Teri Radichel


Governance Foundations in the Cloud

Getting security controls in place from the ground up


One of my posts on Cloud Governance.

Last week I wrote a bit about cloud governance. This week I’ve been revamping my cloud security class. That includes rearranging the content a bit because I want to provide a more comprehensive solution. That starts with actually building your account the right way from the ground up. That involves both understanding what tools are available and how to use them effectively.

Beyond simply talking about the tools, it’s helpful to have someone walk you through setting them up correctly. That’s something I’ll be doing more extensively in my class revisions. I’ve been at organizations where effective governance did not exist for over two years. I’ve also worked at an organization where I architected and oversaw a team that implemented governance from the ground up. I’d like to help companies do the latter and more quickly by providing concrete information you can immediately take back and use.

Cloud Governance Tools

Whether you use AWS, Azure, or Google Cloud Platform (GCP), the cloud providers give you a lot of guidance on governance. Many tools exist to help ensure that people are following your internal and external rules. Here are some (not all) of the tools you may want to employ as you get started with your account architecture at the organizational level. That’s before we even get into encryption, networking, and application security.

AWS offers Control Tower, Organizations, Service Control Policies, IAM Policies, Resource Policies, Trust Policies, SSO, Organizational Units, AWS Service Catalog, CloudTrail, CloudWatch, SecurityHub, Audit Manager, Resource Access Manager, Tags, the Well-Architected Framework, and other organizational-level security controls.

Azure offers Azure AD, role-based access control (RBAC), Organizational Units, Management Groups, Subscriptions, Policy, Security Center, Monitor, Blueprints, Resource Manager, Managed Applications, tags, and other organizational-level and automation tools to help ensure your configurations comply with internal and regulated security rules.

Google Cloud Platform (GCP) governance includes Resource Manager, Organizations, Projects and Folders with permissions managed by Cloud IAM, Policies, Anthos Config Management, Security Command Center, Labels, and blueprints, to name a few of the features and services that can help with governance.

Data Governance

Moving beyond the cloud platform controls, organizations need to consider data governance. How do you track where your data lives, why it exists, when it should be deleted, who should have access to it, and how it is protected?

Governance in your CI/CD Pipeline

The other part of governance organizations need to consider is the set of rules around software and cloud infrastructure deployments. How do you ensure something unwanted gets prevented before it gets into your cloud? Automation and a well-architected deployment pipeline are key to preventing unwanted cloud configurations, in addition to the architecture and implementation of cloud infrastructure itself.
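As an added illustration (not code from this post or the class), here is one way a pipeline stage could turn the data governance questions above into a blocking check before deployment. The resource format, tag names, and allowed regions are assumptions made up for this example, and the sample plan is constructed.

```python
from datetime import date

# Assumed organizational rules (hypothetical values for this example).
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}          # where data may live
REQUIRED_TAGS = ("owner", "purpose", "delete-after")  # who, why, when deleted

# Constructed sample of what a pipeline might extract from a deployment plan.
SAMPLE_PLAN = [
    {"name": "billing-archive", "region": "us-east-1", "encrypted": True,
     "tags": {"owner": "finance-team", "purpose": "invoice retention",
              "delete-after": "2028-01-01"}},
    {"name": "scratch-export", "region": "eu-west-1", "encrypted": False,
     "tags": {"owner": "data-eng", "delete-after": "soon"}},
]


def check_resource(res):
    """Return a list of governance violations for one data store."""
    problems = []
    tags = res.get("tags") or {}
    for key in REQUIRED_TAGS:
        if not str(tags.get(key, "")).strip():
            problems.append(f"missing tag: {key}")
    expiry = tags.get("delete-after")
    if expiry:
        try:
            date.fromisoformat(str(expiry))  # deletion date must be parseable
        except ValueError:
            problems.append("delete-after is not an ISO date")
    if res.get("region") not in ALLOWED_REGIONS:
        problems.append(f"region not allowed: {res.get('region')}")
    if res.get("encrypted") is not True:  # how the data is protected
        problems.append("encryption not enabled")
    return problems


def gate(plan):
    """Map each non-compliant resource name to its violations."""
    report = {}
    for res in plan:
        problems = check_resource(res)
        if problems:
            report[res.get("name", "<unnamed>")] = problems
    return report


if __name__ == "__main__":
    report = gate(SAMPLE_PLAN)
    for name, problems in report.items():
        print(f"BLOCK {name}: " + "; ".join(problems))
    raise SystemExit(1 if report else 0)  # non-zero exit fails the pipeline
```

The same checks can run again on deployed resources after release, so that the pipeline gate and post-deployment monitoring enforce one rule set.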

Monitoring After Deployment

Though you can try to prevent non-compliant configurations, software, and data from entering your cloud production environment, they may still get there. Security, governance, and risk-management teams need a way to monitor for non-compliant configurations, systems, actions, and data. They also need to react quickly to resolve any issues. That could include auto-remediation. When budgeting for and architecting cloud environments and applications, organizations need to consider the tools and processes that must be in place for monitoring deployments.

Building Governance In From the Ground Up

The problem many organizations face is that governance is an afterthought. The best approach is to get governance built into your architecture from the start. Trying to tack on governance after the fact will be time-consuming. It also has a high potential to leave gaps if not implemented correctly. Although getting governance in from the start is ideal, we’ll still have cases where an organization needs to add governance and security controls after the fact. This class will address that scenario as well.

Getting a Running Start

Although there’s a lot of documentation, it can take a lot of time to read it all and apply it. Having someone who’s done it before walk you through can help you get up and running faster. That’s what my new class aims to do. If you are an individual interested in signing up for this new class when it becomes available, please follow this blog for updates. For organizations with ten or more students, you can reserve a spot in advance. Contact me on LinkedIn to find out how to schedule a class. You can also schedule a security consulting call with me through IANS Research if you need immediate guidance.


Teri Radichel | © 2nd Sight Lab 2021
