EXPERT OPINION
Outside of one-off requests for a new or different capability, your organisation needs to rationalise its various needs down into ‘collections’ of related needs and decide the right delivery model for each. For example, consider SaaS for well-known, repeatable needs first, then look to move or re-deploy existing capability into IaaS, or build natively in PaaS where an efficient, purpose-built application is required.
Security measurements are important when architecting a multi-cloud structure
First and foremost, avoid looking at your new cloud infrastructure as a separate environment. It is not merely a new data centre, so an organisation also needs to consider how switching to a cloud infrastructure will shift the way it secures its assets. Consider looking to resources such as the MITRE ATT&CK matrix and the Center for Internet Security’s Basic and Foundational Controls as a guide for answering this question: ‘In the future, how do I maintain unified visibility and security when I incorporate new cloud providers?’
For a successful multi-cloud migration, use your cloud access security layer together with a platform that ultimately unifies your policy and threat identification approaches across providers. Identity is another common challenge area. Moving to the cloud at scale often requires your organisation to ‘clean up’ its identity directory so that it is ready to accommodate shared sign-on. By using an identity management and/or aggregation platform to expose identity to well-known cloud services, you ease both the implementation burden and the threat exposure associated with any given provider.
Ensure compliance

It is important to know that your organisation’s compliance requirements are not mitigated or transmuted simply because the data has left your internal environment and entered the one your cloud provider(s) uses. As your organisation matures, the way you manage and align your cloud providers’ capabilities to your compliance requirements should evolve accordingly.

Initially, ensure that your company requires business unit executives to apply, or formally accept the risk of, compliance obligations where a service provider may not meet every requirement.

Your legal team should be a part of the initial purchase decisions, armed with technical knowledge to help identify potential ‘rogue’ cloud services, and with policy guidelines that dissuade employees from adding services ‘on a credit card’ without appropriate oversight.

As your organisation gains more experience with the cloud, request that providers share copies of their SSAE16 attestations/audits. This, together with more formal due diligence processes, should become commonplace.

Organisations looking to advance in this space would be well-advised to look at the Cloud Security Alliance’s STAR attestation and the associated Cloud Controls Matrix as a ready accelerator for benchmarking cloud providers.
Secure buy-in from exec/c-level on a multi-cloud strategy
Use of cloud services should reflect the strategic focus of the business. Technology leaders can leverage the benefits of these services to underpin initiatives in efficiency, bringing innovation to market and controlling costs. To strengthen this message, technology department heads should consider the metrics and operational adjustments that will allow them to demonstrate the enhanced value of the cloud beyond just the bottom line. If you are trying to get exec/c-level buy-in, consider the following:

• How will you measure the speed of introducing new capabilities?
• Are new areas of value or product enhancement made possible through cloud services?
Issue 12 | www.intelligentciso.com