This post is the final post in a series of eight on the five pillars to actionable cloud security. For the rest of the series, visit the Five Pillars blog page here.
“And one to bind them…” J.R.R. Tolkien
Earlier, we described an Actionable Cloud Security Framework as a loop, that feedback from one pillar feeds into the next, and the framework is continually being tuned and managed to comply with the best practices that were established as part of each pillar to keep the framework secure and compliant. In an era of heightened security risks and concerns, compliance is taking on new meanings, not simply as complying with specific mandated written policies, but with infrastructures that maintain data and security policies that support the mandates to which those organizations are trying to comply.Rich Turner wraps up his series on 5 pillars to a well-architected Azure security framework in this blog post on actionable security tools. Click To Tweet
To that end, a class of products is emerging, as services that monitor and manage organizations’ security postures. Some of these products are as basic as “benchmark checkers” that will evaluate an organization’s cloud security policies against industry standards such as CIS. Others aggregate the control planes used in the various pillars into single “pane-of-glass” management tools. Azure Security Center and Azure Graph are examples of such products in Azure.
Other solutions take this a step further: they aggregate the information provided by management tools, they provide network and infrastructure rules based on industry standard benchmarks, and perform ongoing evaluations of organizations’ cloud infrastructures. These solutions are looking for non-compliance, i.e. situations in which deviations have occurred regarding policies and benchmarks. These products may offer an automated remediation feature, but of equal importance is the context into which they describe such deviations. A policy deviation could be the result of a new software routine being developed at the organization, which will require a new policy going forward – or that deviation could be a developer inadvertently (or maliciously) exposing the infrastructure to compromises and threats. Left unmonitored, this policy “drift” can quickly move an entire organization into serious non-compliance.
This newest class of actionable security tools can alert IT administrators to such policy violations, and can suspend their actions until the administrator has reviewed the violation and its intent. These products also allow administrators to zero-in on deviations that could be occurring in an infrastructure of hundreds of workgroups, projects, and user groups and determine their potential impact. Finally, these solutions often include a robust monitoring and logging capability, which is an obvious “must have” for organizations’ compliance to newer data production rules like GDPR.
Conclusions and Next Steps
IT organizations are typically staffed to keep their respective companies or users secure and productive and operate within a defined company framework. Even those with extensive security understanding and cloud experience are best served by partners whose focus is architecting security.'Even companies with extensive security understanding and cloud experience are best served by partners whose focus is architecting security.' ~@rkturner1Click To Tweet
Once an organization has completed the exercise of defining their five pillars toward actionable cloud security, and developed a strategy to close gaps they identify during this process, they can work with that partner to implement tools and processes they have identified as keys to their actionable Azure security framework. These partners can also ensure that hybrid frameworks don’t hamper cloud migrations and leverage, but instead remain integral parts of the organization’s overall security framework.
Those organizations are also then able to focus on the real value they intend to extract from the cloud: digital and operational transformation. Organizations who understand their IAM framework, for example, can feel secure leveraging Azure services such as ML (Machine Learning) or AI (artificial intelligence) to build new and transformational workloads without compromising their own security frameworks.
What are an organization’s next steps in this process? Besides identifying a partner or partners to should part of the burden and ensure those organizations aren’t bogged-down by developing this actionable cloud security framework, organizations should:
- Identify the key processes within each of these pillars that affect their business operations
- Identify information which organizations must initially gather to create these pillars (as an example, the roles and permissions they need to extend across users and groups, or the definition of “at-risk” data, etc.)
- Identify “holes” in their existing security strategy and assess the criticality of each issue as well as which pillars it affects
- Identify both third party and native Azure services that can be leveraged to address security challenges
- Build-out a timeline during which organizations can deploy services, procedures, and policies and execute building their actionable cloud security framework
- Evaluate tools and services that will help keep their actionable cloud security frameworks secure – to proactively identify and remediate policy violations and preclude the policy “drift” that is inherent in any organization actively developing or deploying new versions and solutions.
About Barracuda Networks
With more than 1 million cloud-enabled products delivered since its inception, Barracuda Networks continues to disrupt the IT-security market with innovative solutions. We’re on a mission to protect customers, data and applications from today’s advanced threats by providing the most comprehensive and easy-to-use IT-security platform and backing it up with best-in-class customer support.
For Azure frameworks, Barracuda provides solutions that address common challenges that organizations encounter when building an actionable Azure Security Framework, including
- CloudGen Firewall – the industry’s first built-for-the-cloud network firewall, which combines SDWAN capabilities, virtually unlimited remote access, and all the security and management parameters with which IT organizations are familiar from their on-premises architectures – but built to provide security and visibility to and through Azure.
- CloudGen WAF – a highly-scalable web application firewall to provide Layer 7 security for web-facing applications, along with automated remediation and highly-granular rule sets that can be tailored by user and application.
- Cloud Security Guardian (CSG) – a service which operates across the control, management, and data places, that can configure and manage security controls and practices across an organization’s entire cloud architecture, and to detect non-compliance with these controls and remediate them to avoid risks and compromise.
Rich is the Director of Public Cloud Product Marketing at Barracuda. He joined the team as part of the acquisition of C2C Systems in 2014. Rich is one of Barracuda’s public cloud experts – he works directly with the cloud ecosystems and has been quoted in eBooks from Microsoft on public cloud security. He is also a frequent contributor to Barracuda’s own cloud blogs. For our cloud motions, he helps develop strategies and execution with our partners and sales teams.
You can email Rich at email@example.com.