Learn to define your own security requirements, and the steps to getting them right the first time.
- [Instructor] So how do you determine your own security requirements for your particular problem domain, with information workloads moving to cloud? Really, it's a matter of understanding the security architecture, controls, and stakeholder requirements. So let me suggest a process. Three phases. Phase one, discovery. Discovery is about understanding the goals and objectives, and the scope, roles and responsibilities, access, basically, determining through interviews, high-level security architecture overview, audit information, what tools are in place, checkpoints, and basically the process, in terms of as-is security as it is today, and understanding what the rules and regulations are, the compliance, encryption standards, technology that's in place to ensure that you understand your starting point as we move into the cloud.
Phase two is assessment. The objective is to leverage learnings from phase one and alignment of client to cloud security best practices. So, here is where we determine the common language. We're able to circle back and understand more about the existing as-is state of the security. We're able to understand security tools, update information, such as it trickles in, in terms of information that's being leveraged, best practices, walk through best practices for cloud security with the client, understand where we're going, much like the best practices presented in this course, and then a checkpoint, to see where we are at the end of this phase.
So, it is about moving from phase one, which is discovering the as-is state, and where people are. Phase two, which is really kinda determining where they need to go, understanding more information based on information that we have from phase one, making the analysis, making the assessment as to what the next steps are. Moving to phase three, the recommendations. The objective is to provide recommendations for remediation and preparation of final deliverables. So, we basically understand what is the final architecture, what's the gap between what you currently have and where you need to be in terms of security.
What about security tools? What about organizational recommendations, in terms of people and process that need to be changed as it aligns itself with security as it moves into the cloud? And then finally, a checkpoint, to see where we are. So in going through this process, we're able to say, as is, to be, and then the final recommendations in terms of architectures, tools, security patterns, operational procedures, organizational changes that need to occur, and basically, a systemic change in how you're dealing with security as you move to cloud-based systems.
- Cloud security on the infrastructure, application, and data levels
- Identity and access management
- Cloud security services: AWS, Microsoft, and third-party solutions
- Cloud encryption
- Cloud compliance services
- Planning cloud security