The rising number of cloud security data breaches due to simple service misconfigurations is forcing public cloud security owners to rethink classic security concepts and adopt approaches that better address the needs of developers building the dynamic, distributed cloud infrastructure.
As a result, teams tasked with securing their organizations’ cloud environments have focused on what is known as cloud security posture management, or CSPM, which is defined as “a continuous process of cloud security improvement and adaptation to reduce the likelihood of a successful attack.”
We interviewed several cloud security experts and asked them how public cloud transformation has changed their approach to cloud security posture management. From this, it’s clear that many organizations find that the biggest challenges they need to overcome are not necessarily related to technology, but to people and processes.
To help face these challenges, we’ll explain how to structure a cloud security team and distribute responsibilities for successful cloud security posture management.
Building a cloud security team
To ensure success in the public cloud, you should establish a Cloud Center of Excellence (CCoE), which is a cross-functional team tasked with supporting and governing the execution of your organization’s cloud strategy. Security and compliance is one of the three key areas of excellence within a CCoE (in addition to cloud financial management and operations) and is responsible for:
- Ensuring continuous compliance with relevant standards
- Staying up-to-date with the changing threat and compliance landscape
- Translating business requirements into cloud security standards
The key security champion in a CCoE is the cloud security architect, whose primary goal is to design security and compliance standards and scale them in a way that helps the organization simultaneously meet its business and security needs. The diagram below shows a sample structure of a security organization within a large organization.
Reporting to the CIO or CISO is the information security department, which can have distinct teams such as security operations, vulnerability management, and governance, risk, and compliance. Each of these teams has specific requirements that the developer teams must address to ensure security and compliance of the infrastructure they build in the cloud.
Additionally, a key responsibility for the security architect is to provide security and compliance tools and solutions that can enable different information security teams to perform their responsibilities and coordinate efficiently. Gartner recently released a report that covers the skills and resources teams need to make optimal use of cloud infrastructure and platform services, along with best practices for acquiring and maintaining these skills. See a recap in our article or download your copy of the report here.
Distributing cloud security responsibilities
Once you’ve established a Cloud Center of Excellence and built your cloud security team, you can effectively distribute cloud security responsibilities across your organization. There is often confusion over the division of security responsibilities in the cloud. Not knowing who owns tasks for ensuring security and compliance in a dynamic cloud environment can lead to blind spots in your cloud security posture.
There is a shared security responsibility between the cloud provider and the customer. Shared responsibility can vary depending on the cloud provider and service, but in general, the cloud provider is responsible for the security of the cloud, and the customer is responsible for security in the cloud.
For example, the cloud provider assumes responsibility for the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for the guest operating system, applications and workloads, identity and access management, and the configuration of cloud services.
In addition to security responsibilities between the cloud provider and customer, it’s also important to identify responsibilities internally. Cloud security is no longer a function of just one team—it’s a shared responsibility throughout the organization, with each department understanding the security risks and policies of the cloud services they’re using.
The CCoE should define the lines of security responsibility amongst individuals and teams within their organization, and then prevent silos by enabling efficient information-sharing and implementing a regular cadence of communication. With this, stakeholders from across functional teams can understand the cloud security implications of decisions before implementing them, along with the actions expected of them to maintain a strong cloud security posture.
Below is a suggested breakdown of cloud security responsibilities by department and specialized function.
| Department | Specialized Function | Examples of Security Responsibilities |
| --- | --- | --- |
| Information Security | Cloud Security Architect | Design security standards for building applications in the cloud |
| Information Security | Vulnerability Management | Reduce risks due to misconfiguration vulnerabilities in the cloud |
| Information Security | Security Operations | Monitor threats to detect and respond to suspicious activities in the cloud |
| Information Security | Governance, Risk, and Compliance | Collaborate with auditors to help the business meet regulatory compliance in the cloud |
| IT | Cloud Operations | Enable security teams to get complete visibility and monitor company cloud accounts |
| Line of Business | Cloud Security Architect | Run applications at scale in production and ensure application reliability (including security) |
| Line of Business | Vulnerability Management | Adopt security and compliance best practices while building applications in the cloud |
To begin, the security architect works with IT operations to ensure the company cloud accounts are configured correctly to give various security functions appropriate roles to monitor and secure cloud resources.
In parallel, the security architect works with developer teams to build standards that establish security and compliance requirements and are prescriptive and easy for developers to implement. Together, the architect, developers, and operations teams find ways to automate processes and ensure that information security controls are implemented in a way that minimizes risk without restricting service access or affecting application reliability.
Smaller organizations often have neither the resources nor the need to dedicate specialized personnel to each information security role. Regardless of the organization’s size, the leaders building the cloud security organization must identify the individuals who, together, perform the roles of the security architect and of the information security and IT operations teams.
Establishing a cloud security organization and distributing responsibilities are critical components of successful cloud security posture management. However, there are several other components to consider, such as attaining visibility into your entire cloud environment, defining standards and controls, detecting risks and misconfigurations, remediating issues with automation, and more.
To see all our CSPM best practices, download our complete guide: 7 Best Practices for Cloud Security Posture Management