
A roadmap for developing a secure enterprise cloud operating model

June 4, 2021
Today’s columnist, Raj Badhwar of Voya Financial, says to prevent cloud-based breaches like the one that happened to Capital One in 2019, security teams need to develop an enterprise cloud operating model based on a cloud-first approach. (danreed! CreativeCommons CC BY-NC 2.0)

  • Define a cloud security policy and cloud security standards and guidelines for the target state.
  • Design core cloud security patterns that comply with the policy and standards.
  • Design core cloud security to detect violations of fundamental security design principles.
  • Implement reference architectures based on the security patterns.
  • Make the patterns available to the business and technology teams. The patterns serve as guardrails for secure adoption of cloud-native tools and services.
  • Build and implement operational processes for DevSecOps and the CI/CD pipelines that encompass the security patterns.
  • Embrace cloud-native security tools and services, and the security needs for the new code and application build/delivery model.
  • Enable the capability to perform static and dynamic code scanning and penetration testing using a self-service approach, especially focusing on the vulnerabilities that can really be exploited at runtime.
  • Identity and Access Management: IAM includes identity federation; naming and tagging; root account protection; invocation and access to public and privately accessible APIs; and privileged access management, including vaulting of passwords and keys, cross-account access, identity store or identity provider, and master role inheritance.
  • Network security: Includes Direct Connect (DC) private and public interfaces; DMZ, VPC, and VNet endpoints; transit gateways; load balancers; and DNS.
  • Data Security: Encrypt data in transit and at rest, including S3 bucket data (at rest), EBS root volumes, and DynamoDB.
  • Core Cloud Native Services: Consists of core cloud services (e.g., S3, RDS, CloudFront, Inspector, Security Hub, Security Center, and Azure Log Analytics).
  • Monitoring: Threat modeling, native API, application and services monitoring, integration with native logging capabilities (e.g., CloudWatch, CloudTrail and Security Center), server infrastructure monitoring, server vulnerability monitoring, and business applications monitoring.
  • Third-party Access: Monitoring third-party access to the console.
  • Operational Activity: ACL creation and updates, all operational changes in the context of DevSecOps processes and CI/CD pipelines (e.g., code build, deployment, and promotion to production).
  • Infrastructure as Code: Enable infrastructure-as-code to implement the needed guardrails to secure cloud-native services and applications (e.g., Service Control Policies (SCPs) in AWS, and Azure Policy in Azure).
  • Design and implement application-specific security patterns.
  • Design and implement patterns for new service requirements.
  • Create an archetype specification for each application type.
  • Develop operational processes to ensure that the application security patterns build upon the core security patterns.
  • Build processes that ensure the new applications utilize the core security patterns.
  • Leverage application monitoring use cases and detect pattern violations.
  • Create or simulate violations to test application monitoring capability.
  • Refine the application monitoring use cases.
  • Ensure that the processes exist to make this cloud application security process evergreen.
  • Build governance to ensure the evergreen processes have appropriate reporting capabilities.