A $100-billion Fortune 200 consumer packaged goods company recently partnered with CapTech to commercialize Microsoft Azure's Platform as a Service (PaaS) as an enterprise service offering. This blog is the fourth in a ten-part series of blogs. The purpose of this post is to cover conducting your security assessment to utilize the cloud. It is intended for anyone interested in gaining insight into the major bodies of work and considerations involved in commercializing cloud services for large enterprises.

Recommended Bodies of Work

The next couple of posts in this series are going to focus on some of the recommended bodies of work for commercializing the cloud at your organization. Below is a diagram that illustrates a high level and comprehensive view of the bodies of work with their relationships and dependencies. In the remainder of this post we will explore what's involved in conducting the cloud security assessment highlighted in green.

Workstreams

Conducting the Cloud Security Assessment

Perhaps one of the biggest hurdles when it comes to any large enterprise adopting cloud services is security. Depending on the size, scope, and complexity of your enterprise, this may be the long pole in the tent with obtaining stakeholder buy-in as it pertains to security. You will want your Cloud and Security Architects for this effort as well as Cloud Service Provider liaison to provide clarification on specific cloud capabilities and how they meet your enterprises security requirements. This activity entails assessing Azure's security capabilities against your enterprise's security control categories for various data classifications to understand how Azure meets your enterprise's security requirements. Such security control categories may include, but not limited to:

  • Access Management
    • Can access be centrally managed?
    • What sort of review capabilities exist?
    • What sort of logging capabilities exist?
    • How is access managed?
  • Audit Requirement
    • Can the platform be audited by a 3rd party?
    • Can the platform be audited by the enterprise?
  • Authentication
    • Does the platform support Unique Id/Strong Password requirements?
    • Does the platform support 2-factor authentication?
    • Can access be federated?
  • Authorization
    • Can authorization be based on business role?
    • How granular is the authorization capabilities?
  • Boundary Defense
    • Do they offer traffic monitoring?
    • Do they have a Network Intrusion Detection System (IDS)?
    • Do they have a Network Intrusion Protection System (IPS)?
    • Do they offer Destination Port Filtering?
  • Certifications
    • What sort of certifications do they have (eg. ISO 27001)?
  • Data Loss Prevention
    • Are there any automated access notifications?
    • Do they offer Digital Rights Management (DRM)?
  • Encryption at Rest vs. Transmission
    • What protocols do they use (eg. AES256+)?
    • Are passwords hashed?
    • Do they offer TSL/SSL, IPSEC, or SSH for encryption transmission?
  • Incident Response
    • Is the process documented?
    • Do they offer 24/7 monitoring?
    • What is the escalation process?
    • Do they offer client notifications?
  • Malware Defense
    • Do they utilize active device scanning?
    • Do they perform network edge scanning?
  • Physical Security
    • Do their data centers have restricted access?
    • Are they monitored 24/7?
    • Are the data centers subject to 3rd party audits?
  • Platform/Application Hardening
    • Do they offer data segregation either physical or logical?
    • Do they offer isolated hardware?
  • Privileged Access Management
    • Is vendor access least privilege?
    • Do they have detailed audit logs?
    • Do they have access logs?
  • Vulnerability and Patch Management
    • Do they run vulnerability scans?
    • Who manages patches at the physical and OS levels?

All of these control categories will most likely needed to be evaluated in some part. In addition to conducting the cloud security assessment, the project team should work with the enterprise's Security and IT Operations counterparts along with the Cloud Service Provider to develop a Major Incident Response Plan (MIRP) in the event of a security breach.

Conclusion

This fourth post in the ten-part series described conducting the security assessment to commercialize Azure with this Fortune 200 CPG client. These were the categories that we had to assess for this client. Every organization is different and has different security requirements. Depending on the size and maturity of your organization, these categories will change.

The entire series:

In the next post we are going to talk about establishing MPLS connectivity.