CDM-CYBER-DEFENSE-eMAGAZINE-March-2019
for well-known, repeatable needs first, then look to move or re-deploy capability into IaaS or build natively in PaaS for efficient applications.
Security measures are important when architecting a multi-cloud structure
First and foremost, avoid treating your new cloud infrastructure as a separate environment. It is not merely another data center: moving to the cloud changes how the organization secures its assets, and the security model has to change with it. Consider resources such as the MITRE ATT&CK matrix and the Center for Internet Security's Basic and Foundational Controls as a guide for answering this question: "In the future, how do I maintain unified visibility and security as I incorporate new cloud providers?"
For a successful multi-cloud migration, use your cloud access security layer together with a platform that unifies your policy and threat-identification approaches across providers, so that the same rules and the same alerts apply regardless of where a workload runs. Identity is another common challenge area. Moving to the cloud at scale often requires your organization to "clean up" its identity directory (stale accounts, duplicate identities, inconsistent group membership) so that it is ready for shared sign-on. By using an identity management and/or aggregation platform to expose a single, authoritative identity to well-known cloud services, you reduce both the implementation burden and the threat exposure introduced by any given provider, because each provider no longer holds its own copy of your users and credentials.
Ensure compliance
It is important to understand that your organization's compliance requirements do not disappear or change simply because the data has left your internal environment and entered the one your cloud provider(s) operate. You remain accountable for the data. As your organization matures, the way you manage and align your cloud providers' capabilities to your compliance requirements should evolve accordingly.
Initially, ensure that your company requires business unit executives either to put compensating controls in place or to formally accept the risk where a service provider does not meet every compliance obligation. Your legal team should be part of the initial purchase decisions, armed with enough technical knowledge to help identify potential "rogue" cloud services, and supported by policy guidelines that dissuade employees from adding services "on a credit card" without appropriate oversight.
As your organization gains more experience with the cloud, request that providers share copies of their SSAE16 attestations and audits (SSAE 16 was superseded by SSAE 18 in 2017, so the current equivalent is an SSAE 18 SOC report). This, together with more formal due-diligence processes, should become commonplace. Organizations looking to advance in this space would be well-advised to look at the Cloud Security Alliance's STAR attestation and the associated Cloud Controls Matrix as a ready accelerator for benchmarking cloud providers against a common set of controls.
Secure buy-in from exec/C-level on a multi-cloud strategy
Use of cloud services should reflect the strategic focus of the business. Technology leaders can leverage the benefits of these services to underpin initiatives in efficiency, bringing innovation to market and controlling costs. To strengthen this message, technology department heads should