As the head of security at a cloud-forward organization, you are an info security and risk expert with strong business acumen. On your shoulders falls the difficult task of detecting security issues as early as possible to reduce your organization’s risk posture. You must collaborate with devops, IT and compliance teams to ensure security remains strong while business priorities are met.
You recognize the importance of building a risk-based security strategy in the cloud but need buy-in and approval from key stakeholders to receive budget funding. The challenge, then, is ensuring your cloud security strategy is cogent and appeals to the right people.
To start, you must understand why building and selling your cloud security strategy is critical. Then you need to know how to do it and be able to describe the benefits to your organization. You’ll also need to have a proven method of implementing the strategy efficiently and successfully.
Why it’s important
Moving security forward is not easy, particularly if stakeholders consider the controls an impediment to business priorities. That’s why a winning strategy delivers a roadmap for improving your cloud security posture and driving product development.
A successful security strategy accomplishes several objectives:
- Serves as the building block for developing a risk-based security posture
- Answers concerns about why and for what you need funding
- Protects your budget moving forward
- Creates avenues for additional funding for risk remediation
- Identifies threats and addresses them within the strategy’s framework
- Ensures you and your team are protected in the case of a security incident
- Demonstrates that the strategy supports business priorities
Seek opportunities to embrace a DevSecOps mindset. For example, cloud-forward businesses are using more non-human accounts than ever to develop products faster. In turn, attacks on non-human identities are rising significantly. You’ll want to protect those accounts without slowing down devops. Find a vendor that provides just-in-time (JIT) permissioning for human and non-human accounts. This elevates security and gives developers the access they need to deliver efficiently.
With your strategy built and business-oriented opportunities in mind, it’s time to focus on selling your strategy to key stakeholders.
Selling your cloud security strategy
Four critical components comprise selling a security strategy.
- Developing a risk framework
- Getting business buy-in and support
- Building a customized control framework
- Using the right solution(s)
A risk framework begins with risk identification. Here are four common scenarios:
- An external party seizes control of your system and initiates a Denial of Service (DoS)
- An external party steals sensitive data or processes
- An employee misuses access to mission-critical data
- An employee leaks customer information
Each scenario requires an assessment to analyze and classify the risk likelihood and impact. Develop a scoring system that helps you and your company’s stakeholders quickly understand potential outcomes.
Control mapping lets you understand the controls needed to address the risks. For example, if the “kill chain” step is to gain access to your environment and the “threat” is credential theft, the security control might be multifactor authentication (MFA), JIT, or improved privileged access management (PAM).
- Kill chain = gain access
- Threat = credential theft
- Controls = MFA, JIT, PAM
Once you have established the risk framework, prioritize and define the initiatives needed to improve controls that reduce risk.
Assign the risk’s impact on business finances, customers and reputation. To illustrate, consider the following scoring system:
- Rating: Very High. Description: Potential existential impact. Reputation / Customer: Extreme impact on client relations. Financial: Significant and/or permanent impact to revenue generation.
- Description: Serious, long-term impact. Reputation / Customer: Major impact on client relations. Financial: Reduced ability to generate revenue.
- Description: Serious, long-term impact. Reputation / Customer: Material, but recoverable, impact. Financial: Near-term revenue loss.
Next, assign the risk’s likelihood, such as:
- Score: 5
- Rating: Very High
- Likelihood: The risk is almost certain to occur
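The following is an added example, not part of the original article, showing how the risk identification, impact and likelihood scoring, and control mapping described above fit together in a small risk register. The four scenarios are the ones listed earlier; the impact and likelihood values, the labels for the lower rating tiers, the score bands and the non-credential-theft control mappings are constructed assumptions for this example (the credential theft to MFA / JIT / PAM mapping is the article's own).

```python
from dataclasses import dataclass

# Both axes use a 1..5 scale; 5 = "Very High", matching the likelihood example above.
# The labels for the lower tiers are assumptions made for this example.
SCALE = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}

# Threat -> candidate controls. The credential-theft row is the article's own example;
# the other rows are illustrative assumptions.
CONTROL_MAP = {
    "credential theft": ["MFA", "JIT", "PAM"],
    "resource exhaustion": ["rate limiting", "DDoS protection"],
    "data exfiltration": ["DLP", "encryption at rest", "egress filtering"],
    "privilege misuse": ["least privilege", "UEBA / SIEM monitoring"],
}


@dataclass
class RiskScenario:
    name: str
    kill_chain: str   # attacker objective, e.g. "gain access"
    threat: str       # the technique that kill-chain step relies on
    impact: int       # 1..5, business impact
    likelihood: int   # 1..5, probability of occurrence

    def __post_init__(self):
        for axis in ("impact", "likelihood"):
            value = getattr(self, axis)
            if not 1 <= value <= 5:
                raise ValueError(f"{axis} must be 1..5, got {value}")

    def score(self) -> int:
        # Classic likelihood x impact product, range 1..25
        return self.impact * self.likelihood


def risk_band(score: int) -> str:
    """Map a 1..25 product to a rating stakeholders can read at a glance.
    The band boundaries are an assumption for this example."""
    if score >= 15:
        return "Very High"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def controls_for(scenario: RiskScenario) -> list:
    """Control mapping: the threat behind a kill-chain step -> controls that break it."""
    return list(CONTROL_MAP.get(scenario.threat, []))


def prioritise(scenarios):
    """Highest score first; ties broken by impact so existential risks lead."""
    return sorted(scenarios, key=lambda s: (-s.score(), -s.impact, s.name))


def build_register(scenarios):
    """One row per scenario: the summary a security risk group would take to stakeholders."""
    return [
        {
            "scenario": s.name,
            "kill_chain": s.kill_chain,
            "threat": s.threat,
            "impact": SCALE[s.impact],
            "likelihood": SCALE[s.likelihood],
            "score": s.score(),
            "rating": risk_band(s.score()),
            "controls": controls_for(s),
        }
        for s in prioritise(scenarios)
    ]


# Constructed register built from the four scenarios above; the scores are sample values.
SCENARIOS = [
    RiskScenario("External DoS", "disrupt service", "resource exhaustion", impact=4, likelihood=3),
    RiskScenario("External data theft", "gain access", "credential theft", impact=5, likelihood=3),
    RiskScenario("Insider misuse of critical data", "abuse access", "privilege misuse", impact=4, likelihood=2),
    RiskScenario("Insider leak of customer data", "exfiltrate", "data exfiltration", impact=3, likelihood=4),
]

if __name__ == "__main__":
    for row in build_register(SCENARIOS):
        print(f"{row['score']:>2} {row['rating']:<9} {row['scenario']:<32} -> {', '.join(row['controls'])}")
```

Running the block prints the register ordered by score, with the credential theft scenario at the top and its MFA / JIT / PAM controls beside it; the tie between the DoS and leak scenarios is resolved toward the higher-impact one, which is the behaviour a risk group usually wants when two risks score equally.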
Adopt one or several of the available security control frameworks. Doing so gives your strategy, and the stakeholders you need to win over, a recognized control checklist to work from, and it provides a critical benchmark for maintaining a strong cloud security posture.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- SANS Top 20 Critical Controls
- ISO 27001 Information Security Management Systems (ISMS)
- Cloud Security Alliance (CSA) Matrix
Choose the right solution
Choosing the right solution(s) for your cloud security strategy depends on your objectives. Key questions include:
- Where are you on your cloud journey?
- Do you use an on-premises data center and are looking to move to the cloud?
  - Will you maintain a hybrid cloud (on-premises and cloud) environment?
  - Will you adopt a multi-cloud hybrid environment?
- Are you All-in-Cloud?
  - Do you use a single cloud environment?
  - Will you adopt a multi-cloud environment?
Regardless of where you are on your cloud journey, your strategy should address today’s challenges and plan for the security risks in store.
Broad adoption of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) tools, as well as software-as-a-service (SaaS) applications, has accelerated IT operations and application development. Managing and securing the resulting massive proliferation of cloud identities and privileges, for both app developers and their users, has been challenging.
It is not feasible in the long term to continue managing identities in password-protected Excel spreadsheets, which is common practice with many security operations (secops) and devops teams. Rather, ensuring the security of privileged access in a complex multi-cloud environment will require both a new mindset and new security tools.
The dynamic nature of the cloud brings changes to administration and configuration tools daily. With each change comes another set of features and functionality that needs to be understood and integrated into existing security tools. Ultimately, administrators and auditors lack adequate visibility into who has what level of access to each platform. As such, here are eight (8) best practices to look for in a platform solution:
- Grant cloud privileges JIT
- Assign privileges based on policy
- Drastically reduce standing privileges for human and nonhuman identities
- Integrate single-sign-on (SSO) or MFA
- Extend identity and governance administration (IGA)
- Feed UEBA / SIEM with privileged cloud activity
- Cross-cloud visibility and reporting
- Holistic, cloud-native platform
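As an added example (not code from the article or from any vendor's product), the following sketch shows the first three practices on the list, plus the audit feed for UEBA / SIEM, in working form: a broker that grants cloud privileges just in time, caps each grant by policy, lets grants expire so that standing privileges for human and non-human identities fall to zero, and records every decision. The identities, roles and policy values are constructed for the example.

```python
import time
from dataclasses import dataclass

# Policy: which identity (human or non-human) may request which role, and the maximum
# time-to-live in seconds. Names and roles are constructed for this example.
POLICY = {
    ("alice", "prod-admin"): 30 * 60,         # human operator, 30 minutes max
    ("ci-deployer", "deploy-role"): 10 * 60,  # non-human pipeline identity, 10 minutes max
}


@dataclass
class Grant:
    principal: str
    role: str
    granted_at: float
    expires_at: float


class JitBroker:
    """Hands out time-boxed privileges instead of standing ones and records every
    decision so the events can be forwarded to UEBA / SIEM."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants = {}   # (principal, role) -> Grant
        self.audit = []     # list of dict events, one per decision

    def _log(self, event, principal, role, **extra):
        record = {"ts": self._clock(), "event": event, "principal": principal, "role": role}
        record.update(extra)
        self.audit.append(record)

    def request(self, principal, role, ttl):
        """Grant the role for at most the policy's TTL; deny anything not in policy."""
        max_ttl = POLICY.get((principal, role))
        if max_ttl is None:
            self._log("denied", principal, role, reason="no matching policy")
            return None
        ttl = min(int(ttl), max_ttl)
        now = self._clock()
        grant = Grant(principal, role, now, now + ttl)
        self._grants[(principal, role)] = grant
        self._log("granted", principal, role, ttl=ttl)
        return grant

    def has_access(self, principal, role):
        """True only while an unexpired grant exists; expiry revokes automatically."""
        grant = self._grants.get((principal, role))
        if grant is None:
            return False
        if self._clock() >= grant.expires_at:
            del self._grants[(principal, role)]
            self._log("expired", principal, role)
            return False
        return True

    def revoke(self, principal, role):
        """Early revocation, e.g. when a task finishes before the TTL runs out."""
        if self._grants.pop((principal, role), None) is not None:
            self._log("revoked", principal, role)

    def active_grants(self):
        """Count of live grants: the 'standing privilege' figure to report to auditors."""
        now = self._clock()
        return sum(1 for g in self._grants.values() if now < g.expires_at)


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting."""

    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    broker = JitBroker(clock.now)
    broker.request("ci-deployer", "deploy-role", ttl=3600)   # capped to 10 minutes by policy
    print(broker.active_grants())                            # 1
    clock.advance(601)
    print(broker.has_access("ci-deployer", "deploy-role"))   # False: grant expired
    for event in broker.audit:
        print(event)
```

The point a reviewer should take from this is the shape, not the code: access is an event with a start and an end, policy decides the ceiling rather than the requester, and the audit list is what gets shipped to the SIEM so that a grant outside working hours or a run of denials for one identity is visible to the detection team.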
Risk should be the cornerstone
Assessing risk is specific to your organization. However, when it comes to building and selling your cloud security strategy, risk should be the cornerstone.
Be sure to keep your strategy simple, visual and based on established best practices and frameworks.
To successfully sell your strategy to key stakeholders, you will need their buy-in. Demonstrate how your strategy improves your security posture and facilitates business priorities: “Because we’ve deployed JIT permissions for human and non-human identities, developers can access the tools they need quickly and safely. This elevates our posture and accelerates velocity.”
The first step is identifying team members with whom you can form a security risk group. Next, identify the key stakeholders in the various business departments of your organization. Then, list relevant risk scenarios and adopt a control framework that is customized to your needs and risk tolerance. Finally, with an understanding of the priorities of each department and the security risks they face, develop your strategy overview, and make plans to incorporate control scores, risk pictures and desired outcomes.
Building and selling a successful cloud security strategy is not easy. But the recommendations here will help you understand your organization’s business and security priorities and present a strategy that serves both.