G-Cloud IV Services Service Definition Accenture Cloud Security Services
Table of contents

1. Scope of our services
2. Approach
3. Assets and tools
4. Capabilities
5. Expected Outcomes
6. Reference
7. Pricing
8. Contacts
9. About Accenture
10. Additional Information

1. Scope of our services

This document describes Accenture's Cloud Security Services, and should be read in conjunction with the associated Government Cloud IV Services documentation. These services include repeatable processes for identifying security requirements, assessing the security posture and authorising the movement of an application to the cloud. These services are based on enterprise architecture principles and standards (including The Open Government Architecture Framework or TOGAF) but have security as their central focus, reusing principles from Sherwood Applied Business Security Architecture (SABSA).

Accenture provides the following Cloud Security services:

- Support in the selection of a Cloud Services model (SaaS, IaaS or PaaS).
- Support to understand the risk associated with specific Cloud Service Models and to identify potential impacts and mitigations.
- Support to understand risk acceptance criteria and prioritisation of risks based on business impact.
- Identification of contributors to risk and the weak links in systems.
- Identification of areas to strengthen protection and recommendations for improvements.
- Identification of security controls necessary for an application (for example):
  o Integration with Security Gateways to encrypt/tokenise sensitive data before going to the Cloud
  o Identification of roles and associated privileges
  o Integration with Identity Management System
  o Integration with Single Sign-On system
  o Other integration services
- Assessment of the security posture of Cloud Service Providers.
- Formal assessment techniques (for example):
  o Vulnerability scanning
  o Penetration testing
  o Architecture review/assessments
  o Mapping of technical vulnerability against business impacts and business processes
- Development of approaches for securing data and applications with Cloud Service Providers.

Accenture has 20 years of experience in public sector security, including work subject to the Security Policy Framework (SPF) and Good Practice Guidelines from CESG (Communications-Electronics Security Group). These experiences, combined with the most recent thinking and policy from G-Cloud and the Government Protective Marking Review, are considered through the security assessment. The experience and methods will help G-Cloud clients to strike the right balance between the assurance and the security of the organisation's data assets whilst delivering high performing and cost effective operational services.

2. Approach

Accenture's approach includes a series of toolkits and templates for all phases of a cloud implementation and has been developed with clients in numerous industries across the world. These assets and this experience will be reused where appropriate for the Authority and for G-Cloud, delivering unparalleled value in the cloud marketplace.

The following outlines the process for a Cloud Security involvement. Timelines will vary and will depend on the scope of the services as well as the scale and number of the environments in question.

Figure: Accenture's Cloud Security Processes

3. Assets and tools

Our services are supported by a number of assets and tools applicable at all stages of the process. Historically this is an approach favoured by many of our clients. These assets include formal requirements gathering methods, the Cloud Security Assessment Toolkit, Enterprise Risk Toolkit, among others. These include formal methods and tools for assessing security risks, identifying security vulnerabilities and approaches for developing a road map with the G-Cloud customer for improving cloud security or implementing cloud computing.

The following diagram shows some of the tools which support our services in the initial assessment phase:

Figure: Accenture tools supporting the development of a Cloud Security Assessment

After the initial assessment and determination of the scope of the Cloud Security assignment, other toolkits can be employed depending on the needs of the G-Cloud customer. Accenture has toolkits and accelerators for Identity and Access Management, Client Data Protection, Infrastructure Security, among others, that can help ensure the Cloud Security assignment and the integration of other applications with the Cloud application are successful.

4. Capabilities

Our Information Security Services help organisations to achieve:

- Increased shareholder value by reducing risk, costs and complexity
- Elevated brand positioning and credibility through standards compliance and transparent auditability
- Improved productivity and business growth as a result of the implementation of flexibly secure, integrity-assured, extensible services
- Increased customer trust and loyalty by reliably safeguarding client and customer information and systems against threats and attacks.

We offer three main security Capabilities:

Figure: Accenture's Security Capabilities

- Security strategy and risk services: We help clients assess their security posture and risk tolerance, determine the appropriate level of security for various operations, and design a comprehensive strategy that supports the business goals.
- Application and infrastructure security: Our enterprise security solutions leverage complex packaged applications or custom applications. Our infrastructure security solutions start with getting security right in the network and all other elements of the clients' infrastructure from the endpoints to the data centre.
- Identity and access management: We implement processes and tools that centralise and streamline access within the enterprise and by enhancing clients' identification and verification management capabilities we help them enable business opportunities.

5. Expected Outcomes

Accenture's Cloud Security Services provide the Authority and G-Cloud customers with formal deliverables which provide an overview of the customer's environments and systems in the cloud and how the cloud impacts the client's:

- Data Protection needs
- Risk posture and residual risks
- Existing accreditation status

The documentation also allows the customer to prioritise remediation activities using the Accenture road map while recognising the constraints of the architecture in question.

Whilst the focus of an assessment is on confidentiality, integrity and continued availability of the organisation's assets, our approach and methodology also enable the Authority or the G-Cloud customer to use the potential outcomes as part of any existing risk management processes as required by HMG standards and processes.

Additionally, Accenture aims to provide G-Cloud customers with the ability to make use of state-of-the-art Cloud Services, with all the associated benefits, while at the same time ensuring that adequate security controls are put in place to protect the customer data. Accenture can achieve this by implementing adequate security controls around the Cloud Services, producing the following outcomes, for example:

- Integration with Cloud Security Gateway: ensures compliance with strict data privacy and data residency requirements using state-of-the-art Cloud Security controls. With this integration, G-Cloud customer sensitive data can be stored within the client premises while minimising the impact on functionality in the Cloud Services.
- Integration with Identity and Access Management system: allows more granular control on who can access the Cloud Services and specifically what can be accessed. Tailored to the auditing and management needs of the customer.
- Integration with Single Sign-On system: provides more control in terms of the access of the system, making use of the existing internal security access controls of the customer.
- Integration with other customer systems: given our experience in the system integration and security fields, Accenture is able to provide integration between the G-Cloud customer systems with the goal of ensuring compliance with the Authority and the strict G-Cloud customer requirements.

6. Reference

In order to illustrate what Accenture is able to deliver, we present one of the solutions we have already deployed successfully to some of our clients.

In this example, Accenture engaged with the client company, leading data classification, data privacy and data residency requirement gathering sessions to help the company determine the set of information most vital to their business. With this in mind, we selected and deployed a Security Gateway in every sub-organisation of the company with data privacy and data residency concerns. These gateways ensured sensitive data would be protected before they went to the Cloud Service. Sub-organisations which had strict data residency requirements were able to store their sensitive data within their premises.

The Security Gateways mediated all the interactions between users and other systems with the Cloud Service. Each Security Gateway used different protection mechanisms and ensured only selected personnel would be able to get the real data in clear text when accessing the Cloud Service through it.

Users were allowed to access the Cloud Service only after authenticating in the company global Single Sign-On system. This ensured a higher level of security. In order to request access to the system, users could place their requests in the company global Identity and Access Management system where, after approval, the account provisioning processes would be triggered to create the account for the user in the Cloud Service.

In order to allow all the data contained in the local applications in the sub-organisations to be ported into the Cloud Service, a specific Extract Transform and Load (ETL) system was developed to analyse all the data, remove duplicates and cleanse the data before it went to the Cloud Service. The inputs to this system were flat files exported by the sub-organisations and exported to a secure FTP system where the ETL processes were able to gather them.

Accenture was fully engaged with the company privacy manager and legal advisors, the Security and Infrastructure teams, the Business and with the counterparts in the sub-organisations to ensure the whole process was compliant with the requirements necessary to allow the use of the Cloud Service and make use of its benefits. With this project we helped define the roadmap for Cloud Service adoption at the client.

Figure: Accenture Cloud Security reference

7. Pricing

Please refer to the associated Pricing Document relevant for this Service.

8. Contacts

Simon Mitchell (Accenture Health & Public Services Sales Lead)
Email: sales.support.uk@accenture.com
Telephone: ++44 7702 234537

9. About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with approximately 269,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$27.9 billion for the fiscal year ended Aug. 31, 2012.

We have five industry-focused Operating Groups (OGs) including Health & Public Service, Communications Media & Technology, Financial Services, Products and Resources and these are supported by three Growth Platforms: Management Consulting, Technology and Outsourcing.

Example: Specifically within the area of cloud security we:

- Rank as a leader in Forrester Research, Inc.'s The Forrester Wave: Information Security and IT Risk Consulting, Q1 2013.
- Are a Cloud Security Alliance Corporate Member
- Are a standards contributor to the Trusted Cloud Initiative
- Offer global scope and coverage: more than 1,600 security professionals worldwide with 389 Certified Information System Security Professionals (CISSP), 19 Certificate of Cloud Security Knowledge (CCSK) practitioners and 11 Sherwood Applied Business Security Architecture (SABSA) certified architects

10. Additional Information

Forrester Research, Inc., Forrester Wave: Information Security and IT Risk Consulting, Q1 2013

Excerpt: Accenture's experience and good value ensure client satisfaction and repeat business. Accenture has excellent technical capabilities and seeks to pragmatically embed security into customers' business processes rather than just deliver technology solutions. As an experienced global systems integrator, Accenture demonstrates strong security programme and project management that inspires considerable repeat business. Accenture uses a centre of excellence in India for much of the company's operational client work. Doing this allows Accenture to provide very competitive pricing that customers applauded. Accenture's practice focuses on complex and unusual security transformation projects.

Copyright 2013 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Copyright 2012 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.