How to Use SOSTAC to Build Your Security Strategy

SOSTAC stands for Situation Analysis, Objectives, Strategy, Tactics, Actions, and Control. Read on to learn how to use it when building your security strategy.

by Venkat Pothamsetty · May. 12, 16 · Analysis

Some people go to great lengths to find things to disagree about, but I think there’s one thing all of us can agree on: cloud security keeps us on our toes. That’s because the cloud requires a fundamental change in the way we approach security challenges. As the scale and complexity of cloud environments increase, traditional tools and tactics become less and less effective, and security gaps widen. That is, if you don’t have a sound security strategy in place.

With so much FUD (fear, uncertainty, and doubt) flying around, there is actually some good news about cloud security today: considering that 93 percent of companies are now using cloud technology, IT professionals can finally shift their focus from cloud adoption to building a proper cloud security strategy around their cloud environments.

So if you’re on board with the idea that it’s time to develop a real cloud security strategy for your organization, we have a great template called SOSTAC® that you can leverage in your own strategy. Keep reading for a guided tour.

A Strategic Template for Today’s Security Needs

So what the heck is SOSTAC, you ask? Well, it’s a system that was developed in the ‘90s and originally used by companies to build and organize their marketing programs. However, we think its components provide a very useful way to map cloud security strategies too. To understand how, let’s start by breaking down the SOSTAC acronym:

  • Situation – where are we now?
  • Objectives – where do we want to be?
  • Strategy – how do we get there?
  • Tactics – how exactly do we get there?
  • Action – what is our plan?
  • Control – did we get there?

These are all really good questions to ask yourself as you set out to develop a comprehensive cloud security strategy. It’s important to identify not just where you want to end up but where you are now. After all, no one starts out with a completely blank slate.

Going a layer deeper, let’s examine how you can apply SOSTAC to today’s cloud security challenges.

1. Situation: Taking Inventory of Your Organization’s Security Practices

The first step is to examine your current cloud security posture. This is a good time to take an inventory of the security tools you are using, including everything from antivirus to firewalls to malware protection and beyond. If you have all of these and more, great. None of them? That’s okay too. That’s why you’re building out a strategy now. It will be easier to figure out what your future strategy needs to look like when you understand where you stand today.

Here are a few examples of what you should evaluate in order to determine your current cloud security posture:

  • What processes do we have in place for security today?
  • What must we absolutely protect above all else?
  • What technologies are we currently using for security? Is there overlap or redundancy?
  • What kinds of attacks are we most vulnerable to?

2. Objectives: Avoiding a "One-Size-Fits-All" Approach

Next, you need to determine your objectives. It’s important to note that objectives are not one-size-fits-all, meaning that what works for one company may not work for yours, and vice versa. To determine the most effective objectives for your organization, you need to identify the biggest areas of concern for your industry, company, size, customer type, and business model. And it’s not enough to simply say you want to "secure the cloud." You actually need to define specific objectives around the following eight functions:

  1. Workload security
  2. Infrastructure security
  3. Network security
  4. Application security
  5. Vulnerability scanning
  6. Threat intelligence
  7. Data security
  8. Reporting

To get started, here are a few examples of good cloud security objectives:

  • Meet HIPAA compliance
  • Catch credit card fraud attempts
  • Protect customers’ sensitive banking information

3. Strategy: Getting It on Paper for Accountability

Now, you need to put your strategy on paper, showing exactly how you’ll get from where you are now (situation) to where you want to be (objectives). Although it’s the least technical part of this process, the exercise of writing down your strategy is a good opportunity to make sure that all your stakeholders are on board with your plans and that they’ve all given their input before you get started.

Even more, having one document that all key stakeholders can reference when needed will ensure that you’re on the same page and that protocols are clear. And if things fall through the cracks, you’ll know why and whose responsibility it is.

4. Tactics: Implementing the Defense Line

In this step, you lay out your tactics. For the purpose of security, this means building organizational processes and protocols, like alerting and baselining, that protect against specific vulnerabilities and types of attacks. Here’s an example use case:

[Image: security-workflow.png]

In our popular (and free) Cloud Security Playbook, we demonstrate what the best practice cloud security tactics are and how to map them to the infamous cyber kill chain, as well as exemplify what a complete defense looks like in action. As they say, the best offense is a good defense, so getting this part right is worth the read.

5. Action: Determining Your Detection and Response Capabilities

The cloud security software you choose will make a big difference in how well you’re able to execute on the strategy you develop, determining how effectively you’re able to detect problems and how quickly you can respond.

While the technology platform you select will ultimately depend on your goals, environment, threats, compliance regulations, and stakeholder requirements, you should be sure to cover the eight key functions (mentioned above in Objectives) in relation to the technology you choose. Not only does each of these categories solve for a critical area of security, but when implemented together, they make for a complete cloud security framework.

6. Control: Evaluating and Iterating

Remember that cloud security isn’t a "set it and forget it" proposition. For one thing, security threats evolve constantly, meaning that you need to continually adapt your security approach to stay ahead. Moreover, if you’re a high-growth company, it’s a good idea to reevaluate your risks and strategy periodically. To effectively meet your evolving security needs, we recommend that you test your strategy once it’s developed, and from there, schedule regular check-ins that can help determine whether you are meeting the goals you set.

After all, even the best intentions won’t do any good if you aren’t measuring real-world outcomes to see if your strategy actually works.

Putting It All Together

When you consider today’s volatile threat landscape, it’s clear we can’t keep operating by the seat of our pants. Developing a clear strategy will help you avoid the pitfalls of legacy approaches, save you time and resources in the long run, minimize the holes in your security process, and provide guidance as you grow and evolve. Using SOSTAC as a template enables you to build processes and invest in security platforms that support all your goals and protect your entire infrastructure.

Our Cloud Security Playbook details even more about each of these six areas of your cloud strategy, as well as real examples and printable worksheets to kickstart your own strategy creation.


Published at DZone with permission of Venkat Pothamsetty, DZone MVB. See the original article here.
