Marco Lancini - Cloud Security Strategies
A collection of articles providing actionable advice for anyone looking to establish a cloud security program aimed at protecting cloud native offerings
- On Establishing a Cloud Security Program: A framework to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- What to look for when reviewing a company's infrastructure: A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components

Cloud Security Orienteering
- A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment
- Also refer to the companion blog post, checklist, and talk

PEACH - a tenant isolation framework for cloud applications
A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation by reducing your cloud applications' attack surface

A Roadmap to Zero Trust Architecture
This roadmap was built by security experts to provide a vendor agnostic Zero Trust architecture and example implementation timeline

Chris Farris
- Moving the needle on Cloud Security (Nov 18)
  - Have individual accountability: many accounts, each with a VP/Senior Director assigned as the Executive Sponsor
  - Force all account owners to give the security team audit permissions in all accounts
  - Put a Cloud Security Standard down on paper
  - The power of the cloud is the API, and the API allows you to measure everyone against the Standard
  - Have Scorecards: each executive has their own scorecard reflecting their own AWS Accounts. It gives them their score on each requirement in the Cloud Security Standard and, in a separate tab, the list of resource IDs that the system determined were non-compliant
- How the scorecard works (Nov 18)
  - Phase 1: inventory phase
  - Phase 2: determine which resources are non-compliant with the Cloud Security Standard
  - Phase 3: generate two sets of spreadsheets
    - One is individualized to each cloud account owner: it shows them their personal score, the risk-weighted (by requirement) score for all the accounts they're responsible for, and the scores for each individual requirement by account
    - One enterprise-wide scorecard: the first tab shows all the AWS accounts and the score by requirement. The second tab lists all of the accounts, each account's overall score and current spend. The final tab lists all of the executive owners and their scores; executive scores are risk-weighted by AWS account spend
- Elements of a Successful Cloud Security Program (Apr 23)
  - Outcomes of a successful Cloud Security Program:
    - Don't get breached
    - Don't have audit findings
    - Don't move so slowly your company becomes irrelevant
    - Don't spend so much you go out of business
  - To build a successful program, you want to:
    - Know your company's threat model
    - Codify your cloud security best practices
    - Define your mission
    - Establish Cloud Security Key Risk Indicators (KRIs)
    - Make friends with your builders
    - Focus on outcomes, not tools
    - Remain focused on outcomes
  - Related slides: Walking on Broken Clouds