- Marco Lancini Cloud Security Strategies
  - A collection of articles providing actionable advice for anyone looking to establish a cloud security program aimed at protecting cloud native offerings
    - On Establishing a Cloud Security Program: A framework to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
    - What to look for when reviewing a company's infrastructure: A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components
- Cloud Security Orienteering
  - A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment
  - Also refer to the companion blog post, checklist, and talk
- PEACH - a tenant isolation framework for cloud applications
  - A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation by reducing your cloud applications' attack surface
- A Roadmap to Zero Trust Architecture
  - This roadmap was built by security experts to provide a vendor agnostic Zero Trust architecture and an example implementation timeline
- Chris Farris
  - Modern Cloud Governance
    - If you break down your cloud program into three core functions (development, security, and finance), you can see how each manages an aspect of your cloud: cost, risk, and agility
    - Risk Reduction in Modern Cloud Governance: the organization needs to focus on realistic cloud security standards, guardrails, and education. Guardrails need to be flexible.
    - A successful cloud strategy needs to bring the three constituencies together into a common conversation to balance cost, risk, and the ability to agilely deliver what the business requires. It requires less of a top-down governance model and more of a bottom-up common understanding. Each side must give and take in balance.
  - Creating a Cloud Security Standard
    - High-level structure of a custom Cloud Security Standard
    - How the scorecard works
      - Each executive had their own scorecard reflecting their own AWS Accounts
      - It gave them their score on each requirement in the Cloud Security Standard and, in a separate tab, the list of resource IDs that the system determined were non-compliant
  - Mapping CIS Controls to Cloud
    - CIS publishes a list of 20 Critical Security Controls
    - While primarily focused on traditional IT, data-center-centric organizations, the concepts and the order of the 20 Controls provide a reasonably good road map for anyone looking to start their cloud security journey