Cloud Infrastructure Assessments


We all stand on the shoulders of giants. Pioneers and visionaries blazed trails before us, and we build upon their work and carry it in new directions. This is true of the entire food supply system, of health and medicine (both eastern and western), of mechanics, mathematics, physics, and anthropology, and especially of IT & Cybersecurity.

These giants before us, from the folks at DARPA who brought us the Internet, to Claude Shannon, whose information theory laid the groundwork for modern cryptography, to NIST for its innumerable contributions, to those who developed the programming languages and the computers that run them, all laid the foundations that let us see higher, reach further, and achieve bigger things.

What does this have to do with IT & Cybersecurity? Simply put: everything. Knowledge is transferred by willing Leaders to the leaders of tomorrow, foundations are examined and understood, and novel thinking is applied to build new homes atop those foundations. One critical foundation for Cybersecurity, established decades ago by these giants, is the truism of People, Processes, and Technology. It is a GIANT foundational component, and yet it remains elusive to Senior Leadership when they try to grasp what a solid #Cybersecurity program and real #Resilience look like in practice.

First, you must have the right people. This doesn't mean they need to be directly on your payroll; they can be an outsourced Supplier. But as a Leader, you have to take a hard look at your staff and evaluate their expertise, their propensity for growth, and their ability to align with the evolving and highly dynamic needs of the business. They need many skills, and it is a good bet that those with a legacy, on-premises mindset are not the right folks for adopting and securing a #Cloud infrastructure. Maybe this is why recent headlines flash about Organizations releasing their entire security departments; unfortunately, the flash is what people see instead of the Truth. It's easy to look from the outside and say, "how can you be secure if you let your security team go?" From there, big rabbit holes and social media spin go in useless circles, when perhaps the Truth is that the "security team" didn't have the right mix of expertise, vision, and capability, and has been replaced by a better team, even if outsourced.

Next, you must have the right processes. This sounds really simple, even boring, but it's another critical leg of this truism. Experts, and their use of tools, must be governed by the right processes in order to deliver the desired outcomes. I've seen countless examples over the years of organizations that buy tools and have experts play with them, but have no governing process for combining those tools and experts into actionable outcomes. This is a chief culprit in superb technology becoming shelfware: there was no process to define success criteria for tool adoption, to measure effectiveness, to act on the information, and no process for ongoing management.

Finally, technology must be "fit for purpose." For example, it makes no sense to buy a full-blown Threat Analytics platform simply because "you got the budget" if you haven't nailed down the logging mechanisms, access controls, visibility tools (e.g., intrusion detection systems, log alert conditions), and the right expertise, all governed by well-defined processes for dealing with the information the platform produces. In the People, Processes, and Technology model, Technology is very purposefully last in the list. It ought to be the very last consideration, but marketers and buyers have confused technology with the "solution" to whatever "problem" is being marketed this quarter.

Instead, the #Cybersecurity program should be aligned with the Corporate culture, the direction established by Senior #Leadership, and the expertise (in-house or outsourced) that will implement and manage the program. This brings us directly to the narrow topic of this post: Cloud Infrastructure Assessments. There are literally hundreds, if not thousands, of "tools" and technologies in the marketplace to evaluate Cloud Security posture. In my view, the technology you use matters far less than the expertise driving it. All tools perform functions, and the output of those functions is information. The expert's mission is to increase the signal-to-noise ratio and to define key action plans based on an interpretation of the information the tools produce.

To this point, free is an option! But it implies you have the right expertise to drive the tools and pick out the "signal" from all the noise. Commercial tools are great, but offer minimal value when deployed in half-hearted projects with limited focus or, worse, novice administration. Wrapping all of this up: to effectively evaluate your Cloud Security posture, you must step beyond GRC tools (which offer great integration but limited visibility) and consider more advanced options in order to understand the full breadth of your Cloud exposure across all security domains.

ScoutSuite, CloudMapper, and Prowler are excellent open source tools to explore for evaluating your #AWS or multi-Cloud security posture. They work by querying the cloud provider's APIs, so run them under dedicated read-only credentials (for AWS, the SecurityAudit and ViewOnlyAccess managed policies are the usual starting point) rather than an administrator's keys. Assuming you have the right expertise as outlined above, these tools yield significant insights and let you define key action plans for a prioritized remediation workflow. This is a solid approach to identifying and addressing weaknesses in your #Cloud deployment. Explore, evaluate, and derive the value of these tools to push your #Cybersecurity program well beyond what your #GRC tools are telling you, and deep into the realm of #Resilience.
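The "signal-to-noise" and "prioritized remediation workflow" work described above is where the expertise shows. As an added example (not code from the original post, and not the output format of ScoutSuite, CloudMapper or Prowler), the script below takes raw posture findings in a simplified, assumed schema, drops passes and documented exceptions, collapses repeated hits of the same check into one action item, and ranks what is left by severity and internet exposure. The account ID, ARNs and check names are constructed for illustration; a thin adapter from a real tool's JSON output to this schema would be needed in practice.

```python
"""Turn raw cloud-posture findings into a prioritized remediation plan.

Added example. The finding schema is a simplified ASSUMPTION for
illustration, not the real output format of Prowler, ScoutSuite or
CloudMapper; adapt real tool output into this shape before calling prioritize().
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Severity weights: tune these to the organization's own risk appetite.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1, "informational": 0}

# Constructed sample findings (hypothetical account, ARNs and check names).
SAMPLE_FINDINGS = [
    {"check": "s3_bucket_public_access", "status": "FAIL", "severity": "critical",
     "account": "111111111111", "region": "us-east-1",
     "resource": "arn:aws:s3:::corp-backups", "internet_exposed": True},
    {"check": "s3_bucket_public_access", "status": "FAIL", "severity": "critical",
     "account": "111111111111", "region": "us-east-1",
     "resource": "arn:aws:s3:::www-static-site", "internet_exposed": True},
    {"check": "s3_bucket_public_access", "status": "PASS", "severity": "critical",
     "account": "111111111111", "region": "us-east-1",
     "resource": "arn:aws:s3:::private-data", "internet_exposed": False},
    {"check": "iam_root_mfa_enabled", "status": "FAIL", "severity": "critical",
     "account": "111111111111", "region": "global",
     "resource": "arn:aws:iam::111111111111:root", "internet_exposed": False},
    {"check": "ec2_securitygroup_open_ssh", "status": "FAIL", "severity": "high",
     "account": "111111111111", "region": "us-east-1",
     "resource": "sg-0a1", "internet_exposed": True},
    {"check": "ec2_securitygroup_open_ssh", "status": "FAIL", "severity": "high",
     "account": "111111111111", "region": "us-east-1",
     "resource": "sg-0a2", "internet_exposed": True},
    {"check": "ec2_securitygroup_open_ssh", "status": "FAIL", "severity": "high",
     "account": "111111111111", "region": "eu-west-1",
     "resource": "sg-0a3", "internet_exposed": True},
    {"check": "cloudtrail_multi_region_enabled", "status": "FAIL", "severity": "medium",
     "account": "111111111111", "region": "global",
     "resource": "trail/main", "internet_exposed": False},
    {"check": "ec2_detailed_monitoring_enabled", "status": "FAIL", "severity": "low",
     "account": "111111111111", "region": "us-east-1",
     "resource": "i-0abc", "internet_exposed": False},
]


@dataclass
class ActionItem:
    """One remediation task: a failing check in one account, with every affected resource."""
    check: str
    account: str
    severity: str
    score: int
    resources: list = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.resources)


def finding_score(finding: dict) -> int:
    """Severity weight, doubled when the resource is reachable from the internet."""
    base = SEVERITY_WEIGHT.get(finding["severity"].lower(), 0)
    return base * 2 if finding.get("internet_exposed") else base


def prioritize(findings, accepted_risks=frozenset(), min_severity="low"):
    """Filter noise (passes, accepted risks, low severities), group, and rank."""
    threshold = SEVERITY_WEIGHT[min_severity]
    groups = defaultdict(list)
    for f in findings:
        if f["status"] != "FAIL":
            continue
        if f["resource"] in accepted_risks:  # documented exception, e.g. a public website bucket
            continue
        if SEVERITY_WEIGHT.get(f["severity"].lower(), 0) < threshold:
            continue
        groups[(f["account"], f["check"], f["severity"].lower())].append(f)

    plan = [
        ActionItem(check=check, account=account, severity=severity,
                   score=max(finding_score(i) for i in items),
                   resources=sorted(i["resource"] for i in items))
        for (account, check, severity), items in groups.items()
    ]
    # Highest score first; ties broken by how many resources the fix covers.
    plan.sort(key=lambda a: (-a.score, -a.count, a.check))
    return plan


def format_plan(plan) -> list:
    """Render one line per action item, suitable for a ticket or status report."""
    return [f"[{a.score:>2}] {a.severity.upper():<8} {a.check} ({a.account}) "
            f"x{a.count}: {', '.join(a.resources)}" for a in plan]


if __name__ == "__main__":
    exceptions = {"arn:aws:s3:::www-static-site"}  # intentionally public, risk accepted
    for line in format_plan(prioritize(SAMPLE_FINDINGS, accepted_risks=exceptions)):
        print(line)
```

The exceptions set is the part most teams skip: without a written, reviewed list of accepted risks, every scan re-raises the same known items and the real signal drowns. The weights are deliberately simple; whether an exposed high-severity security group outranks a root account without MFA is exactly the judgement call the expert, not the tool, must make.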
