Apr 9, 2025

By Alon Diamant-Cohen

Keys to achieving continuous cloud security | Part one

As cyber threats evolve, robust cloud security is essential for protecting your business. However, creating a continuous cloud security program can be complex. Our team simplifies this process into three phases to enhance your program’s maturity. Explore part one of this three-part series now.

A Three-Part Series to Help You Mature Your Program

Cloud technology has many benefits, including scalability, flexibility, and operational efficiency. It also introduces new risks. Without a deliberate cloud security strategy, you risk exposing sensitive data, which can lead to breaches and significant financial or reputational losses.

While there are many strong cloud security tools on the market, tools alone do not address the whole cloud security picture. A tool may provide highly targeted relief for a specific issue without delivering broad strategic improvement. This is especially true for tools that are deployed with generic onboarding defaults, without policy guidance, or without custom controls.

To improve cloud security, a holistic approach is necessary. This includes not only utilizing tools but also global, provider-agnostic governance and controls, along with role-specific access, policies, and reporting. Adding this layer of customization on top of best-practice configurations is an important maturity milestone and an impact multiplier: it turns tactical fixes into long-term, strategic solutions that streamline operations and free skilled staff for other work.

While that may seem daunting, it becomes easier when you break it down into three cloud security maturity stages.

  • Stage 1: Define Current State & Implement Global Governance
    This foundational stage focuses on developing clear, provider-agnostic, and enforceable standards, expressed through a standardized reference architecture, Infrastructure as Code (IaC) baselines, and global preventative controls.
  • Stage 2: Achieve & Maintain Continuous Cloud Compliance
    Often referred to as “getting to green,” this stage focuses on global policy alignment, ticketing and response integration, and third-party governance. It also involves building and maintaining a cloud asset inventory so that unauthorized technologies can be detected.
  • Stage 3: Shift Enterprise Cloud Security Program to the Left
    This stage embraces shift-left policies that let DevOps and security teams work in parallel, strengthening overall posture. It means applying security measures early in the development process, including code security practices.

Through these three stages, you can systematically mature your cloud security program, ensuring robust, scalable, and efficient security measures that align with your strategic goals. In this series, we will outline the details of each stage and how to implement it.

Let’s dive into Stage One: Define Current State & Implement Global Governance.

Defining Current State

Establishing a Comprehensive Understanding of Your Cloud Security

The first step in maturing your cloud security program is to thoroughly understand its current state. This means collecting data through interviews and in-person sessions so that you have the qualitative context needed to curate and prioritize insights, strategy, and policy.

At this stage, it’s also important to develop clear, provider-agnostic, and enforceable standards. These standards should apply uniformly across your platforms and be backed by automated executive reporting so that compliance can be demonstrated continuously.

While this may seem challenging, focusing on the following areas can help overcome common obstacles in assessing your current state:

  • Interview Diverse Teams
    Engage the cloud security team as well as broader IT teams, including network, identity, GRC, and other relevant departments, to ensure you get a holistic view of your current security posture.
  • Achieve Unified Visibility
    Get unified visibility across your cloud platforms (AWS, GCP, Azure), on-premise infrastructure, and SaaS technologies. Numerous tools can help with this, but Cloud Native Application Protection Platforms (CNAPPs) such as Wiz, CloudGuard, and Orca are purpose-built to tackle this challenge and simplify the process. The best CNAPPs offer a simple, clear query language that lets you express custom, provider-agnostic controls.
  • Translate Standards
    Convert regulatory, legal, and business-driven internal governance standards into provider-agnostic cloud policies that can be applied to the existing cloud estate.
  • Establish Shift-Left Baselines
    Work to establish flexible shift-left policies that support the development team rather than hinder it. Some organizations develop these in tandem with the shift-right operational policies; if no controls exist yet, defer this work to stage two. More details will be discussed in part two of this blog series.
  • Integrate Operationally
    Adapt policies to the tools you already run and add an observability layer across that tool estate to enhance monitoring and compliance.
  • Measure Maturity
    Establish a clear scale, metrics, and methodology to assess the maturity of your cloud security program.

By focusing on these key areas, you can effectively define the current state of your cloud security and lay a strong foundation.

Implementing Global Governance

Key Actions for the First Stage of Cloud Security Maturity

After establishing your current state, it’s crucial to implement specific actions that align with your governance goals. These steps will help establish a foundation for effective cloud security and facilitate your journey toward compliance.

Investing effort in reviewing existing policies and resources, and in interviewing team members for history and context, is crucial. A tool-only approach is not ideal, but a tool-driven approach, specifically one built around a CNAPP, can create unified observability without extensive maintenance, freeing the team to focus on policy creation and data collection. This enables data-driven decisions and a robust, scalable cloud security program.

  • Achieve Unified Observability Across Cloud Platforms
    Implement a CNAPP to unify cloud security into a single platform with a provider-agnostic query language. This simplifies standardized elements such as agnostic cloud policies, reference architectures, preventative controls, and IaC baselines. Use a Capability Maturity Model Integration (CMMI) scale to assess maturity across seven domains.
  • Develop Standardized Reference Architecture
    Create provider-agnostic reference architectures that integrate built-in, third-party, and custom frameworks tailored to your organization’s needs, addressing enterprise-specific requirements such as mandating a specific endpoint security agent.
  • Implement Global Preventative Controls to Stop the Bleeding
    Establish global preventative policies, such as AWS Service Control Policies (SCPs), to harden your cloud estate and enforce least privilege. Consider controls such as internal IP allowlists, technology allowlists, IP blocklists, standardized asset tagging, and an allowlist of permissible cloud services.
  • Establish Shift-Left Baselines to Prevent New Risks
    Embed policies in your CI/CD pipelines and development tooling through CLI checks, IDE extensions, IaC baselines, and code scanning. This catches noncompliance early, routes the alert to the right people immediately, and prevents risks from being introduced at all, integrating security into the development process.
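The preventative controls listed above, worked through as an added example that is not part of the original post: a deny-only SCP that encodes an internal IP allowlist, a permissible-services allowlist, and the tagging standard, plus a small evaluator that models how AWS applies it (an explicit Deny wins; the default FullAWSAccess Allow is assumed to still be attached) so the policy can be checked against sample API requests before it is attached to an OU. The CIDR ranges, approved-service list, tag key, and account ID are assumed placeholders; the evaluator implements only the three condition operators this policy uses and is not a substitute for the IAM policy simulator.

```python
"""Deny-only AWS SCP plus a deliberately reduced model of AWS policy evaluation.
Added example, not code from the original post. Assumes FullAWSAccess is still
attached, so a request is blocked by the SCP only if some Deny statement matches.
IP ranges, account ID, service list and tag key are constructed placeholders."""
import fnmatch
import ipaddress
import json

CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]      # RFC 5737 ranges (constructed)
APPROVED_SERVICES = ["ec2:*", "s3:*", "iam:*", "sts:*", "kms:*",
                     "logs:*", "cloudtrail:*", "cloudwatch:*"]   # assumed allowlist

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Internal IP allowlist. aws:ViaAWSService=false keeps AWS services that
            # call other services on your behalf (no aws:SourceIp) from being denied.
            "Sid": "DenyAccessOutsideCorporateNetwork",
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": CORPORATE_CIDRS},
                          "Bool": {"aws:ViaAWSService": "false"}},
        },
        {   # Permissible-services allowlist, written as a Deny on everything NOT listed.
            "Sid": "DenyUnapprovedServices",
            "Effect": "Deny", "NotAction": APPROVED_SERVICES, "Resource": "*",
        },
        {   # Standardised asset tagging: refuse instance launches missing the required key.
            "Sid": "DenyUntaggedEc2",
            "Effect": "Deny", "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
        },
    ],
}


def scp_json() -> str:
    """The policy as the JSON document you would attach via AWS Organizations."""
    return json.dumps(SCP, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    # IAM action names are case-insensitive and use '*'/'?' wildcards; resource ARNs
    # are folded to lower case here too for simplicity.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_ok(op: str, key: str, values, ctx: dict) -> bool:
    actual = ctx.get(key)
    if op == "Null":                     # "true" means the key must be absent
        return (actual is None) == (values[0] == "true")
    if op == "Bool":                     # non-negated operator: missing key never matches
        return actual is not None and actual.lower() == values[0].lower()
    if op == "NotIpAddress":             # negated operator: missing key always matches
        if actual is None:
            return True
        ip = ipaddress.ip_address(actual)
        return not any(ip in ipaddress.ip_network(v) for v in values)
    raise NotImplementedError(f"condition operator {op} is not modelled")


def _statement_applies(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    if "Action" in stmt:
        hit = any(_glob(p, action) for p in _as_list(stmt["Action"]))
    else:                                # NotAction: statement covers every other action
        hit = not any(_glob(p, action) for p in _as_list(stmt["NotAction"]))
    if not hit or not any(_glob(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    # Operators inside one Condition block are ANDed; the values for one key are ORed.
    return all(_condition_ok(op, key, _as_list(vals), ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, vals in pairs.items())


def denying_sids(action, resource, source_ip, tags=None, via_aws_service=False):
    """Sids of statements that deny the request; [] means the SCP does not block it."""
    ctx = {"aws:SourceIp": source_ip,
           "aws:ViaAWSService": "true" if via_aws_service else "false"}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in (tags or {}).items()})
    return [s["Sid"] for s in SCP["Statement"]
            if s["Effect"] == "Deny" and _statement_applies(s, action, resource, ctx)]


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/*"   # constructed ARN
    print(denying_sids("ec2:RunInstances", instance, "203.0.113.10", {"CostCenter": "4711"}))
    print(denying_sids("ec2:RunInstances", instance, "192.0.2.5"))
    print(denying_sids("sagemaker:CreateNotebookInstance", "*", "203.0.113.10"))
```

Attach a policy like this to a sandbox OU first. The IP allowlist statement in particular needs an exception for CI runner egress addresses and for a break-glass role (typically an ArnNotLike condition on aws:PrincipalArn), or it locks out your own automation; the aws:ViaAWSService guard is there because NotIpAddress treats a missing aws:SourceIp as a match, which would otherwise deny service-to-service calls.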

By following these foundational actions, you can cultivate a robust governance framework that aligns with strategic goals, leading to a more secure and compliant cloud environment.
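A shift-left counterpart to the same tagging standard, as an added example that is not the post's own tooling: a CI step that reads the JSON from `terraform show -json plan.out`, fails the pipeline when a taggable resource lacks the required tag or a security group opens an admin port to the world, and reports the offending resource address so the alert reaches the owning team. The plan fragment, tag key, and rule set are constructed for the example; the resource field names follow the Terraform AWS provider schema.

```python
"""Shift-left baseline check over a Terraform plan, meant to run in CI.
Added example, not from the original post. The plan below is constructed
to exercise both rules; the tag key and admin-port list are assumed."""
import json
import sys
from pathlib import Path

REQUIRED_TAGS = {"CostCenter"}                                   # tagging standard (assumed)
TAGGABLE_TYPES = {"aws_instance", "aws_s3_bucket", "aws_security_group"}
ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _opens_admin_port_to_world(rule: dict) -> bool:
    """True for a security-group ingress rule exposing an admin port to any address."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & WORLD_CIDRS:
        return False
    if rule.get("protocol") == "-1":                             # "-1" means all traffic
        return True
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_plan(plan: dict) -> list[dict]:
    """Return one finding per baseline violation among the planned resources."""
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["delete"], ["no-op"]):                   # only inspect what will exist
            continue
        after = rc["change"].get("after") or {}
        if rc["type"] in TAGGABLE_TYPES:
            missing = REQUIRED_TAGS - set(after.get("tags") or {})
            if missing:
                findings.append({"address": rc["address"], "rule": "required-tags",
                                 "detail": "missing tag(s): " + ", ".join(sorted(missing))})
        if rc["type"] == "aws_security_group":
            for rule in after.get("ingress") or []:
                if _opens_admin_port_to_world(rule):
                    findings.append({"address": rc["address"], "rule": "no-world-admin-ingress",
                                     "detail": f"{rule.get('from_port')}-{rule.get('to_port')}/"
                                               f"{rule.get('protocol')} open to the world"})
    return findings


# Constructed fragment in the shape `terraform show -json plan.out` emits.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"instance_type": "t3.micro",
                              "tags": {"CostCenter": "4711", "Owner": "web-team"}}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "corp-logs-example", "tags": None}}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"],
                    "after": {"tags": {"CostCenter": "4711"},
                              "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                           "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_instance.old", "type": "aws_instance",
         "change": {"actions": ["delete"], "before": {"tags": {}}, "after": None}},
    ],
}


def main(argv: list[str]) -> int:
    """Usage: python check_plan.py [plan.json]; exit 1 on any finding so CI fails."""
    plan = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_PLAN
    findings = check_plan(plan)
    for f in findings:
        print(f"{f['rule']}: {f['address']}: {f['detail']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Deleted resources are skipped because the check is about what the apply will leave running; replacements (actions `["delete", "create"]`) are still inspected through their `after` state. Keeping the rule set and the runtime SCP aligned on the same tag key is what makes the control consistent across the shift-left and shift-right sides.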

What’s Next?

Maturing your cloud security is a daunting but necessary task. It requires a candid, data-driven analysis of your current state. Establishing clear, measurable standards for maturity allows you to define your current state, future objectives, and useful KPIs consistently. Keep an eye out for the next blog in this series, which delves into the details of Stage Two: Achieve & Maintain Continuous Cloud Compliance.
