Cloud Security Governance

Cloud governance consists of three pillars – cloud security governance, cloud financial governance, and cloud operations governance. In the perfect scenario, all three pillars contribute equally to the success of a business´ cloud operations. However, whereas a business can still be successful if it fails to optimize costs or rightsize infrastructure, the same does not apply if it fails to take control of cloud security.

Therefore, it is important to understand the concept of cloud governance, where cloud security fits into the jigsaw of cloud governance, and how a business can mitigate cloud security risks by obtaining visibility of its cloud environment, centralizing control of the cloud environment, and automatically enforcing cloud security governance policies.

Cloud Governance vs. Cloud Management

First, a quick explanation of the difference between cloud governance and cloud management, as the two terms are sometimes interchanged. Cloud governance is the activity of developing, monitoring compliance with, and auditing cloud governance policies; while cloud management is the activity of organizing, allocating, and coordinating operations within cloud governance policies.

The two activities are complimentary inasmuch as you cannot govern without management, and you cannot manage without policies to follow. Although complimentary to each other, the two activities are sometimes separated – i.e. the C-Suite establishing the rules, and department heads responsible for managing within the rules. To be effective, cloud governance should be collaborative.

The Importance of Visibility for Cloud Governance

There is a saying in cloud computing that “you cannot control what you cannot see”; and therefore, before developing cloud governance policies, it is important to have visibility into what resources are being used, who is using them, and how they are being used. In the cloud this can be difficult due to Cloud Service Providers obscuring activity below the level of abstraction for security reasons.

The solution to this issue is to implement a cloud management platform that attaches agents to resources in order to monitor activity below the level of abstraction. While not providing total visibility inasmuch as you cannot, for example, inspect packet data as you would be able to in an on-premises infrastructure, the enhanced level of visibility enables businesses to view all resource activity – even the activity of resources they didn´t know existed.

Shadow IT Environments Should Sound Alarm Bells

The scale of Line of Business “Shadow IT” is unknown, but estimated to account for a third of all cloud spend – and for up to 80% of cloud security events – due to Lines of Businesses deploying unsanctioned resources “to get the job done”. While the motives behind Shadow IT are meritable, the consequences of users with limited knowledge of cloud security deploying resources can be disastrous.

The majority of data breaches in the cloud are attributable to misconfigured servers exposing vulnerabilities that can be exploited by hackers. There is also a risk that sensitive data could be saved to storage volumes exposed to the public Internet or in locations that violate compliance requirements. Consequently, Shadow IT environments have to be eliminated and brought under centralized control.

How to Eliminate Shadow IT Safely

Because of the risks to cloud data security, businesses discovering a Shadow IT environment are often tempted to implement unenforceable restrictions on cloud use. The problem with this approach is that many of the unsanctioned services and resources being used in Shadow IT environments are required to get the job done; and, if they are not available, either productivity will suffer or new Shadow IT environments will evolve – possibly more unsecure than their predecessors.

Therefore, in order to eliminate Shadow IT safely, businesses need to create a Cloud Center of Excellence that is built around a core group of IT professionals, but which includes representatives from all Lines of Business and members of the C-Suite. The initial role of the Cloud Center of Excellence is to determine which unsanctioned cloud services and resources are being used, and replace those which are unsecure with secure alternatives – training users on how to use them securely.

Developing Cloud Security Governance Policies

Developing cloud governance policies for security, finance, and operations involves extending existing IT governance policies to the cloud. With C-Suite involvement, determining the objectives of the policies and building a cloud governance framework should not be difficult. However, issues can arise with the logistics of how a policy in one cloud governance pillar impacts a policy in another pillar.

An example of where policies might conflict is with regards to accountability. Developers, for example, may now be required to enhance capabilities during the CI/CD pipeline while being held accountable for security issues that develop due to configuration drift. Enforcing a “golden image” cloud security governance policy will prevent developers from making ad-hoc enhancements, and compromises may be required within the Cloud Center of Excellence to ensure policies are complied with.

Enforcing Cloud Security Governance Policies

Despite the highest level of collaborations and agreement between departments, it is still the case that errors can occur which lead to violations of cloud security governance policies. Indeed, the research and advisory firm Gartner has predicted that “99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security an IT professionals at the time of the incident”.

The way to avoid errors occurring is to enforce cloud security governance policies with policy-driven automation – a capability of some cloud management platforms which allows administrators to configure the platform with a policy and an action to take if the policy is – or is about to be – violated. Examples of automated policy enforcement and how it is achieved include:

  • Administrators can create a policy that instructs the platform to continuous verify the configuration of Virtual Machines and notify the owner of any configuration drift.
  • The platform can also be configured to block the deployment of untagged resources or to correct misspelled tags in order to enforce accountability.
  • Enforcement of a tagging policy ensures that data encryption policies can be enforced when data is not encrypted by default.
  • It is also possible to enforce cloud security governance policies stipulating that MFA is enabled by revoking access to accounts with the security measure disabled.
  • Similarly, account access at any level can be automatically revoked if suspicious activity is identified recognized – for example logging into an account outside of normal working hours.

Automated Policy Enforcement Reduces the Management Overhead

The consequence of obtaining enhanced visibility and bringing Shadow IT under centralized control is that there is more cloud activity to manage – potentially overwhelming the Cloud Center of Excellence´s security personnel. However, by automating the enforcement of cloud security governance policies, the majority of management is “hands-free” and only the most serious violations have to be addressed.

This not only applies to cloud security governance, but also to cloud financial governance and cloud operations governance – where policies can be enforced to (for example) make better use of committed use discounts, terminate unused resources, and rightsize infrastructure that does not conform to the configurations defined in operational governance policies.

Ultimately, the implementation of an agent-based cloud management platform with policy-driven automation capabilities will not only improve a business´ cloud security posture, it will also help the other two pillars of cloud governance contribute equally to the success of the business´ cloud operations – while reducing the management overhead and mitigating cloud security risks.