How to develop a business strategy for cloud security

Expert R.H. White walks through how to develop a business strategy that provides information security on the cloud.

Designing end-to-end security for cloud implementations begins with developing a strategic security program. The deliverables of the strategy become the administrative and managerial controls required to protect the organization financially and legally.

Protection of a cloud infrastructure begins with controls that provide governance, policy and/or rules, enforcement of policy and assurance of how information is protected. There are multiple methods of designing and delivering a strategy. In this tip, we will use a two-step approach to develop a strategy. We will first review how to understand an organization's business model, and then build a cloud security strategy based on the business model.

Understanding your business model

A business model describes the rationale of how an organization creates, delivers and captures value to remain competitive and profitable. To develop the best protection strategy, it is important to understand your organization's business model because it defines the priorities for the business and the target for protection.

Even if your organization does not have a published business model, one can make inferences based on the business strategy of the organization, which is typically shared annually. Business strategies are plans providing the goals, objectives and outcomes over multiple years for achieving long-term success. Goals define and qualify the primary outcome. Objectives provide measurable steps to achieve the outcome, which defines the end product of realized goals and identifies customer requirements. By combining these with existing organizational charts and critical path questions, a "straw man" of your organization's business model can be built.

Figure 1. Relationship mapping for building a business model

The result is a framework identifying the inputs required from the business to produce output. Inputs of business models are relationships, value propositions, key activities, key resources, key partners and cost structures. Outputs are channels, revenue streams and customer segments. Figure 1 shows an example of building a business model using relationship mapping from a business strategy.

Alignment to the business model is essential to achieve success. Information security, for the cloud or otherwise, does not drive the business; it enables the business. The strategies, frameworks and roadmaps of information security are built to support the business, regardless of the initiative, and will ultimately support the business drivers. Business drivers shape the protection business model, since it is an output of the business model and strategy. A protection business model contains the same overall framework of inputs and outputs, except that its focus is systemic protection.

For example, consider a company that specializes in at-home wine delivery. A customer relationship management application is under development to enable customers to interact with a sommelier for virtual wine-tasting, post ratings of wine, search for wines, submit payment and schedule delivery. From the business point of view, they need a secure application to protect the personal data of customers and meet contractual agreements associated with PCI compliance. However, the current network design will not support PCI segregation requirements, and the Terms of Use for the site must be updated. The value propositions support a comprehensive security and risk management program and include visioning, gap analysis, program management, threat modeling and secure design.

Figure 2.

Business value propositions are dynamic in nature, while a protection program business model is fairly static. Key resources are controllable factors (e.g., team) which deliver the value propositions. Key partners are those within the business whom you engage to provide business drivers. Figure 2 shows the business model of a security program that can be used across multiple industries.

You now have a business model with the identified capabilities (e.g., people, process and technology) associated with supporting the business and the customer.

Designing your strategy

Figure 3. Logic-based value chain showing an information security strategy

The strategy is a plan for supporting the goals of the organization and resolving gaps. The strategy involves demonstrating alignment, verifying motivations, setting the context of activities and describing tactics. It identifies the what, who, how and why required to support the organization's business strategy. Your strategy will follow the organization's strategy, and it will likely have a shorter cycle. If the business strategy spans 3-4 years, your strategy should span 2-3 years. The final year is used to reassess and begin planning for the updated organizational strategy. It is built using the logic-based value chain shown in Figure 3.

Business drivers push the strategy horizontally. Vertically, the outcomes are mapped and associated with the drivers. The outcome is alignment to the business and assurance that business goals are met. It is a tool for leveraging strengths and identifying opportunities for growth.

Protecting the cloud begins with establishing managerial controls: the business model and strategy. Once verified, the objectives of those controls result in administrative controls: policies, procedures, standards and guidelines. Those controls lead to roadmaps and tactics to select and implement technical controls, including security controls, aligned to the business strategy. This is a model that fosters end-to-end security for the cloud, whether you are a provider or a consumer.

About the author:
Ravila Helen White is the director of IT architecture for a healthcare entity. She is a CISSP, CISM, CISA, CIPP and GCIH, and a native of the Pacific Northwest.