Define a cloud security policy and cloud security standards and guidelines for the target state.
Design core cloud security patterns that comply with the policy and standards.
Design core cloud security to detect violations of fundamental security design principles.
Implement reference architectures based on the security patterns.
Make the patterns available to the business and technology teams. The patterns serve as guardrails for secure adoption of cloud-native tools and services.
Build and implement operational processes for DevSecOps and the CI/CD pipelines that encompass the security patterns.
Embrace cloud-native security tools and services, and the security needs for the new code and application build/delivery model.
Enable the capability to perform static and dynamic code scanning and penetration testing using a self-service approach, especially focusing on the vulnerabilities that can really be exploited at runtime.
Identity and Access Management: IAM includes identity federation; naming and tagging; root account protection; invocation and access to public and privately accessible APIs; and privileged access management, including vaulting of passwords and keys, cross account access, identity store or identity provider, and master role inheritance.
Network security: Includes Direct Connect (DC) private and public interfaces; DMZ, VPC, and VNet endpoints; transit gateways; load balancers; and DNS.
Data Security: Encrypt data in transit and at rest, including S3 bucket data, EBS root volumes, and DynamoDB tables.
Core Cloud Native Services: Consists of core cloud services (e.g., S3, RDS, CloudFront, Inspector, Security Hub, Security Center, and Azure Log Analytics).
Monitoring: Threat modeling, native API, application and services monitoring, integration with native logging capabilities (e.g., CloudWatch, CloudTrail and Security Center), server infrastructure monitoring, server vulnerability monitoring, and business applications monitoring.
Third-party Access: Monitor third-party access to the cloud console.
Operational Activity: ACL creation and updates, all operational changes in the context of DevSecOps processes and CI/CD pipelines (e.g., code build, deployment, and promotion to production).
Infrastructure as Code: Use infrastructure as code to implement the guardrails needed to secure cloud-native services and applications (e.g., Service Control Policies (SCPs) in AWS, and Azure Policy in Azure).
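As an added example, not taken from the original text, the following AWS Service Control Policy shows the kind of guardrail the Infrastructure as Code item refers to: it denies actions by the account root user (the root account protection item above), blocks tampering with CloudTrail (the logging integration item above), and refuses creation of unencrypted EBS volumes (the data-at-rest item above). The statement IDs and the particular set of denied actions are assumptions; the actions and condition keys themselves are standard AWS ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    },
    {
      "Sid": "ProtectCloudTrailLogging",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    }
  ]
}
```

SCPs never restrict the management account, so a break-glass path remains; attach the policy to an organizational unit and verify it against a sandbox account before applying it to production accounts.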
Design and implement application-specific security patterns.
Design and implement patterns for new service requirements.
Create an archetype specification for each application type.
Develop operational processes to ensure that the application security patterns build upon the core security patterns.
Build processes that ensure the new applications utilize the core security patterns.
Leverage application monitoring use cases and detect pattern violations.
Create or simulate violations to test application monitoring capability.
Refine the application monitoring use cases.
Ensure that the processes exist to make this cloud application security process evergreen.
Build governance to ensure the evergreen processes have appropriate reporting capabilities.