How to Build a Cloud Security Strategy

As the head of security at a cloud-forward organization, you are a security and risk expert with strong business acumen. On your shoulders falls the difficult task of detecting security issues as early as possible to reduce your organization’s risk. You must collaborate with DevOps, developers, IT and compliance teams to ensure security remains strong while business priorities are met. You recognize the importance of building a risk-based security strategy in the cloud, but you need buy-in and approval from key stakeholders to receive funding and budget allocation.

The challenge, then, is ensuring your cloud security strategy is cogent and that it appeals to the right people.

How?

To start, you must understand why building and getting buy-in for your cloud security strategy is critical. Then, you need to know how to do that and be able to describe the benefits to your organization. Finally, you’ll need to have a proven method of implementing the strategy efficiently and successfully.

Let’s get started.

Why It’s Important

Moving security forward is not easy, particularly if stakeholders consider the controls an impediment to business priorities. That’s why a winning strategy delivers a roadmap for improving your cloud security posture while supporting, rather than slowing, product development.

A successful security strategy accomplishes several objectives:

  • Serves as the building block for developing a risk-based security posture
  • Answers why you need funding and what you will do with it
  • Protects your budget moving forward
  • Creates avenues for additional funding for risk remediation
  • Identifies threats and addresses them within the strategy’s framework
  • Documents the decisions made, so you and your team can show due diligence in the case of a security incident
  • Demonstrates that the strategy supports business priorities

Look for opportunities to embrace a DevSecOps mindset. For example, cloud-forward businesses are using more non-human accounts than ever to develop products faster. In turn, attacks on non-human identities are rising significantly. You’ll want to protect those accounts without slowing down DevOps. Find a vendor that provides just-in-time (JIT) permissioning for human and non-human accounts. This elevates security and gives developers the access they need to deliver efficiently.

With your strategy built and business-oriented opportunities in mind, it’s time to focus on ‘selling’ your strategy to key stakeholders.

Selling Your Cloud Security Strategy

Four critical components will help you when you’re ‘selling’ a security strategy:

  1. Developing a risk framework
  2. Getting business buy-in and support
  3. Building a customized control framework
  4. Using the right solution(s)

Risk Framework

A risk framework begins with risk identification. Here are four common scenarios:

  1. An external party seizes control of your system and initiates a denial-of-service (DoS) attack
  2. An external party steals sensitive data or processes
  3. An employee misuses access to mission-critical data
  4. An employee leaks customer information

Each scenario requires an assessment to analyze and classify the risk likelihood and impact. Develop a scoring system that helps you and your company’s stakeholders quickly understand potential outcomes.

Control mapping lets you identify the controls needed to address each risk. For example, if the kill-chain stage is gaining access to your environment and the threat is credential theft, the security controls might be multifactor authentication (MFA), JIT access or improved privileged access management (PAM):

  • Kill chain = Gain access
  • Threat = Credential theft
  • Controls = MFA, JIT, PAM

Once you have established the risk framework, prioritize and define the initiatives needed to improve controls that reduce risk.

Business Buy-In

Assign each risk an impact on business finances, customers and reputation. To illustrate, consider a numerical scoring system from one to five, where five is high and one is low. This example shows the three scores above low (2) and very low (1):

Score 5, Very high: potential existential impact. Reputation/customer: extreme impact on client relations. Financial: significant and/or permanent impact on revenue generation.

Score 4, High: serious, long-term impact. Reputation/customer: major impact on client relations. Financial: reduced ability to generate revenue.

Score 3, Moderate: serious but recoverable impact. Reputation/customer: material but recoverable impact. Financial: near-term revenue loss.

Next, assign each risk a likelihood on the same one-to-five scale, for example:

Score 5, Very high: the risk is almost certain to occur.

A combined score (for example, impact multiplied by likelihood) lets you rank the scenarios against one another and decide where the first initiatives go.

Control Frameworks

Adopt one or several of the available security control frameworks (for example, the CIS Controls, the NIST Cybersecurity Framework or the Cloud Security Alliance Cloud Controls Matrix). Doing so gives your strategy a control checklist to measure against, gives stakeholders a recognized benchmark to approve, and provides a consistent yardstick for maintaining a strong cloud security posture over time.

Choose the Right Solution

Choosing the right solution(s) for your cloud security strategy depends on your objectives. The key question is where you are on your cloud journey:

  • Do you run an on-premises data center and plan to move to the cloud?
  • Will you maintain a hybrid (on-premises + cloud) environment?
  • Will you adopt a multi-cloud hybrid environment?
  • Are you all-in-cloud?
  • Do you use a single cloud environment?
  • Will you adopt a multi-cloud environment?

Regardless of where you are on your cloud journey, your strategy should address today’s challenges and plan for the security risks that come with the next stage.

Broad adoption of IaaS and PaaS platforms and SaaS applications has accelerated IT operations and application development. Managing and securing the resulting massive proliferation of cloud identities and privileges, for both app developers and their users, has been challenging. It is not feasible over the long term to continue managing identities in password-protected Excel spreadsheets, which is still common practice on many SecOps and DevOps teams. Rather, ensuring the security of privileged access in a complex multi-cloud environment will require both a new mindset and new security tools.

The dynamic nature of the cloud brings changes to administration and configuration tools daily. With each change comes another set of features and functionality that needs to be understood and integrated into existing security tools. Ultimately, administrators and auditors lack adequate visibility into who has what level of access on each platform. As such, here are eight best practices to look for in a platform solution:

  1. Grant cloud privileges JIT
  2. Assign privileges based on policy
  3. Drastically reduce standing privileges for human and non-human identities
  4. Integrate single sign-on (SSO) and MFA
  5. Extend identity governance and administration (IGA) to cloud identities
  6. Feed UEBA/SIEM with privileged cloud activity
  7. Provide cross-cloud visibility and reporting
  8. Deliver a holistic, cloud-native platform
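The following is an added example, not code from the article or from any vendor product, showing what practices 1, 2, 3 and 6 look like together in Python: a toy access broker in which grants are issued only against a policy, carry a bounded expiry, are revoked when they lapse, and emit audit events that could be shipped to a SIEM. The identities (alice, ci-deploy-bot, legacy-svc), scopes, policy table and timestamps are constructed for illustration.

```python
"""Toy JIT access broker: standing privileges vs. policy-bound, expiring grants.

Constructed example; identities, scopes and the POLICY table are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    identity: str                   # human ("alice") or non-human ("ci-deploy-bot")
    scope: str                      # resource:action, e.g. "prod-db:admin"
    expires_at: Optional[datetime]  # None means a standing (never-expiring) privilege
    justification: str = ""
    approver: str = ""


# Practice 2: privileges come from policy. Each group maps to the scopes it may
# request and the longest TTL a JIT grant in that scope may carry (constructed).
POLICY: Dict[str, Dict[str, timedelta]] = {
    "developers": {"prod-db:read": timedelta(hours=4), "prod-db:admin": timedelta(hours=1)},
    "ci-pipelines": {"prod-deploy:write": timedelta(minutes=30)},
}


class Broker:
    def __init__(self, groups: Dict[str, str]) -> None:
        self.groups = groups            # identity -> policy group
        self.grants: List[Grant] = []
        self.audit: List[dict] = []     # practice 6: events to feed UEBA/SIEM

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def add_standing(self, identity: str, scope: str) -> None:
        # The legacy pattern: permanent access, no approver, no expiry.
        self.grants.append(Grant(identity, scope, None))
        self._log("standing_grant", identity=identity, scope=scope)

    def request_jit(self, identity: str, scope: str, ttl: timedelta,
                    justification: str, approver: str, now: datetime) -> Optional[Grant]:
        # Practice 1: a time-bounded grant, checked against policy before issue.
        allowed = POLICY.get(self.groups.get(identity, ""), {})
        reason = None
        if scope not in allowed:
            reason = "scope not permitted by policy"
        elif ttl > allowed[scope]:
            reason = "ttl exceeds policy maximum"
        elif not justification or not approver:
            reason = "missing justification or approver"
        if reason:
            self._log("jit_denied", identity=identity, scope=scope, reason=reason)
            return None
        grant = Grant(identity, scope, now + ttl, justification, approver)
        self.grants.append(grant)
        self._log("jit_granted", identity=identity, scope=scope,
                  expires_at=grant.expires_at.isoformat(), approver=approver)
        return grant

    def authorize(self, identity: str, scope: str, now: datetime) -> bool:
        # A grant is live if it is standing or has not yet expired.
        live = any(g.identity == identity and g.scope == scope
                   and (g.expires_at is None or now < g.expires_at)
                   for g in self.grants)
        self._log("access", identity=identity, scope=scope, allowed=live)
        return live

    def standing_privileges(self) -> List[Tuple[str, str]]:
        # Practice 3: the report of what still needs converting from standing to JIT.
        return sorted((g.identity, g.scope) for g in self.grants if g.expires_at is None)

    def expire(self, now: datetime) -> int:
        # Revoke lapsed grants; returns how many were removed.
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at is None or now < g.expires_at]
        self._log("expired", count=before - len(self.grants))
        return before - len(self.grants)


def demo() -> dict:
    """Walk one human and one non-human identity through the broker."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    b = Broker({"alice": "developers", "ci-deploy-bot": "ci-pipelines", "legacy-svc": "developers"})
    b.add_standing("legacy-svc", "prod-db:admin")                      # the thing to get rid of
    b.request_jit("alice", "prod-db:admin", timedelta(minutes=45), "INC-1234 hotfix", "bob", t0)
    too_long = b.request_jit("alice", "prod-db:admin", timedelta(hours=8), "INC-1234", "bob", t0)
    b.request_jit("ci-deploy-bot", "prod-deploy:write", timedelta(minutes=15), "release 1.2", "pipeline-gate", t0)
    off_policy = b.request_jit("ci-deploy-bot", "prod-db:admin", timedelta(minutes=5), "curious", "bob", t0)
    return {
        "alice_now": b.authorize("alice", "prod-db:admin", t0 + timedelta(minutes=10)),
        "alice_later": b.authorize("alice", "prod-db:admin", t0 + timedelta(hours=2)),
        "bot_now": b.authorize("ci-deploy-bot", "prod-deploy:write", t0 + timedelta(minutes=5)),
        "bot_off_policy_granted": off_policy is not None,
        "too_long_granted": too_long is not None,
        "legacy_a_year_later": b.authorize("legacy-svc", "prod-db:admin", t0 + timedelta(days=365)),
        "standing": b.standing_privileges(),
        "revoked": b.expire(t0 + timedelta(hours=2)),
        "audit_events": len(b.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the walk-through is the contrast: the standing grant for legacy-svc still authorizes a year later and shows up in the report to be converted, while both JIT grants stop working on their own and are reaped by the expiry pass, and every decision (including the two refusals) leaves an event behind. In a real deployment the grant would be realized as a short-lived cloud credential or a time-bounded role binding issued by the provider's IAM rather than an in-memory list, but the checks, the expiry and the audit trail are what to look for in a product.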

Summary

Assessing risk is specific to your organization. However, when it comes to building and selling your cloud security strategy, risk should be the cornerstone.

Be sure to keep your strategy simple, visual and based on established best practices and frameworks.

To successfully sell your strategy to key stakeholders, you will need their buy-in. Demonstrate how your strategy improves your security posture and facilitates business priorities: “Because we’ve deployed JIT permissions for human and non-human identities, developers can access the tools they need quickly and safely. This elevates our posture and accelerates velocity.”

Next Steps

The first step is identifying team members with whom you can form a security risk group. Next, identify the key stakeholders in the various business departments of your organization. Then, list relevant risk scenarios and adopt a control framework that is customized to your needs and risk tolerance. Finally, with an understanding of the priorities of each department, and the security risks they face, develop your strategy overview and make plans to incorporate control scores, risk pictures, and desired outcomes.

Building and selling a successful cloud security strategy is not easy. But the recommendations here will help you frame the strategy around your organization’s business and security priorities.

Best of luck!


John Morton

John Morton is a seasoned cybersecurity defender, learn-by-doing enthusiast and hacking tinkerer. His accomplishments include numerous vendor technical sales MVP awards, and he is a US Navy submarine service veteran.
