Be able to define your own security requirements, and learn the steps to getting requirements right the first time.
- [Instructor] So how do you determine your own security requirements for your particular problem domain with information workloads moving to cloud? Really it's a matter of understanding the security architecture, controls, and stakeholder requirements, so let me suggest a process. Three phases. Phase one, discovery. Discovery is about understanding the goals and objectives and the scope, roles and responsibilities, access, basically determining through interviews high-level security architecture, overview, audit information, what tools are in place, checkpoints, and basically the process in terms of as-is security as it is today and understanding what the rules and regulations are, the compliance, encryption standards, technology that's in place to ensure that you understand your starting point as we move into the cloud.
Phase two is assessment. The objective is to leverage learnings from phase one in alignment of clients to cloud security best practices. So here's where we determine the common language. We're able to circle back and understand more about the existing as-is state of security, we're able to understand security tools, update information such as it trickles in. In terms of information that's being leveraged, best practices, walk through best practices for cloud security with the client, understand where we're going, much of the best practices presented in this course, and then a checkpoint to see where we are at the end of this phase.
So it is about moving from phase one, which is discovering the as-is state and where people are. Phase two, which is really kind of determining where they need to go, understanding more information based on information that we have from phase one, making the analysis, making the assessment as to what the next steps are. Moving to phase three, the recommendations. The objective is to provide recommendations for remediation and preparation of final deliverables. So we basically understand what is the final architecture, what's the gap between what you currently have and where you need to be in terms of security.
What about security tools? What about organizational recommendations in terms of people and process that need to be changed as it aligns itself with security as it moves into the cloud? And then finally a checkpoint to see where we are. So in going through this process, we're able to say, as-is, to-be, and the final recommendations in terms of architectures, tools, security patterns, operational procedures, organizational changes that need to occur, and basically a systemic change in how you're dealing with security as you move to cloud-based systems.
- Cloud security on the infrastructure, application, and data levels
- Identity and access management
- Cloud security services: AWS, Microsoft, and third-party solutions
- Cloud encryption
- Cloud compliance services
- Planning cloud security