As cloud becomes the new “normal,” we must examine the suitability of using “traditional” on-premises security capabilities in the cloud, as well as learn new cloud security best practices, to ensure cloud services are incorporated into the business in a secure and repeatable process.
Securing cloud services involves more than just implementing security controls; it extends to strategic consumption, training, and automating and orchestrating security. Security and risk management technical professionals can use this whitepaper to securely consume cloud services at scale.
Process Flow to Implement Security in the Public Cloud
- Establish Cloud Strategy
- Develop Cloud Security Skills
- Set Up Risk Framework
- Assess Risk
- Select Cloud Provider Native Tools
- Update Security Monitoring and Incident Response
- Automate and Orchestrate Security
Security isn’t only about implementing technical tools to mitigate a risk to the business. Good security starts with understanding what the business requirements are and aligning skilled personnel who can work toward meeting those requirements. Implementing cloud migration processes without a cloud strategy (or even a cloud policy) could mean that any business unit within the organization can select any cloud provider that meets its business need and then hope for the best in terms of security.
Establish Cloud Security Strategy
Develop a cloud strategy document to help define common goals, risks and other key adoption principles that can be used to standardize cloud adoption. Developing a cloud strategy document will require working with business and IT leaders across the organization.
Develop Cloud Security Skills
This section details training and learning opportunities the organization can formalize to evolve the security skills users and admins will need in the cloud world:
- Formalized third-party training: Third-party training and certification programs provide objective-based training that gives the trainee the new techniques and solutions needed to understand how security capabilities can, and do, operate differently in a cloud environment.
- Formalized cloud provider training: Most, if not all, cloud providers have developed their own cloud security training programs, along with certifications focused strictly on that cloud provider's offering.
- Informal training opportunities: Informal training provides opportunities to stay current with the latest security processes and capabilities coming into the market that might not yet have a formal training course.
With many different cloud providers offering native security tools, along with cloud security vendors offering their own tools to cover specific security gaps, organizations face many options when architecting for cloud security. To successfully secure the many different use cases, security must adapt to meet these different architectures as well.
- Provider control
- Workload protection
- Data protection
Select Risk Framework
Many organizations continue to struggle when selecting which security controls to implement. This is partly because every cloud provider and every organization’s cloud deployment are different. A financial organization will have different security requirements than an organization in the oil and gas field. This can make identifying and selecting security controls very challenging: every cloud provider implements security differently, and every cloud model (IaaS, PaaS or SaaS) differs in who owns each security control and in how those controls will be implemented.
Security risk assessments are essential for supporting business decisions and ensuring risk meets the organization’s overall risk appetite. It has become common for auditors, regulators, business partners and others to require a security risk assessment. Some of these assessments may, in practice, be performed to fulfil only an external requirement, such as an audit. Many regulatory and compliance requirements include the need for a security risk assessment as a mandatory component.
Although cloud providers are secure, customers must also use them securely. Because of the complexities in the various features that compose cloud provider offerings, leveraging the appropriate set of controls is challenging. This will require organizations to look toward augmenting security by leveraging third-party tools, such as a cloud access security broker, to implement security with ease.
Select Cloud Provider Native Tooling
The first step in implementing security in the cloud is to leverage the native security capabilities that your cloud provider of choice offers. Your selection of security controls should focus on the top security challenges that your organization will face when migrating your applications, services and data.
The increasing complexity of cloud architectures (such as hybrid cloud), evolving threats, and the need to coordinate multiple security products, monitoring and incident response can make operationalizing the security of your cloud environment quite challenging. This means that there is no single “best practice” for operationalizing cloud security.
Update Security Monitoring and Incident Response
The rapid adoption of cloud services and the various ways the services are being implemented (containerization) and consumed (mobility and the Internet of Things [IoT]) within the organization have led to a change in the threat landscape and an increase in new risks. This means that your current security monitoring and threat detection practices must be updated and enhanced for this new cloud environment.
Cloud security monitoring technology use cases match the traditional ones at a high level:
- Threat detection: Monitor for attacks, unauthorized access and other security issues; detect actionable security events and alert when needed. The alert triage process sits between detection and security incident response processes.
- Security incident response and investigation: Collect the data and enable investigators to sort through the details after a security incident is discovered.
- Regulatory compliance: Deliver other monitoring capabilities prescribed by regulatory compliance frameworks (which may drive detection and investigation, as well as retention and activity review).
Automate and Orchestrate
Security teams are suffering from staff shortages, an increase in the volume of alerts and threats, and the ever-present need to do more with less. This hinders security teams from getting their tools working in concert with each other to solve the challenges organizations encounter when migrating into the cloud, which makes automating and orchestrating security processes and procedures an even more important requirement. While maintaining security can be challenging, it’s not impossible when time and funding are not obstacles.
Kanoo Elite provides leading cloud technology security solutions that are designed with your business in mind. We begin each engagement with a brief review of your existing cloud environment, including the current security controls and data protection measures that you are using. We have extensive experience working in:
- Amazon Web Services
- Microsoft Azure
- Other cloud service providers
After our initial security posture review, we work to develop a security strategy that encompasses multiple facets of cloud security. Each strategy focuses on your business and security objectives. Kanoo Elite offers world-class cloud security consulting services for a range of cloud environments. Our cybersecurity staff have extensive experience in providing cloud security consulting for Azure, AWS, Google Cloud, and other cloud platforms. Our team has done work for numerous government entities. Kanoo Elite’s world-class security experts are standing by, ready to help you respond to a security incident, implement new security controls, or to build an information security and access management program around your existing cloud infrastructure.