| Cloud Security Roadmap |
- A framework to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based, offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- Also refer to the companion blog post "On Establishing a Cloud Security Program"
|
| Cloud Security Orienteering |
- A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment
- Also refer to the companion blog post, checklist, and talk
|
| Chris Farris |
- Modern Cloud Governance
- If you break down your cloud program into three core functions (development, security, and finance), you can see how each manages an aspect of your cloud: cost, risk and agility
- Risk Reduction in Modern Cloud Governance organization needs to focus on realistic cloud security standards, guardrails, and education. Guardrails need to be flexible.
- A successful cloud strategy needs to bring together the three constituencies into a common conversation to balance the cost, risk, and ability to agilely deliver what the business requires. It requires less of a top-down governance model and more of a bottom up common understanding. Each side must give and take in balance.
- Creating a Cloud Security Standard
- High level structure of a custom Cloud Security Standard
- How the scorecard works
- Each executive had their own scorecard reflecting their own AWS Accounts
- It gave them their score on each requirement in the Cloud Security Standard, and in a separate tab, the list of resource IDs that the system determined were non-compliant
- Mapping CIS Controls to Cloud
- CIS publishes a list of 20 Critical Security Controls
- While primarily focused at traditional IT data-center centric organizations, the concepts and the order of the 20 Controls provides a reasonably good road map for anyone looking to start their cloud security journey
|