For both SMBs and large enterprises, it is imperative, from the Service Provider's as well as the Customer's perspective, that a holistic threat landscape assessment be carried out on a continual basis before any steps are taken to implement security infrastructure and programs.
This has to be a top-down approach with extensive involvement of senior management stakeholders. Security has taken centre stage in the IT establishment, having moved in from the fringe where it sat 5 years back. All of an organization's efforts in building state-of-the-art products, intellectual property and proprietary information bear little value in an environment lacking adequate security controls. "Adequate" here specifically means a holistic approach to identify, assess, counter and prevent looming security threats. This holistic approach involves extensive cost, planning and time dedication from all stakeholders of the program.
Despite repeated attacks and breach attempts, organizations fail to understand the requirements of such a holistic approach, which shows the larger picture in the long run and has to mature over a period of time.
The 3-pronged dimensions towards attaining holistic cloud security nirvana are listed below:
• Threat Scenario
• Security Programs
• Core values of Security
Figure 1. The 3 pronged dimensions towards attaining holistic cloud Security Nirvana
Attaining mastery in identifying all possible threat scenarios, as per Figure 1, constitutes the first step towards attaining Security Nirvana. This has to be a continual activity, and assessing the landscape vis-à-vis the attack surface needs to be done in sync with threats from both external and internal agents.
Figure 2.
DIMENSION 1
The current threat landscape of the cloud environment can be summed up in 9 major domains. These domains, as listed by CSA, have been drawn from a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing.
Figure 3.
The CSA 9 threats highlight the different entry points through which cloud infrastructure can be compromised, causing monetary and reputational losses to organizations. Traditionally, the organizational approach to security compromises has been reactive, and top management fails to see the larger picture of the attack anatomy.
If we delve into the most sophisticated breaches of the past, they were, unfortunately, effective not because the organization lacked controls, but because the target organization responded successfully to the earlier attempts and plugged a few holes yet, for lack of security vision, did not conduct a complete overhaul of the environment in order to prevent future attacks. It has been observed that decoy attacks are used in many scenarios: they divert the organization's attention towards fixing the current threat and, in turn, help the attackers exploit a larger hidden hole which flushes out a bigger chunk of useful information than the decoy attacks themselves were targeting.
This threat landscape mapping should be done throughout the enterprise functions, product groups and business units.
Figure 4.
DIMENSION 2
After identifying the threat landscape, the next step should be to categorically identify the list of security programs which will suit the business environment and regulatory requirements of the target organization.
Maximum effort should be made to ensure the internal resources available to an organization are being
for the organization. Only after the internal resources are exhausted should the scope be drafted to include external resources in terms of both FTE resources and software solutions.
Each threat item should be carefully synchronized with compensating security programs based on the assessment. A metric should be calculated, based on the weights assigned, showing what percentage of threat levels has been covered by implementing the security programs. This exhibits only a macro threat coverage metric, without accounting for the programs' relative effectiveness in countering actual threats in the environment.
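The macro coverage metric described above can be computed as follows. This is an added example, not part of the original article: the nine threat names come from the CSA "Notorious Nine" (2013) list, which is assumed to be the CSA list the article refers to, and the weights, program names and threat-to-program mapping are constructed for illustration.

```python
# Added example: macro threat coverage (weights and mappings are constructed).

# Threat names: CSA "Notorious Nine" (2013), assumed to be the article's list.
# Weights are constructed sample values from a hypothetical assessment.
THREAT_WEIGHTS = {
    "Data Breaches": 20,
    "Data Loss": 15,
    "Account or Service Traffic Hijacking": 15,
    "Insecure Interfaces and APIs": 10,
    "Denial of Service": 10,
    "Malicious Insiders": 10,
    "Abuse of Cloud Services": 5,
    "Insufficient Due Diligence": 5,
    "Shared Technology Vulnerabilities": 10,
}

# Hypothetical security programs and the threat items each compensates for.
PROGRAMS = {
    "Encryption and key management": {"Data Breaches", "Data Loss"},
    "Identity and access management": {
        "Account or Service Traffic Hijacking", "Malicious Insiders"},
    "Secure SDLC and API testing": {"Insecure Interfaces and APIs"},
    "Backup and disaster recovery": {"Data Loss", "Denial of Service"},
}


def macro_coverage(implemented, weights=THREAT_WEIGHTS, programs=PROGRAMS):
    """Return (weighted % of threats covered, uncovered threats by weight)."""
    covered = set()
    for name in implemented:
        if name not in programs:
            raise ValueError(f"unknown program: {name}")
        stray = programs[name] - set(weights)
        if stray:
            raise ValueError(f"{name} maps to unassessed threats: {sorted(stray)}")
        covered |= programs[name]  # set union: a threat counts only once
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("threat weights must sum to a positive value")
    pct = round(100 * sum(weights[t] for t in covered) / total, 1)
    gaps = sorted(set(weights) - covered, key=lambda t: (-weights[t], t))
    return pct, gaps


if __name__ == "__main__":
    pct, gaps = macro_coverage(PROGRAMS)
    print(f"Macro threat coverage: {pct}%")
    for threat in gaps:
        print(f"  uncovered: {threat} (weight {THREAT_WEIGHTS[threat]})")
```

Coverage here is binary per threat item, so the result is exactly the macro figure the paragraph describes: it says which weighted share of the landscape has a program assigned, not how well that program performs.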
All the elements of the Security Programs should be tied to performance benchmarking against daily threats, alerts, offenses, detections and preventions, by crafting baseline thresholds and exhibiting a relative security posture for senior management's informational use. These metrics should be driven from an independent stakeholder function and need to be improved on a daily basis, ensuring a balance between business continuity and the essential security programs in place.
These security programs shall be discussed further in the next part of this article series, especially the Social Security domain, which has gained the spotlight in the past few years.
The following mapping between Dimension 1 (Threat Scenario) and Dimension 2 (Security Programs) gives a very high-level view; it requires an extremely granular approach to seep down to the very basics of security requirements, including valuation of the assets in an organization, tied to a qualitative measurement of their risk value.
Figure 5.
DIMENSION 3
Attaining Dimension 1 and Dimension 2 provides adequacy in the countermeasures available from a security perspective. However, to attain a truly self-sustainable intermittent process for an enhanced and improved security posture, these dimensions should be continually improved to achieve better metrics and move towards attaining the 3rd Dimension. This dimension lists the Core Values of Security, which help organizations attain a higher level of security nirvana, attain self-sustenance, and be self-sufficient in identifying, mapping, assessing, countering and mitigating security threats, in turn providing inputs to the overall business ecosphere towards a collaborative approach to a holistic security perspective.
Figure 6.
For further details on Dimension 2 and Dimension 3, see the next part of this article series.
About the Author
Varun Srivastava is an IT Professional with extensive experience in Management Consulting and Risk Advisory. He has authored two bestselling technical books in IT Security and has published multiple research papers in international journals. Varun brings both hands-on expertise and a leadership perspective on IT Security Strategies and their impact on business processes. Further information about the author can be read at in.linkedin.com/in/varuns/.