Psychologist Carol Dweck has done research on the concept of “mindset” in humans, and she’s determined that those who seek growth and progress are happier, more fulfilled, and actually achieve more than those focused on quick wins. Turn that idea to the world of cloud security and you’ll see that the same thing applies; a strategy and path centered on growth will ultimately yield better and more sustainable results.
Cloud environments are dynamic and constantly changing, as are other elements of your IT infrastructure. Those responsible for security therefore have a mandate to stay continuously vigilant in identifying and guarding against vulnerabilities. Attackers keep creating new ways to ply their trade, so security efforts can never stop. While that description may invite comparison to Sisyphus and the boulder he was condemned to keep pushing up a hill, your cloud security and compliance efforts can, with the right approach, show demonstrable progress towards less risk over time and a more controlled overall environment.
The Evident Security Platform (ESP) continuously monitors AWS and Azure accounts so you have a picture of your cloud security status. It’s highly visual, and you can see how your accounts, regions, controls, and signatures are performing against expectations and best practices. Controls that register in green are passing and therefore being managed correctly. Red controls indicate issues, and automated alerts with remediation steps are immediately delivered to the appropriate people. For those who are struggling with this concept: you want more green than red.
In the cloud, it’s the constant change that prevents you from being always green. Achieving a perfect score would require you to essentially freeze your cloud, and that defeats the whole purpose of operating in a highly connected, agile, and dynamic environment. But if you adhere to Professor Dweck’s idea of growth, you can use ESP as a way to constantly improve your security posture and measure progress towards better control. Doing that requires you and your team to apply some discipline and best practices, so that ESP serves both as a yardstick for your performance and as a way to ensure you are truly growing in your ability to limit the risk to your cloud and data.
Growth towards a more secure cloud will be unique to each organization, but these are some steps you can take to help you and your team demonstrate growth and progress:
Create an action plan
The first question you need to ask is, “What do we want to achieve as a security team, and how can ESP help us get there?” A lot more green is kind of a goal, but it doesn’t address the specifics of your actual environment. Instead, start by prioritizing your risks and move forward with a plan to resolve them according to importance. If you build requirements around these priorities, it will keep you and your team on track, and the positive feedback loop you’ll see from ESP report histories should clearly identify the improvement in the overall health of your security posture.
Start with the CIS benchmark
The CIS AWS Foundations Benchmark can be a great starting point, as it provides a framework of AWS security best practices that go beyond AWS out-of-the-box controls. These should mostly align with the typical enterprise’s high-priority issues, and the standard itself provides a commonly accepted and understood framework against which your team’s efforts can quickly start to show progress.
S3 bucket fitness
Far too many major enterprise breaches have been caused by poorly configured and managed AWS S3 buckets. Knowing that, it’s important to recognize how quickly a lack of oversight of S3 buckets can create high-risk situations. A good way to measure growth towards a more secure cloud is by applying remediation according to AWS S3 bucket fitness reports and measuring progress as controls move from any risk state (high, medium, or even low risk) to a passing score and the coveted green button.
The ESP dashboard lets you view and identify the risk status of every signature applied to your cloud, including custom ones you created. As more of these move from a risk status to a passing status, your organization’s overall security posture becomes less vulnerable. The signature reports will constantly change as more signatures are created and adopted; seeing a progression away from signatures that are in a risk state is an important metric on the way to a more secure cloud.
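To make concrete what an S3 bucket fitness check actually evaluates, here is an added example (not ESP’s code or its signature logic): each constructed bucket record mimics the ACL grants, bucket policy, default encryption and logging settings a posture tool would read via the S3 API, and the mapping of findings to high/medium/low/pass is an assumption for illustration.

```python
# Canned ACL group URIs whose grants make a bucket readable or writable by anyone.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
SEVERITY_RANK = {"pass": 0, "low": 1, "medium": 2, "high": 3}

def policy_is_public(policy):
    """True if an Allow statement applies to every principal with no Condition."""
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False

def grade_bucket(bucket):
    """Return (status, reasons); status is the worst severity among the findings.
    The severity mapping below is an assumption for this example, not ESP's."""
    findings = []
    public_acl = {g["permission"] for g in bucket.get("grants", []) if g["grantee"] in PUBLIC_GRANTEES}
    if public_acl:
        findings.append(("high", "ACL grants %s to everyone" % ",".join(sorted(public_acl))))
    if policy_is_public(bucket.get("policy")):
        findings.append(("high", "bucket policy allows Principal * without a Condition"))
    if not bucket.get("encryption"):
        findings.append(("medium", "default encryption not enabled"))
    if not bucket.get("logging"):
        findings.append(("low", "server access logging disabled"))
    status = max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="pass")
    return status, [reason for _, reason in findings]

# Constructed bucket records (no real accounts) in the shape the S3 API returns.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
BUCKETS = [
    {"name": "finance-data", "grants": [], "encryption": True, "logging": True,
     "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:role/Finance"},
                               "Resource": "arn:aws:s3:::finance-data/*"}]}},
    {"name": "marketing-site", "grants": [], "encryption": False, "logging": False,
     "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Principal": "*", "Resource": "arn:aws:s3:::marketing-site/*"}]}},
    {"name": "log-archive", "grants": [{"grantee": ALL_USERS, "permission": "READ"}],
     "encryption": True, "logging": True, "policy": None},
    {"name": "staging-uploads", "grants": [], "encryption": True, "logging": False, "policy": None},
]

def fitness_report(buckets):
    """Map bucket name -> (status, reasons): the per-bucket view a fitness report rolls up."""
    return {b["name"]: grade_bucket(b) for b in buckets}
```

Run against the constructed set, finance-data passes, staging-uploads is low, and the two publicly readable buckets are high regardless of their other settings.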
Track project goals and assign KPIs
While seeing your reds turn to greens is a great way to demonstrate success, we recognize that some controls and signatures are fine with a medium risk score, or some aren’t worthy of any attention beyond their current state. The better way to grow is by attaching KPIs to growth in areas like region, severity, signatures and timeframes. Know what you want to measure, an accepted timeframe for resolution, and then use ESP history reports to identify success in terms of growth and, ultimately, a more secure environment.
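As an added example of the KPI idea above (not ESP code, and not its report format), the following turns a constructed control history, one status per (control, region, severity) per snapshot date, into per-severity resolved / within-target / still-open counts and open findings by region; the resolution targets in SLA_DAYS are assumed values.

```python
from collections import defaultdict
from datetime import date

# Assumed resolution targets per severity, in days (not values from the page).
SLA_DAYS = {"high": 14, "medium": 30, "low": 90}

# Constructed history export: status of each (control, region, severity) at each snapshot.
SNAPSHOTS = [date(2018, 3, 1), date(2018, 3, 15), date(2018, 4, 1)]
HISTORY = {
    ("s3-public-acl", "us-east-1", "high"): ["fail", "pass", "pass"],
    ("s3-public-acl", "eu-west-1", "high"): ["fail", "fail", "pass"],
    ("cloudtrail-enabled", "us-east-1", "medium"): ["fail", "fail", "pass"],
    ("root-mfa", "global", "high"): ["fail", "pass", "pass"],
    ("vpc-flow-logs", "eu-west-1", "low"): ["fail", "fail", "fail"],
}

def resolution_times(snapshots, history):
    """Days from the first failing snapshot to the first later passing one, per key;
    None when the control has not passed yet; absent when it never failed."""
    times = {}
    for key, statuses in history.items():
        opened = None
        for snap, status in zip(snapshots, statuses):
            if status == "fail" and opened is None:
                opened = snap
            elif status == "pass" and opened is not None:
                times[key] = (snap - opened).days
                break
        else:
            if opened is not None:
                times[key] = None  # still red at the latest snapshot
    return times

def kpis(snapshots, history):
    """Per-severity resolved / within_sla / open counts, plus open findings by region."""
    per_severity = defaultdict(lambda: {"resolved": 0, "within_sla": 0, "open": 0})
    open_by_region = defaultdict(int)
    for (control, region, severity), days in resolution_times(snapshots, history).items():
        if days is None:
            per_severity[severity]["open"] += 1
            open_by_region[region] += 1
        else:
            per_severity[severity]["resolved"] += 1
            if days <= SLA_DAYS[severity]:
                per_severity[severity]["within_sla"] += 1
    return dict(per_severity), dict(open_by_region)
```

Counting only "resolved" would hide that one high finding took 31 days against a 14-day target; the within_sla figure is what shows whether the timeframe KPI is actually being met.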
There’s long been a notion that the cloud frees IT departments from regular management work. To the contrary, the cloud is complex and requires rigorous oversight and management; that is the trade-off for all its advantages. But that complexity need not prevent an organization from having control over its resources and data. It’s certainly not a one-and-done proposition, but rather something that is addressed and managed continuously. By approaching it with a growth mindset, you and your team will know what to emphasize, when to work on it, and how to measure progress.