
How To Build A Security-First Cloud Framework That Puts You In Control

PwC Cloud and Digital Transformation
Updated Jul 21, 2022, 10:24am EDT

Cloud computing is completely transforming many organizations. But as it becomes mainstream, there’s a growing awareness of cloud’s impact on enterprise security — especially as companies look to adopt a security-first framework.

In a cloud-connected world, there’s a need for much broader foundational controls, along with cultural change. Why? Security is no longer the sole purview of a dedicated group of specialists who report to the CISO. Everyone now has a role to play, including software developers, business teams and IT staff.

Organizations that embrace a cloud-first security model stand to make substantial cybersecurity gains. It lets you move beyond ambulance mode — chasing down and fixing problems as they occur — to employing a framework that delivers proactive end-to-end visibility along with a high level of security automation.

A leading practice security model starts with the basic realization that rethinking security is essential to succeed. Tools, resources and systems that offered adequate protection in the legacy world likely aren’t equipped for cloud and multi-cloud frameworks.

Business and IT leaders increasingly recognize this. Almost a third (31%) of participants in a recent CIO Imperative webcast reported that governance challenges represent a moderate to extreme barrier to realizing cloud’s value. A quarter of them also reported challenges with integrating existing systems.

Security first starts with the CIO-CISO connection

Now the good news. Although cloud security (or securing your cloud-first workloads) may seem daunting, a more advanced cybersecurity framework doesn’t require a complete security reboot. Cloud can deliver a highly modular, flexible and automated security model. It also helps topple barriers that traditionally got in the way of business results.

Leading practice cloud security is a byproduct of strong and committed leadership. Nowhere is this more apparent than in the working relationship between the CIO and CISO. In many cases, there’s a need to rethink roles, responsibilities and tasks. This includes being sure that your teams are in sync and built for speed, as well as investing in people and continually adapting and updating processes and workflows as business conditions and clouds change and evolve.

When CIOs and CISOs team up, it’s possible to build the technical and cultural framework required for a powerful security-first model. This helps ensure that the technology matches security needs, the organization is adopting security controls consistently across clouds and applications and employees are on the same page. This approach also facilitates cross-pollination of ideas among groups and teams, addresses pockets of resistance and helps keep everyone and everything on track.

Once your CIO and CISO are in sync, here are three more crucial steps in building a cloud-native security model.

Step 1: Know your risks and define a clear security strategy

PwC’s Cloud Business Survey indicated that more than half (53%) of companies have yet to realize substantial value from cloud investments. One explanation is that relying on third-party cloud providers can increase vulnerabilities that erode trust in the business.

Companies may not always grasp the full spectrum of cloud risks. Insufficient or poor planning can yield slow, over-budget implementations. In fact, the survey showed that just 17% of chief risk officers (CROs) and chief audit executives are brought in to cloud projects at the planning stage. Most come to the table much later, during requirements gathering.

It’s critical to have security, risk and tech leaders working together to identify the right security platforms and tools and understand how to configure them for cloud-first security (more on this in the next section). In addition, employees should understand security expectations in order to drive consistent and effective adoption.

An advanced security framework doesn’t happen by chance. It’s important to recognize that security is now everyone’s job — from software developers and IT administrators to line of business users and the C-suite. As a result, there’s a need to balance a technology foundation with cultural and practical changes.

The goal should be to define a clear security strategy aligned to the enterprise cloud strategy. This includes identifying what security capabilities to prioritize as well as creating a clear roadmap to mature the security posture over a period of time. Challenge traditional mindsets and paradigms and identify opportunities to integrate and automate security as part of the cloud delivery model.

Step 2: Adopt the right technology platform and establish security guardrails

The smart approach is to embed security into systems rather than adding layers of security as an afterthought. Today, major cloud providers offer powerful products and services that easily plug into cloud platforms. Leverage these services and design right-sized cloud controls so that they are applied consistently across your cloud environments. Decide what requirements and controls are needed in your cloud environment and provide a clear framework for implementing cloud security. These services — including some that are included at no additional cost — simplify and automate countless tasks. Amazon Web Services (AWS), for example, offers security plug-ins for identity and access control; malware scanning; data discovery, classification and protection; key management; auditing; and automated security checks.

It’s important to understand the shared responsibility model employed in your cloud environments and fully recognize the controls that are solely the responsibility of the organizations using the cloud services. The foundations of cloud security can be classified broadly into five categories.

  1. Account management and governance: Organize workloads in a well-defined account structure based on risk and consumption patterns, so that account boundaries provide blast-radius isolation and governance, with a standardized set of controls suited to each account type. AWS Control Tower is one simple yet powerful way to set up prepackaged controls that govern and secure a multi-account AWS environment. Control Tower delivers a landing zone based on blueprints of leading practices and can be tailored to fit your organization’s needs. It offers a prepackaged group of guardrails for security, compliance and operations. As a result, distributed teams can provision new AWS accounts quickly while your CISO, IT team and others can rest assured that all accounts align with centrally established company-wide policies.
  2. Identity and access management (IAM): It’s critical to have a well-defined process and platform to manage access for users and applications in the cloud. It makes sense to rely on a centralized identity provider to manage identities, as it simplifies the management of access from a single place. AWS, for example, provides services and controls to manage identities as well as permissions. Implement SSO, MFA and strong credential management policies to secure the identities. Define policies and controls to manage the permissions required by users and applications. As the cloud footprint grows, it’s imperative to have automation to validate the process of providing and managing access. AWS offers a number of IAM policy services and controls to define permission guardrails.
  3. Infrastructure protection: Protect the critical assets in the cloud, including the network, compute and storage, by employing leading practices and effective controls based on frameworks such as NIST and CIS benchmarks. Define the network trust boundaries, system-hardening controls and appropriate policy enforcement points to take a holistic approach to securing the cloud infrastructure. You can control the network traffic and connectivity using AWS Transit Gateway and VPC controls. It’s also important to implement controls to inspect and filter traffic at each layer of the network. To secure compute resources, implement processes and controls to standardize hardening controls, perform vulnerability management and automate the process of detecting violations and enforcing remediation.
  4. Data protection: Understand the data being used in the environment and classify the data based on sensitivity. Leverage tags or labels for the data assets to apply appropriate security controls. Enforce encryption of data at rest and in transit. Implement key management and certificate management to control access to the data. AWS offers managed services to store and manage keys and certificates with appropriate access control.
  5. Security logging and monitoring: Visibility in the cloud environment is critical to detect anomalies and respond to incidents. Implement controls and processes to log and monitor activities in the cloud environment. Leverage services offered by your cloud provider to log account level activities, changes to resource configurations, service level and application level actions. CloudTrail, Config and CloudWatch are among the AWS services supporting this. AWS Security Hub is another service that can be used as a centralized location to aggregate and prioritize security alerts from multiple AWS services.
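The following is an added example, not code from PwC or AWS, showing what the "automate the process of detecting violations" and "log and monitor activities" items above look like in practice: a small set of detection rules run over CloudTrail records. The rules mirror common CIS AWS Foundations monitoring checks (root account use, console sign-in without MFA, a security group opened to the world, and changes that disable CloudTrail logging). The sample records are constructed for this example; the field names follow the CloudTrail record format, but the principals, ARNs and resource IDs are invented.

```python
import json

# Constructed sample CloudTrail records (hypothetical events; field names follow
# the CloudTrail record format, but every principal, ARN and ID here is invented).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {
         "groupId": "sg-0123456789abcdef0",
         "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/ci"}},
]

# A CloudTrail log file delivered to S3 wraps its events in {"Records": [...]}.
SAMPLE_LOG_JSON = json.dumps({"Records": SAMPLE_EVENTS})


def actor_of(event):
    """Best-effort principal name: IAM user name, else ARN, else identity type."""
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def is_root_account_activity(event):
    """Any API call made with root credentials is worth an alert."""
    return event.get("userIdentity", {}).get("type") == "Root"


def is_console_login_without_mfa(event):
    """Console sign-in where MFAUsed is anything other than 'Yes'."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    return event.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def is_security_group_open_to_world(event):
    """Ingress rule authorizing 0.0.0.0/0 or ::/0 on any port."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
        for rng in perm.get("ipv6Ranges", {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                return True
    return False


def is_cloudtrail_logging_change(event):
    """Calls that stop, delete or alter a trail reduce visibility and should page someone."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail"))


# Rule table: name used in findings, predicate over a single CloudTrail record.
RULES = [
    ("root_account_activity", is_root_account_activity),
    ("console_login_without_mfa", is_console_login_without_mfa),
    ("security_group_open_to_world", is_security_group_open_to_world),
    ("cloudtrail_logging_change", is_cloudtrail_logging_change),
]


def evaluate_events(events):
    """Run every rule over every event; return one finding per (event, rule) match."""
    findings = []
    for event in events:
        for rule_name, predicate in RULES:
            if predicate(event):
                findings.append({"rule": rule_name,
                                 "event": event.get("eventName"),
                                 "actor": actor_of(event)})
    return findings


def parse_records(text):
    """Parse the JSON body of a CloudTrail log file into its list of events."""
    return json.loads(text).get("Records", [])


if __name__ == "__main__":
    for finding in evaluate_events(parse_records(SAMPLE_LOG_JSON)):
        print(f"[{finding['rule']}] {finding['event']} by {finding['actor']}")
```

In a real deployment these predicates would sit behind an EventBridge rule or a Lambda triggered on CloudTrail log delivery and forward findings to Security Hub, which is the "centralized location to aggregate and prioritize" role described above. Keeping each rule a plain function over one record makes the rule set easy to unit-test and to version alongside the account baseline.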

A cloud-centric model lets you adopt and implement tools over time, meaning your organization can get going with a few key cloud security tools and expand from there. What’s more, this approach promotes the idea of embedding security early on and then building systems and capabilities around it. In this way, security can actually drive business transformation.

Step 3: Cultivate a security culture and refine your operating model to support the new cloud ecosystem

Business initiatives succeed through a combination of people, processes and technology. The people part of this equation is key. The broad and complex nature of enterprise security means that software developers, mobile app engineers, web designers, database custodians, CMOs and other business groups must all play a role in helping security teams to design and manage processes.

Gone are the days when only dedicated IT or security specialists handled tasks such as setting up identities, authentication and encryption as they arose. Automation eliminates many manual processes that took too long and were prone to error. Now security-related tasks get done quickly, accurately and automatically, allowing groups to spin up new initiatives with minimal drag.

AWS services make it possible to implement foundational security controls. When an organization identifies key security risks and builds in testing and security controls, a leading practice approach becomes possible. Silos can disappear, security gaps can close and a highly secure framework can emerge.

Accelerating innovation securely

Cloud introduces ways to fundamentally improve security and strengthen trust — while accelerating business innovation and transformation. When you establish a strategic foundation built on testing, visibility, automation and alignment, you can move into the realm of cloud-native or cloud-first security controls and equip your organization to navigate today’s business and cybersecurity challenges. With end-to-end visibility, monitoring and control, the burden of security eases and your organization can adopt a leading-practice business framework.

Learn more from PwC and AWS professionals on achieving continuous security in your journey to cloud native.