What you can do to develop a cloud security strategy that sells


As the head of an IT risk and data security team, you are responsible for maintaining security while meeting business goals. It falls to you to identify and investigate security issues as early as possible.

You recognize the necessity of developing a risk-based security strategy in the cloud, but you need buy-in and approval from key stakeholders. This means you must ensure your cloud security strategy is cogent and appealing to the right people.

What is the problem?

First, you need to understand why developing and selling your cloud security strategy is critical. Then you must know how to do it and be able to highlight the benefits to your organization. You'll also need a proven method for developing the strategy.

Why it's important

Moving security forward is not easy, particularly if stakeholders see the controls as an obstacle to their business goals. That's why a winning strategy gives you a roadmap for improving your cloud security posture and driving product development.

A successful security strategy achieves several objectives:

  • Serves as the building block for developing a risk-based security posture
  • Answers concerns about why you need funding and for what
  • Protects your budget going forward
  • Creates avenues for additional funding for risk remediation
  • Identifies threats and addresses them within the strategy's framework
  • Ensures you and your team are protected in the case of a security incident
  • Demonstrates that the strategy supports business priorities

At the same time, cloud-forward businesses are shifting significantly toward non-human accounts. People need to be aware of the access restrictions that apply to those accounts, without the restrictions limiting your ability to protect them. Look for a vendor that offers just-in-time (JIT) authorization for both human and non-human accounts. This increases security while giving developers the access they need to deliver effectively.

It's time to focus on selling your strategy to key stakeholders, built around business-oriented goals.

Selling your cloud security strategy

Selling a security strategy involves four critical components:

  • Developing a risk framework
  • Getting business buy-in and support
  • Building a customized control framework
  • Using the right solution(s)

Risk framework

Building a risk framework begins with risk identification. Here are four common scenarios:

  • An external party seizes control of your system and initiates a Denial of Service (DoS)
  • An external party steals sensitive data or processes
  • An employee misuses access to mission-critical data
  • An employee leaks customer information

Each scenario requires a thorough evaluation to assess and classify the likelihood and impact of the risk. Develop a scoring system that helps you and your company's stakeholders prepare for unexpected outcomes.

Control mapping simplifies the steps necessary to manage risks. For example, if the kill-chain stage is gaining access to your environment and the threat is credential theft, the security controls may be multi-factor authentication (MFA), JIT, or improved privileged access management (PAM).

  • Kill chain = gain access
  • Threat = credential theft
  • Controls = MFA, JIT, PAM

Once you have established the risk framework, prioritize and define the initiatives that are required to improve risk management.

Business buy-in

Assign each risk and its downside to business finances, customers, and reputation. Consider the following scoring method:

5 points

Rating: Very High

Description: Possible existential impact

Reputation / Customer: An extreme impact on client relations

Financial: A significant and/or permanent impact on revenue creation

4 points

Rating: High

Description: A grave and long-term impact

Reputation / Customer: A major impact on client relations

Financial: Reduced capacity to generate income

3 points

Rating: Moderate

Description: A severe, long-term impact

Reputation / Customer: A material, but recoverable, impact

Financial: Near-term income loss

Then assign each identified risk a score for your organization, such as:

  • Score: 5
  • Rating: Very High
  • Likelihood: The risk is almost certain to occur

Control frameworks

Adopt one or more of the available security control frameworks. They give your strategy control checklists that support stakeholder buy-in, and they serve as a critical benchmark for maintaining a strong cloud security posture:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • SANS Top 20 Critical Controls
  • ISO 27001 Information Security Management Systems (ISMS)
  • Cloud Security Alliance (CSA) Matrix

Choose the right solution

Most decisions about your cloud security strategy depend on your objectives and on where you are on your cloud journey:

  • Where are you on your cloud journey?
    • Do you use an on-premise data center and are looking to move to the cloud?
      • Will you maintain a hybrid cloud (on-premise and cloud) environment?
      • Will you adopt a multi-cloud hybrid environment?
    • Are you All-in-Cloud?
      • Do you use a single cloud environment?
      • Will you adopt a multi-cloud environment?

Regardless of where you are on your cloud journey, your strategy should address today's challenges and plan for the security challenges ahead.

Infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) have all accelerated IT operations and application development. The result has been a massive proliferation of cloud identities and privileges for app developers and their users, which has proven challenging to manage and secure.

It is not sustainable in the long term to keep managing identities in password-protected Excel spreadsheets, as many security operations (SecOps) and DevOps teams still do. Securing privileged access in a complex multi-cloud environment requires a fresh mindset as well as new security tools.

The dynamic nature of the cloud brings daily change to administration and configuration tools, each with features and capabilities that must be understood and integrated into existing security tools. With that in mind, there are eight best practices to look for in a platform solution:

  • Grant cloud privileges just in time (JIT)
  • Assign privileges based on policy
  • Drastically reduce standing privileges for human and non-human identities
  • Integrate single sign-on (SSO) or MFA
  • Extend identity governance and administration (IGA)
  • Feed UEBA / SIEM with privileged cloud activity
  • Provide cross-cloud visibility and reporting
  • Run as a holistic, cloud-native platform
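
The following is an added example, not code from the original article or from any vendor it describes. It models the first three practices above plus the SIEM feed: a broker that holds no standing privileges, checks each request against a per-identity policy, issues time-bound grants that expire on their own, and records every decision for UEBA / SIEM ingestion. All identities, roles and policy values in it are constructed for illustration.

```python
"""Model of a just-in-time (JIT) privilege broker: no standing roles, grants
checked against policy, time-bound, and every decision logged for the SIEM.
All identities, roles and policy values below are constructed examples."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy: which identity (human or non-human) may request which role, for how long at most.
POLICY = {
    "alice@example.com": {"roles": {"s3-reader", "rds-admin"}, "max_minutes": 60},
    "svc-deploy-bot": {"roles": {"ecs-deployer"}, "max_minutes": 15},
}

@dataclass
class JitBroker:
    policy: dict
    grants: list = field(default_factory=list)  # only active, time-bound grants
    audit: list = field(default_factory=list)   # decision events to forward to SIEM / UEBA

    def request(self, identity, role, minutes, now):
        """Grant `role` to `identity` for `minutes` if policy allows; log the decision."""
        rule = self.policy.get(identity)
        allowed = (rule is not None and role in rule["roles"]
                   and 0 < minutes <= rule["max_minutes"])
        self.audit.append({"ts": now.isoformat(), "identity": identity, "role": role,
                           "minutes": minutes, "decision": "grant" if allowed else "deny"})
        if not allowed:
            return None
        grant = {"identity": identity, "role": role, "expires_at": now + timedelta(minutes=minutes)}
        self.grants.append(grant)
        return grant

    def has_access(self, identity, role, now):
        # Expired grants are purged on every check, so nothing silently becomes standing.
        self.grants = [g for g in self.grants if g["expires_at"] > now]
        return any(g["identity"] == identity and g["role"] == role for g in self.grants)

def demo():
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(POLICY)
    ok = broker.request("alice@example.com", "rds-admin", 30, now)
    too_long = broker.request("svc-deploy-bot", "ecs-deployer", 120, now)  # over max_minutes
    wrong_role = broker.request("svc-deploy-bot", "rds-admin", 5, now)     # role not in policy
    return {
        "granted": ok is not None,
        "denied": (too_long is None, wrong_role is None),
        "access_at_29m": broker.has_access("alice@example.com", "rds-admin", now + timedelta(minutes=29)),
        "access_at_31m": broker.has_access("alice@example.com", "rds-admin", now + timedelta(minutes=31)),
        "decisions": [e["decision"] for e in broker.audit],
    }
```

The audit list is the record a SIEM would consume: a run of "deny" events for one identity, or grants at unusual hours, is exactly the privileged cloud activity the best practices say to feed to UEBA.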

Risk should be the cornerstone

Risk assessment is crucial to your organization, and when it comes to building and selling your cloud security strategy, risk should be the cornerstone.

Be sure to keep your strategy simple, visual, and focused on established best practices and frameworks.

You will need buy-in to successfully sell your strategy to key stakeholders. Demonstrate how your security posture improves and supports business priorities, for example: "Because we have established JIT authorization for human and non-human identities, developers can safely obtain the access they need in real time. This strengthens our posture and accelerates velocity."

Next steps

The first step is identifying the team members with whom you can form a security risk group. Then list the relevant risk scenarios and adopt a risk framework customized to your needs and risk tolerance. Finally, with an understanding of the departments' priorities and their security risks, you can develop your strategy overview and plan to include control scores, risk pictures, and desired outcomes.

Building and selling a successful cloud security strategy isn't easy. However, the recommendations above will help you meet the challenges of your business's security needs.

Art Poghosyan is the CEO of British Airways.
