Intelligent CISO Issue 12 | Page 42

Outside of single requests for a new or different capability, your organisation needs to rationalise the different needs for each, down to ‘collections’ of related needs. For example, consider SaaS for well-known, repeatable needs first, then look to move or re-deploy capability into IaaS or build natively in PaaS for efficient applications.

Security measurements are important when architecting a multi-cloud structure

First and foremost, avoid looking at your new cloud infrastructure as a separate environment. It’s not merely a new data centre, so an organisation also needs to consider how switching to a cloud infrastructure will shift how the organisation secures assets. Consider looking to resources like the MITRE ATT&CK matrix and the Center for Internet Security’s Basic and Foundational Controls list as a guide for answering this question: ‘In the future, how do I maintain unified visibility and security when I incorporate new cloud providers?’ For a successful multi-cloud migration, use your cloud access security layer and a platform that ultimately unifies your policy and threat identification approaches.

Identity is another common challenge area. Moving to the cloud at scale often requires your organisation to ‘clean up’ your identity directory to be ready and accommodating of shared sign-on. By using an identity management and/or aggregation platform to expose identity to well-known cloud services, you will be able to ease the cloud implementation burden and threat exposure of any given provider.

Ensure compliance

It’s important to know that your organisation’s compliance requirements are not mitigated or transmuted simply because the data has left your internal environment and entered the one your cloud provider(s) uses. As your organisation matures, the way you manage and align your cloud provider’s capabilities to your compliance requirements should evolve accordingly.

Initially, ensure that your company requires business unit executives to apply or accept the risk of compliance obligations where service providers may not have every requirement. Your legal team should be a part of the initial purchase decisions, armed with technical knowledge to help identify potential ‘rogue’ cloud services and policy guidelines that dissuade employees from adding services ‘on a credit card’ without appropriate oversight.

As your organisation gains more experience with the cloud, request that providers share copies of the SSAE16 attestations/audits. This, together with more formal due diligence processes, should become commonplace. Organisations looking to advance in this space would be well-advised to look at the Cloud Security Alliance’s STAR attestation and the associated Cloud Controls Matrix as a ready accelerator to benchmark cloud providers.

Secure buy-in from exec/c-level on a multi-cloud strategy

Use of cloud services should reflect the strategic focus of the business. Technology leaders can leverage the benefits of these services to underpin initiatives in efficiency, bringing innovation to market and controlling costs. To strengthen this message, technology department heads should consider the metrics and operations adjustments that will allow them to demonstrate the enhanced value of the cloud beyond just the bottom line. If you are trying to get exec/c-level buy-in, consider the following:

• How will you measure the speed of introducing new capabilities?
• Are new areas of value or product enhancement made possible through cloud services?

Issue 12 | www.intelligentciso.com