The Doppler Quarterly Summer 2016 | Page 67

Matrix (CCM) as an accepted baseline of control objectives for cloud computing in the enterprise, which is at the center of our cloud security methodology.
We have mapped the CSA Cloud Controls Matrix to the repeatable architectures on AWS, Azure and Google. Performing a Security and Governance Gap Assessment means comparing your control objectives against a known standard such as the CSA's matrix and documenting the gaps in your controls and technologies against accepted best practices.
The result is an MVC with a prescriptive security and governance platform mapped to the CSA CCM. This is a huge time saver: instead of building your security reference architecture from the ground up, you can accept a baseline and make minor changes to meet your specific needs.
New Controls & Tools
Most enterprises start by treating their cloud program as if it were another data center, and quickly find they do not know how to map their existing control objectives to the cloud model. Lifting existing tool sets into the cloud does not work: data center-centric tools are not architected for public cloud platforms, where resources are created and destroyed through APIs rather than through a procurement and racking process. Our experience points to new tools and processes to solve these problems.
In addition, there is a big secondary bonus to adopting new tools: they are a lot cheaper than your data center tools!
#8 - Plan for Continuous Compliance
Enterprises have many controls that govern the IT environment. Since most of the resources are hardware based, the controls take the form of change management and operational services. The cloud model, however, is software based, and it is ungoverned unless you deliberately build governance into it: anyone with credentials can create resources with an API call. Imagine going from a permission-based purchasing process (getting a purchase order signed for new hardware) to an open credit card account where you can order new services without approvals.
The new consumption-based model requires a new level of governance. Using the standard change management and controls approach simply does not work: legacy change controls slow the process down, and you end up back in the situation you were trying to escape.
What's required is Continuous Compliance. In this context, Continuous Compliance is software that constantly inspects your environment and controls the consumption and usage of services in your cloud. The controls are implemented as "software signatures": automated checks that evaluate the environment against specific governance and compliance requirements, and run continuously rather than at audit time.
For example, AWS has servers (EC2) and attached storage (EBS) that form the basic server/storage configuration. Only the root volume is deleted with its instance by default; a volume you attach yourself keeps its DeleteOnTermination flag set to false unless you change it, so if you terminate the server without specifically telling AWS to delete the storage, the storage is left orphaned. Over time, orphaned block storage becomes a risk to the company: it still holds the data it held when the server died, it is no longer covered by the controls that governed that server, and it keeps costing money. Unless properly gov-
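As an added example (not code from the original article or from its authors), here is one way to express the orphaned-EBS check above as a "software signature" in Python with boto3: a pure function over the shape of the EC2 DescribeVolumes response, exercised offline on a constructed inventory and callable against a live region. It goes a step beyond the text by also flagging attached volumes that lack DeleteOnTermination, i.e. the volumes that will become orphans the next time their instance is terminated. All volume IDs, instance IDs, timestamps and the 7-day grace period are invented for the example.

```python
"""
Continuous-compliance "signature" for orphaned EBS volumes.

The signature is a pure function over the EC2 DescribeVolumes response shape,
so it can be unit-tested offline on constructed data and then scheduled
against live inventory. Names, IDs and timestamps below are invented.
"""
from datetime import datetime, timezone

# Constructed sample data in the shape of ec2.describe_volumes()["Volumes"].
# Every ID and timestamp here is made up for this example.
SAMPLE_VOLUMES = [
    {   # Unattached for weeks: the orphan the article describes.
        "VolumeId": "vol-0aaa000000000001", "State": "available", "Size": 100,
        "CreateTime": datetime(2016, 6, 1, tzinfo=timezone.utc),
        "Attachments": [], "Tags": [{"Key": "Name", "Value": "old-data"}],
    },
    {   # Attached data volume that will be orphaned when the instance is terminated.
        "VolumeId": "vol-0aaa000000000002", "State": "in-use", "Size": 500,
        "CreateTime": datetime(2016, 7, 1, tzinfo=timezone.utc),
        "Attachments": [{"InstanceId": "i-0bbb000000000001", "Device": "/dev/sdf",
                         "State": "attached", "DeleteOnTermination": False}],
        "Tags": [],
    },
    {   # Root volume: deleted with its instance, so it is compliant.
        "VolumeId": "vol-0aaa000000000003", "State": "in-use", "Size": 8,
        "CreateTime": datetime(2016, 7, 1, tzinfo=timezone.utc),
        "Attachments": [{"InstanceId": "i-0bbb000000000001", "Device": "/dev/xvda",
                         "State": "attached", "DeleteOnTermination": True}],
        "Tags": [],
    },
    {   # Freshly created and not yet attached: inside the grace period.
        "VolumeId": "vol-0aaa000000000004", "State": "available", "Size": 50,
        "CreateTime": datetime(2016, 7, 12, tzinfo=timezone.utc),
        "Attachments": [], "Tags": [],
    },
]

# Fixed "now" so the sample evaluation is reproducible.
NOW = datetime(2016, 7, 15, tzinfo=timezone.utc)


def evaluate_volumes(volumes, now, grace_days=7):
    """Apply the orphaned-storage signature and return one finding per violation.

    Two rules:
      orphaned-volume          - volume is 'available' (attached to nothing) and at
                                 least grace_days old. DescribeVolumes does not report
                                 when a volume was detached, so CreateTime is used as
                                 a conservative proxy for its age.
      will-orphan-on-terminate - volume is attached without DeleteOnTermination, so
                                 terminating the instance will orphan it.
    """
    findings = []
    for vol in volumes:
        vid = vol["VolumeId"]
        attachments = vol.get("Attachments", [])
        if vol["State"] == "available" and not attachments:
            age_days = (now - vol["CreateTime"]).days
            if age_days >= grace_days:
                findings.append({
                    "VolumeId": vid, "Rule": "orphaned-volume",
                    "Detail": f"unattached, {age_days} days old, {vol['Size']} GiB",
                })
            continue
        for att in attachments:
            if not att.get("DeleteOnTermination", False):
                findings.append({
                    "VolumeId": vid, "Rule": "will-orphan-on-terminate",
                    "Detail": f"attached to {att['InstanceId']} as {att['Device']} "
                              f"without DeleteOnTermination",
                })
    return findings


def orphaned_gib(findings, volumes):
    """Total size of volumes already flagged as orphaned, for a cost/risk metric."""
    sizes = {v["VolumeId"]: v["Size"] for v in volumes}
    return sum(sizes[f["VolumeId"]] for f in findings if f["Rule"] == "orphaned-volume")


def run_sample():
    """Evaluate the constructed inventory at the fixed NOW."""
    return evaluate_volumes(SAMPLE_VOLUMES, NOW)


def fetch_live_volumes(region_name):
    """Pull every volume in one region with boto3 (needs AWS credentials; not used offline)."""
    import boto3  # imported here so the signature itself has no cloud dependency
    ec2 = boto2 = boto3.client("ec2", region_name=region_name)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return volumes


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['Rule']:26} {finding['VolumeId']}  {finding['Detail']}")
    # Against a live account, replace the sample with:
    # evaluate_volumes(fetch_live_volumes("us-east-1"), datetime.now(timezone.utc))
```

The signature only reports. Whether to snapshot-and-delete an orphan, or to set DeleteOnTermination on a data volume, is a policy decision that should pass through the same governance process, since either step can destroy data. Note also that DescribeVolumes carries no detach timestamp, so the age rule uses CreateTime and will under-count how long a volume has really been idle; CloudTrail DetachVolume events are the source for that.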