Marco Lancini Cloud Security Strategies
A collection of articles providing actionable advice for anyone looking to establish a cloud security program aimed at protecting cloud native offerings
- On Establishing a Cloud Security Program: A framework to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- What to look for when reviewing a company's infrastructure: A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components

Cloud Security Orienteering
- A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment
- Also refer to the companion blog post, checklist, and talk

PEACH - a tenant isolation framework for cloud applications
A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation by reducing your cloud applications' attack surface

A Roadmap to Zero Trust Architecture
This roadmap was built by security experts to provide a vendor-agnostic Zero Trust architecture and an example implementation timeline

Chris Farris
- Moving the needle on Cloud Security (Nov 18)
  - Have individual accountability: many accounts, each with a VP/Senior Director assigned as the Executive Sponsor
  - Force all account owners to give the security team audit permissions in all accounts
  - Put a Cloud Security Standard down on paper
  - The power of the cloud is the API, and the API allows you to measure everyone against the Standard
  - Have Scorecards: each executive has their own scorecard reflecting their own AWS accounts. It gives them their score on each requirement in the Cloud Security Standard and, in a separate tab, the list of resource IDs that the system determined were non-compliant
- How the scorecard works (Nov 18)
  - Phase 1: inventory phase
  - Phase 2: determine which resources are non-compliant with the Cloud Security Standard
  - Phase 3: generate two sets of spreadsheets
    - One is individualized to each cloud account owner: it shows them their personal score, the risk-weighted (by requirement) score for all the accounts they're responsible for, and the scores for each individual requirement by account
    - One enterprise-wide scorecard: the first tab shows all the AWS accounts and the score by requirement. The second tab lists all of the accounts, each account's overall score and its current spend. The final tab lists all of the executive owners and their scores, with the executive scores risk-weighted by AWS account spend
- Creating a Cloud Security Standard (Mar 19)
  - High level structure of a custom Cloud Security Standard
  - Our first major decision was not to have a single standard for the three public clouds we operate in. The differences between AWS, GCP and Azure are major, and creating a document that addressed configuration in the abstract would create confusion
- Modern Cloud Governance (July 20)
  - If you break down your cloud program into three core functions, you can see how each manages an aspect of your cloud

    | Function    | Aspect  |
    |-------------|---------|
    | Development | Cost    |
    | Security    | Risk    |
    | Finance     | Agility |

  - Risk reduction in modern cloud governance: the organization needs to focus on realistic cloud security standards, guardrails, and education
  - Guardrails need to be flexible. Not all workloads have the same level of risk tolerance
  - A successful cloud strategy needs to bring together the three constituencies into a common conversation to balance the cost, risk, and ability to agilely deliver what the business requires. It requires less of a top-down governance model and more of a bottom-up common understanding. Each side must give and take in balance.
- Mapping CIS Controls to Cloud (Oct 20)
  - An overview of the Critical Security Controls published by CIS
- Elements of a Successful Cloud Security Program (Apr 23)
  - Outcomes of a successful Cloud Security Program:
    - Don't get breached
    - Don't have audit findings
    - Don't move so slowly your company becomes irrelevant
    - Don't spend so much you go out of business
  - To build a successful program, you want to:
    - Know your company's threat model
    - Codify your cloud security best practices
    - Define your mission
    - Establish Cloud Security Key Risk Indicators (KRIs)
    - Make friends with your builders
    - Focus on outcomes, not tools
    - Remain focused on outcomes
  - Related slides: Walking on Broken Clouds