It has long been said that by failing to prepare, you prepare to fail. It is no different when deploying organizational policies and uniform security guidelines across your cloud infrastructure. Learn how ISmile Technologies approaches Cloud Security Enablement with due diligence.
Prioritized Milestones & Discovery
ISmile Technologies takes a prioritized, milestone-based approach to evaluate business requirements for security enablement. As a result, our clients benefit from:
- Reduced overall project risk through increased duration and thoroughness of testing
- Prioritized security controls enablement in the environment
- Efficacy through aligning test execution with business functionality in the environment
At the beginning of the enablement timeline, we run a discovery phase, in which we evaluate all the resources that need to be deployed using IaC. This typically takes the form of a two-week sprint, where we review drawings, videos, and other documentation created by the Enterprise Architecture team. This team is hired by the stakeholder from an official cloud provider to create a cloud architecture for the stakeholder's purposes.
Following analysis of this documentation, we cross-reference best practices, the target architecture, and what is realistically feasible. The result is a requirements document that sets in stone what is to be created using Terraform/IaC and what dependencies those resources require.
For example, to provision a database on the AWS Cloud, you need to know what subnet the database will exist in and what CIDR block it will be accessible through. That subnet will also need to be hosted on a VPC with its own CIDR block, a routing table, a network access control list, a security group, and so on.
On top of that, the database must meet its security requirements. These are handled by a SecOps team that is aware of recommended principles and practices and that bases the database's connections to the rest of the cloud architecture on organization documents.
All of this information and more must be consolidated for the sake of creating a proper requirements document.
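The dependency chain from the database example above, written out as Terraform. This is an added example, not ISmile Technologies' own code: the resource names, CIDR blocks, availability zones, PostgreSQL engine and app-tier range are assumptions, and the network access control list is left at the VPC default to keep the block short.

```hcl
# Added example: names, CIDRs, AZs and engine are assumptions (region us-east-1).
resource "aws_vpc" "main" {
  cidr_block = "10.20.0.0/16"
}
# RDS requires a subnet group that spans at least two availability zones.
resource "aws_subnet" "db" {
  for_each          = { "us-east-1a" = "10.20.10.0/24", "us-east-1b" = "10.20.11.0/24" }
  vpc_id            = aws_vpc.main.id
  availability_zone = each.key
  cidr_block        = each.value
}

# Only the implicit local route: the database subnets get no internet path.
resource "aws_route_table" "db" {
  vpc_id = aws_vpc.main.id
}
resource "aws_route_table_association" "db" {
  for_each       = aws_subnet.db
  subnet_id      = each.value.id
  route_table_id = aws_route_table.db.id
}

# PostgreSQL only, and only from the assumed app-tier range; no egress rules.
resource "aws_security_group" "db" {
  vpc_id = aws_vpc.main.id
  ingress {
    protocol    = "tcp"
    from_port   = 5432
    to_port     = 5432
    cidr_blocks = ["10.20.1.0/24"]
  }
}

resource "aws_db_subnet_group" "db" {
  name       = "example-db"
  subnet_ids = [for s in aws_subnet.db : s.id]
}
# Private, encrypted at rest, master password kept in Secrets Manager.
resource "aws_db_instance" "db" {
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "appadmin"
  manage_master_user_password = true
  db_subnet_group_name        = aws_db_subnet_group.db.name
  vpc_security_group_ids      = [aws_security_group.db.id]
  publicly_accessible         = false
  storage_encrypted           = true
}
```

Every reference such as `aws_vpc.main.id` is a dependency Terraform resolves at plan time, which is why each of these values has to be fixed in the requirements document before implementation starts.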
The timeline of implementation and delivery of products is thus affected by the requirements document generated after discovery. For example, if the original specified delivery timeline was over 2 months, the requirements document generated in the discovery period may show that deadline to be impossible to meet. This would be communicated to the Enterprise Architecture team and the stakeholders so that a new, more appropriate deadline can be evaluated and agreed.
Implementation can begin after the discovery phase and confirmation of briefing with the Enterprise Architecture team. This includes:
- Designing and documenting the architecture to be provisioned with Terraform,
- Defining security controls and requirements for authentication,
- Including considerations from ISO-27001, NIST Cybersecurity Framework, ISO-22307, COBIT, PCI DSS 3.2.1, and CIS benchmarks
- Network security,
- Blob/file storage, and SQL DW,
- As well as mapping, documenting, implementing, and testing security controls for deployment.
In total, work on this stage of the enablement process can take anywhere from 4 to 6 months on an average timeline.
Moving on from implementation, the deliverables at the end include production and non-production environment specifications, architecture, security and controls, and the governance processes and procedures needed to adhere to security compliance. Additionally, operational processes and procedures for all tasks are required in both environments so that the architecture can remain stable even after consultation is complete.
The adoption of the cloud introduces a shared responsibility model for security. Consumers have the most responsibility with IaaS and the least with SaaS cloud models. This shared responsibility model can create confusion and risk exposures for cloud consumers if not properly understood and addressed.
Therefore, organizations should clearly define cloud security roles and responsibilities and verify that cloud vendor contracts, implementations, and control operations address gaps.
Having a security partnership capable of helping you ensure valid security controls can bring a competitive advantage to your business. For more information, Get Your Free Consultation.
A technology enthusiast passionate about automation, Gabriel Chutuape is a Cloud Engineer at ISmile Technologies. He's part of the ISmile Technologies Cloud enablement team that helps customers with design, solution, and project engineering, integrating and implementing infrastructure technologies and services.