Building a cloud security program from scratch can be daunting. How do you get started, and what should your first steps be? There’s no one-size-fits-all approach to cloud security, but for those looking to form a solid program foundation, we've laid out a blueprint below to help guide you through the steps and get you off to a strong start.
1. Take an org-wide cloud app inventory.
There are a couple of ways to do this. Determining the sanctioned applications your team uses can be as simple as sitting down with the finance team. They can comb through cloud vendor contracts, purchase orders, etc., to locate SaaS or IaaS offerings your company has a formal relationship with.
To pinpoint unsanctioned applications, you’ll need to go a different route. This involves a little detective work with your network traffic team. Asking questions like, “What are the top 20 places our company is sending network traffic to daily?” can reveal both Bob in accounting’s Netflix habit and his public GitHub repository.
2. Perform a risk assessment.
Once you’ve determined the cloud applications and services your company uses, the next step is to measure the overall risk of working with these various cloud providers. You want to answer the question, “What would be the business impact of a potential data breach?”
Ranking each app as high, medium, or low is an effective way to determine its risk rating, that is, which apps would be the most damaging in the wrong hands. Take Salesforce, for example: the popular CRM app houses sensitive information, regulated data, business-critical information, and deal room data. This would certainly warrant a “high” rating.
On the other hand, an application used to publish social media posts isn’t as critical as an app that stores personally identifiable information, such as social security numbers or dates of birth. Apps like the social media publisher can be ranked as “medium” or even “low.”
3. Determine your security posture.
After you’ve established an inventory of your cloud apps and assessed the overall risk, you’ll want to perform a security posture review of each application. By working with each app’s “owner” or admin in the company, you can get a better idea of each app’s settings and configuration, and gauge the strength of your current security posture.
From there, you can perform a more in-depth analysis, asking yourself questions like, “Is this the security posture I want? Should I be making changes to these settings?” or even, “Is there over-permissioned access to data and resources at our company?”
4. Automate, automate, automate.
Now that you’ve built out your inventory, completed your risk rating, and are trying to determine what to tackle first or where to focus your team, you’ll quickly learn the importance of automation. The steps you’ve completed thus far are not a set-it-and-forget-it model; your work will be all for naught without continuous monitoring and updating.
Maintaining these cloud apps by hand, however, would require an entire team of people to support the efforts of inventorying, assessing risk, and controlling security posture in your SaaS applications. That’s why automating these tasks is key to protecting the data within these cloud apps without overburdening your security team.
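One way to turn steps 1 and 2 into a repeatable check, as an added example that is not part of this article or of any Varonis tooling: rank outbound destinations from proxy logs, compare them with the sanctioned list from finance, and carry each app's high/medium/low rating through to a triage list. The log format, hostnames, byte counts, and ratings below are constructed for the example.

```python
from collections import Counter, defaultdict
import re

# Constructed proxy log lines: <date> <user> <destination host> <bytes sent>
PROXY_LOG = """\
2024-03-01 alice login.salesforce.com 48210
2024-03-01 bob github.com 120330
2024-03-01 bob netflix.com 950000
2024-03-01 carol drive.google.com 70120
2024-03-01 alice github.com 20010
2024-03-01 dave login.salesforce.com 33000
2024-03-01 erin social-scheduler.example 5100
not a log line
"""

# Step 1 sanctioned list (from finance's contracts) with the step 2 rating; assumed values.
SANCTIONED = {
    "login.salesforce.com": ("Salesforce", "high"),
    "drive.google.com": ("Google Drive", "high"),
    "social-scheduler.example": ("Social scheduler", "low"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def top_destinations(log_text, n=20):
    """Rank destination hosts by bytes sent: [(host, bytes, sorted users)]."""
    by_bytes, users = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines instead of aborting the report
            continue
        _, user, host, sent = m.groups()
        by_bytes[host] += int(sent)
        users[host].add(user)
    return [(h, b, sorted(users[h])) for h, b in by_bytes.most_common(n)]

def inventory_report(ranked, sanctioned):
    """Label each top destination sanctioned/unsanctioned; unknown hosts stay 'unrated'."""
    rows = []
    for host, sent, who in ranked:
        app, rating = sanctioned.get(host, (None, "unrated"))
        rows.append({"host": host, "app": app, "bytes": sent, "users": who,
                     "status": "sanctioned" if app else "unsanctioned",
                     "risk": rating})
    return rows

def needs_attention(rows):
    """Hosts to triage first: anything unsanctioned, plus sanctioned 'high' apps."""
    return [r["host"] for r in rows if r["status"] == "unsanctioned" or r["risk"] == "high"]
```

Run on a day's worth of real proxy or flow logs, the unsanctioned rows are the shadow IT to assign an owner and a rating to, and the high rows are the apps whose posture review (step 3) comes first.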
5. Don’t forget about compliance.
By performing the tasks above, you’ll achieve a solid cloud security program that will give you a leg up when it comes to internal and external audits. You’ll be able to show compliance with regulations that require you to have a deep understanding of both the inventory of the data you have as well as the risk and security posture that exists in your cloud technology stack.
As you build your cloud security program from scratch, you’ll begin to see the need for continuous monitoring and detection. By embracing automation, you’ll be equipped to keep tabs on third-party application risks, prepare for compliance audits, and stay ahead of security risks across the cloud.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.