Quantifying the Cloud Security Readiness

Aashish Naik
4 min read · Sep 7, 2019


Extending the Practitioner’s guide to Cloud Resources

Image Credits: warner connect

Is Our Cloud Secure?

With the myriad of breaches [3], the biggest question CISOs, VPs, managers, infosec professionals, IT and DevOps teams are asking is: have we done enough to secure our cloud resources? Security is very subjective, and whatever you do is never enough. Additionally, implementing security tools and controls is very expensive, often a multi-million dollar initiative, so what is enough security?

Different organizations have different definitions of security. For example, a bank’s security definition may be very different from a healthcare provider’s, and the security definition for a food delivery service will be different from that of an automaker or a retailer. We therefore need a methodology to define the security posture for an organization and a way to measure it against a scale.

Cyber security Frameworks

There are several cyber security frameworks and compliance frameworks. The top 4 frameworks are as follows: [2]

  • PCI DSS (47%)
  • ISO 27001/27002 (35%)
  • CIS Critical Security Controls (32%)
  • NIST Framework for Improving Critical Infrastructure Security (29%)

Choosing the right framework to define your company’s security posture is an expensive art, and it depends on your business sector, your customers, your stakeholders’ risk appetite, and the resources and skills available to you. For a startup or a new cloud adoption, you can start with a minimum security framework and grow from there, or work towards certifications if you are heading for an IPO or are a larger corporation. You can define your company’s security posture by borrowing best practices from multiple frameworks such as NIST, CIS and cloud-provider best practices. Depending on which framework you choose, the cost will vary with the complexity of the implementation.

Translating the security posture to quantifiable actions

The security posture derived from a cyber security framework is a dry, multi-page legal document with several security controls, procedures and remediation steps. It is a very subjective document and open to interpretation. It is a rulebook, and adherence to it is very difficult to quantify.

In my previous blog, Practitioner’s guide to Cloud Cyber Security, I introduced the Cyber Security Web and the types of security defenses. The following steps map the security posture of your organization to concrete actions that implement the controls and let you quantify adherence.

Step 1: Choose a cloud resource

To demonstrate this methodology, we will take the AWS resource S3.

Step 2: Define the security posture

We will define our company’s security posture based upon the Security Best Practices for Amazon S3 [1].

For example, the security posture will look like:

1. Implement least privilege access

2. Consider encryption of data at rest

3. Enforce encryption of data in transit

4. Enable versioning

Step 3: Create the Cyber security framework security scorecard

From the Practitioner’s guide to Cloud Cyber Security, create an empty scorecard.

Rows are security risk levels 1–4 and columns are the types of security defenses.

Step 4: Map the security posture to the scorecard

From step 2, categorize each security control into a risk level (1–4) and a type of security defense.

Step 5: Publish the scorecard

Repeat the steps for all the cloud resources, such as RDS, EC2, EKS and VPC, for each of your cloud projects or accounts. Assign points to each security control to build a security scorecard for your cloud implementation.
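As an added worked example (not code from the original post, nor from AWS), here is what Steps 1 to 5 look like in Python for the S3 posture above: the four controls are each mapped to a risk level and a defense type, evaluated against a bucket configuration, and rolled up into the risk-level by defense-type scorecard. The defense-type column names, the risk-level and defense-type mapping and the point values are assumptions, since the post leaves them to the reader. The two bucket snapshots are constructed test data shaped like the boto3 `get_bucket_versioning`, `get_bucket_encryption` and `get_bucket_policy` responses; nothing here talks to AWS.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed scorecard axes: rows are risk levels 1-4 as in the post; the column
# names are an assumption (the post defers the defense types to the earlier guide).
RISK_LEVELS = [1, 2, 3, 4]
DEFENSE_TYPES = ["preventive", "detective", "corrective"]


@dataclass
class Control:
    name: str
    risk_level: int                  # 1 (low) .. 4 (critical); scale direction assumed
    defense_type: str
    points: int                      # assumed weight used for the score
    check: Callable[[dict], bool]    # True when the control is in place


def _statements(bucket: dict) -> List[dict]:
    """Parse the bucket policy (kept as the JSON string get_bucket_policy returns)."""
    stmts = json.loads(bucket.get("Policy", '{"Statement": []}')).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def least_privilege(bucket: dict) -> bool:
    """No Allow statement grants access to an anonymous (wildcard) principal."""
    return not any(s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
                   for s in _statements(bucket))


def encryption_at_rest(bucket: dict) -> bool:
    """Default server-side encryption is configured on the bucket."""
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in r for r in rules)


def encryption_in_transit(bucket: dict) -> bool:
    """A Deny statement rejects requests where aws:SecureTransport is false."""
    for s in _statements(bucket):
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if s.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def versioning(bucket: dict) -> bool:
    return bucket.get("Versioning", {}).get("Status") == "Enabled"


# Steps 2 and 4: the four S3 controls from the post, each mapped to a risk level,
# a defense type and a point value (the mapping and the points are assumptions).
S3_CONTROLS = [
    Control("Implement least privilege access", 4, "preventive", 40, least_privilege),
    Control("Consider encryption of data at rest", 3, "preventive", 20, encryption_at_rest),
    Control("Enforce encryption of data in transit", 3, "preventive", 20, encryption_in_transit),
    Control("Enable versioning", 2, "corrective", 10, versioning),
]


def build_scorecard(controls: List[Control], bucket: dict) -> Dict[int, Dict[str, Tuple[int, int]]]:
    """Steps 3 and 5: rows = risk level, columns = defense type, cell = (earned, possible)."""
    card = {lvl: {d: (0, 0) for d in DEFENSE_TYPES} for lvl in RISK_LEVELS}
    for c in controls:
        earned, possible = card[c.risk_level][c.defense_type]
        got = c.points if c.check(bucket) else 0
        card[c.risk_level][c.defense_type] = (earned + got, possible + c.points)
    return card


def total_score(card) -> Tuple[int, int]:
    earned = sum(e for row in card.values() for e, _ in row.values())
    possible = sum(p for row in card.values() for _, p in row.values())
    return earned, possible


def failed_controls(controls: List[Control], bucket: dict) -> List[str]:
    """The hot spots: controls whose check does not pass for this bucket."""
    return [c.name for c in controls if not c.check(bucket)]


def render(card) -> str:
    """Plain-text scorecard, one row per risk level, earned/possible per cell."""
    lines = ["risk  " + "  ".join(f"{d:>11}" for d in DEFENSE_TYPES)]
    for lvl in RISK_LEVELS:
        lines.append(f"{lvl:<5} " + "  ".join(f"{e:>5}/{p:<5}" for e, p in card[lvl].values()))
    return "\n".join(lines)


# Constructed snapshots (shaped like boto3 get_bucket_* responses; not real buckets).
HARDENED_BUCKET = {
    "Versioning": {"Status": "Enabled"},
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}
WEAK_BUCKET = {  # versioning on, but public read, no default encryption, no TLS enforcement
    "Versioning": {"Status": "Enabled"},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}

if __name__ == "__main__":
    for name, bucket in [("hardened", HARDENED_BUCKET), ("weak", WEAK_BUCKET)]:
        card = build_scorecard(S3_CONTROLS, bucket)
        print(f"== {name}: {total_score(card)} ==")
        print(render(card))
        print("missing:", failed_controls(S3_CONTROLS, bucket))
```

Running it prints one scorecard per snapshot: the hardened bucket scores 90/90, while the weak bucket scores 10/90 and lists the three missing controls, which is exactly the "hot spot" view the conclusion describes. Adding another resource (RDS, EC2, VPC) means writing its check functions and appending its controls to the same list; the scorecard logic does not change.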

Conclusion:

Once you have built out a scorecard, it gives you an easy-to-view dashboard for understanding the security risks and hot spots you can focus on mitigating to enhance cloud security. You can continue to tune your security posture to be more or less stringent based on your risk profile and budgetary restrictions. The scorecard can be a very good visualization tool for strategically investing in areas that are considered high risk.

References:

  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
  2. https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks
  3. https://www.techrepublic.com/article/the-largest-cybersecurity-breaches-of-the-past-three-years-and-their-effects-on-companies/
