Challenges
Cloud computing is now an inevitable part of the technology transformation that the world is undergoing. Be it born-in-the-cloud fintech companies, traditional banks adopting digital transformation, or manufacturing firms implementing the Industrial Internet of Things (IIoT), cloud computing is everywhere. Where once companies refrained from adopting the cloud due to data ownership and security concerns, today boards are beginning to challenge CIOs to speed up cloud adoption.

Some of the key security challenges that CISOs are facing as they seek to enable businesses to adapt to the cloud are:

  • Ensuring businesses adopt cloud computing in a controlled fashion without the CISO becoming a bottleneck to technology transformation
  • Ensuring the contractual framework with the cloud service provider is in line with industry regulations and laws of the land
  • Ensuring secure data transfer between the on-premises infrastructure and the cloud
  • Ensuring secure connectivity between private and public clouds
  • Ensuring appropriate governance and oversight mechanisms over cloud service providers
  • Ensuring that the security features of cloud service providers such as AWS and Azure are properly understood and implemented
  • Managing identities across complex environments
  • Identifying assets and vulnerabilities in hybrid environments
  • Addressing the challenges of DevOps (no traditional security segregation between environments, dynamically changing production environments, container security, infrastructure as code, etc.)
  • Ensuring as far as possible that the cloud computing environment meets or exceeds the security posture of the organization

Our Cloud Security Program
The cloud security program that we propose to clients seeks to address these challenges whilst ensuring that businesses do not perceive security as a bottleneck:

Assess

  • Understand the current computing landscape of the organization
  • Understand the digital transformation roadmap
  • Use tools and interviews to analyze the extent of Shadow IT within the organization
  • Understand the legal and regulatory environment that impacts security and compliance requirements

Transform

  • Create a cloud security policy that lays down the rules for cloud adoption by the business
  • Evangelize the policy highlighting the risks and benefits of cloud computing
  • Create a cloud risk assessment framework for different cloud computing models (IaaS, PaaS, and SaaS)
  • Design secure data transfer, cloud connectivity, and secure access solutions for cloud computing
  • Implement security monitoring and continuous auditing mechanisms for cloud environments

Sustain
Implement a managed services security program that addresses the cloud computing environment of the client:

  • Continuous or periodic vulnerability assessments
  • Continuous security monitoring and incident response
  • Implementation of DevSecOps for application security
  • Designing and implementing a cloud security metrics program

Engagement models
Below is a representative list of some of the cloud security engagements we have done:

  • Build and implement a GDPR and PCI DSS compliance program for a born-in-the-cloud technology company
  • Conduct comprehensive security assessments for companies that run their entire business out of AWS or Azure environments
  • Design, develop and implement DevSecOps for a large bank as part of their Digital Transformation journey
  • Build a comprehensive cloud security checklist based on the Cloud Security Alliance’s guidelines for a retail giant
  • Implement a Cloud Access Security Broker for a client to discover the extent of Shadow IT and design a cloud security program for them
  • Implement a secure network design for an AWS client
  • Deploy BlueScope for AWS clients to enable 24/7 security monitoring and incident response
