Cloud Security Strategy
Welcome to the first article of the series "Cloud Security Strategy". The aim of this series is to show IT managers a procedure for implementing a cloud security strategy in a structured way within their IT infrastructure.
Designing and implementing a security strategy in highly regulated environments presents companies with significant challenges. The tension between productivity and usability on the one hand and security on the other is omnipresent. Workloads must be mapped efficiently onto the cloud infrastructure and users must be given a modern workplace, while the security requirements resulting from regulation must always be met.
A structured approach from the outset is the key to achieving this goal. Security helps create assurances of confidentiality, integrity, and availability for a business. Security efforts have a critical focus on protecting against the potential impact to operations caused by both internal and external malicious and unintentional acts.
To structure this process, Microsoft recommends a six-step approach. The goal of this process is to implement security, avoid obstacles in cloud adoption, and reduce unnecessary business or operational disruption.
Step 1: Establish essential security practices
Security in the cloud starts with applying the most important security practices to the people, process, and technology elements of your system. Additionally, some architectural decisions are foundational and very difficult to change later, so they should be applied carefully.
Step 2: Modernize the security strategy
Effective security in the cloud requires a strategy that reflects the current threat environment and the nature of the cloud platform that's hosting the enterprise assets. A clear strategy improves the effort of all teams to provide a secure and sustainable enterprise cloud environment. The security strategy must enable defined business outcomes, reduce risk to an acceptable level, and enable employees to be productive.
Step 3: Develop a security plan
Planning puts the security strategy into action by defining outcomes, milestones, timelines, and task owners. This plan also outlines the roles and responsibilities of the teams.
Security planning and cloud adoption planning should not be done in isolation. It's critical to invite the cloud security team into the planning cycles early, to avoid work stoppage or increased risk from security issues being discovered too late. Security planning works best with in-depth knowledge and awareness of the digital estate and existing IT portfolio that comes from being fully integrated into the cloud planning process.
Step 4: Secure new workloads
It's a lot easier to start in a secure state than to retrofit security later into your environment. We strongly recommend starting with a secure configuration to ensure that workloads are migrated to, and developed and tested in, a secure environment.
Step 5: Secure existing workloads
Many organizations have already deployed assets to enterprise cloud environments without applying the security best practices, creating increased business risk.
After you ensure that new applications and landing zones follow security best practices, you should focus on bringing existing environments up to the same standards.
Step 6: Govern to manage and improve security posture
Like all modern disciplines, security is an iterative process that should focus on continuous improvement. Security posture can also decay if organizations don't sustain focus on it over time.
Consistent application of security requirements comes from sound governance disciplines and automated solutions. After the cloud security team defines the security baselines, those requirements should be audited to ensure they're applied consistently to all cloud environments (and enforced where applicable).
Summary
Cloud security in a highly regulated environment is a complex topic and requires a structured approach to be successful. In the next articles in this series we will take a closer look at each of the six steps mentioned above and present good practices for making a cloud security strategy successful.