Balancing Controls with Enablement
There’s no better event in sports than playoff hockey. It’s fast-paced, gritty and every player knows the stakes are high. The rules are relaxed in playoff hockey too, to let the teams play and, in a sense, self-govern. When a player on the opposing team crosses the line in the physicality of a hit, that’s when the enforcer is called into the game. His job is to send a message to opposing players that this type of play won’t be tolerated and that there are consequences for putting another player’s health and safety at risk.
For many organizations this describes the atmosphere surrounding a mission-critical project. When budgets or milestones are at risk, rules can be relaxed. Don’t get me wrong, I’m not advocating that this is a good approach to project management or to managing risk. In fact, I think this is a really bad idea and exposes the organization to a host of bad outcomes. There is a better way!
Avoid the Enforcer
Viewing this through the lens of security governance, the question becomes “how do we balance governance controls and team enablement, while at the same time, protecting our critical cloud resources?” Effective governance of cloud security starts with recurring manual and automated processes designed to detect vulnerabilities and impose policies to remediate them. Much like the enforcer in hockey, Azure Policy remediation and effects bring your deployed cloud resources back into compliance when they've strayed outside your organization's acceptable governance policies. The following are a few examples to get you started along the path to updating security policy based on business change and feedback from the security and IT teams tasked with turning governance guidance into action.
- Initial risk assessment and planning – the starting point for identifying your organization’s unique security and compliance risk exposure.
- Deployment planning – before any workload is deployed to the cloud, perform a security review to ensure compliance and to identify new risks that may require planning and remediation.
- Deployment testing – as part of the deployment, run vulnerability and policy compliance scans to validate security policy compliance.
- Annual planning – this is an opportunity, once a year, to perform a high-level review of the security governance strategy. Collaborate with the business and IT teams to surface future business priorities and emerging security needs.
- Monthly audit and review – perform a monthly audit on all cloud deployments to ensure their continued alignment with security policy. This is also the time to review security incidents and activities and gauge whether existing security policies cover the current threat landscape.
The Enforcer Packs a Punch
Educating your IT teams and developers so they are up to date on your organization’s latest security policy requirements is critical to the success of your security governance policies. When a security policy is ignored or bypassed, you will need a process in place to enforce policy and bring workloads back into compliance. Take a look at the following examples of triggers and enforcement actions to put in place when policy violations are detected:
| Trigger | Remediation Step(s) |
| --- | --- |
| Cloud resource experiences a 25% increase in brute force or denial of service attacks | Discussion between security team and workload owner to determine remedies (is DDoS prevention properly applied to these resources?). Continued monitoring. |
| Data source detected without appropriate privacy, security or business impact classification | External access to the data source is denied until the data owner applies the classification and the appropriate level of data protection according to security governance policy. |
| Virtual machines discovered with access or malware vulnerabilities | Appropriate patches and security software are installed to bring the VM’s security posture in line with security governance policy. |
| Access to a resource not explicitly allowed by network access policies | Alert the security team and workload owner. Track the issue and update security policy guidance if revision is necessary. |
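The second table row (an unclassified data source loses external access) written as an Azure Policy definition that works the way the enforcer paragraph above describes. This is an added illustration, not InCycle’s or Microsoft’s own policy; the tag name `dataClassification`, the display name and the choice of storage accounts as the data source are assumptions.

```json
{
  "properties": {
    "displayName": "Unclassified data stores must not allow public network access",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Assumed example: a storage account with no data classification tag may not accept traffic from all networks. Audit reports existing offenders; Deny blocks new or updated ones.",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": ["Audit", "Deny"],
        "metadata": { "displayName": "Effect" }
      },
      "classificationTag": {
        "type": "String",
        "defaultValue": "dataClassification",
        "metadata": { "displayName": "Tag that carries the privacy/security/business impact classification" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          { "field": "[concat('tags[', parameters('classificationTag'), ']')]", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assign it with `Audit` first: Deny only stops creates and updates and does not change accounts that are already deployed, so the compliance results from the audit run are what drive the data-owner conversation the table calls for before the effect is switched to `Deny`.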
Win the Trophy!
Educating and empowering your teams to innovate with proper security policy adherence is a win-win for your organization. Establishing sound and effective cloud security governance takes time but is worth the effort for both development teams and business leaders.
- Do you have assets in Azure that have been created inconsistently?
- Are your IT teams empowered to create resources in Azure?
- Are your teams moving slowly because existing security policy governance isn’t cloud friendly?
If you answered yes to one or more of these questions, you have security governance issues that are impeding team productivity. InCycle has worked with many organizations to accelerate adoption of winning security governance practices.
To learn more about modern governance and best practices, download the Governance Playbook!