In the last few weeks, we implemented 710 security and compliance controls from the 7 key standards that apply to a public cloud environment. To assess control compliance, the cloud provider allows assessment using technical security policies. For 710 controls, approximately 2050 policies are used for the assessments; most of those are in the NIST-related assessments.
By default, with all the assets configured for practical use, only 15% of the policies were compliant, and our goal was to be 80%. In our journey from 15% to 85% compliant, we identified a few security patterns and a direct correlation with a significant increase in cost, which some of us might read as a cloud provider turning the organization's insecurity to its own advantage. Below are some pointers for executives who aim for higher rigor or maturity of controls in the cloud environment.
Costliest services
The costliest services are not compute or storage as you move to a higher percentage of compliance. Approximately 40% of the total cost is threat prevention services and monitoring.
Network security is still complex
Network security is still more complex in the cloud than on-premises. The cost will increase by approximately 200% if all the network recommendations are implemented as prescribed by the cloud policies.
Significant cost of security
Going to an 85% compliance score will increase the cost of cloud services by approximately 300%. The majority of the cloud cost, at that point, is security-related.
Most impactful security controls
The controls with the highest security impact in preventing ransomware scenarios or data leaks, and the easiest to fix, are those related to the identity and access lifecycle.
Below is an animated view of our journey and a relative comparison of the security standards:
What next
Out of SOC-TSP, NIST-SP-800-53-R5, ISO-27001:2013, Azure-Security-Benchmark, Azure-CIS-1.3.0, PCI-DSS-3.2.1 and NIST-SP-800-53-R4, the Azure Security Benchmark was the easiest to implement because it appears to promote Azure service consumption only. About 90% compliance with NIST R4 controls corresponds to only about 60% ISO-27001 compliance, even though ISO has far fewer controls.
In conclusion, the organization must watch out for cost, not blindly trust the cloud provider's scores and recommendations, and set up a governance team that makes cost-versus-security-impact decisions.
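The reason one set of policy results yields different scores per standard is that a control passes only when every policy mapped to it passes, and each standard maps its own controls onto a shared, overlapping pool of policies. The following added example (our own illustration, not the cloud provider's assessment code) scores two standards over the same constructed policy states and ranks the non-compliant policies by how many controls they block across all standards; the policy ids and control mappings are hypothetical.

```python
from collections import Counter

# Constructed sample (hypothetical policy ids); a policy absent from the dict counts as NonCompliant.
POLICY_STATE = {
    "mfa-for-admins": "Compliant",
    "storage-https-only": "Compliant",
    "nsg-on-subnet": "NonCompliant",
    "ddos-protection": "NonCompliant",
    "log-retention-365": "Compliant",
    "key-vault-soft-delete": "NonCompliant",
}
# Constructed mapping: standard -> control -> policies that assess that control.
STANDARDS = {
    "NIST-R4": {"AC-2": ["mfa-for-admins"],
                "SC-7": ["nsg-on-subnet", "ddos-protection"],
                "SC-8": ["storage-https-only"],
                "AU-11": ["log-retention-365"]},
    "ISO-27001": {"A.9.2": ["mfa-for-admins"],
                  "A.9.4": ["mfa-for-admins", "key-vault-soft-delete"],
                  "A.13.1": ["nsg-on-subnet", "ddos-protection"],
                  "A.12.4": ["log-retention-365"]},
}

def control_is_compliant(policy_ids, states):
    # A control passes only when every policy assessing it is Compliant.
    return all(states.get(p) == "Compliant" for p in policy_ids)

def compliance_score(controls, states):
    # (compliant controls, total controls, percent) for one standard.
    total = len(controls)
    passed = sum(control_is_compliant(ids, states) for ids in controls.values())
    return passed, total, (round(100.0 * passed / total, 1) if total else 0.0)

def policy_level_score(states):
    # Raw policy percentage, the number a provider dashboard tends to show.
    return round(100.0 * sum(s == "Compliant" for s in states.values()) / len(states), 1)

def blocking_policies(standards, states):
    # Rank NonCompliant policies by how many controls (across all standards) they block.
    blocked = Counter()
    for controls in standards.values():
        for policy_ids in controls.values():
            for p in set(policy_ids):
                if states.get(p) != "Compliant":
                    blocked[p] += 1
    return sorted(blocked.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for name, controls in STANDARDS.items():
        print(name, compliance_score(controls, POLICY_STATE), "policy level:", policy_level_score(POLICY_STATE))
    print("fix first:", blocking_policies(STANDARDS, POLICY_STATE))
```

With the same six policy states, NIST-R4 scores 75% while ISO-27001 scores 50%, and the two network policies top the fix-first list because each blocks a control in both standards.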
Reach out to Aristiun for a free consultation on approaching security policies in the major public cloud service providers.