EXECUTIVE BRIEF
Isaac Kinsella
Research Specialist, Security, Risk & Compliance
Info-Tech Research Group
Your cloud security architecture needs to be strategic, realistic, and based on risk.
The NIST approach to cloud security is to include everything security related in your cloud architecture before it can be deemed secure. However, you can still have a robust and secure cloud architecture by using a risk-based approach to identify the necessary controls and mitigating services for your environment: start from the risks your workloads actually carry, then select the controls that address them.
Info-Tech Research Group | 3
Proper cloud security is a balancing act of responsibility

Cloud security will be a top priority – let your security reflect that importance.

75% of all enterprise software will be primarily cloud based by 2030. (Source: BVP, 2020)

The cloud is becoming more and more accessible and prevalent as a business enabler. The cloud transition can bring tremendous value; however, it can also bring additional unforeseen risks. Access to new services and capabilities can be a game changer for organizations of all kinds. But, as with any change, there is an element of risk, and IT needs to take steps to ensure that any cloud deployments meet security standards.

The challenge for IT security professionals becomes enabling access to the features and capabilities that cloud services can provide without putting the organization at undue risk. Swing too far in either direction, and the cloud deployment will not succeed – either through over-encumbrance or failure to mitigate crucial security risks.
Cloud security is a top priority for IT in 2020
Having the architecture to properly maintain your cloud

[Bar chart: Top-Ranked Security Priorities for 2020. Vertical axis: number of respondents, 0 to 250. Bar labels, as far as recoverable from the chart residue: Cloud security; Security awareness training; Email security; Security risk management; Firewalls; Next-generation firewalls; Security culture; Internet of Things security; Threat intelligence; Identity; Insider threat; Organizational design; Privacy regulation; Robotic process automation; DevSecOps; Compliance; Vendor management; None of the above (specify others).]
What’s holding back cloud adoption?
While cloud adoption may be a top priority, concerns over data security are
holding back cloud deployments.
1. A structured approach to understanding the relevant controls, risks, and mitigating services in the cloud.
2. A dynamic tool set that responds to your unique environment and is customized to your cloud movements.
3. Visually appealing templates to communicate and socialize the components of

Cloud Security Reference Model (controls by layer, grouped by implementation complexity; an entry marked "– API" is the API-delivered variant of the same control)

High Complexity
• Threats: Application Code Review; Application Code Review – API; Security Incident Management; Managed Detection Response; SOAR; Log Collection / SIEM; Log Collection / SIEM – API
• Firewalls: Secure Access Service Edge (SASE)
• Endpoints: DLP – Endpoint; Data Loss Prevention; DLP – API Security; Virtualization – VDI Security; Virtualization Security; Virtualization
• Identity: Privileged Access Management

Medium Complexity
• Threats: Threat Intel Services; Unified Threat Management; Cloud Access Security Broker
• Firewalls: IPS / IDS / IDPS; Access Control List; Application Segmentation
• Endpoints: VPN Client; Endpoint Detection Response
• Identity: IAM – Directory / Federated Svc; IAM – Role-Based Access

Low Complexity
• Threats: Patch Management; E-Mail Security Gateway
• Firewalls: Network Firewall – API
• Endpoints: Endpoint Protection; Endpoint Protection – API
• Identity: IAM – Multi-Factor Authentication; IAM – Single Sign-On

Cross-cutting: Metrics / Reporting / Visualizations; API Layer

Admin Layer
• Asset Management / Change Management / Configuration Management / Service Desk / Software Development Life Cycle
• Documentation Library – Policies, Standard Operating Procedures, Knowledge Bases, BCP / DRP
• Governance / Risk / Compliance, Data Governance, Legal, HR Security, Audit, Risk Management
Info-Tech’s methodology for cloud security architecture

Phase 1 steps: 1. Cloud Workload Plan; 2. Cloud Suitability Questionnaire; 3. Cloud Risk Assessment; 4. Cloud Risk & Suitability Analysis
Phase 2 steps: 1. “A” Environment Analysis; 2. “B” Environment Analysis; 3. “C” Environment Analysis; 4. Prioritized Security Controls; 5. Effort & Risk Dashboard
Phase 3 steps: 1. Cloud Security Architecture Archive Document; 2. Cloud Security Architecture Reference Model Mapping
Phase 4 steps: 1. Cloud Security Strategy Considerations; 2. Cloud Security Architecture Communication Deck
Callouts (partially recovered):
• “… based on your risks and business attributes and optimize it from there.”
• “… are. … still have security based on responsibilities to address.”
• “Consider the full spectrum of security including both processes and technologies.”
• “… securing your most critical assets. Use our reference model to determine a launch point.”
Your security depends on your deployment model
The cloud isn’t a singular entity. Your cloud security architecture should consider the differences between the service models, and in particular the service levels that are most relevant to you.

Understand the driving force for your move
Ask yourself what the cloud will accomplish that will make this deployment worthwhile. What is the problem you’re trying to address, and has security been a part of that consideration?
Resource Pooling
Resources are shared among cloud customers, though tenants are functionally walled off from one another. That isolation is implemented by the provider; your architecture inherits it rather than controls it.
Rapid Elasticity
The ability to spin capacity up and down as needed, with the “pay as you go” cost model following that usage.
Measured Service
Cloud providers meter usage and charge with granularity appropriate to the service model.
• IT can determine whether moving to the cloud is appropriate for their needs.
• IT will have control and visibility over the environment and the specific controls and risks that will need to be mitigated.
• IT will no longer have to disallow certain applications and services because they are cloud based.
• Access to cloud-based services opens up worlds of productivity not available to those confined on premises. A number of new tools, including productivity suites, ITSM, and ERP, are cloud exclusive.
• Line of business managers can be confident of their move to the cloud having considered both the risk and effort involved in the deployment.
• Determine whether the move to the cloud is even warranted; depending on the workloads you are trying to move, moving to the cloud may be unrealistic.
• Gain an in-depth understanding of the governance aspects of cloud security and interconnectivity.
• Know which services are appropriate for you to implement based on your environmental risks.
Iterative benefit
Over time, experience incremental value from knowing the
components of your architecture. Through continual updates, your
architecture will evolve but with less associated effort and time
Phase 1: Discovery & Assessment
Phase 2: Business-Critical Workload Analysis – 1-5 people, 2-3 days. Create multiple 3- to 4-hour meetings to work through the environment analysis tool. Elapsed time 4-8 weeks. High value.
Phase 3: Cloud Security Architecture Mapping – 1-2 people, 1-2 days. 1-8 hours of security management’s time to map the security services. Elapsed time 1-2 weeks. High value.
DIY Toolkit
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks are used throughout all four options.
Day 1
Activities: 1.1 Workload Deployment Plan; 1.2 Cloud Suitability
Deliverables: 1. Determining your workload deployment plan; 2. Determining the suitability of the cloud for your workloads; 3. Risk assessment of workloads; 4. Overview of cloud suitability

Day 2
Activities: 2.1 “A” Environment Analysis; 2.2 “B” Environment Analysis
Deliverables: 1. NIST 800-53 Control Mapping for all three environment levels; 2. Prioritized security controls for your environment; 3. Paired security services to mitigate cloud risks; 4. Effort and Risk Dashboard

Day 3
Activities: 3.1 Cloud Security Control Mapping
Deliverables: 1. Cloud Security Architecture Archive Document with documented security controls and risks; 2. Completed Cloud Security Architecture Reference Model

Day 4
Activities: 4.1 Cloud Security Strategy Considerations
Deliverables: 1. Consider additional security considerations for the Architecture Communication Deck; 2. Start and/or finish Cloud Security Architecture Communication Deck

Day 5
Activities: 5.1 Complete in-progress deliverables from the previous four days
Deliverables: 1. Complete Cloud Security Architecture Communication Deck
Executive Brief
Case Study
Industry: Streaming Services
Source: Cloud Security Alliance, Sept. 2020

Disney+
Disney+ suffered a breach of its services back in March 2020. External attackers used credential stuffing, replaying username and password pairs leaked from earlier, unrelated breaches, to hijack several Disney+ accounts and put them up for sale on the black market. The listings included not only customers’ login credentials but their network and device types as well. Because a single account and set of credentials also served pre-existing Disney Store and theme park accounts, one compromised login was worth far more than in a standard breach.

Subsequently, thousands of users were locked out of their accounts, and those accounts were put up for sale by the attackers. Although Disney’s stock price did not drop immediately at the launch of the new platform, a breach of credentials this early in a service’s life can be a deterrent for stakeholders and potential customers. Additionally, the breach exposed PII and other personal data associated with users’ accounts.

Key Takeaways
Before the launch of any service, there should be a robust incident management framework and cloud security architecture in place. Mitigate the risks before starting; contextualize your environment and risks and identify the vulnerabilities in your hosted applications, systems, and interfaces.

Impact Statement for Disney+
Vulnerabilities:
• A lack of cloud security architecture and strategy: Going live before having an incident response strategy in place is not advisable. Having a single account and credentials for Disney Stores, parks, and Disney+ accounts also makes breaches exponentially worse.
• Insufficient identity and credential management: lack of unique passwords and MFA that was optional rather than mandated. Credential stuffing only works where users reuse a password that has already leaked elsewhere; mandatory MFA and rate limiting on the login endpoint blunt it even when they do.
Business Impacts:
• Financial: Deterred potential shareholders and users. Financial costs due to the added operational costs. Increased overhead.
• Operational: Incident response. Forensics analysis. Enforced downtime.
• Compliance: Possibility of identity theft and breach of personal data, regulatory fines, and inquiry.
• Reputational: Brand image and customer trust can be adversely affected.
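The detection the case study’s takeaways call for, as an added example that is not Info-Tech’s or Disney’s code: a Python script that parses authentication log lines in a constructed, hypothetical format (ISO timestamp, OK/FAIL, user=, ip=) and flags the credential-stuffing signature, one source IP cycling through many distinct usernames with a high failure rate. It also reports a site-wide count of distinct failing accounts, the signal that survives when a campaign spreads attempts across many IPs to stay under the per-IP threshold. The sample log, the thresholds (5 users, 80% failures, 5-minute window) and the function names are all assumptions for illustration.

```python
"""Credential-stuffing detection over authentication logs.

Added example; not code from Info-Tech or Disney. The log format is a
constructed, hypothetical one (ISO timestamp, OK/FAIL, user=, ip=); swap
parse_log() for your identity provider's real event schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample. 203.0.113.9 replays leaked username/password pairs and
# gets one hit (alice reused a password); the rest is ordinary traffic.
SAMPLE_LOG = """\
2020-03-01T10:00:00Z FAIL user=bob ip=203.0.113.9
2020-03-01T10:00:01Z FAIL user=carol ip=203.0.113.9
2020-03-01T10:00:02Z FAIL user=dave ip=203.0.113.9
2020-03-01T10:00:03Z OK user=alice ip=203.0.113.9
2020-03-01T10:00:04Z FAIL user=erin ip=203.0.113.9
2020-03-01T10:00:05Z FAIL user=frank ip=203.0.113.9
2020-03-01T10:00:06Z FAIL user=grace ip=203.0.113.9
2020-03-01T10:05:00Z OK user=bob ip=198.51.100.20
2020-03-01T10:05:30Z FAIL user=carol ip=198.51.100.21
2020-03-01T10:05:40Z OK user=carol ip=198.51.100.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Return events as (timestamp, succeeded, user, ip), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable auth log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append((ts, m["result"] == "OK", m["user"], m["ip"]))
    return sorted(events, key=lambda e: e[0])


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any `window`, attempt at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.
    Brute force hits one account many times; stuffing hits many accounts
    once each, so distinct usernames per IP is the discriminating signal.
    Returns {ip: {"users": n, "attempts": n, "hits": [users that logged
    in successfully inside the flagged window]}}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        for i, (start, _, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] < start + window]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[1])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                cand = {"users": len(users), "attempts": len(span),
                        "hits": sorted({e[2] for e in span if e[1]})}
                if best is None or cand["users"] > best["users"]:
                    best = cand
        if best is not None:
            findings[ip] = best
    return findings


def max_distinct_failing_users(events, window=timedelta(minutes=5)):
    """Site-wide signal for distributed campaigns that keep each IP under the
    per-IP threshold: the largest number of distinct accounts that failed a
    login inside any single `window`. Compare it against your baseline."""
    fails = [e for e in events if not e[1]]
    best = 0
    for i, (start, _, _, _) in enumerate(fails):
        users = {e[2] for e in fails[i:] if e[0] < start + window}
        best = max(best, len(users))
    return best


def accounts_to_reset(findings):
    """Accounts that authenticated from a flagged IP: force a password reset
    and require MFA enrolment before the next login."""
    return sorted({u for f in findings.values() for u in f["hits"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_stuffing(evs)
    for ip, f in found.items():
        print(f"{ip}: {f['users']} users over {f['attempts']} attempts, "
              f"hits={f['hits']}")
    print("distinct failing accounts in worst 5-min window:",
          max_distinct_failing_users(evs))
    print("reset + MFA enrolment:", accounts_to_reset(found))
```

On the sample, only 203.0.113.9 is flagged (7 usernames, 6 of 7 attempts failed) and alice is the account to reset, while carol’s single mistyped password from her own address is ignored. The thresholds are starting points: tune the window and ratios against a week of your own login telemetry, and treat the site-wide distinct-failure count as the alarm for campaigns that stay below any per-IP threshold.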