Wednesday, May 11, 2022

Cloud Governance best laid plans : Part 2

In my previous post I discussed the need for organizational-level alignment even to get to cloud governance, as the two are interdependent. If your company is HIPAA compliant, the type of cloud governance and policies will differ from those of a regular company. Let us now discuss the cloud governance areas to look at when setting it up across an organization.

1. Identity governance.

Identity has now become the primary security perimeter: on premises we relied on network security, but in the cloud it is all about identity. This guidance is typically useful for cloud governance teams and architects in the company. The aim is to identify business risks related to identity and provide guidance to the team responsible for implementing and maintaining the identity management infrastructure. Identifying technical risks, building policies around them, and identifying recommended solutions will help create good identity governance.

2. Cost management

For many customers, governing their costs is a major concern when adopting cloud technologies. Balancing performance demands, adoption pacing, and cloud services costs can be challenging. This is especially relevant during major business transformations that implement cloud technologies. This section outlines the approach to developing a Cost Management discipline as part of a cloud governance strategy. The primary audience for this guidance is your organization's cloud architects and other members of your cloud governance team.

3. Security baseline

Security is a component of any IT deployment, and the cloud introduces unique security concerns. Many businesses are subject to regulatory requirements that make protecting sensitive data a major organizational priority when considering a cloud transformation. Identifying potential security threats to your cloud environment and establishing processes and procedures for addressing these threats should be a priority for any IT security or cybersecurity team. The Security Baseline discipline ensures technical requirements and security constraints are consistently applied to cloud environments as those requirements mature. The primary audience for this guidance is your organization's cloud architects and other members of your cloud governance team. The decisions, policies, and processes that emerge from this discipline should involve engagement and discussions with relevant members of your IT and security teams, especially those technical leaders responsible for implementing networking, encryption, and identity services.

4. Resource consistency

Resource consistency focuses on ways of establishing policies related to the operational management of an environment, application, or workload. IT operations teams often provide monitoring of applications, workload, and asset performance. They also commonly execute the tasks required to meet scale demands, remediate performance service-level agreement (SLA) violations, and proactively avoid performance SLA violations through automated remediation. Within the Five Disciplines of Cloud Governance, the Resource Consistency discipline ensures resources are consistently configured in such a way that they can be discoverable by IT operations, are included in recovery solutions, and can be onboarded into repeatable operations processes.

5. Deployment acceleration

This focuses on ways of establishing policies to govern asset configuration or deployment. Within the Five Disciplines of Cloud Governance, the Deployment Acceleration discipline includes deployment, configuration alignment, and script reusability. This could be through manual activities or fully automated DevOps activities. In either case, the policies would remain largely the same. As this discipline matures, the cloud governance team can serve as a partner in DevOps and deployment strategies by accelerating deployments and removing barriers to cloud adoption, through the application of reusable assets.

Friday, February 18, 2022

Cybersecurity Compliance for dummies

What is Compliance?

The term compliance describes the ability to act according to an order, set of rules or request.

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations. Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.

What does Cybersecurity Compliance mean?

Cybersecurity Compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Compliance requirements vary by industry and sector, but typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of sources including CIS, the NIST Cybersecurity Framework, and ISO 27001. 

Why is Regulatory Compliance Important?

Regulatory compliance is when businesses follow state, federal and international laws or regulations relevant to operations.

Why does it matter?

Compliance can be categorized by multiple criteria, the most important being:

Who defines and enforces it, such as governments for laws and regulations, professional associations and industry organizations for industry standards, and businesses for corporate policies. For instance, the International Organization for Standardization (ISO) develops and publishes international standards (such as ISO 9000 for quality management) that are not enforced by governments.

What it addresses, such as safety, fraud, privacy, human rights, the environment, and so on. This type of compliance can be enforced by governments, through laws such as the Food Safety Modernization Act (FSMA), or by an industry-specific standard like ISO/IEC 17025 for testing and calibration laboratories.

Benefits of compliance

1. Security Compliance Helps You Avoid Fines and Penalties

2. Security Compliance Protects Your Business Reputation

3. Security Compliance Enhances Your Data Management Capabilities

4. Security Compliance Puts You in Good Company, i.e., it gets you a good name.

5. Security Compliance Yields Insights That Promote Operational Benefits

6. Effective Security Compliance Enhances Company Culture

7. It Supports Access Controls and Accountability

Thursday, February 10, 2022

Azure Policy: Kubernetes pod security baseline

When you deploy Azure Kubernetes Service (AKS) in an enterprise context, you will probably be asked about policies that can be applied to AKS for compliance and security. In this post, we will discuss Azure Policy for Kubernetes briefly and then explain a group of policies that implement baseline security settings.

Azure Policy for Kubernetes

To apply policies to Kubernetes, Microsoft decided to integrate their existing Azure Policy solution with Gatekeeper v3. Gatekeeper is an admission controller webhook for Open Policy Agent (OPA). An admission controller webhook is a piece of software, running in Kubernetes, that inspects incoming requests to the Kubernetes API server and decides to either allow or deny them. Open Policy Agent is a general solution for policy-based control that goes way beyond Kubernetes. It uses a language called Rego that allows you to write policies that allow or deny requests. You can check the Gatekeeper library for examples.

Although you can install Gatekeeper v3 on Kubernetes yourself, Microsoft provides an add-on to AKS that installs Gatekeeper for you. Be aware that you either install it yourself or let the add-on do it, but not both. The AKS add-on can be installed via the Azure CLI or an ARM template. It can also be enabled via the Azure Portal. Azure Policy for Kubernetes supports the following cluster environments:

The following limitations apply only to the Azure Policy Add-on for AKS: