
Frameworks

Frameworks

Item Description
adidas-devops-maturity-framework Based on the CALMS (Culture, Automation, Lean, Measurement, Sharing) definition of DevOps, the framework defines a set of capabilities and guidelines that, when adopted, increase the efficiency, effectiveness, and happiness of the team

Cloud Security

Item Description
Cloud Security Roadmap
  • A framework to establish a cloud security program aimed at protecting a cloud-native, service-provider-agnostic, container-based offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
  • Also refer to the companion blog post "On Establishing a Cloud Security Program"
Cloud Security Orienteering
  • A cloud- and environment-agnostic methodology for getting your bearings when tasked with securing an unfamiliar cloud environment
  • Also refer to the companion blog post, checklist, and talk
Chris Farris
  • Modern Cloud Governance
    • If you break down your cloud program into three core functions (development, security, and finance), you can see how each manages one aspect of your cloud: agility, risk, and cost respectively
    • Risk reduction in a modern cloud governance organization needs to focus on realistic cloud security standards, guardrails, and education; guardrails must be flexible enough that teams do not route around them
    • A successful cloud strategy brings the three constituencies into a common conversation to balance cost, risk, and the ability to deliver what the business requires with agility. It requires less of a top-down governance model and more of a bottom-up common understanding, with each side giving and taking in balance.
  • Creating a Cloud Security Standard
    • High level structure of a custom Cloud Security Standard
  • How the scorecard works
    • Each executive had their own scorecard reflecting their own AWS Accounts
    • It gave them their score on each requirement in the Cloud Security Standard, and in a separate tab, the list of resource IDs that the system determined were non-compliant
  • Mapping CIS Controls to Cloud
    • CIS publishes the Critical Security Controls (20 controls in version 7; version 8 later consolidated them into 18)
    • While primarily aimed at traditional, data-center-centric IT organizations, the concepts and the ordering of the 20 Controls provide a reasonably good road map for anyone starting their cloud security journey
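The scorecard described under "How the scorecard works" (one scorecard per executive, a score per requirement, and a separate list of non-compliant resource IDs) is easy to implement once an automated evaluator emits per-resource pass/fail findings. The block below is an added example written for this page, not code from Chris Farris or from any of the linked projects: the requirement IDs (`LOG-1`, `STO-2`), the account-to-executive ownership map, and the findings are all constructed sample data, and the scoring rule (percentage of evaluated resources that passed, across every account the executive owns) is an assumption about how such a scorecard would be computed.

```python
"""Per-executive cloud security scorecard (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One evaluation of one resource against one requirement of the standard."""
    account_id: str
    requirement: str   # hypothetical requirement ID from a custom Cloud Security Standard
    resource_id: str
    compliant: bool


# Constructed sample: which executive owns which AWS accounts (assumption).
ACCOUNT_OWNERS = {
    "111111111111": "VP Platform",
    "222222222222": "VP Platform",
    "333333333333": "VP Data",
}

# Constructed sample findings, shaped like what an automated evaluator might emit.
SAMPLE_FINDINGS = [
    Finding("111111111111", "LOG-1", "trail/org-trail", True),
    Finding("111111111111", "STO-2", "bucket/public-assets", False),
    Finding("111111111111", "STO-2", "bucket/internal-reports", True),
    Finding("222222222222", "LOG-1", "trail/missing", False),
    Finding("222222222222", "STO-2", "bucket/backups", True),
    Finding("333333333333", "LOG-1", "trail/data-trail", True),
    Finding("333333333333", "STO-2", "bucket/raw-exports", True),
]


def build_scorecards(findings, owners):
    """Return {executive: {"scores": {req: pct}, "non_compliant": {req: [ids]}}}.

    The score for a requirement is the percentage of evaluated resources that
    passed it, pooled over every account the executive owns. Non-compliant
    resources are reported as "account:resource" so the owner can find them.
    """
    # executive -> requirement -> [passed, evaluated]
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    failures = defaultdict(lambda: defaultdict(list))
    for f in findings:
        # An account with no owner is itself a governance gap: surface it
        # under a sentinel rather than silently dropping its findings.
        owner = owners.get(f.account_id, "UNASSIGNED")
        counters = totals[owner][f.requirement]
        counters[1] += 1
        if f.compliant:
            counters[0] += 1
        else:
            failures[owner][f.requirement].append(f"{f.account_id}:{f.resource_id}")

    cards = {}
    for owner, reqs in totals.items():
        cards[owner] = {
            "scores": {req: round(100.0 * passed / total, 1)
                       for req, (passed, total) in reqs.items()},
            "non_compliant": {req: sorted(ids)
                              for req, ids in failures[owner].items()},
        }
    return cards


if __name__ == "__main__":
    for owner, card in build_scorecards(SAMPLE_FINDINGS, ACCOUNT_OWNERS).items():
        print(f"== {owner} ==")
        for req, pct in sorted(card["scores"].items()):
            print(f"  {req}: {pct}%")
        for req, ids in sorted(card["non_compliant"].items()):
            print(f"  non-compliant {req}: {', '.join(ids)}")
```

In practice the findings list would be fed from whatever evaluator backs the standard (AWS Config rules, a custom scanner, or a CSPM export); the point of the structure is that the score and the resource list stay on the same per-executive card, so the number has an actionable list behind it.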