Let’s take a step back from all the acronyms, products, policies and the other word-cloud-worthy terms that make up the security environment, and examine what we are actually working to accomplish.
Ultimately, security is all about protecting our customers, employees, partners and our business!
Everything: our data, systems, processes, interactions and ultimately our reputation!
This means that security has to come before any other priority! It has to be baked into everything that we do! If this seems a little daunting, well, you’re right: there is a ton here. So how do we take a systematic approach that helps us understand our risks and gain the control and confidence to securely run the business?
Get a Security Check Up!
There are all sorts of bad actors out there who want to cause harm for many reasons that we won’t detail right now. But threats can also come from innocent mistakes made by our own employees, and from not proactively addressing known vulnerabilities.
Security can mean a lot of things depending on your role and experience, and if you have multiple people on your team this can get complicated quickly. That’s why we love the Open Security Architecture (OSA) Security Taxonomy model to connect all the dots! It’s an easy diagram that helps everyone in your organization understand, at a high level, what your security model should include.
Before you say this is way too complicated, pause, and then read this chart out loud, slowly, starting in the top left. Your Business Strategy is achieved through Business Processes. Your Business Processes run on IT Systems and Data Assets. That’s pretty straightforward and makes sense.
Your Business Strategy informs your IT Strategy and your Enterprise Architecture (EA). Your EA guides your Solution Architecture and includes Security Architecture. Your Solution Architectures instantiate as IT Systems & Data Assets.
At the bottom left of the diagram, Laws & Regulations inform Policies. Laws, Regulations & Policies require Controls. Controls are supplemented by Standards & Guidance. Controls require Tests, which are verified by Evidence. This is your vulnerability testing, application penetration testing, audits and other tests. The Evidence is used to Certify your Business!
Back to Controls. Controls are included in your Security Architecture and can mitigate Risks. Controls can also protect IT Systems & Data Assets which:
Threats & Vulnerabilities affect your Risks. Risks can potentially crystallize into Incidents. Incidents impact your Business Processes and are remediated by Responses.
While connecting the dots, we noted that Laws & Regulations inform Policies and require Controls. What are these Laws & Regulations? Do we have to get a law degree to understand them? Where do we even get started? Many organizations are required to follow certain compliance frameworks; you may be obligated to comply based on legal or contractual requirements. But in many cases following these programs is simply best practice!
There are many flavors of compliance. Here are just a few of the compliance programs that AWS adheres to and supports:
CSA: Cloud Security Alliance Controls
ISO: International Organization for Standardization
PCI DSS Level 1: Payment Card Standards
AICPA SOC: SOC for Service Organizations
FIPS: Government Security Standards
Personal Information Protection and Electronic Documents Act (PIPEDA): Canada’s Federal Private Sector Privacy Legislation
Freedom of Information and Protection of Privacy Act (British Columbia): Privacy Legislation in British Columbia (BC)
Health Information Act (HIA): Privacy Legislation in Alberta
Personal Health Information Protection Act (PHIPA): Privacy Legislation in Ontario
Personal Health Information Privacy and Access Act (New Brunswick): Privacy Legislation in New Brunswick
Zuggand has a rich history of building and maintaining robust Security and Compliance programs. With our deep public sector background, we have invested considerably in working with NIST, HIPAA, HITRUST, PCI, FERPA, FIPS, FedRAMP, FISMA and other programs. We developed a policy framework from the ground up to support multiple public sector entities and have worked in this space for nearly a decade now. Our strength is leveraging this knowledge and experience to make it simple to understand what you need to do under the shared responsibility model in the AWS Cloud.
It is important to establish core security principles that you can build your security practice on! AWS has developed a set of living best practices called the Well-Architected Framework (often abbreviated WAF, not to be confused with AWS WAF, the web application firewall service). The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make while designing your critical systems. By using the Framework you will learn architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud.
The Security pillar of the Well-Architected Framework has seven key principles for best practices, which are: