Executive Cloud Security Simulation Workshop on 3rd December by AWS at AISS 2018 held by DSCI


I was fortunate to attend a Cloud Security simulation workshop held by AWS at the AISS summit organised by DSCI. I am summarising the key aspects of this workshop and the key learnings from it for IT and security professionals embarking on their journey to the Cloud. The workshop was based on a case study in which a hospital chain was planning to improve its customer experience and reduce IT costs by migrating to the cloud.

The participants were divided into teams which had to read the case study and carry out certain tasks. In Round 1 each team had to:
  • List out the business priorities of the company
  • List out the IT security priorities
  • List down the Year 1 security goals
  • Choose 3 of the 16 security initiatives listed below, each initiative having an associated budget cost.

Key initiatives for a Cloud Security journey (see images for detailed explanations):

  • Cloud Security Strategy 
  • Security Cartography 
  • Risk Assessment 
  • Governance 
  • Security policies 
  • Executive Sponsorship 
  • Cloud Provider Fundamentals 
  • Cloud COE 
  • Skills Assessment and Training 
  • Recruitment 
  • Core Security Epics Program 
  • Compliance Program 
  • Config and Vulnerability Management 
  • Data Classification 
  • Secure CI/CD DevSecOps 
  • DR/BCP 


Based on this selection, each team was scored on the parameters of the Balanced ScoreCard (listed below), with a maximum of 15 points. The budget was initially 15 and was reduced depending on the initiatives chosen.

My team chose Cloud Security Strategy, Executive Sponsorship and Cloud COE. In hindsight the last choice was not appropriate for the first year. Executive Sponsorship was a good choice, as it is an essential component of gaining support for your programme. The AWS team stated that too many CISOs focus on the technical aspects of the programme without obtaining the necessary support from senior management.

A Balanced ScoreCard was used to rank the choices on the following parameters:
  • Security Automation
  • Operational Agility
  • Security Posture
  • Strategic Impact
  • Budget


After this there were three events in Round 1 in which you had to choose what action to take. Depending on the choice, the team was again given points on the Balanced ScoreCard (this also depended on the security initiatives already selected). For example, it was essential to choose Executive Sponsorship in Round 1 to get support for your security programme.

Round 2 

A further case study with a follow-up situation was presented for Year 2 (Round 2). Here again the teams had to list down their Year 2 security goals and choose 3 new security initiatives, each with a corresponding impact on the team's scores on the Balanced ScoreCard.

This time our team chose Core Security Epics, Secure CI/CD DevSecOps and Security Policies. We debated at length whether to include Governance, but excluded it because of its high cost. This, however, was a mistake, as Governance is an essential initiative and encompasses Security Policies.

A good choice was the Core Security Epics programme, which involves carrying out the essential activities needed to secure the Cloud. These include:

  • IAM
  • Detective Controls
  • Infrastructure Security
  • Data Protection
  • Incident Response

This was followed by 3 more rounds in which you had to choose certain actions. One of them involved receiving a call at 2.45 am reporting that a breach had occurred, followed by a call from the CEO asking how she should respond to the Board and shareholders. The correct answer was to remain calm and tell her that you had things under control, as you had implemented the correct tools and had full visibility. We chose another option, which entailed asking her for time to check, as you were not sure whether your data was safe. This was not the best option.

However, in today's world, can a CISO or security team be completely confident that they would have repelled each and every attack? I don't know, but I believe that if you get an input it is always advisable to check first and then comment and commit.


Key lessons learned from the workshop 

- It is essential to set the foundations well in your Cloud Security journey. These include Cloud Security Strategy, Executive Sponsorship, Core Security aspects and Governance.

- Cloud Security is a journey, and the security team will need to work on a few initiatives every year to improve maturity and ensure better protection.

- A Balanced ScoreCard for assessing the impact of initiatives is a good tool. It can be used across a complete Cyber Security programme to rate each initiative on the parameters of Strategy, Posture, Automation and Agility, which helps ensure that the initiatives are not all working towards only one area of the scorecard.

- Cloud Security training for internal resources: it is essential to train and upskill your internal resources so as to enhance the organisation's security posture in a cost-effective manner.