Course Introduction and Security Basics
Governance, Compliance and Risk
In the last decade the nature and complexity of security attacks have increased tremendously. From simple attacks, which focused on hacking exposed web pages, we have evolved to stealthy attacks, in which the attacker stays hidden for years on end inside the victim's network with the sole purpose of stealing data. To make matters worse, more and more companies have started to store their data in the cloud, thereby transferring part of the responsibility for securing that data to the cloud service provider. These days, therefore, the cloud service provider is entrusted with the task of providing adequate security for the data and services it delivers to customers. When deciding whether to move to the cloud, the two main metrics that enterprises look at tend to be cost and security risk.
We're now going to focus on the process of risk mitigation, because as I mentioned before, this is the category into which most of the assets will fall. We mitigate risks by putting security controls in place. We could design a control ourselves, or we could rely on security frameworks. In the case of ISO 27001, the framework provides us with about 114 controls broken down neatly into 14 domains. This helps break an enterprise down into smaller chunks and implement security piece by piece. As you can see in this slide, these are the 14 domains.
We see that we have domains like HR, assets, and incident management etc. Each of these domains comes with its own set of controls. In this slide, I have provided a snapshot of HR controls that are prescribed by the ISO 27001 standard. This provides a very structured way of going about mitigating risks. The first step in risk mitigation is to select the controls that we want to implement.
Most organizations pick all of the controls, but their implementation rigor might vary depending on the risk appetite of the organization. The controls that we put in place to ensure this can be classified into deterrent controls, preventive controls, detective controls, corrective controls, and compensating controls. Once we have selected our controls, we go about the task of implementing them. This defines the security architecture landscape of the organization.
It is at this point of the course that we're going to start focusing directly on the cloud application related aspects of the security implementation. So far, we have discussed the overall enterprise security setup, and that was important because in order to understand cloud security we need to understand enterprise security, since cloud applications are but a small part of the overall enterprise security picture.
Out of the 14 domains prescribed by ISO 27001, not all of them directly impact cloud applications. Some, like system development and maintenance, have a direct impact on cloud applications, since that domain lays down controls that determine how the application code written for the cloud is tested and moved to production. Domains like HR will have an indirect impact on the cloud application because, for example, they may contain a control that says all employees will have to undergo a background check. We're now going to focus only on the domains that impact cloud applications. Let's now look at the domains which impact cloud security architecture directly.
These are the following: asset management, access control, physical security, operations security, system routine management, application routine management, pen testing, monitoring, and incident management. So now let's delve into these domains one at a time. Let's start with asset management.
About the Author
Vish Chidambaram is an award-winning enterprise security leader with 18+ years of experience, skilled in areas spanning automation, security operations analytics and reporting, the threat management life cycle, Agile/DevOps environments, SaaS/cloud security, business development/consulting, program management and more. Most recently Vish was the CISO at Rubicon Project, a SaaS-based ad marketplace, where he was responsible for securing a high-performance SaaS platform with 40 billion transactions per day. He pioneered the integration of security into DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at datacoreacademy.com or by writing to email@example.com. His LinkedIn page is https://www.linkedin.com/in/vish-chidambaram/