Security perspective
The security perspective helps achieve the confidentiality, integrity, and availability of data and cloud workloads. It comprises nine capabilities. Common stakeholders include CISO, CCO, internal audit leaders, and security architects and engineers.
1. Security governance
Develop, maintain, and effectively communicate security roles, responsibilities, accountabilities, policies, processes, and procedures.
Ensuring clear lines of accountability is critical to the effectiveness of the security program. Understanding assets, security risks, and compliance requirements that apply to industry and organization will help prioritize security efforts. Providing ongoing direction and advice will help accelerate transformation by allowing teams to move faster.
Understand responsibility for security in the cloud. Inventory, categorize, and prioritize relevant stakeholders, assets, and information exchanges. Identify laws, rules, regulations, and standards/frameworks that apply to industry and organization. Perform an annual risk assessment on an organization. Risk assessments can assist in determining the likelihood and impact of identified risks and vulnerabilities affecting the organization. Allocate sufficient resources to identify security roles and responsibilities. Develop security policies, processes, procedures, and controls in line with compliance requirements and organizational risk tolerance; continuously update based on evolving risks and requirements.
2. Security assurance
Continuously monitor, evaluate, manage, and improve the effectiveness of security and privacy programs.
Organization, and the customers you serve, need trust and confidence that the controls that you have implemented will enable you to meet regulatory requirements and to effectively and efficiently manage security and privacy risks in line with your business objectives and risk tolerance. Document controls into a comprehensive control framework, and establish demonstrable security and privacy controls that meet those objectives. Review the audit reports, compliance certifications, or attestations that the cloud vendor has obtained to help understand the controls it has in place, how those controls have been validated, and that controls in the extended IT environment are operating effectively. Continuously monitor and evaluate the environment to verify the operating effectiveness of controls, and demonstrate compliance with regulations and industry standards. Review security policies, processes, procedures, controls, and records, and interview key personnel as required.
3. Identity and access management
Manage identities and permissions at scale.
You can create identities in the cloud or connect your identity source, and then grant users the necessary permissions, so they can sign in, access, provision, or orchestrate cloud resources and integrated applications.
Effective identity and access management helps validate that the right people and machines have access to the right resources under the right conditions. The cloud Well-Architected Framework describes relevant concepts, design principles, and architectural best practices to manage identities.
These include:
- relying on a centralized identity provider;
- leveraging user groups and attributes for fine-grained access at scale and temporary credentials;
- using strong sign-in mechanisms, such as multi-factor authentication (MFA).
To control access by human and machine identities to the cloud and your workloads, set permissions to specific service actions on specific resources under specific conditions. You should use the principle of least privilege, set permissions boundaries, and use service control policies so the right entities can access the right resources as the environment and user base grow. In addition, grant permissions based on attributes so your policies can scale, and continuously validate that your policies provide the protection that you need.
4. Threat detection
Understand and identify potential security misconfigurations, threats, or unexpected behaviors.
A better understanding of security threats will enable to prioritize protective controls. Effective threat detection will allow to respond to threats faster and learn from security events. Agree on tactical, operational, and strategic intelligence goals and overall methodology. Mine relevant data sources, process and analyze data, and disseminate and operationalize insights. Deploy monitoring ubiquitously within the environment to collect essential information and at ad hoc locations to track specific types of transactions. Correlate monitoring data from multiple event sources, including network traffic, operating systems, applications, databases, and endpoint devices to provide a robust security posture and enhance visibility. Consider leveraging deception technology to gain an understanding of unauthorized user behavior patterns
5. Vulnerability management
Continuously identify, classify, remediate, and mitigate security vulnerabilities.
Vulnerabilities may also be introduced with changes to existing systems or with the addition of new systems. Regularly scan for vulnerabilities to help protect against new threats. Employ vulnerability scanners and endpoint agents to associate systems with known vulnerabilities. Prioritize remediation actions based on the vulnerability risk. Apply remediation actions and report to relevant stakeholders. Leverage red teaming and penetration testing to identify vulnerabilities in system architecture. Seek prior authorization from your cloud provider as required.
6. Infrastructure protection
Validate that systems and services within workload are protected against unintended and unauthorized access and potential vulnerabilities.
Protecting infrastructure from unintended and unauthorized access and potential vulnerabilities will help elevate security posture in the cloud. Leverage defense in depth to layer a series of defensive mechanisms aimed at protecting data and systems. Create network layers and place workloads with no requirements for internet access in private subnets. Use security groups, network access control lists, and network firewalls to control traffic. Apply Zero Trust to your systems and data in accordance with their value. Leverage virtual private cloud (VPC) endpoints for private connection to cloud resources. Inspect and filter your traffic at each layer. For example, via a web application firewall or a network firewall. Use hardened operating system images and physically secure any hybrid cloud infrastructure on-premises and at the edge
7. Data protection
Maintain visibility and control over data, and how it is accessed and used in the organization.
Protecting your data from unintended and unauthorized access, and potential vulnerabilities, is one of the key objectives of the security program. To help you determine appropriate protection and retention controls, classify data based on criticality and sensitivity (for example, personally identifiable information). Define data protection controls and lifecycle management policies. Encrypt all data at rest and in transit, and store sensitive data in separate accounts. Leverage machine learning to automatically discover, classify, and protect sensitive data.
8. Application security
Detect and address security vulnerabilities during the software development process.
You can save time, effort, and cost when you find and remediate security flaws during the coding phase of an application, and have confidence in your security posture as you launch into production. Scan and patch for vulnerabilities in code and dependencies to help protect against new threats. Minimize the need for human intervention by automating security-related tasks across your development and operations processes and tools. Use static code analysis tools to identify common security issues.
9. Incident response
Reduce potential harm by consistently responding to security incidents quickly and effectively.
Educate security operations and incident response teams about cloud technologies and how an organization intends to use them. Develop runbooks and create a library of incident response mechanisms. Include key stakeholders to better understand the impact of choices on the broader organization. Simulate security events and practice incident response through tabletop exercises and game days. Iterate on the outcome of the simulation to improve the scale of response posture, reduce time to value, and further reduce risk. Conduct post-incident analyses to learn from security incidents by leveraging a standardized mechanism to identify and resolve root causes.