Cloud Governance through Security
- Elad Fraidnraih, Cloud Security Consultant

- Mar 3, 2020
- 3 min read
Updated: Aug 28, 2020
Governance is a critical initial building block for Cloud security, but governing Cloud security and privacy in the enterprise is not easy.
As Cloud adoption is a journey, not a destination, Cloud governance creates guardrails that keep the organisation on a safe path throughout this journey.
IT governance in general is complex. Cloud governance is even more so because the whole point of Cloud is to give up some level of control to developers. That means instead of a small handful of trusted admins performing every action, a wide range of individuals in many different roles may have self service capabilities.
Governance always prioritises simplicity, visibility and compliance. These are especially important when securing multiple environments. By making the Cloud environment simpler and easier to understand for an engineer or architect, the entire security discussion becomes easier to have.
Here are a few points to consider when we refer to Cloud security governance as a management model that facilitates effective and efficient security management and operations in the Cloud environment, so that an enterprise's business targets are achieved:
- Confirm the CSP's security governance framework: practices for physical security, data lifecycle management, internal monitoring/alerting capabilities, incident response, MTTR/MTBF SLAs, virtualisation technology, segregation of (staff) duties, access control on the SDN (control plane, data, keys), hypervisor type (prefer type-1 over type-2) and data centre standards/compliance
- Ensure the CSP provides the relevant tools to securely manage the use of its services, along with the ability to supply the audit records needed to monitor the service and who is able to access our data
- Before they are consumed, ensure the CSP's services align with the intent of the organisation's security standards and policies, defined within an approved vendor/sourcing contract, with a periodic security assessment review process
- Avoid CSP lock-in (both technical and commercial), starting at the design stage
- Ensure all relevant components of the CSP's services are appropriately incorporated into asset and configuration management (CMDB) processes
- Continuously ensure that data is stored and flows only within its approved jurisdictions
- Confirm that the CSP provides compliance-related (certified) eligibility for the relevant services (e.g. PCI-DSS, HIPAA, etc.), but know that this does not make the service/environment automatically compliant; compliance still has to be implemented jointly by the CSP and the customer
- Consider adding dedicated (approved) security technologies which the CSP may not offer (e.g. XML firewall, SOC function, etc.). NOTE: validate that these can function within the operating Cloud environment
- Any use of a CA/certificate across the Cloud environment must be reviewed and approved by the relevant security business function, considering: business justification, strong authentication capabilities, key rotation, HA, hierarchy, securing the root CA, logging, permissions and the use of Cloud-native CA services
- Manage pen-tests and threat modelling accordingly, taking into account the relevant CIS (and other industry) benchmarks
- Be sceptical of using CSP-managed scripts/code/policies. If they are used, ensure a process is in place to validate them continuously
- Confirm a data lifecycle process is in place across the solution
- Identify whether there is DRM (Data Rights Management) related material across the environment, and protect it accordingly
- Embed, as necessary, the Enterprise Risk Management Framework (ERMF) into the operating environment
- Consider using distributed datastore tools (e.g. Elasticsearch) for 'security analytics' capabilities across large data sets
- Ensure projects implement only Cloud services and technologies that have been approved for use by the organisation's central security function
- Encourage 'data minimisation' across all developments/deployments. This enhances data privacy and reduces security overhead by protecting only the data that is necessary
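Two of the points above (data staying within approved jurisdictions, and projects using only services approved by the central security function) are the kind of guardrail that can be enforced as policy-as-code rather than by manual review. The following is an added illustration, not code from the original post: the region names, service names, approved lists and inventory records are constructed assumptions standing in for an organisation's real policy and CMDB export.

```python
"""Minimal policy-as-code guardrail: evaluate a cloud resource inventory against
two governance rules (approved jurisdictions, approved services).
All policy values and inventory records below are constructed for illustration."""
from dataclasses import dataclass

# Constructed governance policy (assumption, not a real organisation's lists).
APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}             # approved jurisdictions
APPROVED_SERVICES = {"object-storage", "managed-sql", "kms"}  # approved by security

# Services that persist data; for these, the jurisdiction rule applies.
DATA_BEARING = {"object-storage", "managed-sql", "search-cluster"}


@dataclass(frozen=True)
class Resource:
    resource_id: str
    service: str
    region: str
    project: str


def evaluate(resource: Resource) -> list[str]:
    """Return the guardrail violations for one resource (empty list = compliant)."""
    findings = []
    if resource.service not in APPROVED_SERVICES:
        findings.append(f"{resource.resource_id}: service '{resource.service}' "
                        f"is not approved for project {resource.project}")
    if resource.service in DATA_BEARING and resource.region not in APPROVED_REGIONS:
        findings.append(f"{resource.resource_id}: data-bearing service in "
                        f"unapproved jurisdiction '{resource.region}'")
    return findings


def evaluate_inventory(inventory) -> dict[str, list[str]]:
    """Map each non-compliant resource id to its violations; compliant ones are omitted."""
    return {r.resource_id: evaluate(r) for r in inventory if evaluate(r)}


# Constructed sample inventory (as if exported from a CMDB) for demonstration.
SAMPLE_INVENTORY = [
    Resource("bkt-001", "object-storage", "eu-west-1", "payments"),     # compliant
    Resource("db-002", "managed-sql", "us-east-1", "payments"),         # wrong jurisdiction
    Resource("es-003", "search-cluster", "eu-west-1", "analytics"),     # unapproved service
    Resource("fn-004", "functions", "eu-central-1", "analytics"),       # unapproved, no data
]

if __name__ == "__main__":
    for rid, problems in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(rid, *problems, sep="\n  ")
```

Wiring this into a CI pipeline or a scheduled job against the live inventory turns the checklist items into a continuous control rather than a one-off review.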