John D'Arcy - December 2021
At last, cybersecurity is getting onto the agendas in board rooms around the globe. Senior management are starting to take cybersecurity and the corresponding risk management much more seriously than just a few years back. In particular, securing your workloads in a multi-cloud, multi-account, multi-region environment with on-premises connectivity can become a daunting task for any enterprise.
This article describes one way of taming the complexity of securing your environment, and offers a structured approach to securing the cloud at enterprise scale. Customers often ask: Where do I start? What is most effective? What am I going to do? But there is good news. It doesn't have to be challenging. In fact, the cloud offers more granular security options than on-premises infrastructures.
The big cloud vendors AWS, Azure and GCP all have well-architected frameworks with security pillars describing how to secure their services using best practices and automation. However, the biggest challenge is to build a culture of security in your enterprise. We all know the annoying password change, the "log in again, your session has expired", the 50-character password and the multi-factor authentication requirements that seem like a nuisance in our daily work. Finding a balance between user friendliness and good security has been a Gordian knot for many years. Psst... Try this site and see how quickly your password can be hacked, if you are still just using passwords.
Make your employees take security seriously and build it into all your applications, processes and procedures. Security controls and checklists are an absolutely critical part of security and compliance. The problem is not so much the checklist approach to ensuring security. The problem is the manual, after-the-fact approach to applying those checklists. Here are 5 mechanisms that can be used as an approach to build a security culture in your enterprise. See 5-steps to building a Culture of Security for details:
Consistently communicate the connection between security and mission objectives.
Set up practices to “build security in,” and fast feedback mechanisms to correct mistakes.
Establish norms for security hygiene and set high quality standards.
Adopt a zero-known-defect approach.
Continuously vet security, both in development and production.
The good news is that security is built into the cloud, and setting up your security infrastructure and processes correctly in your platform can be done seamlessly.
Using the cloud to secure the cloud is the best policy, as security is built into the underlying platform. On AWS everything is denied until you allow a specific permission. Even AWS services need permissions to access other AWS services, which you control. This, plus the fact that many organization-wide services are available, makes it a "no-brainer" to use the cloud to protect all your assets.
On the AWS cloud there are numerous services which, if used correctly, can help you gain a solid security and governance posture across the enterprise. One of the challenges, after the initial configuration though, is how to maintain these rules and policies across all regions and all accounts. Also, when considering that we want to use Infrastructure-as-Code (IaC) as our deployment "mantra", there is still some way to go for AWS to make it easily maintainable. Maybe this year's re:Invent will give us some new announcements in the enterprise space. Let's see.
But let it also be said that utilizing organization-wide services gives you far more control over your security and governance posture than more traditional methods. Below is a list of services you need configured and established in order to have a well-governed, secure environment. Besides these services, processes and procedures need to be in place to supplement them.
AWS Organizations - Establish your organization to reflect your organizational units (OUs) and set up corporate guardrails.
AWS Control Tower - Manage your accounts and landing zones
AWS Security Hub - Automate security checks and centralize security alerts
Amazon GuardDuty - Protect your accounts with intelligent threat protection
AWS Config - Record and evaluate configurations of your resources. Rules to check corporate governance policies
AWS Trusted Advisor - Get recommendations to follow best practices
Amazon Macie - Discover and protect your data privacy at scale.
AWS Firewall Manager - Centrally configure and manage firewall rules across accounts and applications
Configuring these services and having fine grained policies defined at the AWS Organization level will help you to manage security at scale in your environment.
One "must have" with any large enterprise cloud infrastructure is a connectivity hub, which can provide connectivity to on-premises as well as many other services. A connectivity hub can provide you with:
Secure outbound access
Secure access between cloud applications and on-premise data
Secure access between cloud vendors
DNS services
Firewall services
On AWS, you can use AWS Transit Gateway, AWS Resource Manager and AWS Network Firewall together with an SD-WAN (Software Defined Wide Area Network) to get VPN connections between all your cloud vendors, your on-premises sites and anywhere else that has an SD-WAN endpoint. This gives you:
WAN as a service
Predictable Connectivity Anywhere
Built In WAN Optimization
Security & Secure Access Service Edge (SASE)
Automation and Orchestration
Predictive Analytics
Management, Visibility, and Troubleshooting
Last-Mile Management and Monitoring
Global PoP Architecture for Service Delivery
By centralizing your connectivity you are in a much better position to examine, monitor and react if there is a need to do so. Threat management, workload protection and hybrid multi-cloud security protection become easier to control and implement.
Depending on the governance structure and operating model in your enterprise, there are many AWS services you can avail of to implement your specific model. There are 4 basic operating models, starting from the traditional model with separate engineering and operations teams across applications and platforms. All need the basic organization-wide, multi-region, multi-account services implemented to enforce your particular model.
Operating models on the road to separated AEO and IEO with decentralized governance
Traditional model
If it's a "you build it, you run it" paradigm, you can set guardrails and enforce "the playing field" within which the development teams can work. However, the path towards model 4 needs to be taken slowly, and there are intermediate stages at 2 and 3 along the way. This is because you need to adopt the organizational changes along the way to support the operating model. Finding the right operating model for your enterprise, when cloud environments become part of your IT landscape, is very individual and depends on the culture and the models already in place at your enterprise.
If you are planning or are already on this journey, CloudRemote.io is here to assist you with real life models of how this can be implemented. We can help operationalise your strategy and implement your corporate guardrails; mail us at security@cloudremote.io. Below are some examples of how this can be done.
Using AWS Organizations fully in your enterprise will give you the governance and control you are looking for, while at the same time ensuring your development teams and applications have the freedom to work within the corporate guardrails you define.
It also gives you the control you need, all the way from consolidated billing to centralized logging, centralized security and single sign-on. By enforcing Service Control Policies (SCPs) on the organizational units (OUs) you define, you can fine-tune what is allowed for the accounts under that OU, giving you the governance you require.
When you enable Systems Manager Explorer in your organization you can see findings from Security Hub, Config, Trusted Advisor, non-compliant instances, etc., all in a single pane of glass. Here you have the option to create operational items which can be followed up on and remediated.
Setting up GuardDuty (GD) at an organizational level will protect all your accounts from common threats. GD is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
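As an added illustration (not part of the original article), here is one SCP that expresses the kind of corporate guardrails described above: it stops member accounts from leaving the organization, from switching off the detective services listed earlier (GuardDuty, Config, CloudTrail, Security Hub), and from using regions outside an approved list. The region names, the exempted role name `OrgSecurityAdmin` and the shortened list of global services in `NotAction` are assumptions to adapt to your own environment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "ProtectDetectiveServices",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:DisassociateFromAdministratorAccount",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "securityhub:DisableSecurityHub",
        "securityhub:DisassociateFromAdministratorAccount"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    },
    {
      "Sid": "RestrictToApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*",
        "route53:*", "cloudfront:*", "budgets:*", "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    }
  ]
}
```

Remember that SCPs never apply to the management account and only limit permissions rather than grant them, so the IAM policies inside each member account still have to grant the access your teams need.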
Findings per account can be shared with the account owner for remediation or you can remediate them centrally if your operating model dictates this.
AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. It gives you consistent protection across your organization and, most of all, heightens awareness of the security needed in the development projects in your accounts. Using the security score you can quickly see which regions and accounts require special attention.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config can aggregate findings from all accounts and regions into an organization-wide aggregator. An aggregator is an AWS Config resource type that collects AWS Config data from multiple accounts and regions. Use an aggregator to view the resource configuration and the compliance data recorded in AWS Config for multiple accounts and regions.
A connectivity hub is essential to manage your multi-cloud IT landscape. Here you can centralize your outbound traffic and connectivity between on-premises and cloud and between clouds. Extra services can be implemented here also, such as Firewall Manager, DNS, etc. Here you can also implement an SD-WAN to connect your branch offices and further heighten your security posture. See our article on AWS Transit Gateway for details.