The accelerated penetration of digital business and the adoption of cloud computing and related technologies including IoT, AI, big data, and DevOps go hand in hand with the ever-increasing cyber threats inflation. As paradoxical as this may sound, the adoption of these technologies and the IT transformations that go with it introduce new security vulnerabilities. The best answer is certainly not the isolated implementation of the latest tools as is too often the case, but the deployment of what is increasingly referred to as Enterprise Cloud Security. It makes business leaders both proactive and responsive to cyberattacks. In the following, I discuss the Cybersecurity Fortress Design Pattern that I developed to implement enterprise cloud security.
What is Enterprise Cloud Security
Enterprise Cloud Security refers to how well people, policies, procedures, processes and security tools are deployed throughout the organization in a way that effectively protects the company's IT including cloud and on-premise operations, critical systems and data from internet attacks. Despite the fact that cloud security and in general cybersecurity has become a key business issue, an impressive number of companies that have adopted cloud computing have experienced cloud-related security incidents, about 80% of them, according to many well-informed reports.
The most common cloud security incidents according to CloudTech's Duncan MacRae in a study that involved a panel of major cloud adopters include:
- Security incidents during runtime (34%)
- Unauthorized access (33%)
- Misconfigurations (32%)
- Major vulnerabilities that have not been remediated (24%)
- Failed audit (19%)
I totally agree with the findings, they are the same as I have been observing for 13 years. My conviction is that the root cause of these cloud security issues is the fact that systemic and holistic approaches to managing cybersecurity are ignored in favor of piecemeal processes. It is why I developed the Cybersecurity Fortress Design Pattern.
The cybersecurity fortress design pattern seeks to help businesses to rapidly implement robust cyber fortresses. It builds on the NIST Cyber Security Framework (CSF) to provide the methodological, operational, and organizational framework needed to effectively manage cybersecurity risks and proactively prevent or respond to cyberattacks.
Principles behind the Cybersecurity Fortress Design Pattern
The cybersecurity fortress pattern is based on five principles that determine the mindset as well as the organizational, operational, and technological pillars needed to design and implement cybersecurity fortresses. They include:
- Principle 1 - Elevate cybersecurity to the same level of importance as other business management areas, place it in the agenda of all corporate governance bodies.
- Principle 2 - Make risk management the cornerstone of your cybersecurity capability and practices.
- Principle 3 - Involve all your staff in the company's cybersecurity program, give everyone an active cybersecurity role.
- Principle 4 - Adopt a holistic and systemic approach, consider human, organizational and operational aspects but also, as a whole, the cloud and on-premise components of the company's IT.
- Principle 5 - Make technological watch and innovation the drivers of your cybersecurity risk management and the hub of your operational security (OpSec) practices.
The design of enterprise cloud security fortresses should follow these five principles.
The Cybersecurity Fortress Design Pattern Building Blocks
The above figure gives an overview of the enterprise cloud architecture and how cybersecurity fits into the company's IT. It highlights five cybersecurity building blocks derived from the NIST Cyber Security Framework (CSF) five core functions including Identify, Protect, Detect, Respond, and Recover. Each encapsulates specific cybersecurity processes, activities, staff, skills, methodologies, and tools.
Let's discuss them further!
Identify - In connection with principles 1, 2, and 3, the challenge here is to deploy a system of people, processes, and tools that allows the company to have a 360 degree view of its enterprise architecture and IT infrastructure so that it is able to proactively spot and evaluate cyber risks and determine preventive actions. The bottom line is to get current and future threats, both internal and external, clearly identified and documented. Key activities in this building block include governance, asset management, and risk management.
Protect - Relating to principles 4 and 5, the core purpose in this building block is to perform preventive cybersecurity controls in well-determined human, organizational, operational, and technological circumstances. The focus is on identity management and access controls and what's expected is to get remote access controlled. Key activities include identity management and access control, awareness and training, data security, information security protection processes and procedures, maintenance. Popular Preventive Solutions (procedures, policies, controls and tools) supporting this building block's activities include Authentication & Authorization, Firewalls, Malware Protections, VPN, MFA, SSO, and Cryptography.
Detect - Relating to principle 4 as well, this building block stresses security continuous monitoring through performance of detective cybersecurity controls in well-determined human, organizational, operational, and technological contexts. The objective is to get vulnerabilities scans continuously performed. Key activities include security continuous monitoring and anomalies and events continuous based on detection processes. Common Detective Solutions (procedures, policies, controls and tools) supporting the Detect building block include Events and Anomalies Monitoring, Intrusion Detection Systems (IDS), Security Information and Event Management Systems (SIEMs), User and Entity Behavior Analytics Systems (UEBAs), Threat Hunting Systems, and Antivirus Software.
Respond - Addressing principles 4 and 5, the focal point in this building block is to perform reactive cybersecurity controls following analysis and understanding cyber attack contexts. The goal is to make sure forensics are performed. Key activities include analysis, response planning, communications, mitigations, and improvements. Usual Reactive Solutions (procedures, policies, controls and tools) include Incident Response Plan (IRP), Computer Security Incident Response Team (CSIRT), and IDS Logs Analysis Tools.
Recover - In connection with principles 4 and 5, this building block is concerned with recovering from cyberattacks. The bottom line is to get recovery plans executed as needed. Key activities include recovery planning, communications, and improvements. Familiar Recovery Solutions (procedures, policies, controls and tools) include Recovery Plans, Disaster Recovery, and Backup & Recovery.
Deploying Enterprise Cloud Security
Those familiar with it has probably guessed that deploying enterprise cloud security is about implementing the NIST CSF recommendations.
Implementing the organizational, operational and technological framework in which technical experts will express their ingenuity to protect the company's assets is the first thing you must have in mind. It is the purpose of the 4 stages of the Cybersecurity Fortress Pattern:
Auditing the As-Is Cybersecurity Environment
The goal in this step is to identify and understand the gaps between the as-is environment and the enterprise cloud security architecture from the cybersecurity fortress pattern's perspectives. Key activities include (1) putting together the as-is enterprise architecture including people, processes, methodologies and tools; (2) benchmarking the as-is enterprise architecture against the cybersecurity fortress architecture elements; (3) identifying the gaps along with the related vulnerabilities; and (4) making cybersecurity improvement recommendations.
Aligning the As-Is Environment to the Enterprise Cloud Security Framework
The stake in this step is to fill the gaps identified in the audit to design the to-be enterprise cloud security platform and align it, as much as possible, to the agreed upon cybersecurity fortress pattern's recommendations. Primary activities include (1) identifying / designing cybersecurity solutions likely to fill the identified gaps; (2) reconfiguring the as-is cybersecurity architecture into the to-be cybersecurity architecture from the people, processes, procedures, policies, and tools perspective; and (3) develop the cybersecurity fortress deployment plan.
Implementing the Enterprise Cloud Security Recommendations
In this step the goal is to deploy your cybersecurity people, processes, procedures, policies, and tools throughout your organization. The principal activities include (1) communicating about the changes ahead, (2) training to the to-be cybersecurity responsibility assignment (RACI) matrix, processes, procedures, policies, and tools across the organization; and (4) running a cybersecurity pilot project.
The Key Takeaways
The ever-increasing number of cyberattacks, +38% in 2022 compared to 2021, leaves no room for improvisation; CIOs would be wrong to persist in blind cybersecurity implementations that stress blind deployments of tools. Furthermore, their incredible plurality and accelerated frequency make it suicidal to cling to this one-eyed view of cybersecurity. Enterprise architecture approaches are required as they provide the tools (cartography of applications, systems, and processes, enterprise architecture governance, etc) that help to make the implementation of cyber fortresses easier and faster.
Additional benefits of the fortress design pattern include:
- The proposition of architectural blueprints that allow to rapidly and easily pinpoint the key assets to protect and where to deploy the adequate cybersecurity solutions.
- It offers an organizational and methodological framework that favors the integration of all contributions to the company's cybersecurity strategy, more importantly, it is conducive to cybersecurity experts ingenuity.
- It provides experts with a library of hundreds of enterprise cloud security recommendations and best practices derived from the NIST 800-53 and many other resources.
Stay tuned, I will soon launch the initiative, The AWS Cybersecurity Fortress Project. In the same spirit as my book "Transforming Your Business with AWS," this international community of experts that we will build together will share Enterprise Cloud Security best practices with a view to deliver a formal and complete AWS Cybersecurity Fortress Models.
By Philippe Abdoulaye
Keywords: Cloud, Cybersecurity, Business Continuity