<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Simple effective cloud adoption and strategy in Cloud Security</title>
    <link>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47097#M94</link>
    <description>&lt;P&gt;Thanks John for taking time to reply. That was not really my question. I know about these things CCM, CAIQ, etc... My query is basically how to have a simple cloud adoption strategy and approach so the amount of time spent doing assessment (looking up CAIQ, do CCM mapping, etc) or invoke entire cloud assessment and assurance activity by line two becomes really less. Is there a cloud adoption model that we can follow after which such burden of assessment, mapping and reassessment can get reduced or get slimmer or more efficient? OK, I know for a fact that if we stick to the same cloud provider, things may be less headache in terms of assurance and assessment of controls (e.g. once comprehensively done for AWS then that's it, I don't have to do the heavy lifting again and again) or if we force all services to for example use the once-assessed-and-approved Federation, SSO or IDAM then bingo I don't have to every time do SSO or identity service reassessment, etc. I hope I could clarify it. Thanks again in advance for any insight.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 24 Aug 2021 10:33:57 GMT</pubDate>
    <dc:creator>rami99</dc:creator>
    <dc:date>2021-08-24T10:33:57Z</dc:date>
    <item>
      <title>Simple effective cloud adoption and strategy</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47076#M92</link>
      <description>&lt;DIV class="col-md-10 no-gutter"&gt;&lt;SPAN&gt;Hi All,&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;As line two looking at cloud risk, I want to know what strategy / architecture can be adopted for a customer (banking) who has so far adopted cloud in a fragmented manner with no centralized model (dump things here and there, open tenants here tenants there across AWS, Azure, Google) causing whole painful and time-consuming yet inefficient cloud / tenant reassessment for risk and security teams every time they open a tenant or introduce a cloud service, etc. With the aim to achieve simplification and consistency across cloud controls and ongoing cloud assurance and assessment. I am looking for a recommendation / strategy to rectify what is already in place and avoid ad-hoc ineffective cloud adoption as business initiatives come up. A robust model / approach to address above mentioned challenges. Please also share any article / resources for this matter.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Thank you in advance.&lt;/SPAN&gt;&lt;/DIV&gt;</description>
      <pubDate>Mon, 23 Aug 2021 11:14:28 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47076#M92</guid>
      <dc:creator>rami99</dc:creator>
      <dc:date>2021-08-23T11:14:28Z</dc:date>
    </item>
    <item>
      <title>Re: Simple effective cloud adoption and strategy</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47078#M93</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/100709149"&gt;@rami99&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For each big cloud provider, they already have a set of "compliance" checks with the industry. You can first look at those, and also understand the shared responsibility model, which depends on the service they provide, and what the responsibilities of the CSP and your organisation are.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For example, as banking (I assume you are in the US), you might look at SOX and also at mapping your organisation's security controls to the cloud security controls (e.g. looking at CCM), e.g. the AWS one.&lt;/P&gt;&lt;P&gt;&lt;A href="https://d1.awsstatic.com/whitepapers/compliance/CSA_Consensus_Assessments_Initiative_Questionnaire.pdf" target="_blank"&gt;https://d1.awsstatic.com/whitepapers/compliance/CSA_Consensus_Assessments_Initiative_Questionnaire.pdf&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Aug 2021 12:05:23 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47078#M93</guid>
      <dc:creator>csjohnng</dc:creator>
      <dc:date>2021-08-23T12:05:23Z</dc:date>
    </item>
    <item>
      <title>Re: Simple effective cloud adoption and strategy</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47097#M94</link>
      <description>&lt;P&gt;Thanks John for taking time to reply. That was not really my question. I know about these things CCM, CAIQ, etc... My query is basically how to have a simple cloud adoption strategy and approach so the amount of time spent doing assessment (looking up CAIQ, do CCM mapping, etc) or invoke entire cloud assessment and assurance activity by line two becomes really less. Is there a cloud adoption model that we can follow after which such burden of assessment, mapping and reassessment can get reduced or get slimmer or more efficient? OK, I know for a fact that if we stick to the same cloud provider, things may be less headache in terms of assurance and assessment of controls (e.g. once comprehensively done for AWS then that's it, I don't have to do the heavy lifting again and again) or if we force all services to for example use the once-assessed-and-approved Federation, SSO or IDAM then bingo I don't have to every time do SSO or identity service reassessment, etc. I hope I could clarify it. Thanks again in advance for any insight.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 24 Aug 2021 10:33:57 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47097#M94</guid>
      <dc:creator>rami99</dc:creator>
      <dc:date>2021-08-24T10:33:57Z</dc:date>
    </item>
    <item>
      <title>Re: Simple effective cloud adoption and strategy</title>
      <link>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47986#M104</link>
      <description>&lt;P&gt;Hi Rami, I know this question is a bit outdated but I consider it is very common and something we all have to face. It's my case, we have deployed resources in Azure, then also in AWS and GCP, and at "business speed".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is no magic, and I totally agree with you. Going absolutely formal is not going to help!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My approach:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- Probably there is one cloud service that is a bit more mature, from the operational - management perspective of your organization. More policies, more processes and guidelines (written or absolutely informal). IT people (I'm an IT guy) like order and formality. Probably they are following some kind of practice even if it is not written.&lt;/P&gt;&lt;P&gt;- Start there. Prepare the policies (high level) for the mature part.&lt;/P&gt;&lt;P&gt;- Implement them. That is when things go weird. It is easy and cost-effective to use the tools provided by that mature CSP, but your company is multi-cloud. Isn't it? This requires tools and money or the creation of different teams for every cloud. I know people will blame me, but I'm talking about the real world. The second approach is a mess, and only high-level policies will work, but with the appropriate people, it can be an option.&lt;/P&gt;&lt;P&gt;- Extend the policies and processes. Cloud by cloud. If they are based on "agnostic" tools, perfect. If not, different teams and try to consolidate as much as possible.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What companies are not aware of is that multi-cloud is expensive, really expensive, and throwing workloads to the "cheapest" one is good if they assume the risks (and that is also a solution). Do not assume the responsibility. Tools or teams.
Probably it is not the best and adequate response expected in this kind of board, but I know you are in trouble and need practical help.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm sure you will get it to work.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Luis. Security Engineer. IT manager.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Oct 2021 08:19:59 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Cloud-Security/Simple-effective-cloud-adoption-and-strategy/m-p/47986#M104</guid>
      <dc:creator>luisantonio</dc:creator>
      <dc:date>2021-10-20T08:19:59Z</dc:date>
    </item>
  </channel>
</rss>

