Tuesday, June 26, 2018


This blog is a MESA Member Point of View.

By Goran Novkovic, MESA Member, CQA, CSQE, ITIL, APM, PMP, PEng

This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations to evaluate how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.

Security in the cloud is always a hot topic. The rapid adoption of cloud computing services globally has been slowed by concerns over data and software security and regulatory compliance. The maturity of a cloud computing environment gives adopting manufacturing organizations an understanding of the suitability of the cloud services and of the level of investment the manufacturing organization must make in order to address any security and regulatory compliance challenges.

To identify, analyse, and manage the responsibilities associated with software and data security and regulatory compliance in the cloud, the manufacturing organization can use the Cloud Responsibility Matrix. This matrix can also be used to define ownership and shared responsibilities between the manufacturing organization as Cloud Service Customer (CSC) and the Cloud Service Provider (CSP), and ensure both parties have a clear understanding of the implications of security and regulatory compliance.


Consider the situation in which a manufacturing organization (as Cloud Service Customer, CSC) decides to build its own virtual network in a public cloud, hosting its data and software applications on the CSP's infrastructure (an IaaS configuration). The Cloud Responsibility Matrix shows that data security and governance, risk, and compliance (GRC) are the complete responsibility of the CSC. The CSC is also responsible for application security, with the exception of the SaaS service model, where it may be a shared responsibility between the CSC and CSP.

In the case of SaaS, the reason is that the CSP is responsible for the software applications, but the data used or generated by those applications still falls under the responsibility of the CSC. CSCs are still expected to manage their data assets in terms of data storage, backup, data encryption, and so on.

As for platform security:

a) the CSC is responsible in the case of the IaaS service model;
b) there is a shared responsibility in the case of the PaaS model;
c) the CSP is responsible for platform security in the case of the SaaS model.

In terms of infrastructure security, the CSP has full responsibility in the case of the PaaS and SaaS service models; in the IaaS model, it can be a shared responsibility with the CSC. The CSP has ultimate responsibility for physical security under all cloud service models.

Does it look simple and clear to you? Please read it as many times as you need to remember! It is critically important to keep the Cloud Responsibility Matrix in mind.

An effective, trusted cloud environment requires robust security governance, which has to be established within every manufacturing organization. This is the foundation for successfully managing the security of data and software applications in the cloud.

Goran Novkovic, CQA, CSQE, ITIL, APM, PMP, PEng
Goran is a Director in the Cyber-Kinetic Security practice at PwC. He is a Professional Engineer with 17 years of experience in Operational Technology/Industrial Control Systems cybersecurity. Goran provides expertise in OT/ICS cybersecurity management and combines it with IT/OT convergence, industrial intelligence and innovative technology solutions (Big Data, AI, ML, IoT/IIoT, Industrial Analytics). Goran helps manufacturing organizations to define their cybersecurity goals and objectives, and to determine where they currently are and where they want to be in terms of organizational cybersecurity and digital transformation. He works with manufacturing organizations to successfully manage OT/ICS challenges by establishing strong OT Cybersecurity Governance, defining OT Cybersecurity Frameworks and developing OT Cybersecurity Programs from scratch. His approach to OT/ICS cybersecurity includes addressing the safety and security of information, technology, people and facilities. Goran helps manufacturing organizations to improve their cybersecurity culture by developing and delivering cybersecurity training and awareness programs. Goran treats cybersecurity initiatives as opportunities for optimization, improvement and innovation for every manufacturing organization, no matter its size or industry sector.
E-mail contact: goran.novkovic@pwc.com