
Cloud Security Transformation, part 2: Cloud Security Controls and Roadmap

Navigating cloud security calls for an approach that fits your own cloud environment rather than a generic template. Traditionally, many security managers have reached for frameworks as a one-size-fits-all solution.

3 min read, Oct 08, 2023

Olav Østbye, Principal Cloud Security Manager & Partner

This blog is part of an ongoing series dedicated to addressing the imperative topic of Cloud Security Transformation. At the bottom of the article, you will find links leading to the previous articles.

Rely on Information, Not Frameworks

While frameworks certainly provide helpful guidelines, it is important to recognize that they are not the definitive answer, especially in a cloud environment that changes continuously. Many frameworks, cloud security frameworks included, codify defenses against yesterday's attacks and will not by themselves protect you against the attack techniques used in the cloud today. Treat them as a baseline, not as a ceiling. Instead, shift the spotlight toward your cloud security engineers and architects. Open discussions with these experts offer insights that are both timely and relevant to your actual environment.

Cloud security engineers and architects are at the forefront of understanding the dynamic nature of the cloud, but most importantly, they understand your current environment and the risks that come with it. No framework knows what you actually run in the cloud or how it is configured. In addition, cloud security engineers and architects can provide valuable guidance on emerging threats, best practices, and practical strategies to bolster your defenses. By emphasizing collaboration and knowledge sharing, you can create an adaptive security posture that evolves with the cloud landscape.

If you do this right, you will be able to build a mature cloud environment where the cloud provider delivers a strong fundamental defense and your cloud security experts cover the rest. Connecting this with risk assessments, threat modeling, threat intelligence, and the other necessary activities gives you a cloud security defense that even well-resourced, highly capable threat actors will have a hard time breaking into.

Refresh your ISMS

While your organization's current Information Security Management System (ISMS) might still be functional, the dynamic nature of the cloud environment demands a fresh perspective and increased investment to deliver optimal value. The management system aspect might require only minor adjustments, but the information security component will likely benefit from a substantial overhaul. Aim to transform your cloud security controls from rigid rules into flexible guidelines that evolve as your cloud environment does, so that they stop being a static checklist. Such a shift also encourages ownership and active engagement among your security team, who can contribute their expertise to the development and enhancement of these guidelines.

Roadmap and prioritization

Transitioning to the cloud involves a series of security activities that demand meticulous planning and coordination. As you navigate this journey, a well-structured roadmap becomes your guiding light. It ensures a smooth transition and maximizes the impact of your efforts by prioritizing tasks based on the risk reduction they deliver and the resources they require.

Remember that security engineers and architects, whether they work on cloud or on-premise solutions, are always tempted to pick up the sexy security tasks rather than the tasks the roadmap actually prioritizes.

Crafting a practical roadmap involves a strategic balance between risk and investment. Identify the tasks that offer the highest risk reduction relative to the resources invested, and schedule those first. While it is tempting to tackle everything at once, the reality of limited time, budget, and skilled personnel necessitates a focused approach.

So, as you traverse the cloud migration path, let your roadmap be your compass and your security engineers be your guides in achieving cloud security excellence.

Related articles:

https://www.o3c.no/knowledge/cloud-security-transformation-part-1-business-strategy-and-people

https://www.o3c.no/knowledge/isms-challenges-and-how-you-can-solve-them