We spend a lot of time talking to cloud security professionals, trying to figure out the best ways to get their jobs done in largely uncharted territory. Cloud technology is evolving at an unprecedented rate, empowering line-of-business users to move fast without asking permission from IT or Security. Of course this can result in an unmanaged environment, with many traditional governance models rendered useless by the accessibility and ease of using the cloud. This is what we call cloud chaos.
Giving up and waiting for your assessor to sort out the resulting anarchy is a bad answer. So in this series we map out a path from chaos to control using a concept we call the Cloud Security Center of Excellence (CS CoE), a group established to enable the organization to embrace fast-moving technologies like cloud and DevOps without putting corporate data at risk.
Key to this concept are two requirements which go hand in hand:
- Accountability: Ultimately the CS CoE team must accept accountability for the integrity of data and applications moved to the cloud. That means the team needs visibility into the entire cloud infrastructure, and must publish guidelines and best practices for securing those environments.
- Empowerment: But all the accountability in the world doesn’t help if the team is not empowered to make changes, or to pull down applications or infrastructure that present too much risk. That’s right — we’re saying that to succeed in cloud security, the Security team must be able to make changes in the cloud environment, not merely recommend them.
During the series we will dig into why these two requirements mean the difference between success and failure in cloud security. Just to map it out, here is what the series will look like:
- Post 1: CS CoE Organization Models — Let’s just say we’ve seen a lot of models that don’t work very well in practice. So we’ll map out a set of organizational structures and reporting hierarchies that set you up for success. To be clear, you can still be successful with a sub-optimal org structure, but it’s a lot harder.
- Post 2: Scaling Change — It’s nice to aspire to have the CS CoE team make appropriate changes in the environment to enforce security best practices. But how do you do that for dozens of best practices to be enforced in hundreds of cloud accounts across multiple regions? It’s safe to say it’s not by having more hands on keyboards. We’ll talk about the role of automation in the CS CoE in this post.
- Post 3: Continuous Control — We’ll wrap up this series by talking about the need to ensure that defined policies are enforced at all times. High velocity is a hallmark of cloud and DevOps, so things change every day, and probably every hour. So how do you maintain a view of the entire cloud infrastructure at all times to ensure best practices are continuously enforced? We’ve got some ideas.
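To make the automation and continuous-control ideas previewed in Posts 2 and 3 concrete, here is a minimal policy-as-code loop in Python. This is example code added for this page, not code from the series, a vendor, or any cloud provider's SDK. Everything in it is constructed for illustration: the account numbers, regions, resource kinds, attribute names and policy names are assumptions, and a real implementation would fill the inventory from the provider's APIs rather than from a hard-coded list. The point it demonstrates is that once rules are encoded as functions, evaluating dozens of them across hundreds of accounts is one loop, remediation is a per-rule decision (some rules auto-fix, others only flag), and "continuous" control is just re-running the sweep and diffing the findings.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Resource:
    """One cloud resource, identified by account, region and name (assumed shape)."""
    account: str
    region: str
    kind: str                                   # e.g. "storage_bucket", "security_group"
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Policy:
    """A best practice encoded as code: a check plus an optional automatic fix."""
    name: str
    kind: str                                   # resource kind the rule applies to
    compliant: Callable[[Resource], bool]       # True when the resource passes
    remediate: Optional[Callable[[Resource], None]] = None  # None: needs a human decision


@dataclass
class Finding:
    policy: str
    resource: Resource
    remediated: bool = False

    def key(self) -> Tuple[str, str, str, str]:
        """Stable identity of a violation, used to diff sweeps over time."""
        r = self.resource
        return (self.policy, r.account, r.region, r.name)


# Example rules; attribute names are assumptions for this illustration.
def _not_public(r: Resource) -> bool:
    return not r.attrs.get("public", False)

def _make_private(r: Resource) -> None:
    r.attrs["public"] = False

def _encrypted(r: Resource) -> bool:
    return r.attrs.get("encrypted", False) is True

def _enable_encryption(r: Resource) -> None:
    r.attrs["encrypted"] = True

def _no_world_ssh(r: Resource) -> bool:
    return "0.0.0.0/0:22" not in r.attrs.get("ingress", [])


POLICIES: List[Policy] = [
    Policy("storage-no-public-access", "storage_bucket", _not_public, _make_private),
    Policy("storage-encrypted-at-rest", "storage_bucket", _encrypted, _enable_encryption),
    # World-open SSH may be a deliberate bastion, so this rule only flags; no auto-fix.
    Policy("sg-no-world-ssh", "security_group", _no_world_ssh, None),
]


def evaluate(inventory: List[Resource], policies: List[Policy],
             auto_fix: bool = False) -> List[Finding]:
    """Run every applicable policy against every resource; optionally apply fixes."""
    findings: List[Finding] = []
    for r in inventory:
        for p in policies:
            if p.kind != r.kind or p.compliant(r):
                continue
            f = Finding(p.name, r)
            if auto_fix and p.remediate is not None:
                p.remediate(r)
                f.remediated = p.compliant(r)   # re-check; never assume the fix worked
            findings.append(f)
    return findings


def outstanding_by_account(findings: List[Finding]) -> Dict[str, int]:
    """Violations still open per account: the CoE's remaining work list."""
    counts: Dict[str, int] = {}
    for f in findings:
        if not f.remediated:
            counts[f.resource.account] = counts.get(f.resource.account, 0) + 1
    return counts


def drift(previous: List[Finding], current: List[Finding]
          ) -> Tuple[Set[Tuple[str, str, str, str]], Set[Tuple[str, str, str, str]]]:
    """Continuous control: compare two sweeps and return (new, resolved) violations."""
    prev = {f.key() for f in previous if not f.remediated}
    cur = {f.key() for f in current if not f.remediated}
    return cur - prev, prev - cur


def sample_inventory() -> List[Resource]:
    """Constructed sample data standing in for an API-driven inventory."""
    return [
        Resource("111111111111", "us-east-1", "storage_bucket", "payroll-exports",
                 {"public": True, "encrypted": False}),
        Resource("222222222222", "eu-west-1", "storage_bucket", "static-site",
                 {"public": False, "encrypted": True}),
        Resource("222222222222", "eu-west-1", "security_group", "bastion-sg",
                 {"ingress": ["0.0.0.0/0:22", "10.0.0.0/8:443"]}),
        Resource("333333333333", "ap-southeast-2", "storage_bucket", "app-logs",
                 {"public": False, "encrypted": False}),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    first = evaluate(inv, POLICIES)                   # read-only sweep
    second = evaluate(inv, POLICIES, auto_fix=True)   # enforcing sweep
    new, resolved = drift(first, second)
    print("open after sweep 1:", outstanding_by_account(first))
    print("open after sweep 2:", outstanding_by_account(second))
    print("new:", new, "resolved:", resolved)
```

Two design choices matter here. Each policy carries its own remediation (or none), so the decision of what the team is empowered to change automatically is made rule by rule, not globally; and a remediation is only counted as successful if the check passes again afterwards, so the findings list never reports a fix the environment does not actually reflect.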