research and examples
■ High-level conceptual architecture and strategy report detailing conclusions, points for development and an action plan for moving forward

Price

Gartner will charge a firm fixed price of £32,081 excl. VAT, incl. all expenses, for this service.

© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Deliverables

■ Cloud Readiness Interactive Planning Sessions that provide:
  – Kick-off meeting to set requirements, expectations, scope and schedule — with a maximum of four interviews with client stakeholders to gather information required to tailor the Workshop
  – Two-day interactive planning session:
    • Day 1: Structured Training Format — Security Strategies for Cloud Computing
    • Day 2: Assess and develop strategies:
      - Participants describe their environments via 20-minute ‘mini presentations’ to the group
      - Gartner facilitates the development of a high-level conceptual architecture and strategy — if jointly deemed feasible
■ Workshop materials with supporting analysis, research, and other relevant work products
■ Workshop Report detailing Workshop conclusions, the high-level conceptual architecture and strategy developed, and an action plan for moving forward
Gartner Project Team Roles

Staff                                     Head count   Duration   Day rate
Director (per SFIA level 6)               1            2          as per rate card
Associate Director (per SFIA level 4/5)   1            8          as per rate card
Senior Consultant (per SFIA level 3)      1            9          as per rate card

Client Project Team Roles
■ Project Sponsor
■ Project Manager
■ Key stakeholders

Project Schedule
■ Gartner anticipates completion of this engagement within two weeks

Project Approach

Week 1: Project initiation
■ Conduct 4 key stakeholder interviews
■ Send a self-survey, with key stakeholders, to scheduled workshop participants in order to capture a snapshot of the organization’s overall IT infrastructure and key applications, in order to tailor the Workshop
■ Tailor the Workshop for the client focus areas with relevant Gartner Security and Risk Management Research, Market Clocks, Hype Cycles and Cloud Vendor Research

Week 2: Workshop Delivery
■ Deliver a two-day scheduled session on-site
■ Develop report conclusions, high-level conceptual architecture and strategy development options, and the action plan
■ Present report to executive stakeholders

Project Benefits
■ Intensive planning session which explores security options with the client team, helping to:
  ■ Drive consensus toward a feasible cloud security strategy for the client with a high-level action plan
  ■ Identify at a high level potential gaps between the client’s current and desired state with respect to cloud security readiness, based on the workloads considered in the workshop
  ■ Identify Cloud Security issues clearly, and determine how to prepare for possible migration to cloud services in an orderly, well-thought-out strategy that does not put the organisation at undue risk
Reasons Why Others Use Gartner
■ Gartner created the IT Research industry 32 years ago, and our reputation speaks for itself. Gartner Research is the only IT research informed by both the technology end user’s and provider’s perspectives. We use our research as the basis for our Consulting solutions, methodologies and tools; and we leverage our research and our industry-leading analysts, as needed, throughout our Consulting engagements. So, when our clients buy Gartner Consulting, they are buying Gartner Research
■ Articulating a clear ICT Value Proposition that is framed such that cloud opportunities are highlighted appropriately is a foundational pillar in approving and executing change. Without evidence to secure informed consent to an updated ICT Value Proposition there is a danger that Cloud opportunities are missed, or pursued for inappropriate reasons
■ A clear view of what changes to make to ensure the organisation is better able to recognise, evaluate, decide and execute on Cloud initiatives (and the rationale for making such changes)

Prerequisites
■ Gartner will only provide the stated service if the client cloud transformation project in question is officially approved to commence and has officially commenced

Any Additional Information
■ There is no additional information related to this service
Assumptions
■ With the exception of meetings and workshops, Gartner work will be performed at Gartner locations
■ The client will designate a project manager as primary point of contact who will work closely with Gartner as needed and will: (a) approve priorities/task plans/schedules; (b) facilitate scheduling of interviews with personnel; (c) notify Gartner in writing of project issues and assist in their resolution
■ Offices, phones, printing/copying and Internet access will be available to Gartner at client locations
■ Gartner will use Microsoft Office for the production of any engagement documentation
■ Any requests for additional information and/or deliverables (beyond the details described in this service definition) that are made will be considered a change in scope and will be handled accordingly (see Changes to Scope). This does not apply to clarification questions
■ Client will review and approve documents within five business days. If no formal approval/rejection is received within that time, the deliverable is considered accepted
■ Client personnel will be made available per the schedule agreed in the kickoff meeting
■ The due diligence (as-is) data are reasonably available via interviews and documentation review
■ Client provides timely access to personnel to be interviewed. These personnel will be able to answer questions, provide documentation and attend sessions
■ Project pricing assumes that Gartner will conduct 3 remote interviews and 1 workshop (2 days) over a period of 3 days and that the client will arrange all sessions with the client’s personnel
■ All data collection/interviews/workshops will take place via phone or in person as agreed at the project kickoff

Changes to Scope
■ The scope of the engagement is defined herein. All client requests for changes must be set forth and explained in writing. As soon as practicable, Gartner shall advise of the cost/schedule implications of requested changes and any other necessary details to allow both parties to decide whether to proceed with the requested changes. The parties shall agree in writing upon any requested changes prior to Gartner commencing work
■ As used herein, “changes” are defined as work activities or work products not originally planned for or specifically defined by this service definition
Information Assurance
■ Gartner possesses analysts and consultants with various security clearances, or we will, within reason, acquire those clearances as the client demands
■ Gartner associates are bound by very specific rules around client confidentiality and security, given that our clients reveal to us their greatest challenges and difficulties in order that we can help and support them most effectively

Backup Restore and Disaster Recovery
■ The Gartner service under discussion does not require Gartner to manage or store any critical client data. Therefore, as there is no risk to the client and no break in service that will affect the client experience, there is no applicable policy needed in relation to this specific issue

Service Migration
■ There is no need for a Service Migration plan given the nature of the service under discussion. The client is able to complete and conclude the service without any ongoing process being required for transfer of service or information to an alternative provider or successor. At the conclusion of the service described, all deliverables and any supporting information are handed over to the client

Data Restoration
■ No client data is retained by Gartner as part of the client’s access to this service and therefore there is no data restoration process related to this service
Onboarding
■ Gartner does not offer onboarding services; however, Gartner will hold a kickoff meeting with the client to ensure understanding of the engagement objectives, scope, schedule and milestones, roles, responsibilities and required resources for Gartner and the client. Gartner will also discuss anticipated risks and mitigation plans, based on lessons learned from past experience. Gartner will gather any relevant background material from the client

Offboarding
■ Gartner does not offer offboarding services; however, Gartner will close down the engagement, upon conclusion, ensuring all necessary skills and information are transferred appropriately and in a timely manner to the client
Pricing
■ Gartner will charge a firm fixed price of £32,081 excl. VAT, incl. all expenses, for this service

Ordering and Invoicing Process
■ Gartner will bill for 100% of the professional fees at contract signing
■ All invoices are payable net 30 days from date of invoice. While Gartner does not itemise billing for professional services, Gartner agrees and will comply with any reasonable requests for records substantiating our invoices

Financial Recompense Model
■ If a Service does not meet the specifications set out in the applicable Service Description, the breach will be handled in accordance with the Liability and Termination terms set out in the Call-Off Agreement

Termination Terms (by Consumer/by the Supplier)
■ Services may be terminated without cause by the Customer on at least thirty (30) Working Days notice
Service Management
■ This is not applicable to this service. The service will be managed as described under the Statement of Work component of this Service Definition

Service Constraints
■ This is not applicable to this service

Service Levels
■ This is not applicable to this service
Training
■ Gartner will provide Cloud Security Strategy and general project management coaching to the client's cloud transformation project manager

Trial Service
■ Gartner does not offer a trial service option in relation to this service

Consumer Responsibilities
■ Provision of the necessary resources, systems and documentation for review
■ Responsible for managing logistics on the client’s site for the duration of the engagement
■ Assign a client Project Manager to work as a single point of contact between the Gartner team and the client
■ Identify the right people for the interviews/workshops, schedule and communicate the intent of the engagement
■ Provide facilities for workshops and Gartner workspace
■ Collate and send all relevant data prior to the meeting
■ Ensure attendance at kickoff meeting and any subsequent interviews and meetings by Project Sponsor, Project Manager and other key stakeholders, as determined prior to, during and post kickoff

Technical Requirements
■ Gartner will require access to:
  – Any information requested (some may be potentially sensitive) regarding the cloud transformation project, electronically and/or in paper format
  – The organization’s overall IT Security infrastructure and key applications information, electronically and/or in paper format