How to Use SOSTAC to Build Your Security Strategy

some people go to great lengths to find things to disagree about, but i think there’s one thing all of us can agree on: cloud security keeps us on our toes . that’s because the cloud requires a fundamental change in the way we approach security challenges. as the scale and complexity of cloud environments increase, traditional tools and tactics become less and less effective, and security gaps widen. that is, if you don’t have a sound security strategy in place.

with so much fud (fear, uncertainty, and doubt) flying around, there is actually some good news about cloud security today: considering that 93 percent of companies are now using cloud technology, it professionals can finally shift their focus from cloud adoption to building a proper cloud security strategy around their cloud environments.

so if you’re on board with the idea that it’s time to develop a real cloud security strategy for your organization, we have a great template called sostac® that you can leverage in your own strategy. keep reading for a guided tour.

a strategic template for today’s security needs

so what the heck is sostac, you ask? well, it’s a system that was developed in the ‘90s and originally used by companies to build and organize their marketing programs. however, we think its components provide a very useful way to map cloud security strategies too. to understand how, let’s start by breaking down the sostac acronym:

• situation – where are we now?
• objectives – where do we want to be?
• strategy – how do we get there?
• tactics – how exactly do we get there?
• action – what is our plan?
• control – did we get there?

these are all really good questions to ask yourself as you set out to develop a comprehensive cloud security strategy. it’s important to identify not just where you want to end up but where you are now . after all, no one starts out with a completely blank slate.

going a layer deeper, let’s examine how you can apply sostac to today’s cloud security challenges.

1. situation: taking inventory of your organization’s security practices

the first step is to examine your current cloud security posture. this is a good time to take an inventory of the security tools you are using, including everything from antivirus to firewalls to malware protection and beyond. if you have all of these and more, great. none of them? that’s okay too. that’s why you’re building out a strategy now. it will be easier to figure out what your future strategy needs to look like when you understand where you stand today.

here are a few examples of what you should evaluate in order to determine your current cloud security posture:

• what processes do we have in place for security today?
• what must we absolutely protect above all else?
• what technologies are we currently using for security? is there overlap or redundancy?
• what kinds of attacks are we most vulnerable to?

2. objectives: avoiding a "one-size-fits-all" approach

next, you need to determine your objectives. it’s important to note that objectives are not one-size-fits-all, meaning that what works for one company may not work for yours, and vice versa. to determine the most effective objectives for your organization, you need to identify the biggest areas of concern for your industry, company, size, customer type, and business model. and it’s not enough to simply say you want to "secure the cloud." you actually need to define specific objectives around the following eight functions:

1. workload security
2. infrastructure security
3. network security
4. application security
5. vulnerability scanning
6. threat intelligence
7. data security
8. reporting

to get started, here are a few examples of good cloud security objectives:

• meet hipaa compliance
• catch credit card fraud attempts
• protect customers’ sensitive banking information

3. strategy: getting it on paper for accountability

now, you need to put your strategy on paper, showing exactly how you’ll get from where you are now (situation) to where you want to be (objectives). although it’s the least technical part of this process, the exercise of writing down your strategy is a good opportunity to make sure that all your stakeholders are on board with your plans and that they’ve all given their input before you get started.

even more, having one document that all key stakeholders can reference when needed will ensure that you’re on the same page and that protocols are clear. and if things fall through the cracks, you’ll know why and whose responsibility it is.

4. tactics: implementing the defense line

in this step, you lay out your tactics. for the purpose of security, this means building organizational processes and protocols, like alerting and baselining, that protect against specific vulnerabilities and types of attacks. here’s an example use case:

in our popular (and free) cloud security playbook , we demonstrate what the best practice cloud security tactics are and how to map them to the infamous cyber kill chain, as well as exemplify what a complete defense looks like in action. as they say, the best offense is a good defense, so getting this part right is worth the read .

5. action: determining your detection and response capabilities

the cloud security software you choose will make a big difference in how well you’re able to execute on the strategy you develop, determining how effectively you’re able to detect problems and how quickly you can respond.

while the technology platform you select will ultimately depend on your goals, environment, threats, compliance regulations, and stakeholder requirements, you should be sure to cover the eight key functions (mentioned above in objectives ) in relation to the technology you choose. not only does each of these categories solve for a critical area of security, but when implemented together, they make for a complete cloud security framework.

6. control: evaluating and iterating

remember that cloud security isn’t a "set it and forget it" proposition. for one thing, security threats evolve constantly, meaning that you need to continually adapt your security approach to stay ahead. moreover, if you’re a high-growth company, it’s a good idea to reevaluate your risks and strategy periodically. to effectively meet your evolving security needs, we recommend that you test your strategy once it’s developed, and from there, schedule regular check-ins that can help determine whether you are meeting the goals you set.

after all, even the best intentions won’t do any good if you aren’t measuring real-world outcomes to see if your strategy actually works.

putting it all together

when you consider today’s volatile threat landscape , it’s clear we can’t keep operating by the seat of our pants. developing a clear strategy will help you avoid the pitfalls of legacy approaches, save you time and resources in the long run, minimize the holes in your security process, and provide guidance as you grow and evolve. using sostac as a template enables you to build processes and invest in security platforms that support all your goals and protect your entire infrastructure.

our cloud security playbook details even more about each of these six areas of your cloud strategy, as well as real examples and printable worksheets to kickstart your own strategy creation.