Each big cloud provider already has a set of "compliance" checks aligned with the industry. You can first look at those, and also understand the shared responsibility model, which depends on the service they provide and on what the responsibilities of the CSP and of your organisation are.
For example, in banking (I assume you are in the US), you might look at SOX and also map your organisation's security controls to the cloud security controls (e.g. looking at the CCM), e.g. the AWS one.
Thanks John for taking time to reply. That was not really my question. I know about these things (CCM, CAIQ, etc.). My query is basically how to have a simple cloud adoption strategy and approach so that the amount of time spent doing assessment (looking up the CAIQ, doing CCM mapping, etc.) or invoking the entire cloud assessment and assurance activity by line two becomes really small. Is there a cloud adoption model that we can follow after which the burden of assessment, mapping and reassessment gets reduced, slimmer or more efficient? I know for a fact that if we stick to the same cloud provider, things may be less of a headache in terms of assurance and assessment of controls (e.g. once comprehensively done for AWS, that's it; I don't have to do the heavy lifting again and again), or if we force all services to use, for example, the once-assessed-and-approved Federation, SSO or IDAM, then bingo, I don't have to do the SSO or identity service reassessment every time. I hope I could clarify it. Thanks again in advance for any insight.
Hi Rami, I know this question is a bit outdated, but I consider it very common and something we all have to face. It's my case: we have deployed resources in Azure, then also in AWS and GCP, and at "business speed".
There is no magic, and I totally agree with you. Going absolutely formal is not going to help!
My approach:
- Probably there is one cloud service that is a bit more mature from the operational/management perspective of your organization: more policies, more processes and guidelines (written or absolutely informal). IT people (I'm an IT guy) like order and formality. Probably they are following some kind of practice even if it is not written.
- Start there. Prepare the policies (high level) for the mature part.
- Implement them. That is when things go weird. It is easy and cost-effective to use the tools provided by that mature CSP, but your company is multi-cloud, isn't it? This requires tools and money, or the creation of different teams for every cloud. I know people will blame me, but I'm talking about the real world. The second approach is a mess, and only high-level policies will work, but with the appropriate people it can be an option.
- Extend the policies and processes, cloud by cloud. If they are based on "agnostic" tools, perfect. If not, different teams, and try to consolidate as much as possible.
What companies are not aware of is that multi-cloud is expensive, really expensive, and throwing workloads to the "cheapest" one is fine if they assume the risks (and that is also a solution). Do not assume the responsibility: tools or teams. Probably this is not the best and most adequate response expected in this kind of board, but I know you are in trouble and need practical help.
I'm sure you will get it to work.
Luis. Security Engineer. IT manager.