🔖 Security & Compliance
Ensuring security and compliance of IT systems is among the biggest concerns of organizations adopting a multi-cloud strategy. Leveraging cloud service provides with public cloud platforms is a form of outsourcing that requires oversight by a retained organization - and the cloud foundation team is best positioned to fulfill this need. This includes ensuring that workloads running on the cloud platform are managed and secured in accordance with the organization’s internal standards and policies.
However, Cloud Foundation teams cannot absorb all responsibilities of building and running secure systems. After all they cannot possibly forsee all the use cases and applications that application teams will built atop the cloud’s infrastructure. It’s therefore inevitable that the cloud foundation team has to provide a clear Shared Responsibility Model Alignment that defines its responsibilities between the cloud service provider and the organization’s application teams.
💡 It’s helpful to apply the same considerations to private cloud platforms as well and not treat them as “safe by default”. They require a similar split in responsibilities between platform teams and application teams.
Key Activities for Multi-Cloud Security & Compliance
Multi-Cloud Security & Compliance involves the following key activities and capabilities
Establish a clear Shared Responsibility Model Alignment for all Landing Zones
Establish a security baseline leveraging cloud capabilities like Service and Location Restrictions and Centralized audit logs
Establish a Multi-Cloud Tagging Policy serving the needs of all cloud foundation stakeholders and processes
Providing compliance capabilities like supporting an Incident Management Process powered by Resource Configuration Scanning
As the cloud foundation approach is all about integrating the capabilities of its constituent pillars, the Security & Compliance pillar has several important links to other cloud foundation capabilities
Cloud Tenant Tagging helps provide essential metadata for security & compliance processes directly in the cloud platform
Link Cloud Tenants to CMDB/EAM can often enable extending existing security & compliance processes to cloud tenants
- The scope of permissions granted to application teams as part of an Resource Authorization Management should reflect the responsibility split defined in the Shared Responsibility Model Alignment
- Compliance considerations can also extend into cost management, for example Budget Approval Process or Billing to different legal entities
- Centrally managed and secured services provided by the cloud foundation team can help raise and organization’s cloud security posture, for example by centralizing risky services like Virtual Network Service with On-Premise Network Connection or Managed Internet Egress
Designing a Multi-Cloud Security & Compliance Strategy
Especially when considering a multi-cloud scenario, cloud foundation teams need to design a security & compliance strategy that enables consistently securing workloads across all cloud platforms.
Multi-Cloud Security and Compliance: The Comprehensive Guide 2021
Take a look into the Security Guide 2021 for more insights on building an effective multi-cloud security & compliance strategy.Read the Security & Compliance Guide →
Key Stakeholders for Multi-Cloud Security & Compliance
Cloud Foundation teams need to cover the spectrum of knowledge about the organization’s security & compliance guidelines all the way to the technical implementation capabilities in different cloud platforms. Inter-disciplinary teams comprising information security specialists, enterprise architects and platform specialists are best positioned to define and automate security baselines that are compatible with both, compliance requirements and real-world- application requirements.
Cloud Foundation teams should pay special attention to strategically leveraging automation opportunities. Very often this allows automating security controls with technical measures, instead of requiring application teams to implement individual solutions based on organizational measures.