Cloud Security Posture Management

The deployment of cloud solutions, by its nature, is often deemed a technology decision; however, it's truly a business alignment decision.

Although cloud computing no doubt enables technology to be delivered and utilized uniquely, potentially unleashing multiple benefits, the choice to deploy and consume cloud services should be a business decision, taken in line with the business or organization's overall strategy.

Why is it a business decision, you ask? Two distinct reasons:

  1. All technology decisions should be made with the overall business direction and strategy at the core.
  2. When it comes to funding and creating opportunities, these should be made at a business level.

A cloud transition's ability to directly support organizational business or mission goals, and to express that message in a business manner, is the difference between a successful project and a failed project in the eyes of the organization.

Architecture Overview

Cloud Security Architecture Overview

The architect is a planner, strategist, and consultant who sees the "big picture" of the organization.

He understands current needs, thinks strategically, and plans long into the future.

Perhaps the most important role of the architect today is to understand the business and how to design the systems that the business will require.

This allows the architect to determine which system types, development approaches, and configurations meet the identified business requirements while addressing any security concerns.

Enterprise security architecture provides the conceptual design of network security infrastructure and related security mechanisms, policies, and procedures. It links components of the security infrastructure as a cohesive unit to protect corporate information.

Sherwood applied business security architecture

Sherwood Applied Business Security Architecture (SABSA) includes the following components, which can be used separately or together:

  1. Business Requirements Engineering Framework
  2. Risk and Opportunity Management Framework
  3. Policy Architecture Framework
  4. Security Services-Oriented Architecture Framework
  5. Governance Framework
  6. Security Domain Framework
  7. Through-Life Security Service Management and Performance Management Framework

Information Technology Infrastructure Library

Cloud Information Technology Infrastructure Library

Information Technology Infrastructure Library (ITIL) is a group of documents that are used in implementing a framework for IT service management.

ITIL forms a customizable framework that defines how IT service management is applied throughout an organization.

ITIL is organized into a series of five volumes: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.

The Open Group Architecture Framework

The Open Group Architecture Framework (TOGAF) is one of many frameworks available to the cloud security professional for developing an enterprise architecture.

TOGAF provides a standardized approach that can be used to address business needs by providing a common lexicon for business communication.

TOGAF is based on open methods and approaches to enterprise architecture, allowing the business to avoid a lock-in scenario from the use of proprietary approaches.

TOGAF also provides the ability to quantifiably measure return on investment (ROI) so that the business can use resources more efficiently.

Jericho/Open Group

The Jericho Forum is now part of the Open Group Security Forum. The Jericho Forum Cloud Cube Model is available through the Open Group.

Key Principles of an Enterprise Architecture

Key Principles of a Cloud Enterprise Architecture

The following principles should be adhered to at all times:

  1. Define protections that enable trust in the cloud.
  2. Develop cross-platform capabilities and patterns for proprietary and open-source providers.
  3. Facilitate trusted and efficient access, administration, and resiliency to the customer or consumer.
  4. Provide direction to secure information that is protected by regulations.
  5. Facilitate proper and efficient identification, authentication, authorization, administration, and auditability.
  6. Centralize security policy, maintenance operation, and oversight functions.
  7. Make access to information both secure and easy to obtain.
  8. Delegate or federate access control where appropriate.
  9. Ensure ease of adoption and consumption, supporting the design of security patterns.
  10. Make the architecture elastic, flexible, and resilient, supporting multitenant, multi-landlord platforms.
  11. Ensure the architecture addresses and supports multiple levels of protection, including network, OS, and application security needs.

The NIST Cloud Technology Roadmap

The NIST Cloud Technology Roadmap

The NIST Cloud Technology Roadmap helps CSPs develop industry-recommended, secure, and interoperable identity, access, and compliance management configurations and practices.

It offers guidance and recommendations for enabling security architects, enterprise architects, and risk-management professionals to leverage a common set of solutions that fulfill their common needs: to be able to assess where their internal IT and CSPs are in terms of security capabilities, and to plan a roadmap to meet the security needs of their business.

There are several key components that the cloud security professional should comprehensively review and understand to determine which controls and techniques may be required to adequately address the requirements discussed in the following sections.

Interoperability

Interoperability defines how easy it is to move and reuse application components regardless of the provider, platform, OS, infrastructure, location, storage, the format of data or APIs; how well applications work together; and how well new applications work with other solutions present in the business, organization, or provider's existing architecture.

Standards-based products, processes, and services are essential for entities to ensure the following:

  1. Investments do not become prematurely technologically obsolete.
  2. Organizations can easily change CSPs to flexibly and cost-effectively support their mission.
  3. Organizations can economically acquire commercial and develop private clouds using standards-based products, processes, and services.

Interoperability mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems.

Portability

Portability is a key aspect to consider when selecting CSPs because it can both help prevent vendor lock-in and deliver business benefits by allowing identical cloud deployments to occur in different CSP solutions, either for DR or for the global deployment of a distributed single solution.

Availability

Systems and resource availability define the success or failure of a cloud-based service. Availability is a single point of failure (SPOF) for cloud-based services: where the service or cloud deployment loses availability, the customer is unable to access target assets or resources, resulting in downtime.

In many cases, CSPs are required to provide upward of 99.9 percent availability as per the SLA. Failure to do so can result in penalties, reimbursement of fees, loss of customers, loss of confidence, and ultimately brand and reputational damage.
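To make the SLA figure above concrete, the following Python is an added example (not code from the original page or from any provider) that measures a month of constructed outage windows against a 99.9 percent availability target. The outage data, the measurement period and the target are all assumptions for illustration; what the example shows beyond the text is that overlapping incident tickets have to be merged before counting, or downtime is double counted and a breach is reported where none occurred.

```python
from datetime import datetime, timedelta

# Constructed outage windows for one service during March 2024 (sample data made up
# for this example, not measurements from any provider). Two of the tickets overlap,
# which is a common source of double counting in hand-built SLA reports.
OUTAGES = [
    (datetime(2024, 3, 4, 2, 10), datetime(2024, 3, 4, 2, 35)),      # 25 minutes
    (datetime(2024, 3, 18, 14, 0), datetime(2024, 3, 18, 14, 20)),   # overlaps the next window
    (datetime(2024, 3, 18, 14, 10), datetime(2024, 3, 18, 14, 30)),  # merged: 14:00 to 14:30, 30 minutes
]
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)   # exclusive; March has 31 days = 44,640 minutes


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) windows so overlapping tickets count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(intervals, period_start, period_end):
    """Total minutes of unavailability that fall inside the measurement period."""
    total = timedelta()
    for start, end in merge_intervals(intervals):
        clipped_start, clipped_end = max(start, period_start), min(end, period_end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total.total_seconds() / 60


def sla_report(intervals, period_start, period_end, target_percent=99.9):
    """Compare measured availability with the contractual target and the downtime budget it implies."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    down = downtime_minutes(intervals, period_start, period_end)
    availability = 100.0 * (1.0 - down / period_minutes)
    budget = period_minutes * (100.0 - target_percent) / 100.0  # minutes the SLA allows per period
    return {
        "period_minutes": period_minutes,
        "downtime_minutes": down,
        "downtime_budget_minutes": round(budget, 2),
        "availability_percent": round(availability, 4),
        "target_percent": target_percent,
        "breached": availability < target_percent,
    }


if __name__ == "__main__":
    report = sla_report(OUTAGES, PERIOD_START, PERIOD_END)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With this data the month carries 55 minutes of downtime against a budget of 44.64, so the 99.9 percent target is breached; the same outages would satisfy a 99.8 percent target. Whether a breach triggers the penalties or fee reimbursement the text describes depends on how the SLA defines the measurement period and what it excludes (scheduled maintenance, for instance), so the period boundaries are parameters rather than constants.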

Security

For many customers and potential cloud users, security remains the biggest concern, with security continuing to act as a barrier preventing them from engaging with cloud services.

As with any successful security program, the ability to measure, obtain assurance, and integrate contractual obligations to minimum levels of security are the keys to success.

Many CSPs now list their typical or minimum levels of security but will not list or publicly state specific security controls, for fear of being targeted by attackers who would then know what is necessary to successfully compromise their networks.

Where such contracts and engagements require specific security controls and techniques to be applied, these are typically seen as extras.

They incur additional costs and require that the relevant nondisclosure agreements (NDAs) be completed before engaging in active discussions.

In many cases, for smaller organizations, a move to cloud-based services significantly enhances their security controls, given that they may not have access to or possess the relevant security capabilities of a large-scale cloud computing provider.

The general rule of thumb for security controls and requirements in cloud-based environments is based on “if you want additional security, an additional cost will be incurred.”

You can have almost whatever you want when it comes to cloud security—just as long as you can find the right provider and you are willing to pay for it.

Privacy

In the world of cloud computing, privacy presents a major challenge for both customers and providers alike.

The reason for this is simple: no uniform or international privacy directives, laws, regulations, or controls exist, leading to a separate, disparate, and segmented mesh of laws and regulations being applied depending on the geographic location where the information may reside (data at rest) or be transmitted (data in transit).

Although many of the leading providers of cloud services make provisions to ensure the location and legislative requirements (including contractual obligations) are met, this should never be taken as a given and should be specified within relevant SLAs and contracts.

Given the truly global nature and various international locations of cloud computing data centers, the potential for data to reside in two, three, or more locations around the world at any given time is a real possibility.

For many European entities and organizations, failure to ensure appropriate provisions and controls have been applied can violate EU data protection laws and obligations that can lead to various issues and implications.

Within Europe, privacy is seen as a human right and as such should be treated with the utmost respect. Navigating the various state laws across the United States and other geographic locations can make the job of the cloud architect extremely complex, requiring an intricate level of knowledge and controls to ensure that no such violations or breaches of privacy and data protection occur.
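The data-location obligation described in this section is exactly the kind of rule a posture-management scan can verify continuously rather than once at contract time. The following Python is an added example, not code from the original page or from any CSPM product: it evaluates a constructed storage inventory against a hypothetical region allow-list derived from the contract, alongside encryption-at-rest and public-access checks, and reports findings per rule. The inventory records, the region list and the field names are assumptions chosen to resemble what a provider's asset API returns.

```python
from collections import Counter

# Constructed storage inventory in the shape a posture-management scan might collect
# from a provider's API (sample data invented for this example, not a real account).
INVENTORY = [
    {"id": "bucket-eu-customer-data", "region": "eu-west-1", "data_class": "personal",
     "jurisdiction": "EU", "encryption_at_rest": True, "public_access": False},
    {"id": "bucket-analytics-copy", "region": "us-east-1", "data_class": "personal",
     "jurisdiction": "EU", "encryption_at_rest": True, "public_access": False},
    {"id": "bucket-marketing-assets", "region": "us-east-1", "data_class": "public",
     "jurisdiction": None, "encryption_at_rest": False, "public_access": True},
    {"id": "bucket-hr-archive", "region": "eu-central-1", "data_class": "personal",
     "jurisdiction": "EU", "encryption_at_rest": False, "public_access": False},
]

# Hypothetical allow-list taken from the contract/SLA: the regions in which data under
# each jurisdiction may reside. Personal data tagged EU found elsewhere is a finding.
ALLOWED_REGIONS = {"EU": {"eu-west-1", "eu-central-1", "eu-north-1"}}


def check_residency(resource):
    """Data at rest must sit in a region the contract permits for its jurisdiction."""
    jurisdiction = resource.get("jurisdiction")
    allowed = ALLOWED_REGIONS.get(jurisdiction)
    if allowed and resource["region"] not in allowed:
        return {"resource": resource["id"], "rule": "data-residency", "severity": "high",
                "detail": f"{jurisdiction} data stored in {resource['region']}"}
    return None


def check_encryption(resource):
    """Anything that is not classified public must be encrypted at rest."""
    if resource["data_class"] != "public" and not resource["encryption_at_rest"]:
        return {"resource": resource["id"], "rule": "encryption-at-rest", "severity": "medium",
                "detail": f"{resource['data_class']} data without encryption at rest"}
    return None


def check_public_access(resource):
    """Anything that is not classified public must not be publicly reachable."""
    if resource["data_class"] != "public" and resource["public_access"]:
        return {"resource": resource["id"], "rule": "public-access", "severity": "high",
                "detail": f"{resource['data_class']} data is publicly accessible"}
    return None


CHECKS = [check_residency, check_encryption, check_public_access]


def evaluate(inventory, checks=CHECKS):
    """Run every check over every resource and collect the findings."""
    findings = []
    for resource in inventory:
        for check in checks:
            finding = check(resource)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per rule, the view a governance report usually wants first."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"[{f['severity']}] {f['resource']}: {f['rule']} ({f['detail']})")
    print(summarize(results))
```

The residency check is deliberately driven by the resource's own jurisdiction tag rather than by the region alone: a copy of EU personal data that an analytics team places in a US region is the case the text warns about, and it is invisible to a scan that only asks "is this bucket in Europe?".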

Resiliency

Cloud resiliency represents the ability of a cloud services data center and its associated components, including servers, storage, and so on, to continue operating in the event of a disruption, which may be equipment failure, power outage, or a natural disaster.

Given that most CSPs have a significantly higher number of devices and redundancy in place than a standard in-house IT team, resiliency should typically be far higher, with equipment and capabilities being ready to failover, multiple layers of redundancy, and enhanced exercises to test such capabilities.

Performance

Cloud computing and high performance should go hand in hand at all times. Let's face it: if the performance is poor, you may not be a customer for very long.

For optimum performance to be experienced through the use of cloud services, provisioning, elasticity, and other associated components should always focus on performance.

The speed at which you can travel by boat depends on the engine and the boat design.

The same applies to performance, which at all times should be focused on the network, the computer, the storage, and the data.

With these four elements influencing the design, integration, and development activities, performance should be boosted and enhanced throughout. It is always harder to refine and amend performance once design and development have been completed.

Governance

The term governance, relating to processes and decisions, looks to define actions, assign responsibilities, and verify performance. The same can be said and adopted for cloud services and environments, where the goal is to secure applications and data when in transit and at rest. In many cases, cloud governance is an extension of the existing organizational or traditional business process governance, with a slightly altered risk and controls landscape.

Although governance is required from the commencement of a cloud strategy or cloud migration roadmap, it is seen as a recurring activity and should be performed on an ongoing basis.

A key benefit of many cloud-based services is the ability to access relevant reporting, metrics, and up-to-date statistics related to usage, actions, activities, downtime, outages, updates, and so on.

This may enhance and streamline governance and oversight activities with the addition of scheduled and automated reporting. Note that processes, procedures, and activities may require revision postmigration or movement to a cloud-based environment.

Not all processes remain the same, with segregation of duties, reporting, and incident management forming a sample of processes that may require revision after the cloud migration.

Service-Level Agreements (SLAs)

Think of a rulebook and legal contract all rolled into one document: that's what you have in terms of an SLA. In the SLA, the minimum levels of service, availability, security, controls, processes, communications, support, and many other crucial business elements are stated and agreed upon by both parties.

Many may argue that the SLAs are heavily weighted in favor of the CSP, but there are several key benefits when compared with traditional-based environments or in-house IT.

These include downtime, upgrades, updates, patching, vulnerability testing, application coding, test and development, support, and release management.

Many of these require the provider to take these areas and activities seriously; failing to do so affects their bottom line. Note that not all SLAs cover the areas or focus points with which you may have issues or concerns.

When this is not the case, every effort should be made to obtain clarity before engaging with the CSP services.

Auditability

Auditability allows users and the organization to access, report, and obtain evidence of actions, controls, and processes that were performed or run by a specified user.

Similar to standard audit trails and systems logging, systems auditing and reporting is offered as standard by many of the leading CSPs. From a customer perspective, increased confidence and the ability to have evidence to support audits, reviews, or assessments of object-level or systems-level access form key drivers.

From a stakeholder, management, and assessment perspective, auditability provides mechanisms to review, assess, and report user and systems activities. Auditability in non-cloud environments can focus on financial reporting, whereas cloud-based auditability focuses on the actions and activities of users and systems.
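The capability this section describes, obtaining evidence of what a specified user did and whether it succeeded, is in practice a query over the provider's audit trail. The following Python is an added example, not code from the original page or any provider's tooling: it parses a handful of constructed audit records (one JSON object per line, loosely modelled on cloud audit-trail output, with the field names assumed for this example), builds a chronological evidence list for one user, and separately pulls out successful privileged changes, which are the events an assessor asks about first. The set of privileged action names is a hypothetical list.

```python
import json
from collections import Counter

# Constructed audit records, one JSON object per line (invented for this example; the
# field names are assumptions and not any provider's real schema). One line is
# deliberately malformed so the parser's handling of bad records is exercised.
RAW_EVENTS = """\
{"eventTime": "2024-03-18T14:02:11Z", "user": "alice", "eventName": "GetObject", "resource": "bucket-eu-customer-data/report.csv", "sourceIP": "10.0.0.5", "error": null}
{"eventTime": "2024-03-18T14:05:40Z", "user": "bob", "eventName": "PutBucketPolicy", "resource": "bucket-eu-customer-data", "sourceIP": "203.0.113.9", "error": null}
{"eventTime": "2024-03-18T14:06:02Z", "user": "alice", "eventName": "DeleteObject", "resource": "bucket-eu-customer-data/old.csv", "sourceIP": "10.0.0.5", "error": "AccessDenied"}
not valid json
{"eventTime": "2024-03-18T14:09:30Z", "user": "bob", "eventName": "StopLogging", "resource": "audit-trail-main", "sourceIP": "203.0.113.9", "error": null}
{"eventTime": "2024-03-18T14:11:00Z", "user": "alice", "eventName": "GetObject", "resource": "bucket-eu-customer-data/report.csv", "sourceIP": "10.0.0.5", "error": null}
"""

# Hypothetical list of actions that change who can do what or what gets recorded.
PRIVILEGED_ACTIONS = {"PutBucketPolicy", "StopLogging", "CreateUser", "AttachUserPolicy"}


def parse_events(text):
    """Parse line-delimited JSON; return (events, malformed_count).

    A record that cannot be parsed is counted rather than silently dropped, because a
    gap in the trail is itself something an audit has to account for.
    """
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def evidence_for_user(events, user):
    """Chronological (time, action, resource, outcome) rows for one user."""
    rows = sorted((e for e in events if e.get("user") == user), key=lambda e: e["eventTime"])
    return [(e["eventTime"], e["eventName"], e["resource"],
             "denied" if e.get("error") else "ok") for e in rows]


def privileged_changes(events):
    """Successful privileged actions: denied attempts are reported separately."""
    return [e for e in events if e["eventName"] in PRIVILEGED_ACTIONS and not e.get("error")]


def activity_summary(events):
    """How often each (user, action) pair occurs, the first cut of an activity report."""
    return Counter((e["user"], e["eventName"]) for e in events)


if __name__ == "__main__":
    events, bad = parse_events(RAW_EVENTS)
    print(f"{len(events)} events parsed, {bad} malformed record(s)")
    for row in evidence_for_user(events, "alice"):
        print("alice:", *row)
    for e in privileged_changes(events):
        print("PRIVILEGED:", e["eventTime"], e["user"], e["eventName"], e["resource"])
    print(activity_summary(events))
```

Two points the sample is built to show: a denied action still belongs in the user's evidence (the attempt is as relevant to an assessor as the success), and an action that stops logging is itself a privileged change that should surface in the report, since everything after it is missing from the trail the report is built on.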

Regulatory Compliance

Regulatory compliance is an organization’s requirement to adhere to relevant laws, regulations, guidelines, and specifications relevant to its business, specifically dictated by nature, operations, and functions it provides or utilizes to its customers.

When the organization fails to meet or violates regulatory compliance regulations, punishment can include legal actions, fines, and, in limited cases, halting business operations or practices.

Key regulatory areas that are often included in cloud-based environments include but are not limited to the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Sarbanes-Oxley Act (SOX).
