Certified ISMS Compliance
One way to achieve and demonstrate compliance in your cloud journey is to get your Cloud Foundation certified against one of the common frameworks such as C5 or ISO 27001. Both are standard information security frameworks that combine technical and organizational measures, so certification covers more than the technical setup of your cloud tenants.
Proven Patterns When Implementing ISMS Compliant Cloud Foundations
Start with a Specific Use Case
Even if you are implementing an ISMS compliant Cloud Foundation for a large variety of applications, it makes sense to identify a couple of specific use cases to start with. There is a good chance you will identify a handful of application types that you want to accommodate in the future. For example, cloud-native applications and applications that require on-premises connectivity are different application types, and each maps to its own Cloud Zone of your Cloud Foundation.
Provide Standard Security Templates
Once you have identified the different application types you want to support with your Cloud Foundation, you can go ahead and provide standard security templates for these use cases. A standard template is applied to all applications of its type to ensure a consistent implementation of the security requirements. This facilitates audits, as you can easily prove how security requirements are implemented for a large number of applications by showing the template once instead of inspecting each application. Furthermore, future changes, whether driven by new regulation or by new technical capabilities, are much easier to handle and implement because they are made in the template rather than in every application.
Map Control Catalogs with Technical Security Controls
When implementing security requirements, we are often faced with a gap between the organizational, mostly document-heavy part of them and their technical implementation. While dedicated security or governance departments feel comfortable dealing with abstract descriptions of hundreds of security controls, their technical counterparts may have a tough time interpreting these requirements and translating them into cloud-specific implementation patterns. This gap bears the risk that the same control in the catalog ends up with several inconsistent implementations, which makes it hard to audit and maintain over time. Therefore, a centrally defined mapping between each entry of your control catalog and its actual technical implementation (the setting that satisfies it and the check that proves it) reduces complexity and increases the consistency of your security setup.
Automate Control Implementation
You can prevent security findings if the relevant configurations are automatically rolled out and continuously enforced in your cloud tenants. Modular Landing Zones are a great way to achieve this. The advantage of such a preventive approach is that it is much more efficient than handling misconfigurations or vulnerabilities reactively, e.g. by scanning each cloud environment for possible misconfigurations (see Resource Configuration Scanning), because reactive handling requires continuous remediation actions that cost resources. Scanning still has its place for detecting drift from the enforced configuration, but it should be the safety net rather than the primary control.
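The following added example (written for this page, not code from the Cloud Foundation project) shows the two previous patterns in one small script: a central control catalog in which every entry is mapped to the setting a landing zone enforces and to the check an auditor can replay, plus zone templates that render a tenant configuration with the enforced settings applied last, so an application team's request cannot weaken them. The control IDs, zone names and configuration keys are constructed placeholders and are not real C5 or ISO 27001 identifiers; the tenant configurations at the bottom are constructed sample data.

```python
"""Control catalog mapped to technical controls, with preventive enforcement.

Added example, not part of the Cloud Foundation page. All control IDs, zone
names, configuration keys and tenants below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable

# A tenant (cloud project/subscription) configuration as a landing zone renders it.
Config = dict[str, object]


@dataclass(frozen=True)
class Control:
    """One catalog entry mapped to its technical implementation."""
    control_id: str                     # placeholder, not a real C5/ISO 27001 number
    objective: str                      # the document-level requirement
    check: Callable[[Config], bool]     # evidence: how compliance is verified
    enforced: Config                    # what the landing zone sets to satisfy it


# Central mapping: catalog entry -> enforced setting + replayable check.
CATALOG: list[Control] = [
    Control(
        "CTRL-CRY-01",
        "Data at rest is encrypted with customer-managed keys",
        lambda c: c.get("storage_encryption") == "cmk",
        {"storage_encryption": "cmk"},
    ),
    Control(
        "CTRL-LOG-01",
        "Audit logs are retained for at least 365 days",
        lambda c: int(c.get("audit_log_retention_days", 0)) >= 365,
        {"audit_log_retention_days": 365},
    ),
    Control(
        "CTRL-NET-01",
        "No resource is exposed to the public internet by default",
        lambda c: c.get("public_ingress") is False,
        {"public_ingress": False},
    ),
]

# Standard security templates per Cloud Zone (one per application type).
# Zone settings that are not controls remain adjustable by the application team.
ZONE_TEMPLATES: dict[str, Config] = {
    "cloud-native": {"on_prem_connectivity": False},
    "on-prem-connected": {"on_prem_connectivity": True, "vpn_gateway": "hub-vpn"},
}


def apply_template(zone: str, requested: Config) -> Config:
    """Render a tenant config: team request first, zone defaults next, and the
    enforced control settings last so they can never be overridden (preventive)."""
    rendered: Config = dict(requested)
    rendered.update(ZONE_TEMPLATES[zone])
    for control in CATALOG:
        rendered.update(control.enforced)
    rendered["zone"] = zone
    return rendered


def evaluate(config: Config) -> dict[str, bool]:
    """Replay every control check against one config; this is the audit evidence."""
    return {control.control_id: control.check(config) for control in CATALOG}


def audit_report(tenants: dict[str, Config]) -> dict[str, list[str]]:
    """For each control, list the tenants that fail it (empty list = fully compliant)."""
    report: dict[str, list[str]] = {control.control_id: [] for control in CATALOG}
    for name, config in tenants.items():
        for control_id, compliant in evaluate(config).items():
            if not compliant:
                report[control_id].append(name)
    return report


if __name__ == "__main__":
    # Constructed sample: a team asks for weaker settings than the catalog allows.
    shop = apply_template("cloud-native",
                          {"app": "shop", "storage_encryption": "platform", "public_ingress": True})
    # Constructed sample: a tenant created before the landing zone existed.
    legacy: Config = {"storage_encryption": "platform",
                      "audit_log_retention_days": 90, "public_ingress": True}
    for control_id, failing in audit_report({"shop": shop, "legacy": legacy}).items():
        print(control_id, "non-compliant tenants:", failing or "none")
```

Because the enforced settings are applied after the request, the "shop" tenant is compliant regardless of what the team asked for, while the "legacy" tenant shows up under every control; that is exactly the difference between the preventive and the reactive approach, and the same `evaluate` function doubles as the evidence you hand to an auditor.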
Keep the User Experience in Mind
A key to success when implementing a cloud foundation is to keep the user experience along the entire cloud project lifecycle in mind. Especially when building up powerful capabilities like ISMS compliance, it's important not to lose sight of the original aim of your cloud foundation: enabling application teams to build applications in the cloud. Following the previous steps will help you implement an end-to-end process that gives you a high degree of control over your cloud landscape without slowing down your application teams or reducing their agility.
Currently no tool implementations documented. Contributions welcome!