Part 1: Plan (or Review)

You must first design (or evaluate) your strategy and roadmap in order to secure your cloud trip. Assessing your IT and cloud security maturity (across business and technical needs) is the first step in doing this.

For such an evaluation, the Cloud Controls Matrix from the Cloud Security Alliance is a useful tool. Its 197 control objectives can serve as a useful reference for identifying security controls that need to be implemented if your company has not yet implemented the cloud. Organisations may also utilise a cloud security posture management tool to assess the compliance of their resource setup for current cloud deployments.

What’s Right for You?

You must first determine your intended target state after evaluating your existing state maturity. Based on your organization’s risk tolerance, regulatory and compliance needs, as well as more general company goals and objectives, this should be done.

The skills and procedures needed to get your organisation to the maturity level you want can then be determined. An action plan outlining the steps you must take to reach your desired condition should be the final product of the planning process. The planning phase serves as a reset for businesses that are already running in a steady state environment. It enables you to assess your cloud security maturity and modify your strategy and roadmap as necessary.

Part 2: Build (or Design and Build)

The specifics of the next step depend on the outcome of your planning (or review) phase and the roadmap you made. Next, you should begin a program of work to achieve your desired target state.

Depending on where you are in your cloud adoption journey, your roadmap will be unique to you. For example, if you are early in your cloud adoption journey, your roadmap may include defining your cloud security policies and requirements, defining your security architecture principles, architecting your secure landing zone and creating hardened configurations for your cloud infrastructure.

Whereas, if you are already operating in the cloud, your build phase may include activities for remediation of identified gaps from your cloud security posture assessment and/or augmentation of existing cloud security controls based on new requirements.

The key during your build phase is to ensure you integrate security by design. In other words, your security controls should be automatically provisioned to meet your corporate and regulatory compliance requirements. Whilst this was a stretch a few years ago, the advent of technologies such as Infrastructure-as-Code (IaC) has made this a very achievable outcome.

Part 3: Run (Optimize)

As you close your final roadmap of activities, you must now start preparing for the transition to steady state. Ideally, by now you would have built and augmented your cloud security controls and processes across each of the below areas (at a minimum)

Governance and Resources

Developed a security organization model suited for operating in the cloud, along with a team of skilled resources supporting it.

Identity and Access Management (IAM)

Developed an IAM strategy for your hybrid or fully cloud-native environment. Built, deployed and operationalized IAM services such as single sign-on/federation (with multifactor authentication) across your environments; and have properly tested and configured IAM security policies to ensure authentication and access control is maintained according to a least privilege model.

Infrastructure Security

Created hardened IaC templates for your cloud resources. At this stage, you should have enabled secure connections to and from your cloud and on-prem tools. You should also have a secure landing zone for migrating your on-prem apps and data to the cloud.

Application Security

Created and operationalized a well-defined DevSecOps process that includes security touch points (code reviews, static application security testing/dynamic application security testing scans and smoke tests). These should be built into the various phases of your continuous integration/continuous deployment pipeline. You should also have deployed and enabled runtime safeguards for web security, such as distributed denial-of-service (DDoS) protection,
firewalls, application programming interface gateways and application load balancers.

Data Protection

Defined data encryption policies and guidelines that guide your data at rest and data in transit encryption requirements. Deployed capabilities for data loss prevention, data encryption and key lifecycle management in line with your regulatory and compliance needs.

Logging and Monitoring

Enabled logging of security events, and network flows from across your environment. Perform vulnerability scanning / continuous compliance monitoring of your on-prem / cloud resources and a have single pane of glass to centralize security visibility.

Cloud Incident Response

Developed a cyber incident response (IR) plan with defined playbooks to cater to a variety of cloud security incidents. Perform table-top testing of your IR plan at least on an annual basis.
Making Your Cloud Security Transformation Journey Smoother
Whilst there are many challenges to achieving a successful cloud security transformation, opting for a strategic Systems Integrator (SI) and Managed Security Services provider like Cloudlogically Security can certainly help make the journey smoother.

Systems Integrators bring in a wealth of experience and know-how of having delivered transformations, and also provide seasoned security resources and skills that can accelerate your transformation journey. For more information on how Cloudlogically Security can help secure your cloud journey, please visit Cloudlogically Security – Cloud Security Solutions.