Hi All
I am in the process of building an in-house Cloud Security Framework for our organization's cloud deployments based on the CSA CCM v4.0 and, in parallel, creating a Cloud Security Policy as well. As a starting point, my reference was the CSA CCM, as I thought that provides a concise collection of controls from different frameworks to choose from.
My plan is to review the 197 or so controls in the CSA CCM and then extract what is relevant to my organization and apply it.
My questions are,
1) Is this a suitable approach to building your own customizable Cloud Security Framework?
2) Since the CCM controls are only guidelines, how can they effectively be used/implemented in an organization?
3) How can a separate Cloud Security Policy supplement the framework?
The final goal of this exercise is that cloud strategy/operations/governance teams utilize this framework and policy so that it aligns with the organization's information security standards and cloud best practices.
If you have any other suggestions on how to build a Cloud Security Framework, I would really appreciate your support.
Thank you in advance.
Champika
So the following is MHOO, but would love others to comment.
On question 1: Using a well-known framework to build your cloud (or other system) is good practice. Instead of trying to start from scratch, you are able to follow a guideline. I personally have not used the CSA version, but assuming that it provides the basics that you need (guidelines, best practices, standards, and procedures), then I would use it.
Question 2 is much more difficult to answer without understanding your organisation. However, you need to consider several things during your implementation:
- What is your company's risk appetite?
- What are your organisational objectives?
- Do you need to be compliant with industry regulations? (Think FedRAMP, HIPAA (US), PCI-DSS, etc.)
- Is the tool scalable? Are you a large organisation or a small to medium one?
- Does it provide metrics?
Question 3: I believe the policy should integrate into the existing policies.
Again, this is only my opinion, and I would love to hear from others.
d
Your approach to building an in-house Cloud Security Framework using the CSA CCM v4.0 as a reference is a great starting point. It provides a well-rounded set of controls that you can tailor to meet your organization's specific needs.
For 1: Yes, it is a solid approach. It allows you to pick relevant controls from various frameworks and adapt them to your organization's unique cloud deployment.
For 2: Although the CCM controls are guidelines, they are highly effective when coupled with a structured implementation plan. You could categorize them based on their applicability and apply them to relevant cloud environments.
For 3: The policy should act as a high-level document that defines your organization's overall approach to cloud security, providing governance and setting clear expectations. It will complement the Cloud Security Framework by outlining specific guidelines for cloud usage, security protocols, access controls, and incident response processes, ensuring that the framework is consistently applied across all cloud deployments.
Thank you @dcontesti for your response.
While it made sense to use what is available from CSA, the real dilemma I have is how to really use that to build my own framework. For each control in the CCM, the applicability is quite broad, and based on that one can easily spend time building different documents.
My frank opinion is that the CSA CCM is too broad and I doubt there are organizations that apply all of those controls in place.
Even if you extract the controls you want and need, it must be an operationally ready framework where key stakeholders can look at it and understand what controls must be applied, rather than be confused about what to do next.
This is where I wanted to check if anyone has used the CSA CCM and applied those controls into their own organization and, if so, what was the best way to do that.
Thank you
Champika
I have not used CSA CCM, so cannot speak to it, but I have used MITRE's ATT&CK framework.
Most frameworks really provide the skeleton that you are able to adjust and implement for your environment. NIST also provides guides on how to do so.
Regards
d