Matrix (CCM) as an accepted baseline of control objects for cloud computing in the
enterprise, and this is at the center of our cloud security methodology.
We have mapped the CSA Cloud Controls Matrix to the repeatable architectures on
AWS, Azure and Google. Performing a Security and Governance Gap Assessment means
looking at your control objectives against a known standard, such as CSA’s matrix, and
documenting the gaps in your controls and technologies against accepted best
practices.
The result is an MVC with a prescriptive security and governance platform mapped to
the CSA. This is a huge time saver. Instead of building your security reference
architecture from the ground up, you can accept a baseline and make minor changes to meet
your specific needs.
New Controls and Tools
Most enterprises start by thinking about their cloud program as if it were a data center,
and quickly find themselves not knowing how to map their existing control objectives to
the new cloud model. Taking existing toolsets and applying them to the cloud does not
work. Data-center-centric tools are not architected for public cloud platforms. Our
experience points to new tools and processes to solve these problems.
In addition, there is a big secondary bonus to leveraging new tools – they are a lot
cheaper than your data center ones!
#8 – Plan for Continuous Compliance
Enterprises have many controls that govern the IT environment. Since most of the
resources are hardware based, the controls take the form of change management and
operational services. However, the new cloud model is software based and ungoverned
by its very nature. Imagine going from a permissions-based purchasing process (getting
a purchase order signed for new hardware) to an open credit card account where you
can order new services without approvals. During our workshops, we jokingly say to the
audience, “What could possibly go wrong?”
The new consumption-based model requires a new level of governance. Using the
standard change management and controls approach simply does not work. Legacy change
controls will slow the process down, and you will find yourself back in the same situation
you were trying to escape.
What is required is Continuous Compliance. In this context, Continuous Compliance is
software that is constantly looking at your environment, and controlling the
consumption and usage of services in your cloud. The controls are implemented using “software
signatures” that check for specific governance and compliance requirements.
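An added illustration (not code from The Doppler or its authors) of what a “software signature” looks like in practice: each control objective becomes a check, the checks run against a constructed cloud inventory, and the result is the documented gap list a gap assessment needs. The control identifiers, resource shapes and inventory are placeholders, not real CSA CCM control numbers.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Signature:
    """One 'software signature': a control objective expressed as a check."""
    control_id: str      # placeholder id, not a real CSA CCM control number
    description: str
    applies_to: str      # resource type the check targets
    check: Callable[[dict], bool]   # returns True when the resource is compliant

SIGNATURES = [
    Signature("CTRL-STORAGE-1", "object storage must not be publicly readable",
              "bucket", lambda r: not r.get("public_read", False)),
    Signature("CTRL-CRYPTO-1", "data at rest must be encrypted",
              "bucket", lambda r: r.get("encryption") is not None),
    Signature("CTRL-NET-1", "no ingress from 0.0.0.0/0 to admin ports 22/3389",
              "security_group",
              lambda r: not any(rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389)
                                for rule in r.get("ingress", []))),
]

# Constructed sample inventory standing in for what a cloud provider API would return.
INVENTORY = [
    {"id": "logs-bucket", "type": "bucket", "public_read": False, "encryption": "aes256"},
    {"id": "web-assets", "type": "bucket", "public_read": True, "encryption": None},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "sg-app", "type": "security_group",
     "ingress": [{"cidr": "10.0.0.0/8", "port": 8080}]},
]

def evaluate(inventory, signatures=SIGNATURES):
    """Run each signature against every matching resource and return the gap list.
    For continuous compliance this runs on a schedule or on every change event."""
    gaps = []
    for res in inventory:
        for sig in signatures:
            if res["type"] == sig.applies_to and not sig.check(res):
                gaps.append({"resource": res["id"], "control": sig.control_id,
                             "finding": sig.description})
    return gaps

def gaps_per_control(inventory, signatures=SIGNATURES):
    """Gap count per control id: the summary view a gap assessment documents."""
    counts = {s.control_id: 0 for s in signatures}
    for gap in evaluate(inventory, signatures):
        counts[gap["control"]] += 1
    return counts
```

On the sample inventory, `evaluate` flags the public, unencrypted bucket twice and the bastion security group once, while the compliant resources produce no findings.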
54 | THE DOPPLER | SUMMER 2019