The benefits of cloud technology have been well publicized. It offers great capabilities for scaling up and down and deploying the latest innovations such as containers and microservices to build modular applications or serverless computing. In combination with the ‘pay-as-you-go’ model there are no upfront major investments, enabling organizations to move from CapEx to OpEx models.
Altogether, these benefits can help businesses reduce their costs, be more flexible and decrease time to market of delivering goods and services to their customers.
The business perspective
While cloud technology offers many advantages, there are aspects of governance and security that should not be overlooked. From a business risk perspective, a proper process should be in place, based on security and privacy by design. For this purpose, an organised team such as a Cloud Center of Excellence (CCoE) is a useful instrument to support governance and security on the road to the cloud. A CCoE can support the design and creation of a solid solution. The team can focus on issues such as proper guidance, shared responsibilities, cost management and security architecture initiatives like Zero Trust Network Architecture (ZTNA), Cloud Access Security Broker (CASB) and Secure Access Service Edge (SASE); all important ingredients of the journey to the cloud.
Risk-based approach
Once a CCoE team is formed, it is key that the risk and security representatives within the team use a risk-based approach to determine the requirements for the cloud platform environment, in order to build and provide the landing zone. An important topic is to facilitate a secure way to access the landing zone from a control plane perspective. Managing this privileged access is what some vendors call Cloud Infrastructure Entitlement Management (CIEM).
Importance of automation
The journey to the cloud is a great opportunity to automate the deployment as much as possible. For example, the provisioning of resources in the cloud can be carried out as Infrastructure as Code (IaC), based on CI/CD tooling with integrated security verification controls and organization-defined deployment policies. This supports limiting or restricting certain resources and/or settings as required by company security and compliance policies. Once the landing zone is completed and a hybrid interconnect to the existing on-premises environment is established, it's time to provision the business solutions. Due to the shift towards Agile/DevOps ways of working in many organizations, these teams are responsible for their own solutions or workloads. They need to be facilitated and guided to ensure the secure deployment of their solutions and operational tasks.
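The deployment policies mentioned above are commonly enforced as a gate in the CI/CD pipeline: planned resources are evaluated against organization-defined rules before anything is provisioned, and the pipeline fails on a violation. The following is an added example, not code from the article or from any IaC tool. The resource shapes (a "storage" and a "vm" type with the fields shown), the approved regions, the required tags and the sample plan are all constructed for the illustration.

```python
"""Policy-as-code gate for Infrastructure-as-Code deployments (added example).

Each planned resource is checked against common rules (region allow-list,
mandatory tags) and type-specific rules. Unknown resource types are denied by
default so a new type cannot bypass the gate until a policy exists for it.
"""
from dataclasses import dataclass

# Hypothetical organization policy values (assumptions for this example).
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}
REQUIRED_TAGS = {"owner", "cost-center"}
MANAGEMENT_PORTS = {22, 3389}


@dataclass(frozen=True)
class Violation:
    resource: str
    rule: str
    detail: str


def _check_common(res):
    """Rules that apply to every resource: approved region and mandatory tags."""
    name, found = res["name"], []
    if res.get("region") not in ALLOWED_REGIONS:
        found.append(Violation(name, "region-allowlist",
                               f"region {res.get('region')!r} is not approved"))
    missing = REQUIRED_TAGS - set(res.get("tags", {}))
    if missing:
        found.append(Violation(name, "required-tags",
                               f"missing tags: {sorted(missing)}"))
    return found


def _check_storage(res):
    """Storage must not be publicly accessible and must encrypt data at rest."""
    name, found = res["name"], []
    if res.get("public_access", False):
        found.append(Violation(name, "no-public-storage", "public access is enabled"))
    if not res.get("encryption_at_rest", False):
        found.append(Violation(name, "encrypt-at-rest", "encryption at rest is disabled"))
    return found


def _check_vm(res):
    """Virtual machines must not expose management ports to the whole internet."""
    name, found = res["name"], []
    for rule in res.get("ingress", []):
        if rule.get("source") == "0.0.0.0/0" and rule.get("port") in MANAGEMENT_PORTS:
            found.append(Violation(name, "no-open-mgmt-ports",
                                   f"port {rule['port']} is open to 0.0.0.0/0"))
    return found


TYPE_CHECKS = {"storage": _check_storage, "vm": _check_vm}


def evaluate(resources):
    """Return every policy violation found in a list of planned resources."""
    violations = []
    for res in resources:
        violations.extend(_check_common(res))
        check = TYPE_CHECKS.get(res.get("type"))
        if check is None:
            violations.append(Violation(res["name"], "unknown-type",
                                        f"type {res.get('type')!r} has no policy; denied by default"))
            continue
        violations.extend(check(res))
    return violations


def gate(resources):
    """Pipeline gate: True when deployment may proceed, False when any rule fails."""
    return not evaluate(resources)


# Constructed sample plan: a compliant storage account, a VM with SSH open to
# the internet, and a storage bucket that breaks several rules at once.
SAMPLE_PLAN = [
    {"type": "storage", "name": "invoices", "region": "eu-west-1",
     "tags": {"owner": "finance", "cost-center": "1001"},
     "public_access": False, "encryption_at_rest": True},
    {"type": "vm", "name": "bastion", "region": "eu-west-1",
     "tags": {"owner": "platform", "cost-center": "2002"},
     "ingress": [{"port": 22, "source": "0.0.0.0/0"}]},
    {"type": "storage", "name": "exports", "region": "us-east-1",
     "tags": {"owner": "analytics"},
     "public_access": True, "encryption_at_rest": False},
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_PLAN):
        print(f"{v.resource}: [{v.rule}] {v.detail}")
    raise SystemExit(0 if gate(SAMPLE_PLAN) else 1)
```

Run as a pipeline step, the non-zero exit code blocks the deployment; the printed violations give the workload team the exact rule and setting to correct, which is the guidance the article calls for.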
Continuous monitoring
These operational tasks include application lifecycle management, patch management and vulnerability management. They are the responsibility of the Agile/DevOps team that owns the workload or solution. The team responsible for the landing zone of the cloud platform is responsible for the shared services and will facilitate those shared services towards the Agile/DevOps teams. One of the most important aspects is the continuous monitoring of alerts and incidents, and providing insight into the status of applications, workloads and other resources. Because Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) are often served from public cloud environments, the risk can be higher if they are incorrectly configured.
Improve security posture
Solid policies, guidelines and processes must therefore be defined and followed to identify risks such as ransomware and other malware. By using threat modeling, risk assessments and a multi-level security controls approach, it is possible to increase the security posture as much as needed. Since security is not a project but a process, the lifecycle of security improvements is a continuous responsibility of the CCoE team and the workload teams.
Finally, the eyes of the organization, i.e. the Security Operations Center (SOC), must be an integrated part of the multi-cloud approach, providing a single pane of glass through the central Security Information and Event Management (SIEM) system. Capabilities such as fast or automatic response, embedded and implemented through Security Orchestration, Automation and Response (SOAR), are key to avoiding further attacks, exposure or the risk of data loss.
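The continuous monitoring described in the earlier section and the SIEM/SOAR integration described here come together in two steps: provider-specific alerts are normalized into one schema (the single pane of glass), and a playbook decides the response on that unified view. The code below is an added example, not from the article or from any SIEM or SOAR product. The two provider alert formats ("cloud-a" and "cloud-b"), the severity scales, the playbook rules and the sample alerts are all constructed for the illustration; real products expose their own schemas and response actions.

```python
"""Multi-cloud alert normalization with a SOAR-style playbook (added example).

Alerts from two hypothetical providers are mapped onto one Alert schema, the
same principal seen by more than one provider is escalated (a correlation the
SOC only gets once everything is in one place), and a playbook returns the
response actions to execute or queue for an analyst.
"""
from dataclasses import dataclass

# Unified severity scale: 1 = low, 2 = medium, 3 = high, 4 = critical.
CLOUD_A_SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Alert:
    source: str
    category: str   # lower-case, hyphenated, e.g. "credential-compromise"
    severity: int
    principal: str  # identity the alert is about
    resource: str   # asset the alert is about


def normalize(raw):
    """Map a provider-specific alert record onto the unified Alert schema."""
    provider = raw.get("provider")
    if provider == "cloud-a":  # hypothetical format: named severity levels
        return Alert("cloud-a", raw["Category"].lower(), CLOUD_A_SEVERITY[raw["Severity"]],
                     raw["Identity"], raw["ResourceId"])
    if provider == "cloud-b":  # hypothetical format: 0..100 numeric score
        score = raw["severity_score"]
        return Alert("cloud-b", raw["type"].replace("_", "-"),
                     min(4, max(1, score // 25 + 1)), raw["actor"], raw["asset"])
    raise ValueError(f"unknown alert provider: {provider!r}")


def respond(alerts):
    """Playbook: return (target, action) pairs for a batch of normalized alerts.

    Automatic containment only fires for high or critical severity in categories
    where the action is safe to take without an analyst; everything else is
    ticketed or logged so nothing is silently dropped.
    """
    seen_by = {}
    for a in alerts:
        seen_by.setdefault(a.principal, set()).add(a.source)

    actions = []

    def add(target, action):
        if (target, action) not in actions:  # de-duplicate across providers
            actions.append((target, action))

    for a in alerts:
        # Escalate one level when independent providers report the same principal.
        sev = min(4, a.severity + (1 if len(seen_by[a.principal]) > 1 else 0))
        if a.category == "credential-compromise" and sev >= 3:
            add(a.principal, "disable_credentials")
            add(a.principal, "notify_soc")
        elif a.category == "malware" and sev >= 3:
            add(a.resource, "isolate_resource")
            add(a.resource, "snapshot_for_forensics")
        elif sev >= 2:
            add(a.resource, "open_ticket")
        else:
            add(a.resource, "log_only")
    return actions


def pipeline(raw_alerts):
    """SIEM ingest followed by the SOAR playbook."""
    return respond([normalize(r) for r in raw_alerts])


# Constructed sample alerts. The service identity "svc-deploy" is flagged at
# medium severity by both providers independently, which the playbook escalates.
RAW_ALERTS = [
    {"provider": "cloud-a", "Category": "Credential-Compromise", "Severity": "Medium",
     "Identity": "svc-deploy", "ResourceId": "vm-17"},
    {"provider": "cloud-b", "type": "credential_compromise", "severity_score": 40,
     "actor": "svc-deploy", "asset": "bucket-exports"},
    {"provider": "cloud-b", "type": "malware", "severity_score": 90,
     "actor": "app-runner", "asset": "vm-23"},
    {"provider": "cloud-a", "Category": "Misconfiguration", "Severity": "Low",
     "Identity": "ci-bot", "ResourceId": "sg-1"},
]

if __name__ == "__main__":
    for target, action in pipeline(RAW_ALERTS):
        print(f"{action:24s} -> {target}")
```

The design point is the correlation step: each provider alone rates the "svc-deploy" alerts as medium and would only open a ticket, while the unified view sees two independent sources and triggers credential disablement and SOC notification. The de-duplication keeps the playbook from disabling the same credentials twice when both providers report it.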