How to Create a Cloud Security Strategy that Sells


You are a cloud-forward information security and risk expert with excellent business intelligence. On your shoulders, there is the difficult task of identifying security issues as early as possible to keep your organization's risk posture relaxed. You must collaborate with vendors, IT, and compliance teams to ensure security remains intact while business objectives are met.

You recognize the need for a risk-based security strategy in the cloud, but require buy-in and approval from key stakeholders. The challenge, therefore, is ensuring your cloud security strategy is cogent and appealing to the appropriate people.

What is the difference between them?

First, you need to know why developing and selling your cloud security strategy is critical. Then, you should know how to do it and be able to describe the benefits to your organization. You need to have a proven method of successfully implementing the strategy.

Why it's important

Moving security forward isn't easy, particularly if stakeholders consider the controls to be an obstacle to business priorities. This is why a winning strategy offers a roadmap for improving your cloud security posture and directing product development.

A successful security strategy achieves several objectives at once:

  • Serves as the building block for developing a risk-based security posture
  • Answers concerns about why and for what you need funding
  • Protects your budget moving forward
  • Creates avenues for additional funding for risk remediation
  • Identifies threats and addresses them within the strategy's framework
  • Ensures you and your team are protected in the case of a security incident
  • Demonstrates that the strategy supports business priorities

A DevSecOps mindset is creating more non-human accounts than ever before, and in turn, attacks on non-human identities are increasing significantly. Use a vendor that provides just-in-time (JIT) permissions for both human and non-human accounts. This boosts security while giving developers the access they need to deliver efficiently.

It's time to concentrate on selling your strategy to key stakeholders, with your strategy built and business-oriented opportunities in mind.

Selling your cloud security strategy

Selling a security strategy involves four essential components.

  • Developing a risk framework
  • Getting business buy-in and support
  • Building a customized control framework
  • Using the right solution(s)

Risk framework

One common strategy for identifying potential risks is to develop a risk framework. Here are four types of scenarios:

  • An external party seizes control of your system and initiates a Denial of Service (DoS)
  • An external party steals sensitive data or processes
  • An employee misuses access to mission-critical data
  • An employee leaks customer information

Each scenario requires a thorough evaluation to classify the risk's probability and impact. Develop a scoring system that helps you and your company's stakeholders quickly understand the potential outcomes.

Control mapping allows you to understand the controls required to deal with each risk. For example, if the kill chain step is gaining access to your environment and the threat is credential theft, the security control may be multifactor authentication (MFA), JIT access, or improved privileged access management (PAM).

  • Kill chain = gain access
  • Threat = credential theft
  • Controls = MFA, JIT, PAM

Once you have established the risk framework, prioritize and define the actions you need to make improvements to the risk management system.

Business buy-in

Rate each risk by its impact on business finances, customers, and reputation. Consider the following scoring system:

5 points (Rating: Very High)
  • Description: Potential existential impact
  • Reputation / Customer: An extreme impact on client relations
  • Financial: A significant and/or permanent impact on revenue generation

4 points (Rating: High)
  • Description: A severe, long-term impact
  • Reputation / Customer: A major impact on client relations
  • Financial: Reduced capacity to generate income

3 points (Rating: Moderate)
  • Description: An immediate, long-term result
  • Reputation / Customer: Material, but recoverable, impact
  • Financial: Near-term revenue loss

Then define each risk with its score, rating, and likelihood, for example:

  • Score: 5
  • Rating: Very High
  • Likelihood: The risk is almost certain to occur
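The risk framework and the scoring system above come together as a small risk register: each scenario gets a likelihood and an impact score, the product is the inherent risk, and the controls mapped to the scenario (kill chain step, threat, controls) reduce it to a residual risk that stakeholders can rank. The following is an added example written for this article, not the author's or any vendor's code. It reuses the article's 5/4/3 impact scale and its four scenarios; the 1-5 likelihood scale, the likelihood reduction assigned to each control, and the specific scores given to each scenario are constructed assumptions for illustration.

```python
"""Risk register: score scenarios, map controls, rank residual risk.

Added example, not from the original article. Impact scale (5/4/3) and the
four scenarios follow the article; likelihood scale, per-control effect and
the scores assigned below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Impact ratings taken from the article's scoring table (score -> label)
IMPACT_RATING = {5: "Very High", 4: "High", 3: "Moderate"}

# Likelihood scale (assumed): 5 = almost certain ... 1 = rare
LIKELIHOOD_RATING = {5: "Almost certain", 4: "Likely", 3: "Possible",
                     2: "Unlikely", 1: "Rare"}

# Assumed: how many likelihood points a control removes once implemented.
CONTROL_EFFECT = {"MFA": 2, "JIT": 1, "PAM": 1, "DLP": 1,
                  "DDoS mitigation": 2, "Least privilege": 1}


@dataclass
class Scenario:
    name: str
    kill_chain: str          # step the adversary must complete, e.g. "gain access"
    threat: str              # e.g. "credential theft"
    likelihood: int          # 1-5 (assumed scale)
    impact: int              # 3-5 (article's scale)
    controls: list = field(default_factory=list)  # controls mapped to the threat

    def inherent_score(self) -> int:
        """Risk before any control is considered: likelihood x impact."""
        return self.likelihood * self.impact


def residual_score(s: Scenario, implemented: set) -> int:
    """Risk after implemented controls lower the likelihood (never below 1)."""
    reduction = sum(CONTROL_EFFECT.get(c, 0) for c in s.controls if c in implemented)
    return max(1, s.likelihood - reduction) * s.impact


def prioritize(scenarios, implemented):
    """Rank scenarios by residual risk, highest first, with the rating labels."""
    rows = []
    for s in scenarios:
        rows.append({
            "scenario": s.name,
            "kill_chain": s.kill_chain,
            "threat": s.threat,
            "impact": IMPACT_RATING[s.impact],
            "likelihood": LIKELIHOOD_RATING[s.likelihood],
            "inherent": s.inherent_score(),
            "residual": residual_score(s, implemented),
        })
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"]))
    return rows


def control_gaps(scenarios, implemented):
    """Controls mapped to some scenario but not yet implemented (the funding ask)."""
    needed = {c for s in scenarios for c in s.controls}
    return sorted(needed - implemented)


# The article's four scenarios; scores and control mappings are constructed.
SCENARIOS = [
    Scenario("External party steals sensitive data", "gain access",
             "credential theft", likelihood=4, impact=5, controls=["MFA", "JIT", "PAM"]),
    Scenario("External party initiates a DoS", "disrupt service",
             "volumetric DoS", likelihood=3, impact=4, controls=["DDoS mitigation"]),
    Scenario("Employee misuses access to critical data", "abuse privilege",
             "insider misuse", likelihood=2, impact=4, controls=["JIT", "PAM"]),
    Scenario("Employee leaks customer information", "exfiltrate data",
             "data leakage", likelihood=3, impact=5, controls=["DLP", "Least privilege"]),
]

if __name__ == "__main__":
    done = {"MFA", "JIT"}
    for row in prioritize(SCENARIOS, done):
        print(f"{row['residual']:>3} (inherent {row['inherent']:>2})  {row['scenario']}"
              f"  [{row['kill_chain']} / {row['threat']}]")
    print("Control gaps to fund:", control_gaps(SCENARIOS, done))
```

Running it with only MFA and JIT in place shows why the ranking matters to the sales pitch: credential theft drops from the top of the list to near the bottom, while data leakage, which none of the implemented controls touches, becomes the highest residual risk and the clearest argument for the next budget line.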

Control frameworks

Adopt one or several of the available security control frameworks. Doing so gives your strategy control checklists that support stakeholder buy-in, and it provides a crucial benchmark for maintaining a strong cloud security posture.

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • SANS Top 20 Critical Controls
  • ISO 27001 Information Security Management Systems (ISMS)
  • Cloud Security Alliance (CSA) Matrix

Choose the right solution

Your objectives include selecting the appropriate solution(s) for your cloud security strategy.

  • Where are you on your cloud journey?
    • Do you use an on-premise data center and are looking to move to the cloud?
      • Will you maintain a hybrid cloud (on-premise and cloud) environment?
      • Will you adopt a multi-cloud hybrid environment?
    • Are you All-in-Cloud?
      • Do you use a single cloud environment?
      • Will you adopt a multi-cloud environment?

Regardless of where you are on your cloud journey, your strategy should address today's challenges and plan for the security risks still to come.

The widespread adoption of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) tools, as well as software-as-a-service (SaaS) applications, has accelerated IT operations and application development. With the resulting proliferation of cloud identities and privileges, managing developers as well as their users has become difficult.

It is difficult in the long run to continue managing identities in password-protected Excel spreadsheets, which is common practice with many security operations (secops) and devops teams. Instead, ensuring the security of privileged access in a complex multi-cloud environment will require a fresh approach and new security tools.

Every day, the dynamic nature of the cloud brings changes to administration and configuration tools. Each change comes with a new set of features and functionality that must be integrated into existing security tools. However, administrators and auditors lack adequate visibility into who has a specific level of access to each platform. Here are eight (8) good practices to look for in a platform solution:

  • Grant cloud privileges JIT
  • Assign privileges based on policy
  • Drastically reduce standing privileges for human and nonhuman identities
  • Integrate single sign-on (SSO) or MFA
  • Extend identity and governance administration (IGA)
  • Feed UEBA / SIEM with privileged cloud activity
  • Cross-cloud visibility and reporting
  • Holistic, cloud-native platform
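Several of the practices above (granting privileges JIT, assigning them by policy, removing standing privileges, requiring MFA, and feeding privileged activity to a SIEM or UEBA) can be shown together in a minimal access broker. The following is an added example written for this article; it is not the author's, the vendor's, or any product's code. The policy rules, identities, cloud names, and privilege strings are constructed, and the broker holds its state in memory purely for illustration.

```python
"""Minimal JIT privilege broker (added example, not from the original article).

Policies, identities, clouds and privilege names below are constructed.
Every request and expiry produces an audit record of the kind a SIEM/UEBA
would ingest; no identity holds a privilege outside an active grant.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    role: str              # human or non-human identity role allowed to request
    cloud: str
    privilege: str
    max_ttl_minutes: int   # ceiling on grant lifetime, whatever is requested
    requires_mfa: bool


# Constructed policy table: roles, clouds and privileges are illustrative.
POLICIES = [
    Policy("developer", "aws", "s3:ReadWrite", max_ttl_minutes=60, requires_mfa=True),
    Policy("ci-pipeline", "aws", "ecr:Push", max_ttl_minutes=15, requires_mfa=False),
    Policy("developer", "gcp", "compute.instanceAdmin", max_ttl_minutes=30, requires_mfa=True),
]


@dataclass
class Grant:
    identity: str
    cloud: str
    privilege: str
    expires_at: datetime


class JitBroker:
    def __init__(self, policies):
        self.policies = policies
        self.grants = []   # only time-bounded grants; there are no standing privileges
        self.audit = []    # records to forward to SIEM/UEBA

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request(self, identity, role, cloud, privilege, ttl_minutes, mfa_verified, now):
        """Grant a privilege only if a policy allows it; clip TTL to the policy ceiling."""
        policy = next((p for p in self.policies
                       if p.role == role and p.cloud == cloud and p.privilege == privilege), None)
        if policy is None:
            self._log("jit.denied", identity=identity, cloud=cloud,
                      privilege=privilege, reason="no matching policy")
            return None
        if policy.requires_mfa and not mfa_verified:
            self._log("jit.denied", identity=identity, cloud=cloud,
                      privilege=privilege, reason="mfa required")
            return None
        ttl = min(ttl_minutes, policy.max_ttl_minutes)
        grant = Grant(identity, cloud, privilege, now + timedelta(minutes=ttl))
        self.grants.append(grant)
        self._log("jit.granted", identity=identity, cloud=cloud, privilege=privilege,
                  ttl_minutes=ttl, expires_at=grant.expires_at.isoformat())
        return grant

    def active_privileges(self, identity, now):
        """Cross-cloud view of what an identity can do right now."""
        return sorted(f"{g.cloud}:{g.privilege}" for g in self.grants
                      if g.identity == identity and g.expires_at > now)

    def expire(self, now):
        """Revoke expired grants and record each revocation; returns the count."""
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self._log("jit.expired", identity=g.identity, cloud=g.cloud, privilege=g.privilege)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return len(expired)


if __name__ == "__main__":
    broker = JitBroker(POLICIES)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker.request("alice", "developer", "aws", "s3:ReadWrite", 240, mfa_verified=True, now=t0)
    broker.request("build-bot", "ci-pipeline", "aws", "ecr:Push", 10, mfa_verified=False, now=t0)
    print(broker.active_privileges("alice", t0))
    broker.expire(t0 + timedelta(minutes=61))
    for record in broker.audit:
        print(record)
```

Two properties are worth pointing out to stakeholders when you demo something like this: the requested four-hour window for alice is silently clipped to the policy's one-hour ceiling, and the audit trail shows the grant, the expiry, and every denial with a reason, which is exactly the privileged cloud activity an auditor asks for and a SIEM can alert on.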

Risk should be the cornerstone

Risk assessment is critical to your organization, and when it comes to building and selling your cloud security strategy, risk should be the foundation.

Keep your strategy simple, visual, and based on established best practices and frameworks.

You will need buy-in to successfully sell your strategy to key stakeholders. Demonstrate how your strategy improves your security posture and facilitates business priorities, for example: "Because we have provided JIT permissions for human and non-human identities, developers can access the tools they need quickly and safely. This strengthens our posture and accelerates velocity."

Next steps

The first step is identifying team members with whom you can organize a security risk group. Then, list relevant risk scenarios and adopt a risk tolerance strategy that is tailored to your needs and risks. Finally, with an understanding of each department's priorities and the risks they encounter, develop your strategy overview and make plans to incorporate control scores, risk images, and desired results.

Building and selling a successful cloud security strategy is not easy. However, these recommendations will help you understand the contexts of your organization's business security priorities.

Art Poghosyan is the CEO of British Columbia.
