We all understand the significance of cloud when it comes to economies of scale, reduced time to market, operational effectiveness and the ease with which you can deploy applications to it, and most of us are good at leveraging those benefits too. But how well do we manage the cloud risks that come along with those benefits? More often than not, the approach is ad hoc, predominantly because there is no cloud security architecture to standardize cloud risk management. Security architecture matters even more when you have a hybrid landscape where some of your applications are on-cloud while others are on-premise and have several 3rd party integrations to enable specific services.
OK, so how do we go about creating one? The first step towards formulating the architecture is to understand business goals & objectives, as this is a primary input to align business and information security. The second step is to understand the IT strategy, as it is based on business requirements and helps you understand the degree to which cloud adoption is being planned. The third is to clearly define what is inside and what is outside. Anything outside must be based on a zero trust model. The fourth is to understand internal & external factors that can impact the business, such as applicable regulatory compliance, competition & industry trends, insider threats, cloud risks etc. (The number of steps may vary depending on your specific business use-case.)
With this understanding you'll now be in a position to document the architecture. Consider the following business situations as examples:
If your business has a low risk appetite, then ensure you have a defense-in-depth model where security controls are incorporated at each layer (e.g. Application, Data, Middleware/API, Infrastructure).
If there are huge legal consequences of a data breach, then design security across the data life cycle from its origin to its end, including sub-processors. You need to understand the level of data exposure in the multi-tenant cloud environment and leverage encryption, access control and data rights protection as a means to protect your data. The architecture should also include data governance requirements, and the approach should be comprehensive enough to capture controls when data is being transferred, in use or at rest. Remember, legal liability for the data remains with you despite the fact that it was the provider's fault! Consider the provision of risk transfer via a Cyber Insurance plan to cover your liabilities.
All cloud service providers (CSP) come with a shared security model, so understanding your responsibility is imperative. Incorporate data portability requirements to avoid vendor lock-in. The architecture document should also detail the need to state security requirements and the SLA for the CSP at the contract level.
If the business needs faster time to market, you need to include capabilities such as DevSecOps in your architecture to ensure security without dampening the release velocity. If IT approaches rapid digitization, then security should shift left and enable the developers to remediate vulnerabilities in the code right at the development phase. As the code moves further from dev towards production, it takes more time to fix and slows down release velocity. Considering automation will help you keep up with the pace while protecting the workloads.
If the regulator mandates that data be restricted to within your country, then outline the need for a local data center in the document.
If you are in a fiercely competitive environment and reputation matters a lot, then outline the need for digital reputation management, brand infringement control, dark web scanning and 3rd party risk management.
If the business relies heavily on 3rd party cloud services, then vendor risk management biased towards data protection & uptime is an important part of your architecture. Also, a better understanding of the *top threats to cloud will help you set up the defense effectively.
If there are insider threats, then architect security to provide better visibility of cloud instances. Effective identity management and access controls coupled with continuous monitoring will help you detect suspicious events across your cloud workload.
As you will have noticed, architecture is a top-down approach in which you proceed according to your business context. It is also important to understand that the architecture is not a checklist. It is rather a way to align cloud security with your business objectives. It's a living document that continues to evolve from the current state to the target future state and represents how various components should be securely laid down and their intricate interplay.
*************************************************************************
Reference:
*Top threats to cloud computing - The Egregious 11 from Cloud Security Alliance