Today’s computing environments and frameworks are more complex than they’ve ever been. And not just for large enterprises, but also for small and mid-sized companies, where you normally find a mix of on-premises systems, public clouds, and sometimes private clouds, depending on the nature of the business. Even cloud-only environments are complex and can quickly spiral out of control if not managed reasonably. This is why, no matter the size of the business, whoever is responsible for securing these systems has to have a way to understand the fluid nature of these environments and how best to put in place the proper security governance frameworks, security processes, and defenses.
The best way to approach this is to have some type of security framework against which to gauge one’s maturity. A cloud security framework helps an organization of any size better understand its environment, the nature of its systems, and where its most important data resides. It will also help the organization understand the risks it is accepting, how to mitigate those risks to an acceptable level, and the security defenses and controls required to reach a state of security that the organization can comfortably tolerate.
Without such a framework in place any organization is essentially guessing how to best secure its systems.
Organizations that do implement such a framework, however, have a far more straightforward path to reaching the right level of security. Additionally, those who are responsible for security or who run the enterprise cloud systems will be able to make better risk decisions, help business leadership understand risk, and make better decisions themselves. This also provides a foundation on which to support business objectives.
What does this mean in a nutshell? It means a security framework makes it possible to build a risk management strategy that is right for the organization, to put that strategy into practice, and then to monitor compliance with the resulting policy and measure its effectiveness over time. It’s that simple, and that challenging, all at the same time.
Examples of cloud security frameworks include the Cloud Security Alliance Guidance v3.0 and NIST Special Publication 800-53, Security Controls and Assessment Procedures for Federal Information Systems and Organizations.
When we talk of security policies, what do we mean? We mean policies that define what the right level of risk should look like. This informs all sorts of things about the state of systems: what a secure cloud server looks like in production and how it is managed, or what tests an application or new software function needs to pass before it is shipped to production. It can include what secure system configurations look like, where critical business data may or may not reside, and what an organization’s passwords should look like. Of course, it’s also more complex than that, but this gives you a good idea of what security policies cover and what they look like.
Now, good security policies that are painstakingly defined with the help of a security framework are essential to effective security. But the best-crafted policies aren’t worth a whole heck of a lot without the ability to enforce them. And this is an area where organizations today are at a great advantage over enterprises of five or ten years ago.
This is because, especially in cloud environments, the tools now exist to continuously monitor the environment and identify systems and environmental configurations that have fallen out of policy compliance. This highlights the importance of looking for security tools designed specifically for the cloud and avoiding security technologies designed for legacy systems, which focus primarily on building a strong perimeter and on protecting relatively static systems. The cloud environment has changed the game and continues to evolve, and security needs to adapt accordingly.
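As an added illustration of the continuous-compliance idea in this and the preceding paragraphs (example code, not from the original article or any named tool), the script below turns a few written policy statements of the kind described above (no public storage, no administrative ports open to the whole internet, patches no older than a set age, encryption at rest, backups enabled) into checks and runs them over an inventory of cloud resources. The inventory records and the rule names are constructed sample data and hypothetical policy, not the controls of any particular framework; a real deployment would feed the same evaluation function from a cloud provider's configuration export on a schedule.

```python
"""Policy-as-code compliance check over a cloud resource inventory.

Added example, not code from the original article. The inventory below is
constructed sample data and the rules are hypothetical policy statements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One policy violation: which resource, which rule, and why."""
    resource_id: str
    rule: str
    detail: str


# Constructed sample inventory, shaped like a config export a collector might
# produce. Nothing here refers to a real environment.
SAMPLE_INVENTORY = [
    {"id": "bucket-finance", "type": "storage", "public": False, "encrypted": True},
    {"id": "bucket-marketing", "type": "storage", "public": True, "encrypted": True},
    {"id": "vm-web-01", "type": "vm",
     "open_ports": {"22": ["10.0.0.0/8"], "443": ["0.0.0.0/0"]}, "os_patch_age_days": 12},
    {"id": "vm-db-01", "type": "vm",
     "open_ports": {"22": ["0.0.0.0/0"], "5432": ["10.0.1.0/24"]}, "os_patch_age_days": 45},
    {"id": "db-customers", "type": "database", "encrypted": False, "backup_enabled": True},
]

# Hypothetical policy parameters (assumed values, not from any framework).
MAX_PATCH_AGE_DAYS = 30
ADMIN_PORTS = {"22", "3389"}
ANYWHERE = "0.0.0.0/0"


def check_storage(r):
    out = []
    if r.get("public"):
        out.append(Finding(r["id"], "storage-no-public-access", "bucket is publicly readable"))
    if not r.get("encrypted"):
        out.append(Finding(r["id"], "storage-encrypted-at-rest", "encryption at rest disabled"))
    return out


def check_vm(r):
    out = []
    # Administrative ports may only be reachable from internal ranges.
    for port, sources in r.get("open_ports", {}).items():
        if port in ADMIN_PORTS and ANYWHERE in sources:
            out.append(Finding(r["id"], "vm-admin-port-restricted",
                               f"port {port} reachable from any address"))
    if r.get("os_patch_age_days", 0) > MAX_PATCH_AGE_DAYS:
        out.append(Finding(r["id"], "vm-patch-currency",
                           f"last patched {r['os_patch_age_days']} days ago"))
    return out


def check_database(r):
    out = []
    if not r.get("encrypted"):
        out.append(Finding(r["id"], "db-encrypted-at-rest", "encryption at rest disabled"))
    if not r.get("backup_enabled"):
        out.append(Finding(r["id"], "db-backup-enabled", "automated backups disabled"))
    return out


CHECKS = {"storage": check_storage, "vm": check_vm, "database": check_database}


def evaluate(inventory):
    """Run every applicable rule over every resource; unknown types are flagged
    rather than silently skipped, so gaps in the policy itself become visible."""
    findings = []
    for r in inventory:
        check = CHECKS.get(r["type"])
        if check is None:
            findings.append(Finding(r["id"], "unknown-resource-type",
                                    f"no policy defined for type {r['type']!r}"))
            continue
        findings.extend(check(r))
    return findings


def compliance_rate(inventory, findings):
    """Fraction of resources with no findings; a trend line for this number is
    the 'measure effectiveness over time' part of the policy cycle."""
    noncompliant = {f.resource_id for f in findings}
    return 1 - len(noncompliant) / len(inventory)


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.resource_id:18} {f.rule:28} {f.detail}")
    print(f"compliance rate: {compliance_rate(SAMPLE_INVENTORY, results):.0%}")
```

Each finding names the rule it violates, so the output can be routed to whoever owns that control rather than dumped as an undifferentiated list; flagging resource types with no rule at all catches the common failure where the policy was written for yesterday's inventory.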