Cloud security is a sprint and a marathon. It is a sprint in that security teams must quickly put the right defenses in place to address zero-day attacks and persistent threats in the short term, and a marathon in that an organization's security posture needs to be regularly evaluated and improved over the long term to address new and evolving threats and compliance regulations.
While security is a top-level concern for most organizations running in the cloud, it’s important to approach the development of a cloud security strategy the right way. A number of elements—from stakeholders to technologies to compliance regulations—must be taken into account individually and in relation to each other before a full-fledged strategy can be rolled out effectively.
In this post, we cover six areas that companies should analyze in order to define their current security posture. With a clear picture of where an organization’s security stands today, it can then form an understanding of where it needs to be in the future — and build an effective strategy to bridge the gap.
Depending on the technologies used, the processes implemented, and the budgets required, different stakeholders might be involved in enabling different parts of the cloud security strategy. That is, as long as you can get their buy-in.
To understand where your organization currently stands with security from a human resources perspective, ask the following questions:
- Who are the key stakeholders involved in security at the organization today?
- What are their responsibilities? Is there any confusion about who does what? Overlap?
- Are all stakeholders communicating about security in a fluid, coherent, and effective manner?
- What opportunities exist to simplify or streamline responsibilities?
- What roles are unfilled?
- Do you need to hire more people, or outsource some aspects of your security strategy?
In addition to taking these stakeholders into account as you assess the current state of your security team, keep them in mind as you build a strategy, select the right cloud security solution, and define processes to implement, operate, and maintain the security strategy. For more on how to go about getting stakeholder buy-in, have a look at this post.
Next on the docket is taking inventory of the security vulnerabilities your company has today. These can vary based on your industry, organization, customers, and data. Having a clear understanding of your vulnerabilities can help to define how you will shape your organization’s cloud security efforts in the future, including the technologies and processes that need to be put in place.
Here are a few questions you can ask to begin defining your organization's vulnerabilities:
- How vulnerable is the organization today? How do you know?
- What kinds of attacks is the organization most vulnerable to?
- What vulnerabilities is your industry as a whole dealing with right now?
- What types of security issues have cropped up in the last year or so that were unexpected?
- What types of threats are you unprepared for?
Because vulnerabilities differ widely from company to company and industry to industry, having an approach that’s tailored to managing your specific vulnerabilities is fundamental to an effective cloud security strategy.
Numerous compliance standards or regulations are in use today, including HIPAA, SOX, ISO, SOC2, and others, and it’s essential that you know which regulations you need to uphold — if any. Understanding your organization's compliance needs will help you determine a number of fundamental elements in your security strategy, including workflows, reporting, underlying technologies, and more.
Here are some questions you can ask to assess where your organization currently stands with compliance:
- What compliance mandates is the organization beholden to?
- What is being done to ensure compliance with those mandates today?
- How is compliance being reported at present?
- Where is it falling behind?
- Have you faced any sanctions or repercussions related to compliance?
This assessment will help to identify any gaps or areas for improvement so you can systematically solve them using the appropriate security technologies and processes. Going forward, you can effectively integrate compliance issues into your overarching security strategy. (For a discussion of how to streamline the task of becoming compliant, have a look at Creating a Framework to Enable Compliance in the Cloud.)
4. Priorities & Goals
Once stakeholders, vulnerabilities, and compliance requirements have been examined, the next step is prioritizing the organization’s security goals and requirements to keep the strategy focused and effective. This will make selecting the right technologies and processes a lot easier.
Answer these questions to help assess your current and future security priorities:
- What are the organization's business drivers behind security (e.g. customer data protection)?
- What types of data or information must absolutely be protected above all else? Are they being protected adequately today?
- What security failures would put the company in the most danger?
- What are the organization’s current goals related to cloud security?
- Are we meeting those goals?
- How do we expect those goals to shift in the next year? Three years? Five?
Understanding priorities will help ensure that all the bases are covered in your cloud security strategy and that the most at-risk areas are dealt with before less critical issues.
As an organization's cloud security requirements continuously shift and evolve, it’s essential to evaluate whether the technology that enables cloud security is keeping up. It’s also important to recognize when too many point solutions are being used, leading to overlapping functions, gaps between systems, bloated expenses, and alert fatigue.
To start inventorying the current security stack across your organization, answer the following:
- What technologies are we already using for security today?
- Which ones are working? Which aren’t?
- Is there overlap or redundancy?
- Are these tools scaling well? Do they still fit the organization's needs?
- Does the security team (and any other stakeholders involved) like using these tools?
- Can information from multiple systems be easily correlated?
- Have you considered an all-in-one, integrated platform?
The answers to these questions will help determine which technologies to keep, which to weed out, and where gaps need to be filled.
Security processes tie efforts to outcomes. Taking a hard look at your organization’s existing security processes can help identify opportunities for improved efficiency.
In particular, you should ask:
- What processes are currently in place for security?
- Are they working? Why or why not?
- Are the right people involved in incident detection and response?
- How much time are people spending on security? (Too much? Too little?)
- Can any areas be streamlined?
Solving procedural issues will also help streamline the implementation and operation of new technologies, while making the job of each stakeholder clearer and more straightforward.
One more thing: when examining processes, look beyond security itself and ask whether security processes are integrated with Dev and Ops, so that all three areas work together and your organization can grow and operate securely at cloud speed.
Implementing a Successful Cloud Security Strategy
The best way to assess an organization’s security posture is to methodically create a clear and detailed picture by evaluating each of the six areas covered in this post. By the end of this exercise, security teams will know where the organization stands with security compared to where it should be, so they can implement an encompassing strategy that covers all of the security bases while integrating effectively with Dev and Ops.
To learn more about how to implement a successful cloud security strategy tailored to your organization’s unique needs, check out our Cloud Security Playbook.