The Doppler Quarterly Fall 2016 - Page 82

Figure 2: CloudOps Guiding Principles (Limit the “Blast Radius”; Enable Cost Transparency; Minimize Complexity; Maintain Compliance; Secure Access; Increase Developer Agility; Increase Resiliency Posture)

Security

Security implementation should be planned to ensure that the addition of multiple cloud vendors does not add risk or reduce visibility into the organization’s security posture and response. Security has several key categories that must be addressed uniformly across cloud providers:

Policy – Policy is the set of organizational guidelines that control how the business functions, the levels of risk taken, processes followed and rules for data handling. The policy for an organization will not change and will be applied uniformly across cloud providers.

Controls – Controls are the process-based implementations of the policy. The controls are workflows, checks and approvals to ensure that policy is being followed. Controls are commonly seen as passwords, access control lists and other boundaries to allow and prevent access to data and services. Controls will be broadly the same across cloud platforms, with only minor differences to account for technology differences between vendors.

Technical Implementation – Controls are implemented through technology, so this tier can vary significantly from vendor to vendor because of differences in how they provide services and access to them. This technical implementation will be a major component of the MVC and architectural elements in the cloud, ensuring that a strong platform is built for the organization to safely consume services within corporate policy.

Governance – Governance is the enforcement of policies across technology and cloud platforms. While governance can be a manual process to validate that policy is being followed, it should be automated in a cloud environment to maximize agility for users of the cloud platform.