If you are looking for complete instructions on how to build your own cloud governance process and controls, watch our recorded webinar on our YouTube channel. We take you step by step through what governance means for the cloud, with a focus on security governance.
2. Meet Our Speakers
• Kamran Mehboob
• Dir of Product Management, Security & Compliance
3. What will we learn today?
• What to govern in a multi-cloud?
• Governance best practices
• Where and how to start
• CIS controls for all clouds
• Cloudnosys Security & Compliance Platform
• Q & A
4. Why even have a Multi-Cloud Strategy?
1. 85% of Enterprises now have a Multi-Cloud Strategy for Public Clouds. (McKinsey, Forrester, Gartner)
2. Mergers and Acquisitions are forcing companies to quickly develop a model to govern and effectively manage the acquired company’s Cloud footprint.
3. Technology, Costs and Talent
Multi-Cloud is the new norm
6. What are the common threads to govern security for Public Clouds at scale?
1. Software-defined infrastructure controls – Core
2. Mostly process and technology automation – very little People
Governance = Configurations + Collaboration + Enforcement + Self healing
7. Cloud Velocity requires Automation
You cannot humanly see or govern thousands of configurations every day and fix them!
• Need compliance framework control testing
• Need continuous monitoring & automation
• Need DevSecOps Governance for CI/CD automation
8. Security Governance for Public Clouds
1. Build a set of granular Corporate policies for Security and Compliance configurations, down to the OS level, for all cloud services (Firewalls, Access, Encryption, IAM and more)
2. Enforce the policies in near real time and analyze any additions or changes to existing cloud configuration services.
3. Monitor and measure risks continually, then either allow or deny service requests for out-of-policy actions
Invest in open source and commercial tools to deliver a 360 view of all cloud assets running globally in a single pane of glass.
9. Key Focus areas to reach Scale on Governance
1. Visibility - Pay considerable attention to Visibility and Change in your Cloud services
2. Speed - Increase speed by “continuous delivery or monitoring of changes”; reduce human intervention
3. Self Healing – Fix the problems before they go into production, and while in production fix them on the fly via automation.
4. Leverage Partners and Vendors to understand what “Good” looks like. You don’t have to build it yourself
10. Start here but end with a 360 view of all cloud policies and risks?
| Area | AWS | Azure | GCP |
|---|---|---|---|
| Configuration Management | Config, CFT | Azure Policy, Azure Security Center (ASC) | Configuration Mngt, Anthos, Forseti |
| OS Management | Inspector | ASC | Security Command Center (SCC) (in beta) |
| Log Management | GuardDuty, WatchTower | ASC | StackDriver |
| Automation - Self Healing | Lambda | Azure Functions | GCP Functions |
| Monitoring PII Data usage in DB | Macie | MS Information Protection | DLP - SCC |
| Risk Management | none | none | none |
| Best Practice Policies | CIS | CIS | CIS |
11. How to build, manage and enforce policies at scale, and also understand risks?
1- CIS First
2- Custom Signatures
3- Automation
My budget is zero and we have no time
13. How do we govern and audit an S3 Bucket?
Note: 23 policies just for AWS
• AWS S3 Bucket Authenticated 'FULL_CONTROL' Access
• AWS S3 Bucket Authenticated 'READ' Access
• AWS S3 Bucket Authenticated 'READ_ACP' Access
• AWS S3 Bucket Authenticated 'WRITE' Access
• AWS S3 Bucket Authenticated 'WRITE_ACP' Access
• Enable S3 Bucket Default Encryption
• Enable Access Logging for AWS S3 Buckets
• Enable MFA Delete for AWS S3 Buckets
• S3 Bucket Public Access Via Policy
• Publicly Accessible AWS S3 Buckets
• AWS S3 Bucket Public 'READ' Access
• AWS S3 Bucket Public 'READ_ACP' Access
• AWS S3 Bucket Public 'WRITE' Access
• AWS S3 Bucket Public 'WRITE_ACP' Access
• Enable Versioning for AWS S3 Buckets
• DNS Compliant S3 Bucket Names
• Enable S3 Bucket Lifecycle Configuration
• Review S3 Buckets with Website Configuration Enabled
• AWS S3 Unknown Cross Account Access
• Secure Transport
• Server Side Encryption
• Limit S3 Bucket Access by IP Address
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
You write these rules via API
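What "writing these rules via API" looks like in practice, as an added example in Python (not code from the deck or from the Cloudnosys platform): a small compliance-as-code evaluator for a subset of the S3 policies listed above. It assumes each bucket's description has already been fetched elsewhere (for instance with the GetBucketAcl, GetBucketPolicy, GetBucketEncryption, GetBucketLogging and GetBucketVersioning API calls) and merged into one dict; the field names follow those API responses, but nesting the logging and versioning responses under "Logging" and "Versioning" is this example's own convention. The two sample buckets are constructed test data.

```python
import json

# Predefined group URIs used in S3 ACL grants (real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _acl_grants(bucket, grantee_uri):
    """Permissions the bucket ACL grants to one predefined group."""
    return {g["Permission"] for g in bucket.get("Grants", [])
            if g.get("Grantee", {}).get("URI") == grantee_uri}


def _statements(bucket):
    """Bucket policy statements as a list (the policy is a JSON string)."""
    if not bucket.get("Policy"):
        return []
    stmts = json.loads(bucket["Policy"]).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)


def _condition_key(stmt, key):
    return any(key in c for c in stmt.get("Condition", {}).values())


# Rule table: (policy name from the slide, check returning True when compliant).
RULES = [
    ("AWS S3 Bucket Public 'READ' Access",
     lambda b: not {"READ", "FULL_CONTROL"} & _acl_grants(b, ALL_USERS)),
    ("AWS S3 Bucket Public 'WRITE' Access",
     lambda b: not {"WRITE", "FULL_CONTROL"} & _acl_grants(b, ALL_USERS)),
    ("AWS S3 Bucket Authenticated 'FULL_CONTROL' Access",
     lambda b: "FULL_CONTROL" not in _acl_grants(b, AUTH_USERS)),
    ("S3 Bucket Public Access Via Policy",
     lambda b: not any(s.get("Effect") == "Allow" and _public_principal(s.get("Principal"))
                       for s in _statements(b))),
    # Compliant only if a Deny statement keyed on aws:SecureTransport forces HTTPS.
    ("Secure Transport",
     lambda b: any(s.get("Effect") == "Deny" and _condition_key(s, "aws:SecureTransport")
                   for s in _statements(b))),
    ("Enable S3 Bucket Default Encryption",
     lambda b: bool(b.get("ServerSideEncryptionConfiguration", {}).get("Rules"))),
    ("Enable Access Logging for AWS S3 Buckets",
     lambda b: "LoggingEnabled" in b.get("Logging", {})),
    ("Enable Versioning for AWS S3 Buckets",
     lambda b: b.get("Versioning", {}).get("Status") == "Enabled"),
    ("Enable MFA Delete for AWS S3 Buckets",
     lambda b: b.get("Versioning", {}).get("MFADelete") == "Enabled"),
]


def evaluate_bucket(bucket):
    """Map each policy name to 'PASS' or 'FAIL' for one bucket description."""
    return {name: "PASS" if check(bucket) else "FAIL" for name, check in RULES}


def failing_rules(bucket):
    """Sorted names of the policies the bucket violates."""
    return sorted(n for n, r in evaluate_bucket(bucket).items() if r == "FAIL")


# Constructed sample: a misconfigured, world-readable bucket (not real data).
SAMPLE_BAD_BUCKET = {
    "Name": "example-public-bucket",
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "FULL_CONTROL"},
    ],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-public-bucket/*"}]}),
    "Logging": {}, "Versioning": {},
}

# Constructed sample: a bucket hardened per the policies above.
SAMPLE_GOOD_BUCKET = {
    "Name": "example-private-bucket",
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                "Permission": "FULL_CONTROL"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-private-bucket",
                      "arn:aws:s3:::example-private-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3/"}},
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
}
```

Running `failing_rules(SAMPLE_BAD_BUCKET)` lists eight violated policies, while the hardened bucket passes every rule. Each rule is a pure function of the fetched description, so the same table can run on every bucket in every account on a schedule, which is the point of the slide: the checks are data, and the API collection is the hard part.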
14. How should we Govern VPC?
• Unused VPC Internet Gateways
• Use Managed NAT Gateway for AWS VPC
• Ineffective Network ACL DENY Rules
• Unrestricted Network ACL Inbound Traffic
• Unrestricted Network ACL Outbound Traffic
• Enable Flow Logs for VPC Subnets
• VPC Endpoint Unknown Cross Account Access
• AWS VPC Exposed Endpoints
• Enable AWS VPC Flow Logs
• AWS VPC Peering Connection Configuration
• AWS VPN Tunnel Redundancy
• AWS VPN Tunnel State
• Unused Virtual Private Gateways
• VPC Peering cross accounts
• Easy to turn on and collect
• Requires Log Correlations
• Information Latency
• Requires automation, integration & Analysis
All via APIs - Requires expert understanding
of AWS security at the component level.
Compliance as code is the new norm!
Custom Rules: Written by YOU!
You write these rules via API
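Two of the VPC policies above, "Ineffective Network ACL DENY Rules" and "Unrestricted Network ACL Inbound Traffic", come down to how AWS evaluates a network ACL: entries are tried in ascending rule number and the first match wins, so a DENY that sits behind a broader ALLOW never fires. The check below is an added example in Python (not the deck's or any vendor's code). It assumes the ACL entries have already been pulled from the API and flattened into the dict shape shown; the sample ACL is constructed, and the 32767 catch-all is AWS's default entry.

```python
import ipaddress

DEFAULT_CATCH_ALL = 32767  # AWS's implicit final deny-all entry


def _ports(rule):
    """Port range a rule matches; protocol -1 (all traffic) ignores PortRange."""
    if rule["protocol"] == "-1":
        return (0, 65535)
    return (rule.get("from_port", 0), rule.get("to_port", 65535))


def _covers(earlier, later):
    """True if every packet matched by `later` is already matched by `earlier`."""
    if earlier["egress"] != later["egress"]:
        return False
    if earlier["protocol"] not in ("-1", later["protocol"]):
        return False
    e_net = ipaddress.ip_network(earlier["cidr"])
    l_net = ipaddress.ip_network(later["cidr"])
    if e_net.version != l_net.version or not l_net.subnet_of(e_net):
        return False
    e_from, e_to = _ports(earlier)
    l_from, l_to = _ports(later)
    return e_from <= l_from and l_to <= e_to


def ineffective_deny_rules(acl):
    """Rule numbers of DENY entries shadowed by a lower-numbered ALLOW.

    Because evaluation stops at the first match, such a DENY can never be hit.
    """
    ordered = sorted(acl, key=lambda r: r["rule_number"])
    shadowed = []
    for i, rule in enumerate(ordered):
        if rule["action"] != "deny" or rule["rule_number"] == DEFAULT_CATCH_ALL:
            continue
        if any(e["action"] == "allow" and _covers(e, rule) for e in ordered[:i]):
            shadowed.append(rule["rule_number"])
    return shadowed


def unrestricted_rules(acl, egress=False):
    """ALLOW entries admitting all protocols and ports from/to any address."""
    return [r["rule_number"] for r in acl
            if r["egress"] == egress and r["action"] == "allow"
            and r["protocol"] == "-1"
            and ipaddress.ip_network(r["cidr"]).prefixlen == 0]


# Constructed sample ACL (documentation prefixes, not real addresses).
SAMPLE_ACL = [
    {"rule_number": 50, "egress": False, "action": "deny", "protocol": "6",
     "cidr": "203.0.113.0/24", "from_port": 3389, "to_port": 3389},   # effective
    {"rule_number": 100, "egress": False, "action": "allow", "protocol": "-1",
     "cidr": "0.0.0.0/0"},                                           # allow-all inbound
    {"rule_number": 200, "egress": False, "action": "deny", "protocol": "6",
     "cidr": "198.51.100.0/24", "from_port": 22, "to_port": 22},      # shadowed by 100
    {"rule_number": 100, "egress": True, "action": "allow", "protocol": "6",
     "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"rule_number": DEFAULT_CATCH_ALL, "egress": False, "action": "deny",
     "protocol": "-1", "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("ineffective DENY rules:", ineffective_deny_rules(SAMPLE_ACL))
    print("unrestricted inbound ALLOW rules:", unrestricted_rules(SAMPLE_ACL))
```

On the sample ACL the rule-200 DENY is reported as ineffective (rule 100 already allows everything inbound) while the rule-50 DENY is not, and rule 100 is flagged as unrestricted inbound. Containment is checked on direction, protocol, CIDR and port range together, so a DENY is only reported when the earlier ALLOW really matches all of its traffic.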
15. Governance Model for Resources
Collection and Reporting
| Source | Examples | Collection |
|---|---|---|
| AWS Infra Logs and Config | Config, CloudTrail, CloudWatch, VPC Flow Logs | Easy |
| AWS Service Logs | S3 logs, RDS logs, Lambda etc. | Easy |
| Host Based Logs | Server logs, Audit logs, Applications etc. | Easy |
| Machine Meta Data and related | Configuration changes, limit reached etc. | Very Hard |
All API based collections (Automations)
• Policies Output Collection
• Policy Analysis for Governance
• Evidence based Governance/Compliance Reporting - PASS/FAIL with RISK Ratings
All raw data, but a core foundation of your compliance and security gap reporting. It is not in a business-ready usable format.
16. Security and Compliance Reporting for “Governance and Security Risk Posture”
GDPR Compliance Reporting:
Date: 6/20/2018
AWS Account Name: GDPR Prod
Inventory of Assets: 10 EC2, 10 VPC, 20 ELB, 18 S3, 12 RDS
Data Privacy By Design, Article 25: Data controller is required to implement appropriate technical and organisational measures both at the time of determination of the means for processing and at the time of the processing itself in order to ensure data protection principles such as data minimisation are met. Any such privacy by design measures may include, for example, pseudonymisation or other privacy-enhancing technologies. Result: FAIL
Access Control 100 29 129
Encryption RDS 200 32 232
Encryption S3 105 95 200
Encryption ELB - TLS 1.2 200 29 229
IAM Audit Controls 120 200 220
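The evidence-based PASS/FAIL report with risk ratings that slides 15 and 16 describe, as an added example in Python (not the vendor's reporting code): per-resource findings from policy checks are rolled up per control group and serialised as JSON, the kind of feed the summary says GRC and SIEM systems consume. The policy-to-control mapping and the severities are constructed for illustration and are not a real framework crosswalk; the findings are sample data.

```python
import json
from collections import defaultdict

# Constructed mapping (illustrative only): policy name ->
# (control group shown on the report, severity when the policy fails).
CONTROL_MAP = {
    "Publicly Accessible AWS S3 Buckets": ("Access Control", "HIGH"),
    "Enable S3 Bucket Default Encryption": ("Encryption S3", "MEDIUM"),
    "Secure Transport": ("Encryption S3", "MEDIUM"),
    "Enable Access Logging for AWS S3 Buckets": ("IAM Audit Controls", "LOW"),
}
_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def build_report(account, date, findings):
    """Roll per-resource findings up into per-control PASS/FAIL counts.

    findings: iterable of (resource, policy_name, "PASS" | "FAIL").
    A control's risk rating is the highest severity among its failing findings;
    the evidence (which resource failed which policy) travels with the count.
    """
    controls = defaultdict(lambda: {"pass": 0, "fail": 0, "total": 0,
                                    "risk": "NONE", "failing_resources": []})
    for resource, policy, result in findings:
        group, severity = CONTROL_MAP.get(policy, ("Unmapped", "LOW"))
        c = controls[group]
        c["total"] += 1
        if result == "FAIL":
            c["fail"] += 1
            c["failing_resources"].append(f"{resource}: {policy}")
            if _RANK[severity] > _RANK[c["risk"]]:
                c["risk"] = severity
        else:
            c["pass"] += 1
    for c in controls.values():
        c["status"] = "FAIL" if c["fail"] else "PASS"
    overall = "FAIL" if any(c["status"] == "FAIL" for c in controls.values()) else "PASS"
    return {"account": account, "date": date, "overall": overall,
            "controls": dict(controls)}


def to_json(report):
    """Serialise for a GRC/SIEM feed; sorted keys keep successive reports diffable."""
    return json.dumps(report, indent=2, sort_keys=True)


# Constructed sample findings: two buckets checked against four policies.
SAMPLE_FINDINGS = [
    ("example-public-bucket", "Publicly Accessible AWS S3 Buckets", "FAIL"),
    ("example-private-bucket", "Publicly Accessible AWS S3 Buckets", "PASS"),
    ("example-public-bucket", "Enable S3 Bucket Default Encryption", "FAIL"),
    ("example-private-bucket", "Enable S3 Bucket Default Encryption", "PASS"),
    ("example-public-bucket", "Secure Transport", "FAIL"),
    ("example-private-bucket", "Secure Transport", "PASS"),
    ("example-public-bucket", "Enable Access Logging for AWS S3 Buckets", "FAIL"),
    ("example-private-bucket", "Enable Access Logging for AWS S3 Buckets", "PASS"),
]

if __name__ == "__main__":
    print(to_json(build_report("GDPR Prod", "6/20/2018", SAMPLE_FINDINGS)))
```

For the sample findings the report marks all three control groups FAIL, with Access Control rated HIGH because the public-bucket policy is the most severe failure. Keeping the failing resources inside each control entry is what makes the report evidence-based rather than a bare count.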
17. Summary: A quick checklist for your Cloud
Start with your Cloud-native tools: GuardDuty, Security Center, Configuration Manager
Organizational Responsibilities
Assign a Data Protection and Security officer who will govern and benchmark the program.
Technical Responsibility and Obligations
CIS controls first, then NIST controls. Inventory data and implement strong controls to maintain data privacy; build your “collection” expertise. Pay attention to DLP, encryption, and CIS/PCI/HIPAA-equivalent controls around cloud configuration monitoring, and to audit trail management.
Implement cloud compliance automation to manage these controls and continually monitor in near real time.
Three core areas to focus on for building a Cloud COE that runs at scale. These also align to the well-architected framework for the cloud.
The cloud is nothing more than Lego blocks; each block has its own set of controls or configurations. You need to master them, control them, monitor them for changes and perform risk management.
Velocity means you had better have a well-defined automated process, or else you will lose the cloud race and should get ready for a breach.
Policies are your guardrails and this is where you focus. Policies are configurations, that’s all.
Start with the cloud vendors’ tools, then try to consolidate all the data and build out an alert and reporting system. You can also look for tools that augment this, like the open-source tool Cloud Custodian.
Start small and simple and then fan out as you grow.
The hard part is building API-based controls, and that is where most people fail. If you don’t have time for this, then invest in a COTS product like Cloudnosys.
This is what you need when someone comes to you and says “we need a GDPR report on our infra”. You should be able to produce this in 5 minutes or less if you have all the automation built out.
We mapped all the controls already and coded them to run at scale for all clouds.
Summary of all your security risks
A business view for compliance engineers, giving them information on what is failing and where, and for which compliance standards.
Lots of security frameworks and compliance standards
Reporting is key and is also available in JSON format to feed into 3rd party GRC and SIEM systems.