This article is one of a series providing guidance as you design a cloud security posture management (CSPM) and cloud workload protection (CWP) solution across multicloud resources with Microsoft Defender for Cloud.
Goal
Identify the teams involved in your multicloud security solution, and plan how they will align and work together.
Security functions
Depending on the size of your organization, separate teams will manage security functions. In a complex enterprise, functions might be numerous.
Reducing organizational risk by reducing the time in which bad actors have access to corporate resources. Reactive detection, analysis, response, and remediation of attacks. Proactive threat hunting.
Building tools, processes, and expertise to respond to security incidents.
Team alignment
Despite the many different teams who manage cloud security, it’s critical that they work together to figure out who’s responsible for decision making in the multicloud environment. Lack of ownership creates friction that can result in stalled projects and insecure deployments that couldn’t wait for security approval.
Security leadership, most commonly under the CISO, should specify who’s accountable for security decision making. Typically, responsibilities align as summarized in the table.
Category | Description | Typical Team
Server endpoint security | Monitor and remediate server security, including patching, configuration, endpoint security, and so on. |
 | Set direction for Azure role-based access control (Azure RBAC), Microsoft Defender for Cloud, administrator protection strategy, and Azure Policy to govern Azure resources, along with custom AWS/GCP recommendations. |
 | Maintain complete visibility and control of the infrastructure, to ensure that critical issues are discovered and remediated as efficiently as possible. |
 | Focus on security controls for specific workloads. The goal is to integrate security assurances into development processes and custom line-of-business (LOB) applications. |
 | Understand the Permission Creep Index (PCI) for Azure subscriptions, AWS accounts, and GCP projects, in order to identify risks associated with unused or excessive permissions across identities and resources. |
Although multicloud security might be divided across different areas of the business, teams should manage security across the whole multicloud estate rather than having different teams secure different cloud environments (for example, one team managing Azure and another managing AWS). Teams working across multicloud environments help to prevent sprawl within the organization, and they help to ensure that security policies and compliance requirements are applied in every environment.
Often, teams that manage Defender for Cloud don't have privileges to remediate recommendations in workloads. For example, the Defender for Cloud team might not be able to remediate vulnerabilities in an AWS EC2 instance. The security team might be responsible for improving the security posture, but unable to fix the resulting security recommendations. To address this issue, it's imperative to involve the AWS workload owners.
Depending on organizational models, we commonly see these options for central security teams operating with workload owners:
Option 1: Centralized model. Security controls are defined, deployed, and monitored by a central team.
The central security team decides which security policies will be implemented in the organization and who has permissions to control the set policy.
The team might also have the power to remediate non-compliant resources and enforce resource isolation in case of a security threat or configuration issue.
Workload owners on the other hand are responsible for managing their cloud workloads but need to follow the security policies that the central team has deployed.
This model is most suitable for companies with a high level of automation, to ensure automated response processes to vulnerabilities and threats.
Option 2: Decentralized model. Security controls are defined, deployed, and monitored by workload owners.
Security control deployment is done by workload owners, as they own the policy set and can therefore decide which security policies are applicable to their resources.
Owners need to be aware of, understand, and act upon security alerts and recommendations for their own resources.
The central security team, on the other hand, acts only as a controlling entity, without write access to any of the workloads.
The security team usually has insights into the overall security posture of the organization, and they might hold the workload owners accountable for improving their security posture.
This model is most suitable for organizations that need visibility into their overall security posture, but at the same time want to keep responsibility for security with the workload owners.
Currently, the only way to achieve Option 2 in Defender for Cloud is to assign the workload owners Security Reader permissions on the subscription that hosts the multicloud connector resource.
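As an added example (not part of the article), the following Az PowerShell script makes that Option 2 assignment idempotently: it grants each workload-owner group the built-in Security Reader role at the scope of the connector subscription, skips groups that already hold it, and then lists any other role held directly at that scope so that read-only visibility does not quietly grow into write access. The subscription ID and the group names are placeholders; it assumes an authenticated session with the Az.Accounts and Az.Resources modules.

```powershell
# Added example, not from the article: grant workload-owner groups Security Reader
# on the subscription that hosts the Defender for Cloud multicloud connector.
# Requires Az.Accounts and Az.Resources and an authenticated Connect-AzAccount session.
$connectorSubscriptionId = '00000000-0000-0000-0000-000000000000'      # placeholder
$workloadOwnerGroups     = @('aws-workload-owners', 'gcp-workload-owners') # hypothetical names
$scope = "/subscriptions/$connectorSubscriptionId"
$role  = 'Security Reader'

foreach ($groupName in $workloadOwnerGroups) {
    $group = Get-AzADGroup -DisplayName $groupName
    if (-not $group) {
        Write-Warning "Group '$groupName' not found; skipping."
        continue
    }

    # Idempotent: create the assignment only if it is not already present at this exact scope.
    # Get-AzRoleAssignment also returns inherited assignments, so filter on Scope.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Output "$groupName already holds '$role' on $scope"
        continue
    }

    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $scope | Out-Null
    Write-Output "Granted '$role' to $groupName on $scope"
}

# Review step: anything assigned directly at this scope with a role other than
# Security Reader is worth a second look under the decentralized model.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -ne $role } |
    Select-Object DisplayName, RoleDefinitionName, ObjectType |
    Format-Table -AutoSize
```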
Next steps
In this article, you have learned how to determine ownership requirements when designing a multicloud security solution. Continue with the next step to determine access control requirements.
Security is a fundamental consideration for all customers, in every environment. Moving to the cloud, however, is a significant change that requires a shift in mindset and approach to security. The Cloud Adoption Framework provides guidance for this journey, offering clarity on processes, best practices, models, and experiences.