Cloud Security Knowledge Sharing By Guy-Bertrand Kamga

To promote a Secure Cloud-Based Digital Transformation

DevSecOps in Azure

Azure is one of the most popular cloud platforms used today to support the business transformation of many organizations.

These transformations are implemented in an agile mode and with a DevOps culture.

To help Azure customers integrate security into their DevOps cycles, Microsoft released the Secure DevOps Kit for Azure (AzSK), a framework initially developed for its internal staff to secure Microsoft's own infrastructure.

The AzSK framework helps Azure customers integrate security at every stage of the DevOps lifecycle.

The following posts I released on Peerlyst (an InfoSec community) can help you get started with this framework:

Defining Effective Cloud Security Baseline

One key aspect of an effective Cloud Security Strategy is to have an organizational Cloud Security Policy defined and enforced.

An organization adopting cloud technologies without an effective Cloud Security Policy will certainly put the whole organization at risk.

I released an article entitled “How to define and implement an effective Cloud Security Policy” on the Peerlyst security community, showing how an organization can formalize the way it wants to benefit from cloud technologies without jeopardizing its assets.

To facilitate and support a seamless and effective application of its Cloud Security Policy, an organization should then define Cloud Security Baselines describing how that policy should be implemented on each main cloud platform or solution.

For this purpose, I released on the Peerlyst security community a series of articles that share some insights on the establishment of effective Cloud Security Baselines.

Those articles include:

  1. How to define effective Cloud Security Baselines
  2. How to define effective Cloud Security Baselines – Part 2
  3. How to define effective Cloud Security Baselines – Part 3: Application to Microsoft Azure

Introduction to Microsoft Azure Security

According to several studies, including the RightScale 2018 State of the Cloud Report, although Amazon Web Services (AWS) remains the leading platform in the worldwide public IaaS/PaaS cloud market, the adoption of Microsoft Azure is growing faster than that of AWS.

Thanks to the significant Microsoft footprint (e.g. Windows, Office tools, Active Directory, etc.) within most organizations, Microsoft Azure is often selected as the strategic platform for implementing public and/or hybrid cloud solutions.

If this is the case for your organization, or you simply want to understand the Microsoft Azure security capabilities, the series of posts I released on Peerlyst (a web community of security professionals) might interest you.

These posts include:


Dealing with Shared Responsibility Model in public Cloud

Cloud computing radically changes the way computing services are provided and consumed; both cloud service providers and cloud service customers need to adapt to this new information technology service delivery model.

On the one hand, with public cloud services, customers rent resources (e.g. software or applications, platforms, servers, etc.) running on platforms owned and operated by external service providers. Cloud customers generally pay for the services in proportion to their consumption (the pay-as-you-go billing or pricing model), and they can automatically scale (horizontally or vertically) according to their needs. These are only a few of the numerous benefits of public clouds.

On the other hand, public clouds are platforms shared among many customers (including competitors, hackers, criminal organizations, etc.). That is why, ever since the first public cloud service offering was launched by Amazon Web Services (AWS) in 2006, security and compliance risks have always been among the top barriers to public cloud adoption.

When it comes to security in the public cloud, one of the main concepts to understand is the Shared Responsibility Model.

I released on Peerlyst (a web community of security professionals) a series of 3 posts focusing on shared responsibility in the public cloud.

In the first post, you will learn some tips that help in understanding how security responsibility is shared between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC), and how a cloud customer should take this aspect into account when defining and implementing its cloud security strategy.

In the second post of the series, I provided some tips that can help a CSC build a detailed view of shared responsibility in the public cloud. I particularly highlighted how important a clear understanding of the chain of responsibility on both the CSP and CSC sides is, as well as the key role of a cloud security RACI matrix.

In that second post, I also briefly introduced a Cloud Responsibility Checklist, which can help a CSC evaluate to what extent its security responsibilities in a public cloud are under control.

In the third and last post of the series, I proposed a process that a CSC can use to keep control of the shared responsibility model in the public cloud. This process includes the following 3 main steps:

  • Clarification of the responsibility scope
  • Identification and agreement on the responsibility delimitation with the CSP & partners
  • Evaluation of the alignment to the CSC’s cloud strategy

This process helps a CSC not only ensure that it understands and takes care of its own responsibilities in the cloud, but also make sure that the CSP and all involved partners have formally agreed with the CSC on their respective scopes of responsibility.

Pyramidal view of Cloud Security Risks

As I described in most of my previous articles, defining and implementing an effective cloud security strategy requires the involvement of several stakeholders within and outside an organization.

Indeed, defining and implementing the cloud security strategy within an organization should involve people from diverse entities, including:

  • Business Groups or Units
  • Information Technology (IT)
  • Cyber Security
  • Procurement and Supply Chain
  • Legal & Compliance
  • External partners (Cloud Service Providers, IT partners, Managed Service Providers, etc.)

Involving all these diverse profiles ensures, on the one hand, that most aspects will be taken into account in the cloud security strategy; on the other hand, it may lead to endless debates, as the members will not have the same level of knowledge of cloud computing.

Learn in this article posted on the Peerlyst community the common positions or attitudes of stakeholders with regard to cloud security, as well as the multi-level or pyramidal view of cloud security risks.

Key Management Models for Public Cloud Services

Key management is one of the important aspects a Cloud Service Customer (CSC) should carefully address in order to enable proper data protection in public cloud environments.

There are several possible key management models or strategies, and the right choice depends on your business requirements and risk appetite.

In this article I published in the Peerlyst community, you can learn about different strategies for key management in the public cloud, as well as examples of baseline policies for managing encryption keys in public cloud services.

Tips for cloud security policy definition and implementation

A cloud security policy is a key item of a cloud strategy, as it drives all the cloud security activities an organization requires to ensure a secure and safe journey to the cloud.

If you are looking for a methodology to define and implement an effective cloud security policy for your organization or for one of your customers, this article I published on the Peerlyst community might be of interest to you.

Introduction to Cloud Governance

Cloud computing is very attractive as a business transformation enabler, but obtaining the maximum benefit from the cloud does not come by default.

Learn in this article published on the Peerlyst community how to leverage Cloud Governance to make your cloud adoption a success for your organization.

Integrating public cloud with on-premises applications

In this article I posted on the Peerlyst community, I describe the 3 main pillars for integrating public cloud services with on-premises applications and systems.

Guide for selecting a Cloud Service Provider

If you are looking for an effective approach to selecting a Cloud Service Provider who can help you get the most out of the cloud's benefits, this article published on Peerlyst can provide you with some insights.