Control and Security
Compliance and risk are operational governance concerns. In developing our vision and strategy we have laid out the external and internal requirements that guide our decisions. A high level of automation is required to stay in control when transitioning to the cloud, and automation is itself an important operational governance tool.
Blind faith in the power of automation will not ensure happy outcomes. We have to stay in control of our controls and keep asking ourselves questions like:
- Does the automation work as expected?
- Where can we improve?
- Are we creating the proper logging trails?
- Are we complying with the standards we have set and the security levels that are expected of us?
- Do we feel in control of risk?
Let’s not forget that we are dealing with services provided by third parties, and it is our responsibility to check their compliance with our standards. Things to check on and demand from suppliers are:
- Audit/Assessment reports.
- Cloud Provider Certifications.
- Security Scans.
Setting up logging and auditing on IaaS and PaaS is absolutely necessary and does require some attention and configuration. The basic principles of auditing also apply here, but if you are engaging through an MSP you have to verify that the MSP actually delivers the logging and auditing you expect. The CCoE has an important role in supporting teams with design, exchanging knowledge, informing them of product updates on the subject and helping them set up the proper controls.
Process or Activity
- The CCoE has an important role in supporting teams with design, exchanging knowledge, informing them of product updates on the subject and helping them set up the proper controls.
Demarcation of Responsibilities
- Determine who is responsible for security in the cloud.
- The CCoE assists with selecting and setting up proper cloud controls.
To Do List
- Create security and risk response scenarios for cloud service chains.
- Draw up KPIs to monitor automation success and failure.