Planning Your Cloud Security Program

As we stated in the introduction to this blog post series, our purpose is to give you insight into the issues you should address when you are at the early stages of establishing a cloud security program.

If your organization is just starting out on its cloud security journey — whether it’s a rapidly growing startup or a more established company — it’s important to develop a strategic security roadmap that’s suited to its early-stage maturity level. You should not reasonably expect to go from no security or rudimentary security to a full-blown, encompassing program in one step. It’s far better to take a graduated approach by defining objectives that will give you reasonable protection now, that won’t drain your budget and resources (and possibly divert critical resources and attention away from your company’s primary business goals) — and that will also serve as a rock solid platform to build on when you want to move up to the next level of maturity on the cloud security ladder.

What you need is an end-to-end roadmap that will get you started in cloud security monitoring, address your first round of security concerns, and noticeably and measurably improve your security stance, all in a reasonable amount of time and for a reasonable expenditure of money and resources.  

And that’s exactly what we’ll do in this post: walk through five steps that will help you develop a strategic action plan that includes defined goals and is targeted at your organization’s specific maturity level, needs, and resources.

Step 1: Define Your Objectives and Priorities

We’ll make it easy. Based on our experience dealing with hundreds of companies that are just beginning their journey in cloud security, you need to focus on three objectives:

  1. Establishing a security baseline
  2. Implementing industry best practices that are designed to bring rapid improvement to early stage companies
  3. Starting a company-wide security awareness program that will make everyone in your organization aware of and responsible for security

If you focus on these three objectives at the outset, you’ll be assured of adding significant security to your organization in short order, and of laying down a solid foundation that will enable you to scale security to keep pace with your organization as it grows and as its needs become more complex.

Step 2: Define Constraints

Now that your objectives have been defined and you know what you need to accomplish, you must realistically think about budget, time, and resource constraints. There may be others, but for now, these are the only ones you need to be concerned with.

The point we want to make is this: On one hand, you don’t have all the time, money, and resources in the world, so you need to use what you have wisely. On the other hand — and here’s the good news — at this maturity level, you don’t need a large commitment in any of these areas. Here are some basic guidelines:

  • Budget: Security at this maturity level should not be expensive. Many of the industry best practices that we’ll speak about in later posts require knowledgeable resources that you may already have on staff, but no major outlay of cash. And even the job of establishing a baseline only requires a modest outlay. So at this level, you should not be primarily focused on securing budget to purchase systems or hire resources.
  • Time: In security, the most important time is NOW. At your current maturity level, we encourage you to think in tight intervals: hours (or sometime minutes, as we’re going to show you), days, or weeks. But not months or longer. If you’re familiar with the concept of a “scrum sprint,” think about accelerated timeframes — getting tasks completed in the shortest possible amount of time.
  • Resources: Our main guidance is: Look to your existing talent pool. Use what you already know to get things done. And don’t become distracted by the idea of having to invest a major amount of time learning new tools, acquiring new skills, etc. Much of what we’re going to tell you draws on the knowledge and skills that can already be found in most organizations.

Step 3: Execute on Your Plan

When it comes to execution, our advice is: Just Do It!  OK. There’s a bit more to it than that, so we will explain how to execute on each of your three objectives in follow-on posts.

And before you start executing, it will be a good idea to create three checklists (one for each of your objectives) in order to capture what you need to do, who is going to do it, when it will be started/completed, as well as the results you obtain. Take these items and work them into your work management system. Create tickets, kanban cards, sprint stories, etc. This will help you track what needs to be done, what is in progress, and what has been finished. Security won’t be your only work, so it’s important to keep track.

Step 4: Measure, Evaluate, and Improve

No system is perfect in its implementation or results from day 1. You need to measure results, evaluate them, and make improvements. Not only does this lead to continuous quality improvement, but the very act of carrying out this activity makes your security program more proactive, less reactive, and therefore, a stronger and more effective part of the daily life of your company.

In later posts, we are going to explain how to make adjustments that will improve your security baseline. We will also provide guidance on measuring and improving on the industry best practices that you’ll implement, and finally, we will explain how to incrementally improve the security awareness program you are establishing.

Step 5: Expand Your Cloud Security Program

At some point, after you have managed, monitored, and improved on the results obtained through implementing your initial strategic plan, it will be time to add to the scope and depth of your security. By doing so, you will be able to address new issues and add granularity as needed. (For example, you may want to modify your Secrets Management to provide greater internal access controls. Or in the case of Patch Management, you may want to go beyond a purely automated process to enable a higher level of scrutiny.)

As a rule, it’s time to start expanding or evolving your security program when:

  • You have put defined, repeatable processes in place
  • You are handling security in a proactive manner and not, by and large, in response to incidents after they have occurred
  • Security gains have plateaued and it is, therefore, time to introduce more rigor or granularity in order to “catch” new types of threats and identify new vulnerabilities
  • You want to add more sophisticated capabilities such as automated monitoring, investigation, and reporting
  • You want to increase agility and operational velocity

When you recognize the above conditions, you will be ready to graduate from your current maturity level to one where you employ more complex tools and tactics to give your security program greater scope and depth.

Final Words . . .

Remember, by writing and implementing a security plan that is designed for your cloud maturity level, you can achieve significant results for a very reasonable expenditure of time and money, often using resources that you already have in house.

The key is to write the plan and commit to relentlessly executing on it. You will find that results start to come in immediately. In a relatively short period of time — often a matter of a few weeks — you will notice that you have a much stronger security posture as well as the beginning of a company-wide security culture.

In our next post — How Securely Configured is Your AWS Environment? — we will explain why a security baseline is essential in establishing your security program, and we’ll also walk you through the process of creating one.