Cloud Security Decision Frameworks
To be successful, the modern information security organization must be able to protect a hybrid, multi-cloud IT environment. Since cloud security is one of Security Architects Partners' areas of expertise, I’m working to develop a cloud security decision framework. This framework will help security teams make the architectural and strategic choices that will define cloud security for their organizations.
A Purely Security Focus
I put this question on decision frameworks out for discussion on the LinkedIn Security Architecture group. So far, a colleague has suggested that cloud security frameworks might focus on three primary areas:
- The data – How critical is it? What are the regulatory requirements? How will it be protected? Where can it be hosted geographically?
- The network – How will different types of cloud facilities be accessed? From any device anywhere, or only from within a controlled network or through a proxy (for example a cloud access security broker, or CASB)?
- The access controls – How will people, applications, and devices access different types of cloud facilities? How will administrative and access privileges be controlled? What is the governance process for deciding who uses which cloud services?
And what about monitoring, vendor management, and the other security-related aspects of cloud governance that this list leaves out? Before getting deeper into these areas, though, let’s highlight another problem.
Dependency on the Overarching IT Cloud Strategy
What does an architect do when asked to develop a cloud security strategy for an organization that has no overarching cloud computing strategy? I can tell you this cart-before-the-horse situation isn’t uncommon. How does cloud security work in your organization?
How can the security architect coax IT stakeholders into providing the input and assumptions a cloud security strategy requires, so that clear architecture patterns can emerge in standards and guidance?
I’m working on developing a “cloud security decision framework” which will make it easier for stakeholders to provide the necessary input and assumptions to security architects. As well as asking security questions, the framework could start to capture alternatives and decision criteria on the IT cloud strategy. For example:
- Do we build a private cloud? What kind?
- When do we host applications in the private cloud versus the public cloud?
- How do we network and integrate the multi-cloud environment?
What other questions would you have for the business or IT leadership? Put together a list of stakeholders, or of key people in the organization who can represent them, and find out the answers to these and other questions. Then your cloud security strategy will be cooking with gas.
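As an added illustration that is not part of the original post, the following Python sketch shows one way the three security questions (data, network, access controls) and the hosting alternatives from the IT cloud strategy could be captured as checkable decision criteria rather than as a questionnaire: each candidate hosting option is evaluated against a workload's answers, and the framework returns either the reason the option is blocked or the controls that become mandatory if it is chosen. The hosting options, classification scale, thresholds, control names and sample workloads are all assumptions made up for this example, not any organization's actual policy.

```python
"""Hypothetical cloud-placement decision evaluator (added illustration).

Encodes the framework's data, network and access questions as decision
criteria and evaluates, per hosting option, whether a workload may be
placed there and which controls become mandatory. Hosting options,
thresholds and rules are illustrative assumptions, not real policy.
"""
from dataclasses import dataclass, field

# Assumed hosting alternatives (the "build a private cloud or not" question).
HOSTING_OPTIONS = {
    "private_cloud":   {"regions": {"EU"}, "multi_tenant": False},
    "public_cloud_eu": {"regions": {"EU"}, "multi_tenant": True},
    "public_cloud_us": {"regions": {"US"}, "multi_tenant": True},
    "saas_vendor":     {"regions": {"US"}, "multi_tenant": True},
}

# Assumed data classification scale; higher means more sensitive.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Workload:
    name: str
    data_class: str        # key of SENSITIVITY
    regulations: set       # e.g. {"GDPR"}; drives contractual controls
    allowed_regions: set   # where the data may be hosted geographically
    access_from: str       # "anywhere" | "managed_devices" | "corporate_network"
    admin_model: str       # "shared" | "named_admins" | "jit"


@dataclass
class Decision:
    option: str
    permitted: bool = True
    reasons: list = field(default_factory=list)            # why it is blocked
    required_controls: list = field(default_factory=list)  # what must be in place


def evaluate(workload: Workload, option: str, props: dict) -> Decision:
    d = Decision(option=option)
    level = SENSITIVITY[workload.data_class]

    # Data: every region the option hosts in must be one the data may live in.
    if not props["regions"] <= workload.allowed_regions:
        d.permitted = False
        d.reasons.append(f"hosted in {sorted(props['regions'])}, "
                         f"allowed {sorted(workload.allowed_regions)}")
    # Data: assumed policy that restricted data never shares a tenant.
    if level >= SENSITIVITY["restricted"] and props["multi_tenant"]:
        d.permitted = False
        d.reasons.append("restricted data not permitted on multi-tenant platform")
    if level >= SENSITIVITY["confidential"]:
        d.required_controls.append("encryption at rest with customer-managed keys")
    if workload.regulations and props["multi_tenant"]:
        d.required_controls.append("data-processing agreement with provider")

    # Network: how the facility is reached decides the mediation required.
    if workload.access_from == "anywhere":
        d.required_controls += ["CASB or proxy in the access path", "MFA for all users"]
    elif workload.access_from == "managed_devices":
        d.required_controls += ["device posture check at sign-in", "MFA for all users"]
    else:
        d.required_controls.append("private connectivity only, no public endpoint")

    # Access controls: privilege model versus data sensitivity.
    if workload.admin_model == "shared" and level >= SENSITIVITY["confidential"]:
        d.permitted = False
        d.reasons.append("shared admin accounts not permitted for confidential data")
    if workload.admin_model != "jit" and level >= SENSITIVITY["restricted"]:
        d.required_controls.append("just-in-time privileged access")
    return d


def decide(workload: Workload, options: dict = HOSTING_OPTIONS) -> dict:
    return {name: evaluate(workload, name, props) for name, props in options.items()}


def permitted_options(workload: Workload, options: dict = HOSTING_OPTIONS) -> list:
    return sorted(n for n, d in decide(workload, options).items() if d.permitted)


# Constructed sample workloads, one per kind of answer the framework expects.
HR_RECORDS = Workload("hr-records", "restricted", {"GDPR"}, {"EU"},
                      "managed_devices", "named_admins")
MARKETING_SITE = Workload("marketing-site", "public", set(), {"EU", "US"},
                          "anywhere", "named_admins")
ANALYTICS = Workload("customer-analytics", "confidential", set(), {"EU", "US"},
                     "corporate_network", "shared")

if __name__ == "__main__":
    for wl in (HR_RECORDS, MARKETING_SITE, ANALYTICS):
        print(f"== {wl.name}: permitted {permitted_options(wl)}")
        for d in decide(wl).values():
            status = "OK " if d.permitted else "NO "
            print(f"  {status}{d.option}: {d.reasons or d.required_controls}")
```

The point of writing it down this way is that the gaps become visible: a workload whose owner cannot answer the residency or admin-model question cannot be evaluated at all, which is exactly the missing input the framework is meant to extract from stakeholders. Note that the analytics workload is blocked everywhere not by the data or the network but by the shared-administrator answer, so the access-control question can decide placement on its own.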