Our world is obsessed with measurement, and I blame Moneyball. Once it became a bestseller, everyone wanted to use statistics to evaluate everything. How bad is your mother-in-law? Well she scored <6.7 in nine different categories related to emotional smothering; you know, that kind of thing.
I actually really loved the book, but I also subscribe to W. Edwards Deming’s apocryphal comment, “In God we trust. All others bring data.” That’s not a bad mantra for cloud security, where it is critical to always know the status of your security posture and measure it against previous performance, with the foresight to aim at rigorous goals.
The cloud presents a unique environment in which to pull metrics and determine success or failure. Much like Heraclitus’ river, you’re never dealing with the same cloud environment for very long, which makes measurement difficult. For example, you may open an S3 bucket in your environment, configure it, and supply it with rigorous access controls. But then maybe that bucket gets accessed by an admin who doesn’t know about these controls and he inadvertently removes the credentials, or perhaps posts them to a GitHub repository for future reference by his team. Unless you have a tool to measure the efficacy of your security policies, you’ll never know if you’re getting a passing or failing score on S3 bucket risk.
The sad reality is that in most organizations’ cloud deployments, they simply don’t know what they don’t know. It’s wildly eye-opening to find out how many major organizations operate under a presumption of security until they are breached. That is a bad policy, and one that often results from a lack of measurement.
Thankfully there are tools and frameworks to help you measure your cloud so your organization’s and customers’ data is protected. While the flexible nature of the cloud precludes a single silver-bullet checklist, organizations can be astute about how they pursue cloud security measurement with these steps:
Step 1: Identify all your cloud activity and access
Some organizations have centrally controlled IT environments while others are distributed. Many companies offer liberal admin rights at all levels across the organization in order to facilitate DevOps processes and expedite testing; many groups give developers authorization to create new buckets and virtual databases as needed. If you don’t have a snapshot of your entire cloud landscape and where activity exists, you need to build one first before you can measure activity and performance.
It’s important not just to know where services and resources exist, but who manages them, the purposes they’re used for, who holds admin rights for them, and which (if any) security policies they follow. This exercise may begin in a spreadsheet or checklist, but it will eventually become a critical catalog as you apply solutions to help you identify, monitor, and remediate security and compliance issues.
Step 2: Understand your current security policies
This might take you weeks of detail work, or it might take 30 minutes; it all depends on how you’ve approached security thus far. While cloud security is complex, don’t worry if you’ve been operating just on AWS or Azure out-of-the-box configurations. Those defaults reflect best practices and take a reasonable approach to things like least privilege for access, resource configurations, and handling third-party assets like APIs.
This step is not meant to be comprehensive. Rather, it’s intended as a way to level-set so you know roughly where you are so you can predict how far you have to go. If you have strict policies (and they’re being followed), then you’re probably in a state where you can accurately measure progress. But if you’ve been loose in your governance then you may need to initiate some structure as you move forward. The key is to know where you stand and anticipate how far you have to go.
Step 3: Apply necessary measurement
Fortunately there are a variety of cloud-specific security and compliance frameworks that give you policies and guidelines for how to construct your security posture. For example, the CIS AWS Foundations Benchmark, developed by the Center for Internet Security, can help you remove the guesswork because it provides a cost-effective and commonly accepted path to deploy and assess your AWS security measures with confidence. The CIS benchmarks represent consensus-based security best practices for organizations of all types—government, business, and industry.
For organizations doing business with the federal government, the NIST Cybersecurity Framework and related standards like NIST 800-53 and NIST 800-171 offer comprehensive frameworks that lay the foundation for strict security policies and their ongoing compliance. There are a variety of other security and compliance guidelines, like PCI for payments, HIPAA for healthcare data, and a host of others, all intended to be foundational for your cloud activities and something that can be measured against.
Step 4: Initiate continuous security automation
A cloud environment never stops changing, and security simply never stops, so continuous awareness and knowledge of what’s happening in your environment is critical. It’s also humanly impossible to do manually. Using a tool that automates the continuous monitoring of your environment provides visibility into all your security controls and policies, and provides both a scorecard and a built-in measuring instrument so you can identify problem areas, track successes, and report on overall security performance when needed to fulfill SLAs and KPIs.
One of the reasons that so many organizations neglect to create a strict discipline around security is that baselining their current security stance, and then performing ongoing measurement, is nearly impossible by hand. As a result, continuous monitoring tools have been built to align with AWS and Azure controls, and with specific types of controls and signatures like those found in standards such as NIST, PCI, HIPAA, and others.
Step 5: Continuous measurement
Given the scale of cloud deployments, it isn’t unusual for organizations to have millions of data points that need to be evaluated. After implementing a strategy like the one outlined here, you can begin to get a handle on all your cloud data in real time and rely on a sound infrastructure to rapidly isolate any security variation or deviation from known states. The key is that this needs to be continuous; the advantages are that you identify issues when they occur, and that you can begin to track your successes (and failures) over time. Knowing this will help you apply the right level of attention to areas where vulnerabilities exist.
Teams need to be able to measure and demonstrate security and compliance progress daily, not just during the yearly audit. With the right platform, you should be able to view your past and present security and compliance stances at the push of a button.
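Putting the five steps together in code, as an added example that is not from the original post or any particular product: a constructed Step 1 catalog of S3 buckets (hypothetical names and owners) is scored against a few checks in the spirit of the benchmark’s S3 recommendations (the check ids are our own labels, not CIS control numbers), and a later snapshot is compared with the baseline so that deviations from the known state show up even when the headline score does not move.

```python
# Constructed baseline inventory in the shape of the Step 1 catalog
# (hypothetical bucket names, owners and control settings).
BASELINE = [
    {"name": "app-logs", "owner": "platform", "public_acl": False,
     "encryption": True, "access_logging": True, "mfa_delete": True},
    {"name": "dev-scratch", "owner": "dev-team", "public_acl": True,
     "encryption": False, "access_logging": False, "mfa_delete": False},
    {"name": "customer-exports", "owner": "data", "public_acl": False,
     "encryption": True, "access_logging": False, "mfa_delete": False},
]

# The same catalog a day later: dev-team enabled encryption, but an admin
# opened customer-exports with a public ACL (the scenario from the intro).
TODAY = [dict(b) for b in BASELINE]
TODAY[1]["encryption"] = True
TODAY[2]["public_acl"] = True

# Checks modelled on the S3 items in the CIS AWS Foundations Benchmark;
# the ids are our own labels, not CIS control numbers.
CHECKS = {
    "no-public-acl":  lambda b: not b["public_acl"],
    "sse-enabled":    lambda b: b["encryption"],
    "access-logging": lambda b: b["access_logging"],
    "mfa-delete":     lambda b: b["mfa_delete"],
}

def evaluate(inventory):
    """Map every bucket to its per-check pass/fail results."""
    return {b["name"]: {cid: fn(b) for cid, fn in CHECKS.items()} for b in inventory}

def score(results):
    """Scorecard: percentage of (bucket, check) pairs that pass."""
    pairs = [ok for checks in results.values() for ok in checks.values()]
    return round(100.0 * sum(pairs) / len(pairs), 1) if pairs else 100.0

def deviations(previous, current):
    """Step 5: compare with the last known state -> (regressions, fixes, new buckets)."""
    regressions, fixes = [], []
    for bucket, checks in current.items():
        for cid, ok in checks.items():
            before = previous.get(bucket, {}).get(cid)
            if before is True and not ok:
                regressions.append((bucket, cid))
            elif before is False and ok:
                fixes.append((bucket, cid))
    new_buckets = sorted(current.keys() - previous.keys())
    return regressions, fixes, new_buckets
```

Both snapshots score 50.0, yet the comparison reports one regression and one fix, which is why the page insists on continuous comparison against known states rather than a periodic score alone.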
Deming is also credited with saying, “A rule should suit the purpose.” Cloud security will always be governed by rules – those created within your organization, by standards bodies, by the government, or by any of a number of groups who aim to make people and data safer. Heeding Deming’s advice means that measuring against those rules will help you define your purpose and identify the goals you need to hit.