A 5 + 1 Step Framework for Building Multi-Cloud Cyber Security Capability

Shirley Zhao
8 min read · Aug 15, 2021

I wrote this paper years ago at the conclusion of a few cloud computing engagements. These engagements were strategic in nature. While they required me to think long term and beyond the complexities in a large enterprise, I longed to be right in there, deal with the immediate operational challenges and be able to move the needle. I got myself a role just like that, and these past three years I was deeply embedded in an operational state where it’s a luxury to think beyond days and weeks. I then longed for scalability and efficiency. All the strategic planning and roadmaps make more sense now.

  • Are you an organization that runs business operations with decentralized IT?
  • Is multi-cloud your strategy to bring businesses onboard to improve IT efficiency?
  • What is your security risk in running business IT in the cloud?
  • How do you ensure consistent security practice when bringing many businesses onto a variety of cloud platforms?
  • Are you confident in your operational capabilities to protect the business against cyberattacks?

Introduction

While many organizations are adopting a multi-cloud infrastructure strategy to centralize and broker cloud services to their business operations, they are also investing in technologies and tools beyond the CSP offerings to improve efficiency and security across the multi-cloud platform.

This article presents a framework for building multi-cloud cyber security capabilities, leveraging the NIST CSF to assess infrastructure security capabilities and to assist the IT organization in deciding which actions to take. The considerations behind these actions are described in a series of steps: enhancing shared services as well as operational capabilities, standardizing security practices, enforcing policies and procedures through a shared responsibilities model, and securing business use cases. These steps should be repeated to continuously improve and achieve cyber security maturity over time.

1. Assess Cyber Security Capability

Conduct an infrastructure cybersecurity assessment using the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). This should be done across the multi-cloud environment, encompassing all levels of security need required to bring member businesses onboard.

Each of the five CSF core functions, Identify, Protect, Detect, Respond and Recover, defines a set of activities that achieve specific cybersecurity outcomes. Assessing against them helps you determine the activities most important to assuring service delivery and security, such as asset and configuration management, vulnerability and threat management, monitoring and incident response.

In this step you will gain a good understanding of where your organization stands. You will discover the strengths, risks and weaknesses of your cybersecurity capability, which in turn will help you make decisions on technology and services, policy and processes, and operational capabilities to reach your target capability goal.

The NIST CSF is a capability framework, not a security control assessment standard such as NIST SP 800-53 or ISO 27001. It provides guidance for assessing infrastructure capability and for assisting organizational security decision making. Regardless of compliance requirements, businesses that onboard onto the multi-cloud infrastructure should conduct threat and risk analysis over their business IT activities and workloads to ensure comprehensive and in-depth security protection. This is addressed in Step 5: Secure Business Use Case.

2. Strengthen Shared Services & Operational Capabilities

All CSPs’ service offerings come with security capabilities, which obviously should be fully leveraged. The capability assessment in Step 1 will help you learn whether CSP-provided security capabilities have been fully utilized, and will help you prioritize the implementation of new technologies and tools or the improvement of existing ones, i.e. your own investment in security stacks across the multi-cloud platform. In addition to foundational security functions such as secured corporate network connectivity, DNS, or a centralized firewall, key consideration should be given to functions that create visibility and enable automation; these are critical for multi-cloud management and will greatly enhance your organization’s resiliency to cyber attacks.

Identity and Access Management (IAM) should be a top consideration, as identity is the basis of all security controls. Each CSP provides its own IAM capability based on a particular protocol, so the need naturally arises for an IAM solution that can integrate multiple protocols.

Security functions provided through shared services do not rely solely on technologies and tools. Your operational capabilities affect the effectiveness and efficiency of these functions, and they have much to do with policies, processes and procedures as well as skilled resources. The assessment from Step 1 will have discovered insufficiencies in these areas as well, helping you decide where improvements need to be made.

3. Standardize Security Practice

All cloud services share common security principles, but each cloud service varies in the methods, protocols, specifications and configurations it uses to secure its environment. Both the principles and the CSP-specific security measures need to be followed, not only by the IT organization in its shared services but also by the businesses that onboard and operate on the cloud platform. This requires a level of standardization that is enforceable and/or guided.

Build security principles into configuration baseline

Security principles and CSP-recommended configurations should be built into a configuration baseline as minimal requirements, and there should be a consistent way to discover changes and a process to approve them where necessary. Considering the number of cloud assets in a multi-cloud environment, it would be a strenuous and almost impossible effort to manage the baseline through manual processes. This is also one of the reasons automation should be a key consideration for shared services in Step 2.
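The paragraph above describes three things an automated baseline needs: a CSP-neutral statement of the minimum settings, a way to discover resources that deviate from it, and a record of which deviations went through the approval process. The script below is an added example, not code from the article; the baseline, the resource records and every field name in it are constructed assumptions rather than any CSP's real API or output. It normalizes resources from several clouds into one schema, reports each deviation, and separates approved exceptions from drift that still needs action.

```python
"""Configuration-baseline drift check over CSP-neutral resource records.

Added example, not code from the article. The baseline, the resource records
and all field names are constructed assumptions, not any CSP's real API.
"""
from dataclasses import dataclass

# Minimal required settings per resource kind, in a CSP-neutral schema
# (assumption: each setting is a scalar compared for equality).
BASELINE = {
    "object_storage": {
        "public_access": False,
        "encryption_at_rest": True,
        "versioning": True,
    },
    "virtual_machine": {
        "public_ip": False,
        "os_login_mfa": True,
        "disk_encryption": True,
    },
}

# Deviations that went through the change-approval process:
# (cloud, resource id, setting). Constructed sample.
APPROVED_EXCEPTIONS = {
    ("aws", "bucket-public-site", "public_access"),
}


@dataclass(frozen=True)
class Finding:
    cloud: str
    resource_id: str
    kind: str
    setting: str
    expected: object
    actual: object
    approved: bool


def check_resource(resource: dict,
                   baseline: dict = BASELINE,
                   exceptions: set = APPROVED_EXCEPTIONS) -> list:
    """Compare one normalized resource against the baseline for its kind.

    A setting absent from the discovered config is treated as drift:
    an unknown state is not a compliant state.
    """
    required = baseline.get(resource["kind"], {})
    findings = []
    for setting, expected in required.items():
        actual = resource["config"].get(setting)
        if actual != expected:
            key = (resource["cloud"], resource["id"], setting)
            findings.append(Finding(resource["cloud"], resource["id"],
                                    resource["kind"], setting, expected,
                                    actual, key in exceptions))
    return findings


def drift_report(resources: list) -> dict:
    """Aggregate findings across clouds; unapproved drift is what needs a ticket."""
    findings = [f for r in resources for f in check_resource(r)]
    unapproved = [f for f in findings if not f.approved]
    return {
        "total_drift": len(findings),
        "unapproved_drift": len(unapproved),
        "findings": findings,
    }


# Constructed records, as an inventory/discovery job might normalize them.
SAMPLE_RESOURCES = [
    {"cloud": "aws", "id": "bucket-public-site", "kind": "object_storage",
     "config": {"public_access": True, "encryption_at_rest": True, "versioning": True}},
    {"cloud": "azure", "id": "stg-finance", "kind": "object_storage",
     "config": {"public_access": False, "encryption_at_rest": True}},  # versioning missing
    {"cloud": "gcp", "id": "vm-batch-01", "kind": "virtual_machine",
     "config": {"public_ip": True, "os_login_mfa": True, "disk_encryption": True}},
    {"cloud": "aws", "id": "vm-web-02", "kind": "virtual_machine",
     "config": {"public_ip": False, "os_login_mfa": True, "disk_encryption": True}},
]

if __name__ == "__main__":
    report = drift_report(SAMPLE_RESOURCES)
    for f in report["findings"]:
        status = "approved exception" if f.approved else "UNAPPROVED"
        print(f"{f.cloud}:{f.resource_id} {f.setting} "
              f"expected={f.expected} actual={f.actual} [{status}]")
    print(f"{report['unapproved_drift']} of {report['total_drift']} "
          f"drift findings need action")
```

Two design choices matter in practice. A setting that the discovery job could not read is reported as drift rather than silently passing, because a baseline that only checks what happens to be visible gives false assurance. And the exception list is keyed by cloud, resource and setting, so an approval for one bucket's public access does not quietly cover every other deviation on that bucket.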

Create reusable standard artifacts

Businesses take on various security responsibilities in the cloud environment where they stand up their systems and workloads.

To help businesses follow best security practice, the IT organization should establish a catalogue or repository where standard artifacts, such as hardened images, templates and scripts with security configurations, can be stored, customized if necessary, and built into business IT’s automated DevOps processes.

All CSPs provide security best practice guidelines, which should be adopted as the standard and embedded in the reusable artifacts. In doing so, the IT organization ensures that businesses are aligned with CSP security controls. Businesses can also include additional security control parameters, such as those they are subject to through compliance obligations.
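The last two paragraphs describe an artifact that carries the CSP best-practice settings as its standard and still lets a business add its own control parameters. The piece that keeps this safe is the merge rule: a business may add or tighten a control, never loosen one, and unknown parameters are refused rather than passed through. The following is an added example, not the article's or any CSP's code; the template schema, the parameter names, the `rule` vocabulary and the default values are all assumptions made for the illustration.

```python
"""Render a standard artifact from the catalogue with business parameters.

Added example, not the article's. The template schema, parameter names and
the "rule" values are assumptions made for this illustration. The rule
enforced here: a business may add or tighten controls, never weaken them.
"""


class WeakeningError(ValueError):
    """Raised when a business parameter would fall below the standard."""


def _version_tuple(v: str) -> tuple:
    # "1.10" must sort above "1.2", so compare as integer components.
    return tuple(int(p) for p in v.split("."))


def is_tightening(rule: str, default, proposed) -> bool:
    """True if `proposed` is at least as strict as `default` under `rule`."""
    if rule == "fixed":           # boolean control that must keep its value
        return proposed == default
    if rule == "min":             # numeric floor: higher is stricter
        return proposed >= default
    if rule == "min_version":     # dotted version floor, e.g. TLS 1.2 -> 1.3
        return _version_tuple(proposed) >= _version_tuple(default)
    raise ValueError(f"unknown rule {rule!r}")


# Catalogue entry for a hardened object-storage template (constructed).
# Defaults stand in for the CSP's published best-practice values.
STANDARD_STORAGE_TEMPLATE = {
    "public_access":      {"default": False, "rule": "fixed"},
    "encryption_at_rest": {"default": True,  "rule": "fixed"},
    "log_retention_days": {"default": 90,    "rule": "min"},
    "tls_min_version":    {"default": "1.2", "rule": "min_version"},
}


def render_artifact(template: dict, business_params: dict) -> dict:
    """Merge business parameters into the template, rejecting anything weaker."""
    rendered = {name: spec["default"] for name, spec in template.items()}
    for name, value in business_params.items():
        if name not in template:
            # Unknown knobs bypass review; refuse rather than pass them through.
            raise KeyError(f"parameter {name!r} is not part of the standard template")
        spec = template[name]
        if not is_tightening(spec["rule"], spec["default"], value):
            raise WeakeningError(
                f"{name}={value!r} is weaker than the standard {spec['default']!r}")
        rendered[name] = value
    return rendered


if __name__ == "__main__":
    # A business under a retention obligation tightens two settings.
    print(render_artifact(STANDARD_STORAGE_TEMPLATE,
                          {"log_retention_days": 365, "tls_min_version": "1.3"}))
    try:
        render_artifact(STANDARD_STORAGE_TEMPLATE, {"public_access": True})
    except WeakeningError as e:
        print("rejected:", e)
```

The rendered dictionary is what would be fed to the real provisioning tool; the point of the example is the gate in front of it, which makes the catalogue artifact a floor the business can build on rather than a default it can overwrite.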

4. Enforce Policies and Procedures under Shared Responsibilities Model

In bringing multiple clouds together as a centralized platform for business use, the IT organization’s role becomes multi-fold. It is a cloud consumer to the CSP, a broker between a CSP and a business, and a cloud provider to the business. This increases the complexity of the shared responsibilities model between the CSP and the IT organization, as some of the IT organization’s responsibilities will inevitably be shared with or transitioned to onboarded businesses.

The IT organization should examine its responsibilities as prescribed in the service agreements with the CSPs, its shared service offerings, and its operational processes in order to outline a shared responsibilities model with the businesses.

In this model, clearly spell out the policies and procedures to be enforced through individual and shared responsibilities. Most importantly, they should be communicated during the business’s onboarding process. This is especially true for those related to the standard security practices undertaken by businesses.

Shared Responsibilities among CSP, IT, and business lines

5. Secure Business Use Case

Putting out an infrastructure with technologies and tools and shared security services, and enabling them through smooth operational processes and standardized security practice, only builds a foundation. The infrastructure is a constantly changing environment in which business operations may open up new holes for threats and introduce new risks.

Think about the threats and risks potentially incurred by these business IT activities: full control of a virtual private cloud space by an onboarded business, standing up a new system or upgrading an existing one, major application architecture changes, or introducing a new CSP cloud asset into the environment.

Not all of these scenarios carry a compliance obligation (in which case a full security assessment would need to be conducted), but a security analysis over these use case scenarios will evaluate potential threats and risks, make sure existing controls are fully functioning, and put additional controls in place where needed.

Threat and risk analysis at the business use case level is also an opportunity to discover vulnerabilities of a wider scope, which, when addressed at the infrastructure level, contribute to strengthened cyber security capability across the multi-cloud platform.

+ 1: Continuously Improve to Achieve Maturity

By leveraging the NIST CSF to assess security capabilities across the multi-cloud infrastructure, you gain an understanding of your existing capabilities, strengths, and weaknesses. Decisions on technology investment are made, and steps are taken to strengthen shared services and operational capabilities, to standardize security practice, and to enforce policies and procedures. Finally, when you bring a business onboard or stand up a critical business use case, a threat and risk analysis (regardless of compliance requirements) is done to reinforce the security measures in place and to supply any additional security needs.

Being able to measure specific areas through the five core security functions, i.e. Identify, Protect, Detect, Respond and Recover, allows you to take solid actions toward a better security posture at your organization. While it is impossible to achieve a perfect state through one round of actions, taking them as a regular exercise, continuously monitoring progress, identifying areas that are lacking, and taking action to improve will gradually bring your organization and the multi-cloud infrastructure to a mature cyber security posture.
