Cloud
Severine
Member Posts: 33 ■■■□□□□□□□
Security is what everyone is looking for- How is it possible to maintain secure operations across clouds?
Comments
-
scasc Member Posts: 465 ■■■■■■■□□□Million dollar question....how to secure your cloud workloads. A random list (non-exhaustive):
1. Understand the shared security model and where your responsibility lies.
2. Understand the type of model you are adopting (SaaS/IaaS/PaaS etc.) Based on this you know what to focus on.
3. Ascertain your risk appetite based on the sensitivity of data/info assets you are looking to adopt. i.e. choosing data centers in Europe only for example or APAC only. Also, access to crypto keys - what is your appetite to manage/rotate or choosing the provider's solution? Bring your own key seems to be flavor of the month.
4. Best practice standards to help baseline your efforts include from CSA and NCSC. https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles and https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-1/
5. End to end encryption inside a VPC - i.e. subnet to subnet traffic - do you require this, based on the fact that the provider may be performing 24/7 monitoring and could access/witness data flying over the wire?
6. Leverage the provider's own SOC 2 - type 2 report, ISO/PCI/HIPAA etc. The aspects you cannot assess or audit should provide some form of comfort.
7. Pen test what you are allowed to test - i.e. your API Gateway/Lambda function, RDS instance etc.
8. Is a multi-tenant solution adequate or do you require a dedicated instance? The latter is physical segregation not just logical. More costly but more secure.AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...