In our previous blog post, Getting Started with Cloud Governance, enterprise security architect Wayne Anderson discussed the challenge of understanding the “sanctioned” path to the cloud and how governance was the initial building block for cloud security. To understand the sanctioned path, we must have visibility into our overall use of cloud services and further apply a set of intelligent controls that enforce our governance requirements. These steps become the building blocks for intelligent data control, which tightens our data security posture and allows accelerated business transformation.
Before we focus on intelligent control of data in sanctioned services, we must have a clear understanding of which services are in use in our environment and the risk each of them brings. Setting requirements for cloud service governance is a good first step in identifying and limiting those services. To map a set of technical controls to the problem of data protection in the cloud, we must start with an architecture and an intelligent model that lets us achieve the desired controls.
The application of intelligent data control starts with a centrally managed platform that is elastic and works across all cloud service models: SaaS, PaaS and IaaS. There must be a consistent model in place for the visibility and control of allowable services as well as the control of data within sanctioned applications. The data policies used by the platform should also be consistent in both device-to-cloud and cloud-to-cloud scenarios.
Here’s a diagram showing a common control plane across cloud models:
Once we have the platform defined and in place, we monitor the cloud services being used and build an inventory of discovered services.
Here’s a sample inventory of cloud services using McAfee MVISION Cloud as our platform:
The discovered cloud services inventory is mapped against a comprehensive cloud services risk registry that assesses each service against dozens of attributes that can be used for fine-grained governance policies.
Example cloud service risk profile and attributes:
Finally, we craft and apply our governance policies, providing visibility into, and/or remediation of, services that fall outside the governance requirements. Future changes to the governance requirements themselves go through an approval workflow. The risk registry is updated dynamically and independently of policy execution, so a newly discovered service whose registry profile falls outside the acceptable governance requirements can be remediated without a policy change.
Intelligent application of governance requirements:
This arrangement lets us express governance requirements such as a total-risk ceiling (no service allowed with a risk score above 7 on a 1-to-10 scale), or disallowing any service that is multi-tenant and does not encrypt data at rest.
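The evaluation loop described above (discovered inventory, mapped against a risk registry of per-service attributes, checked against governance rules, with re-evaluation when the registry changes) can be made concrete in a few lines. The following is an added example written for this post, not MVISION Cloud's code or data model; the service names, attribute values and rule names are constructed for illustration. It encodes the two requirements just mentioned as rules and also shows the caveat a practitioner will hit immediately: a discovered service that has no registry entry yet cannot be scored, so it should be blocked (or at least queued for review) rather than silently allowed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical per-service risk profile; a real registry carries dozens of attributes.
@dataclass(frozen=True)
class ServiceProfile:
    name: str
    risk_score: int        # 1 (lowest risk) .. 10 (highest risk)
    multi_tenant: bool
    encrypts_at_rest: bool

# Constructed risk registry (illustrative values, not vendor data).
RISK_REGISTRY: Dict[str, ServiceProfile] = {
    "docs-share-a": ServiceProfile("docs-share-a", risk_score=3, multi_tenant=True, encrypts_at_rest=True),
    "filebox-b":    ServiceProfile("filebox-b",    risk_score=8, multi_tenant=True, encrypts_at_rest=True),
    "notes-c":      ServiceProfile("notes-c",      risk_score=5, multi_tenant=True, encrypts_at_rest=False),
    "vault-d":      ServiceProfile("vault-d",      risk_score=2, multi_tenant=False, encrypts_at_rest=False),
}

# Constructed discovered inventory, e.g. the output of proxy/firewall log analysis.
# "unknown-e" has been seen on the network but has no registry entry yet.
DISCOVERED_INVENTORY: List[str] = ["docs-share-a", "filebox-b", "notes-c", "vault-d", "unknown-e"]

# A governance rule is a name plus a predicate that is True when the profile VIOLATES it.
@dataclass(frozen=True)
class Rule:
    name: str
    violates: Callable[[ServiceProfile], bool]

GOVERNANCE_RULES: List[Rule] = [
    # "no services allowed with a risk score > 7 on a 1-to-10 scale"
    Rule("max-risk-score-7", lambda p: p.risk_score > 7),
    # "not allowing a service that is multi-tenant and does not encrypt data at rest"
    Rule("no-multi-tenant-without-encryption-at-rest",
         lambda p: p.multi_tenant and not p.encrypts_at_rest),
]

Decision = Tuple[str, List[str]]   # ("allow" | "block", [reasons])

def evaluate(inventory: List[str],
             registry: Dict[str, ServiceProfile],
             rules: List[Rule],
             unknown_is_violation: bool = True) -> Dict[str, Decision]:
    """Map each discovered service to its registry profile and apply every rule.

    The registry is passed in rather than read from a global so that a refreshed
    registry can be re-evaluated against unchanged rules, mirroring the point that
    registry updates happen independently of policy execution.
    """
    results: Dict[str, Decision] = {}
    for svc in inventory:
        profile = registry.get(svc)
        if profile is None:
            # Fail closed: an unscored service must not pass by default.
            decision = "block" if unknown_is_violation else "review"
            results[svc] = (decision, ["not-in-risk-registry"])
            continue
        reasons = [r.name for r in rules if r.violates(profile)]
        results[svc] = ("block" if reasons else "allow", reasons)
    return results

def diff_decisions(before: Dict[str, Decision],
                   after: Dict[str, Decision]) -> Dict[str, Tuple[str, str]]:
    """Services whose allow/block decision changed between two evaluations.

    This is what feeds a remediation queue after a registry refresh: only the
    services whose outcome actually flipped need action.
    """
    return {s: (before[s][0], after[s][0])
            for s in after if s in before and before[s][0] != after[s][0]}

if __name__ == "__main__":
    first = evaluate(DISCOVERED_INVENTORY, RISK_REGISTRY, GOVERNANCE_RULES)
    for svc, (decision, reasons) in first.items():
        print(f"{svc:14} {decision:6} {', '.join(reasons)}")

    # Simulated registry refresh: filebox-b is re-scored, unknown-e gets a profile.
    refreshed = dict(RISK_REGISTRY)
    refreshed["filebox-b"] = ServiceProfile("filebox-b", 6, True, True)
    refreshed["unknown-e"] = ServiceProfile("unknown-e", 9, True, False)
    second = evaluate(DISCOVERED_INVENTORY, refreshed, GOVERNANCE_RULES)
    print("changed after registry refresh:", diff_decisions(first, second))
```

Two design points carry over to any real deployment: rules are predicates over registry attributes, so adding a new governance requirement means adding a rule rather than touching the inventory or the registry; and decisions are recomputed from the current registry on every run, so a service that was allowed yesterday can be blocked today purely because its registry profile changed.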
Intelligent control of cloud service governance policies helps close the data-loss and malware exposure created by suspect services that have not been sanctioned. Establishing intelligent governance of cloud services in turn enables the next step: applying intelligent control to our sanctioned services.
In the future, we will continue the discussion on how intelligent data control can increase data security efficacy and accelerate your business as a result.