Evolution of your Cloud Center of Excellence – Security Showback

Introduction

This is the second part of a three-part series for companies that already run an established CCoE but somehow feel stuck and are unable to move the needle forward. In the introduction you can read what to expect in this part and what else awaits you in the series. If you want to learn about “The unkept promise” and why you should create a Cloud Strategy / Cloud Governance now, I would recommend reading the first part of the series.

Cloud Security Showback

What exactly is meant when I talk about cloud security showback? Everyone may have heard of public cloud cost showback, a capability/service that many Cloud Centers of Excellence (CCoE) already provide to their internal customers. Showback consists of providing an analysis of cloud costs to the different business units within a company without actually cross-charging those costs. It solely serves the purpose of creating cost awareness at the various levels of a company, from the engineer up to executive management. Cloud security showback uses a similar method: it utilizes frameworks from the cloud service providers (hyperscalers) that measure how far the settings of the deployed cloud resources deviate from the provider’s recommended best practice. This results in a security score, with 100% indicating strict adherence to the provider’s specifications and minimal to no deviation from the defined framework. The purpose is again to create awareness at the various levels of a company, but this time not on the subject of costs but on the subject of cloud security best practices.

Why a simple number?

In contrast to costs, the absolute value of the security score is not decisive. The score is about revealing the general state of a cloud application in terms of security: Is an upward trend recognizable once the awareness of the cloud application owner has increased, and have processes been established to regularly bring the application’s resources in line with rising best-practice requirements? This number is not intended to be shouted out across the company; it rather serves as an indicator within the company’s security apparatus. Since it is an indicator, it makes sense to use a simple number such as a percentage value. A simple example: there are 100 security guardrails and the cloud application follows only 90 of them, resulting in a security score of 90%. Weighting individual requirements certainly makes sense here. A resource that is completely publicly available and a non-installed agent clearly differ in their security risk. Most security solutions of the cloud service providers (hyperscalers) already come with a security score out of the box, which should be used as a starting point.

Why the Cloud Center of Excellence?

Why the Cloud Center of Excellence (CCoE), which is not part of a company’s security apparatus per se? The following reasons clearly speak in favor of the CCoE:

  • By definition, the CCoE is the central point of contact for all topics relating to the public cloud, and this includes security
  • The cloud application owners / teams / business units are known to them and there is a regular exchange of information
  • Cloud cost showback/chargeback and the associated processes are already a capability that is practiced
  • Networking with the company’s security apparatus is established by the CCoE
  • In many cases the CCoE designs secure cloud architectures as a consulting service together with the cloud application owner, often supported by experts from the hyperscaler concerned

Creating a Security Showback Framework

Introducing a cloud security score is only half the battle. As with cloud cost showback, introducing the score is only effective if the corresponding processes are designed. The following processes can be a good starting point:

  • Cloud account onboarding process that activates security scoring before the first resource is created and trains cloud application owners who are unfamiliar with the processes
  • Security score outlier and deviator process that describes the procedure for offering help or self-help in the event of a poor numerical value
  • Exemption process that allows resources or settings to deviate from hyperscaler best practices
  • Reporting process for compiling a regular report to the security apparatus

Hyperscaler out of the box solutions

Microsoft Azure – Secure Score in Defender for Cloud

When turning on Microsoft Defender for Cloud in a subscription, the Microsoft cloud security benchmark (MCSB) standard is applied to the subscription by default, and assessment of the resources in scope against the MCSB standard begins. Microsoft also offers the possibility to track the secure score over a longer period than the default and even offers a precompiled, management-ready Power BI dashboard for a view outside the Azure portal.

Amazon Web Services (AWS) – AWS Security Hub

When turning on AWS Security Hub, the Security Hub console displays a summary security score across all of the enabled standards. The service calculates the cloud security score against common industry standards such as CIS, NIST or PCI DSS.

Google Cloud (GCP) – Security Command Center

Google Cloud unfortunately does not offer a cloud security score out of the box, but uses its Security Command Center service to display findings and their severity for any Google Cloud project. Using the API made available, a score could be calculated outside of Google Cloud based on the number of findings and their severity.
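The weighting discussed under “Why a simple number?” and the findings-based calculation suggested here for Google Cloud can be done with the same small routine. The following Python is an added example written for this post, not code from any hyperscaler’s SDK or console: it assumes a constructed set of enabled detector categories with a severity per detector, a constructed list of findings shaped only loosely like a findings API response (category, severity, state, resource), and severity weights chosen arbitrarily for illustration. It reproduces the post’s “90 of 100 guardrails = 90%” case and then shows how a public bucket and a missing agent, each a single deviation, land at very different weighted scores.

```python
"""Security score as a single percentage, unweighted or severity-weighted.

Added example for this post. Detector names, findings and severity weights are
constructed for illustration; they are not taken from any cloud provider.
"""
from typing import Dict, Iterable, Mapping, Optional

# Constructed severity weights: a public bucket should cost far more score than
# a missing agent, as the post argues. Adjust to your own risk appetite.
SEVERITY_WEIGHTS: Dict[str, int] = {"CRITICAL": 10, "HIGH": 5, "MEDIUM": 2, "LOW": 1}

# Constructed set of enabled guardrails (detector category -> severity).
DETECTORS: Dict[str, str] = {
    "PUBLIC_BUCKET_ACL": "CRITICAL",
    "OPEN_FIREWALL": "HIGH",
    "MFA_NOT_ENFORCED": "HIGH",
    "BUCKET_LOGGING_DISABLED": "MEDIUM",
    "OS_AGENT_MISSING": "LOW",
}

# Constructed findings, shaped loosely like what a findings API returns:
# one category per finding, a severity and whether it is still ACTIVE.
FINDINGS = [
    {"category": "PUBLIC_BUCKET_ACL", "severity": "CRITICAL", "state": "ACTIVE",
     "resource": "//storage.example/project-a-uploads"},
    {"category": "OS_AGENT_MISSING", "severity": "LOW", "state": "ACTIVE",
     "resource": "//compute.example/project-a/vm-web-01"},
    {"category": "OPEN_FIREWALL", "severity": "HIGH", "state": "INACTIVE",
     "resource": "//compute.example/project-a/allow-all"},   # already remediated
]


def security_score(results: Mapping[str, bool],
                   weights: Optional[Mapping[str, int]] = None) -> float:
    """Percentage of guardrails passed.

    results: guardrail id -> True if compliant, False if deviating.
    weights: guardrail id -> weight; guardrails without a weight count as 1,
             so passing no weights gives the plain "90 of 100 = 90%" case.
    """
    if not results:
        return 100.0          # nothing assessed means nothing deviating
    weights = weights or {}
    total = sum(weights.get(g, 1) for g in results)
    passed = sum(weights.get(g, 1) for g, ok in results.items() if ok)
    return round(100.0 * passed / total, 1)


def results_from_findings(detectors: Mapping[str, str],
                          findings: Iterable[Mapping[str, str]]) -> Dict[str, bool]:
    """A guardrail deviates if at least one ACTIVE finding exists in its category.

    INACTIVE (resolved) findings and categories outside the enabled detector
    set are ignored, so remediated issues no longer pull the score down.
    """
    active = {f["category"] for f in findings if f.get("state") == "ACTIVE"}
    return {cat: cat not in active for cat in detectors}


def score_from_findings(detectors: Mapping[str, str],
                        findings: Iterable[Mapping[str, str]],
                        weighted: bool = True) -> float:
    """Turn a list of findings into the single percentage the post recommends."""
    results = results_from_findings(detectors, findings)
    weights = ({cat: SEVERITY_WEIGHTS[sev] for cat, sev in detectors.items()}
               if weighted else None)
    return security_score(results, weights)


if __name__ == "__main__":
    # The post's own example: 100 guardrails, 90 followed
    hundred = {f"guardrail-{i:03d}": i >= 10 for i in range(100)}
    print("90 of 100 guardrails:", security_score(hundred))

    # Same findings, with and without weighting
    print("unweighted:", score_from_findings(DETECTORS, FINDINGS, weighted=False))
    print("weighted:  ", score_from_findings(DETECTORS, FINDINGS))

    # Why weighting matters: one deviation each, very different risk
    print("only public bucket, weighted:", score_from_findings(DETECTORS, [FINDINGS[0]]))
    print("only missing agent, weighted:", score_from_findings(DETECTORS, [FINDINGS[1]]))
```

Unweighted, the public bucket and the missing agent both cost exactly one fifth of the score; weighted, the bucket pulls the application down to 56.5% while the agent leaves it at 95.7%. Tracking the weighted value per account over time gives the trend the post asks for, and because resolved findings drop out of the calculation, remediation is visible in the next report without any manual bookkeeping.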

Oracle Cloud – Cloud Guard

Oracle Cloud takes the same approach as Google: it detects misconfigured resources and insecure activity and compiles them in Cloud Guard. In addition, you are able to activate best-practice policies. Everything combined is then calculated into a secure score and a security score rating.

Notes

Security showback should not be seen as the savior when it comes to cloud security. Hardening the system and protecting it against all attack vectors is still on the table. Cloud security scoring is an indicator; it helps to implement cloud best practices and increases awareness inside the teams working with the cloud. The Cloud Center of Excellence (CCoE), as a small part of the security apparatus, plays a pivotal role in instigating a paradigm shift towards embedding security considerations across all tiers of the cloud application stack and in the daily life of cloud developers and operators.

Consult me

If you still do not feel comfortable introducing a cloud security showback, feel free to consult me. I specialize in supporting companies during their cloud journey and in implementing processes and tools that work towards a strategic goal.
