Cloud Security Process

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> We've talked about the risks
00:00
of the various service models,
00:00
as well as the various deployment models
00:00
>> and their risk.
00:00
>> Now, we're going to talk about
00:00
the Cloud security process at a very high level.
00:00
In this lesson, we're going to talk
00:00
about the Cloud security process,
00:00
the security considerations
00:00
>> for each step of the process,
00:00
>> and also stakeholder considerations
00:00
>> in the Cloud process.
00:00
>> This diagram is provided by
00:00
the Cloud Security Alliance
00:00
>> and I think it really lays out the high-level steps
00:00
>> for determining Cloud security in a very succinct way.
00:00
>> The first step is to identify requirements.
00:00
Now, when we're thinking about security
00:00
and specifically Cloud security,
00:00
there always has to be a business case
00:00
for why it makes sense to go to the Cloud.
00:00
It doesn't mean no business just says, ''Oh,
00:00
I think this is cool, I think we're going to do this.''
00:00
The first step is to identify the requirements
00:00
>> based on the business case.
00:00
>> How is your business really leveraging the Cloud?
00:00
Well, either the service models
00:00
>> or the deployment models
00:00
>> to expand what they do
00:00
>> and gain a competitive advantage.
00:00
>> Then based on that,
00:00
what are the inherent risks
00:00
in what they're trying to do in the Cloud?
00:00
How will the backups work?
00:00
How is processing activities?
00:00
How are they going to be monitored?
00:00
Who needs access to this?
00:00
What are the real services
00:00
>> or applications that are going to be
00:00
>> hosted out there in the Cloud,
00:00
and how are they going to be supported?
00:00
This step is really about the why,
00:00
and it really drives all of the other security concerns
00:00
because security is really about
00:00
managing risk and reducing it to levels
00:00
>> that are acceptable within the organization's
00:00
>> risk tolerance and risk appetite.
00:00
Then we move on to selecting a provider,
00:00
a service, and deploy a model.
00:00
We established the why in the first step.
00:00
Now, we're really investigating the vendors
00:00
>> and trying to figure out
00:00
>> which of these vendors truly meets our needs.
00:00
>> This is when vendor management
00:00
is a critical consideration,
00:00
being able to interpret those risks
00:00
>> that are associated with vendors.
00:00
>> Many of them that we've talked about
00:00
>> such as vendor lock-in and lock-out,
00:00
>> being able to effectively look at
00:00
any documentation providers
00:00
>> based on their controls or third-party audits
00:00
>> and look for any holes or gaps
00:00
>> that might be missing
00:00
>> based on your business requirements
00:00
>> and the controls that they have in place.
00:00
Step 3 is defining the architecture.
00:00
This is really where they say a picture
00:00
>> is worth a thousand words.
00:00
>> That's really what's going on in the architecture step
00:00
>> is looking and building a picture of all the servers,
00:00
>> all the applications, all the APIs,
00:00
really understanding fully
00:00
>> what the application is going to look like,
00:00
>> helps to inform
00:00
all the security considerations
00:00
>> between how our different applications and connections
00:00
>> going to securely authenticate to each other.
00:00
>> Are there places where we're going to have to use APIs
00:00
>> to connect to other applications
00:00
>> within our environment?
00:00
>> Is this a multicloud environment?
00:00
Well, we need to traverse across the Internet
00:00
and need to secure that data in transit.
00:00
Defining the architecture helps to really create
00:00
a solid picture of what you're really doing in the Cloud.
00:00
What are all the assets that need protecting?
00:00
How are these things communicating to each other?
00:00
How do those communication needs to be protected?
00:00
Storage. Things being stored
00:00
out in the Cloud and what are the parameters are on that,
00:00
as well as who is managing what.
00:00
That's always one of those critical aspects
00:00
that deal with the Cloud is
00:00
the shared responsibility between the provider and
00:00
then the customer or
00:00
potentially multiple providers and vendors.
00:00
Then we want to assess security controls.
00:00
We know the why,
00:00
we know who is involved in third-party perspective,
00:00
we know what the architecture
00:00
of what we're doing in the Cloud is
00:00
going to look like, and now,
00:00
we need to think about what security framework
00:00
and controls do we need applied,
00:00
what regulations are applicable
00:00
to our industry that need to be implemented?
00:00
When we're going to make a push and
00:00
leverage all those great characteristics of the Cloud.
00:00
Once those security controls have been identified,
00:00
then you really need to do the gap analysis.
00:00
What controls as an organization
00:00
already currently have in
00:00
place on an on-premise solution,
00:00
and then what do we need to do in the Cloud?
00:00
A lot of these gaps come around
00:00
third-party management, as we've said,
00:00
because you really don't necessarily
00:00
know completely what the controls are,
00:00
of these other organizations that may be responsible
00:00
for critical aspects of your Cloud infrastructure.
00:00
You need to build effective communication,
00:00
have effective contracts
00:00
>> and service level agreements to ensure
00:00
>> that these gaps are addressed or at least monitored,
00:00
>> and it put it in effective monitoring to ensure
00:00
>> that any indications of incidence or deviations
00:00
>> from performance are addressed quickly.
00:00
Then there's designing
00:00
>> and implementing of the controls.
00:00
>> You know, the why,
00:00
you know what standards you're trying to meet,
00:00
you know what your gaps are so now,
00:00
you really need to adapt any controls
00:00
>> to the Cloud environment to ensure that
00:00
>> they meet your organization's business objectives,
00:00
>> their risk objectives,
00:00
>> and then any security control requirements
00:00
>> based on the framework that you've chosen
00:00
>> to mitigate your risk or legal requirements.
00:00
>> Then, finally, you need to manage changes.
00:00
Remember, the Cloud is on the ability
00:00
>> to scale things up and break things down
00:00
>> and build environments when you want to.
00:00
>> There's a lot of change.
00:00
>> It's dynamic.
00:00
>> That's one of the benefits of moving to the Cloud.
00:00
>> However, from a security perspective,
00:00
you must manage that change.
00:00
Technology never just stays the same.
00:00
There are always new changes
00:00
>> in terms of what is available
00:00
>> and to Cloud new applications, new vendors,
00:00
>> as well as new threats that appear out there,
00:00
so you need to manage those changes
00:00
effectively to get the most out
00:00
of the Cloud in a secure manner.
00:00
Time for a quiz question.
00:00
What is the most important step
00:00
in the Cloud security process?
00:00
One, identify requirements, two,
00:00
define architecture, three,
00:00
designing and implementing controls.
00:00
Well, there's an argument to be made that
00:00
all of these are important.
00:00
I would argue that
00:00
identify requirements is really
00:00
the most important fundamental step because,
00:00
as I said, security is driven by the business case.
00:00
What does the business value
00:00
your organization is getting?
00:00
Then what are the risks that come
00:00
with that business case in putting it in the Cloud
00:00
because that is really going
00:00
>> to drive all the other steps
00:00
>> when it comes to security in the Cloud.
00:00
>> In this lesson, we talked about the steps
00:00
of the Cloud security process,
00:00
the security considerations at each step,
00:00
and how business needs
00:00
and controlling risks drive this whole process.
00:00
I hope you got a lot in this lesson.
00:00
I'll see you in the next one.
Up Next