Unlock the Power of Cloud Based Contact Management for Security
Cloud based contact management for Security How-To Guide:
By using airSlate SignNow's cloud based contact management for Security, you'll benefit from a user-friendly interface, secure storage, and the ability to streamline your document workflow. Try airSlate SignNow today and experience the difference!
FAQs
- What is contact management in cloud computing?
Contact management is the process of recording and tracking all customer interactions within an organization. It includes technologies and strategies to collect and organize customer information. You can streamline client communication and facilitate effective relationship building using a contact management platform. Source: What is Contact Management? - AWS, Amazon Web Services, https://aws.amazon.com › what-is › contact-management
- Which type of software is used by companies to handle contact with customers?
Customer Relationship Management. Customer Relationship Management, or CRM, software assists businesses in managing all interactions and relationships with customers and potential customers. The primary goal is to improve relationships, assist in customer retention, and drive sales growth. Source: CRM vs. Contact Management Software: Finding the Perfect Fit, BIGContacts, https://.bigcontacts.com › blog › crm-vs-contact-ma...
- Is contact management software a CRM tool?
Contact management is the process of recording contacts' details and tracking their interactions with a business. Such systems have gradually evolved into an aspect of customer relationship management (CRM) systems, which allow businesses to improve sales and service levels leveraging a wider range of data. Source: What is contact management? - Salesforce, https://.salesforce.com › learning-centre › sales › co...
- How to manage a contact database?
Follow these steps to create and maintain your business contact database: Collect Data About Contacts and Store it Centrally. There are several ways to grow your database. ... Use a Contact Database Management System. ... Monitor Your Effectiveness. ... Perform Regular Clean-ups. Source: How to Create a Detailed Contact Database Easily - BIGContacts, https://.bigcontacts.com › blog › contact-database
Welcome to Cloud Security Architecture: An Introduction. This course will give you an introduction to security architecture for the cloud. Maybe you thought that cloud security is something that the cloud service provider will take care of, but in fact you as a customer will be responsible for designing security around your own cloud solution.

So why do we need cloud security architecture? As you will see in this course, you will be responsible for securing the solutions you deployed to the cloud. According to Gartner, 99% of cloud security failures are the customer's fault. So when you make a mistake, hackers are ready to exploit the misconfigurations you make, and they might steal all your valuable data and also upload malware into your environment. Having a structured approach to security architecture will lower this risk considerably. The primary objective of this course is to teach you how

I'm Axel Bruin, and I will be your instructor for this course. I work as a security architect within the Norwegian healthcare sector. My job is to secure sensitive health information, both used for treatment purposes and research, within cloud solutions. I always use a structured approach to cloud security. Everything I present in this course will be based on my experience as a security architect working on cloud solutions.

This course will give you knowledge about cloud security and how it's different from security in an on-premise environment. I will teach you the necessary steps for creating a security architecture of your own and give you advice on how to handle risk and strategy. The course will also give you an understanding of layered defenses and go into architecture implementation and best practices for the major cloud providers.

This course is created for a broad target audience. You can be a student in IT security or a professional working with cloud architecture and security. The course will also benefit security architects, chief information security officers and other enterprise security staff.
You don't have to be an IT expert to enroll in this course, but knowing cloud fundamentals will definitely help you to get the most out of it. You should have some basic understanding of IT security and IT architecture. This will help you understand how security is different in the cloud.

So what will you learn in this course? We will start off defining what security architecture is all about. Then we will move into cloud computing and explain how responsibility for security is divided in the cloud. Following a top-down approach, we will discuss methodology, frameworks and strategy. Risk is a big area in itself and deserves its own course, but we will talk a little bit about how risk is handled from a cloud consumer's perspective and how we can stay compliant with regulations that apply to our business. We will not go into implementation details, but a logical architecture will be explained using layered defenses. The course will finish up by going through important implementation considerations and listing sources for your further study.

So what is information security architecture? An architecture must provide all the links in the chain and ensure that security is provided through a fully integrated systems approach. The security architecture must ensure that services are properly managed, delivered and supported. The security architecture must be created for your needs. The architecture you end up creating must consider business needs as well as regulatory requirements. It must be holistic and complete.

I'm going to talk a little bit about security architecture principles. They form the basis for our security architecture design. The same principles apply to cloud infrastructure as the infrastructure in your own data center. To make our design complete, we make sure that we provide security all the way throughout the lifecycle of the software. We make sure that within any system the level of security is equal throughout. Later in this course we will talk about the principle called layered
defenses. As in medieval times, when you have a castle with multiple walls, we layer our defenses that will protect our assets in the cloud.

Privilege separation is a technique in which a program is divided into parts. The different parts are limited to the specific privileges they require in order to perform a specific task. This is used to mitigate the potential damage of a computer security vulnerability.

The least privilege security design principle states that each user should be able to access the system with least privilege. Only those privileges should be assigned to the users which are essential to perform the desired task.

A system that has critical data, processes or resources must be isolated such that it restricts public access. The system can be isolated in two ways, physical or logical. The physical isolation is one where the system with critical information is isolated from the system with public access information. In a logical isolation, the security services layers are established between the public system and the critical systems.

Zero trust is based on the realization that traditional security models operate on the assumption that everything inside an organization's network should be trusted. Under this broken trust model, it's assumed that the user's identity is not compromised and that all users act responsibly and can be trusted. Zero trust can be achieved by leveraging network segmentation for preventing lateral movement, providing application threat prevention and applying granular user access control.

Security by design is increasingly becoming the mainstream development approach to ensure security and privacy of software systems. In this approach, security is built into the system from the ground up and starts with a robust architecture design.

In this section you learned that cloud security architecture is needed to avoid costly design and misconfiguration mistakes. Through this course you will learn about security architecture for the cloud and steps
required to create your own. In this section you also learned about the information security architecture and architecture principles. These principles also apply to cloud architectures.

This section will cover some basics about cloud computing and how security architecture is different in the cloud. I will talk about the essential characteristics of the cloud and how it differs from an on-premises environment. I will also discuss different delivery and deployment models in the cloud and how responsibility for security is shared between the cloud provider and you as a consumer. I will also explain how we can find information about how the cloud provider has secured the cloud services that you use.

Cloud computing is being adopted worldwide for all types of organizations. It gives a number of benefits to the cloud customers but will also change the way IT is administered and operated. For information security, cloud computing provides new opportunities but will also pose some challenges.

Cloud technology enables companies to scale their computing solution as they grow. The days of forecasting how many servers to buy are long in the past. Instead, companies can simply alter their usage with the cloud provider, like Amazon Web Services or Microsoft Azure. The cloud provider allocates more space and charges more money. Not only does the cloud allow companies to create more valuable apps for customers, it enables better customer support. Customers want answers and the ability to purchase products at all times of the day. The cloud makes this possible.

Cloud computing requires in-depth knowledge about technologies and platforms. You should prepare to learn about the technology platform of at least one of the major cloud providers. You will also benefit from knowing about automation of operations and how to utilize different cloud services and cloud security offerings.

So what are the main characteristics of cloud computing? On-demand self-service: a consumer can provision computing
capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Broad network access: capabilities are available over the network and accessed through standard mechanisms that promote the use of thin or thick client platforms such as mobile phones, tablets, laptops and workstations. Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Rapid elasticity: capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward on demand. Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability appropriate to the type of service, for example storage, processing, bandwidth and CPU usage. Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the consumer.

An important concept for cloud services is the cloud service delivery models. These models are infrastructure as a service, platform as a service and software as a service. Infrastructure as a service involves the hosting of physical or virtual machines in a data center environment. Service providers supply resources on demand as required by the client. This means that an organization only pays for the resources that they utilize. Platform as a service is where cloud providers deliver a computing platform. Generally this involves hosting of an operating system or web server. Software as a service is a model in which users are given access to application software and databases. The cloud provider manages the infrastructure and platforms that operate the applications. Software is installed and updated in the cloud and can be accessed at any time by users. This eliminates the need for businesses to and manage software themselves.

We have four different
cloud deployment models. Public cloud is a deployment model that supports all users who want to make use of a computing resource, such as hardware or software, on a subscription basis. Private cloud is typically infrastructure used by a single organization. Such infrastructure may be managed by the organization itself to support various user groups, or it could be managed by a service provider that takes care of it either on-site or off-site. In a hybrid cloud, an organization makes use of interconnected private and public cloud infrastructure. Many organizations make use of this model when they need to scale up their IT infrastructure rapidly, such as when leveraging public clouds to supplement the capacity available within the private cloud. The community cloud model supports multiple organizations sharing computing resources. Examples include a university cooperating in certain areas of research. Access to a community cloud environment is typically restricted to the members of the community.

So how is security architecture different in the cloud? Cloud services can be delivered in many flavors, in any combination of the service delivery models, such as software as a service, platform as a service and infrastructure as a service, and the deployment models: public, private, hybrid and community. You as a cloud customer are responsible for knowing how your cloud services work with respect to security. The cloud provider should give the documentation you need for your work with architecture. Cloud security concerns and solutions are dependent on the context, in other words how your business chooses to use the cloud services. So then the solution architecture you end up with should match these concerns and build security safeguards into the cloud application architecture.

The cloud shared responsibility model is maybe the most important model for you to understand as a security architect. Failure to understand what responsibility you have for security as a cloud consumer can lead to loss of sensitive
data and outages. This slide shows the division of responsibility between the cloud consumer and the cloud provider for different service models.

For IaaS, here the security burden on the cloud service provider includes virtualization security and infrastructure security. Areas such as data security, application security, middleware security and host security all fall to the IaaS customer. That means you. Simply put, users are responsible for the guest operating system and everything inside of it.

For platform as a service, the cloud service provider's responsibilities are broader, including security configuration, management, operation monitoring and emergency response of infrastructure. The service provider also has responsibility for security of virtual networks and the platform layer security, such as security of operating systems and databases. You as a platform as a service customer are responsible for data security and application security.

In the software as a service tier, the cloud service provider is responsible for security of the application and all underlying components. The software as a service customer is responsible for data security and endpoint device protection.

As you can see, some of the areas are marked as shared responsibility. This means between you as a customer and the cloud service provider. Depending on the type of service, the administration is split between the customer and the provider. For identity and access management, you usually have full control as a customer over identities and access rights. However, the administration interfaces are delivered to you as a service by the cloud provider. Data security, governance, risk and compliance are always the responsibility of the cloud customer. You should raise your own competency in these areas before you start using cloud services.

As you can see from this matrix, there are many areas of responsibility for the cloud customer. Don't underestimate the time and resources you'll need to invest for each cloud deployment,
including any necessary training to bring your team up to speed.

So how do you know that the cloud provider fulfills its responsibility for securing the cloud? The short answer is audit reports. But apart from the audit reports each cloud service provider makes available for the customers, there are also independent organizations, such as Cloud Security Alliance, who can help you. The Consensus Assessments Initiative Questionnaire, the so-called CAIQ, offers an industry-accepted way to document what security controls exist in IaaS, PaaS and software as a service services. CAIQ provides security control transparency. It provides a set of yes or no questions a cloud consumer and a cloud auditor might wish to ask a cloud provider to ascertain their compliance to the Cloud Controls Matrix. I will talk about the Cloud Controls Matrix later in this course when I summarize the different frameworks and methodologies.

In this section we learned that cloud computing changes IT operations and that you and your team need to develop new competencies. You have learned that cloud services are flexible and can benefit your organization, but you need to acquire knowledge about the service and deployment models in the cloud. Now you also know that responsibility for security is shared in the cloud and that you need to carefully study what is your responsibility. The responsibilities of the cloud consumer change with the different service models. You also learned that audit reports and the CAIQ from the Cloud Security Alliance can help you understand how the cloud provider handles security. Now that we know how security architecture is different in the cloud, we can start looking into important steps for building the cloud security architecture.

In this section I will talk about the steps that will be necessary for you to go through when designing and building a cloud security architecture. This approach can be used both for an organization-wide scope and for projects. I will explain the use of methodologies, frameworks
and standards, and how to use this in your own process. I will introduce risk management and describe the most prevalent risks in cloud deployments. Implementation is important also for cloud, and I will talk about what choices and priorities can be made when developing a strategy. Finally, I will talk about compliance in the cloud and how to document your cloud architecture.

There are multiple methodologies and frameworks to choose from. Even though they are not created for use with cloud architectures, they can be adapted and used to design and build solid cloud architectures. The methodology should follow a top-down approach, starting with gathering of business and regulatory requirements. Risk management is an essential part of a security architecture, and identified risks and their mitigation strategies should form the basis for your cloud security approach. A sound strategy is vital. Maybe your organization already has established a cloud strategy. The strategy should cover how applications are migrated to the cloud or built as native cloud applications. This will also have an effect on how to secure those applications and the infrastructure they are deployed to. Always document the design and implementation of security architecture in the cloud. Ensure that you can trace the rationale of deploying a security control back to its business or regulatory requirement, and vice versa. Implement the controls using infrastructure as code. This will help you streamline and automate deployments and reduce the risk of manual configuration errors.

So why do we need a methodology? When you develop security architecture for your organization or project, you need to communicate your design. A methodology will help you to be structured in your architecture approach and to provide a holistic architecture covering many perspectives important to different groups of stakeholders. A methodology can integrate different frameworks and security standards depending on the needs of your organization or
project. It will always be an advantage to map your design decisions to regulatory requirements so that your documentation can be used to prove compliance. Traceability is another important aspect. It's an advantage to be able to trace the existence of a security control back to a specific business requirement. Last but not least, the methodology will help you break things down and manage complexity better. This will also help you manage risk. Risk management is also an important part of many popular methodologies.

I'm going to talk a little bit about frameworks, standards and methodology that we can use in our architecture work. SABSA is a popular methodology for developing business-driven, risk and opportunity focused security architectures at the enterprise level. It can be adapted for use in projects, but also for use with cloud architecture. SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure. Although copyright protected, SABSA is an open-use methodology, not a commercial product. SABSA does not replace ITIL, ISO 27001 or NIST frameworks, but rather enables their deployment and effective integration into the corporate culture.

NIST has a comprehensive security framework consisting of three components: core, implementation tiers and profiles. The NIST framework core provides a set of desired cybersecurity activities and outcomes using common language that's easy to understand. The core guides organizations in managing and reducing the cybersecurity risks in a way that complements an organization's existing security and risk management processes. The NIST framework implementation tiers assist organizations by providing context on how an organization views cybersecurity risk management. Tiers are often used as a communication tool to discuss risk appetite, mission priority and budget. NIST framework profiles are an organization's unique
alignment of their organizational requirements and objectives, risk appetite and resources against the desired outcomes of the framework core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity in an organization.

ISO 27001 is a widely known service security standard providing requirements for an information security management system. There are more than a dozen standards in the ISO 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or health information. Many cloud service providers offer security controls mapped to the ISO 27001 standard.

The CSA Cloud Controls Matrix, the CCM, is a cybersecurity control framework for cloud computing composed of 197 control objectives that are structured in 17 domains. The CCM can be used as a tool for systematic assessment of a cloud implementation. It provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The CAIQ, as I talked about earlier in the course, is a questionnaire answered by the cloud provider. It matches the structure of the CCM. The controls in the CCM are mapped against industry-accepted security standards, regulations and control frameworks, including ISO 27001 and NIST.

Frameworks can be combined and used together in a structured way. It's important that you tailor the methodology to your own organization. Use and incorporate the frameworks you consider most appropriate for your business needs.

Risk management is a very wide topic that deserves its own course. In this course I will talk about managing risks that are important to cloud architectures. Risk management is an important part of developing a security architecture. You need to be aware of the risks that you face as a cloud customer and how to mitigate them. You should conduct a risk analysis during your security architecture development project. Guidance on how to
perform a risk analysis is not part of this course, but good documentation can be found both in the SABSA methodology and in the NIST CSF. Choose a methodology and framework that suits you the best.

The first and most important part of the analysis is to identify the risks. I have given references to information on cloud risk in this slide. Both CSA and ENISA offer good descriptions of cloud risks. This is a very good starting point. You should, depending on your architectural requirements, come up with more detailed risks covering the specifics of your services or solutions. Once the risks are identified, they must be scored and prioritized. The security services and controls in your architecture should be implemented to mitigate the risks that you have identified. If your business has a low risk appetite, then ensure that you use a defense-in-depth model where security controls are incorporated at each layer. We will talk more about defense in depth later in this course.

Many organizations develop a cloud strategy. A strategy will help the organization get the most benefits from the cloud initiatives. The strategy takes all the aspects of cloud mentioned earlier in this course into account. The choice of service and deployment model will impact the way cloud services are implemented and secured. A strategy covers data classification, change management and operational aspects.

An important consideration in the cloud that should be included in the strategy is the use of services. One way to go is to choose SaaS and PaaS over IaaS as a service model. Then you buy operational services from the cloud provider, and according to the shared responsibility model more responsibility for security is shifted to the cloud provider. Similarly, you can buy security controls from the cloud provider as a service. This is often called security as a service.

Change management is important for cloud consumers. The services you buy from the cloud provider will be updated throughout the usage period. Update
notifications will be sent to you as a customer, and you need a way to handle the changes in case they affect the way you and your organization use the cloud services. Additionally, you have to handle your own changes, both to configuration and to code deployed to the cloud. You should handle changes in the cloud the same way you handle changes in your own data center. ITIL could give you a good set of service management practices.

Cloud operation is all about centralization, standardization and automation. This also applies to security operations. Monitoring of security events can be centralized, handling of the events can be automated, and deploying new environments can be standardized and also automated. You can do more in the cloud with fewer personnel resources. Your cloud implementation strategy should not be a document ending up in your project archive, but rather be a living document that you constantly seek to improve.

The major cloud providers offer a lot of documentation on their compliance status. Independent auditors perform assessments of the cloud vendor's infrastructure, operations and procedures. Their audit reports are available to cloud customers as documents downloadable from the cloud vendor's portal. The cloud service provider should demonstrate compliance with industry standards and frameworks such as ISO 27001 and CSA Cloud Controls Matrix. If you plan to host regulated data, you must ensure that your cloud provider meets compliance requirements such as PCI DSS, GDPR and HIPAA.

When you as a cloud customer deploy your solutions and services on top of the already compliant cloud infrastructure and services, it will be your own responsibility to stay compliant with the same standards and regulations. That means, for example, that your solution must be compliant with GDPR if your user base is located within the EU. You should gain knowledge about regulations, frameworks and standards such as GDPR, ISO 27001, PCI DSS and HIPAA, depending on your business requirements. Follow the
links in the resources folder in this section to learn more about regulations, frameworks and standards.

So why do we need architecture documentation? We need to document our architecture work to use this for communications with different stakeholders. If you have chosen a methodology and framework, these will help you to structure your documentation. In my work I often use drawings to visualize the architecture. This is very effective with most stakeholders, from C-level executives to developers and infrastructure specialists. But remember that you need a different level of abstraction for use with different groups of stakeholders.

As I talked about earlier in this course, traceability is important for most stakeholders. You want to be able to prove why a security control is needed and trace it back to a regulatory or business requirement. Management or legal team members often ask how a certain requirement is covered. Then you need traceability from the top down to a specific security control. My advice is to use visualizations and explanatory text. Keep documentation short and concise, and map to standards and regulations. Always keep it updated.

In this section you learned about the steps you need for creating security architecture for the cloud. You now have gained knowledge about methodology, frameworks and standards. You know why risk management and strategy is important for cloud services and how you can approach compliance. You learned about architecture documentation and why you as a cloud security architect must be a good communicator. The steps and topics we have covered in this section provide a good basis for designing and documenting the security architecture. When we move on to the implementation phase, we need to choose a cloud service provider. We must also examine how to implement our architecture using the provider's service offerings. These are the topics for the next section.

In this section I will talk about important considerations for implementing the cloud architecture. I
will not go into cloud service provider-specific solutions or infrastructure, but talk about security controls that all major providers will offer you. This section will give you insight into implementing the cloud security architecture, covering governance and policies, identity and access management, data security, network security, application security and security operations. Layered defenses will also be discussed. To wrap up, I will give you cloud provider-specific references for further reading. After self-study, you can go ahead implementing the architecture yourself using your chosen provider.

The three largest service providers are Microsoft Azure, Amazon Web Services and Google Cloud. These very large providers combined have more than 50% of the cloud services market. Choosing a provider is a business decision, but can also have an impact on the security architecture. Your security architecture will help you get an overview of what type of security controls you need to protect your services. That makes choosing a provider simpler from a security perspective.

Many organizations pursue multi-cloud strategies. This can help you avoid vendor lock-in and potentially help reduce costs. A consideration that you must make as a cloud consumer is how the multi-cloud approach will change the security architecture. It will be more complex to manage security across cloud service providers, and you need provider-specific security controls for each provider you choose to use.

Architecture implementation is about architecting appropriate security controls that protect confidentiality, integrity and availability of information. This can help mitigate threats to cloud security. Security controls can be delivered as a service by the cloud provider, by the enterprise or by a third-party provider. Security architectural patterns are typically expressed from the point of the security controls, both for the technology and the organizational processes. These security controls and the service locations, either
enterprise, cloud provider or third party, should be highlighted in your security architecture documentation. Architecture implementation must cover both organizational and technical measures. The overall security posture for your cloud services will depend on the governance policies and processes you establish as well as the technical security controls you select.
I will talk about important topics for implementations in this section. Governance and policies is about people and processes. Identity and access management is about the life cycle of identities. Data, application and network security is important for protecting your valuable information assets. Layered defenses is a principle that brings it all together and forms the baseline of your security posture. Security operations is vital for monitoring your environments. And finally, the reference architectures from the cloud providers will give you valuable details on how to implement your environments using their cloud offerings.
You should align your cloud governance with your business strategy. Keep your business objectives in mind as you develop your governance policy, and find some common ground between a strong governance policy and the flexibility to innovate. Separation of responsibilities is important for keeping your data secure. Rules and roles should also be clearly defined, so you know who has access to what and why. Policies will help you stay compliant. Make sure your governance policy incorporates any external rules an outside organization or regulator might enforce on you. Plan how to handle an audit should the need arise. Automation is a key success factor in cloud operations. It enables you to scale your business in the cloud. Incorporating automated systems into the cloud governance framework can ensure violations of your policies are more easily caught. To protect your data in the cloud, governance policies must be in place. Customize your governance policies so your most valuable or sensitive data follow stricter
governance rules than your public data. Using policies in the cloud can effectively block users from doing misconfigurations. This will help reduce your overall risk significantly.
Identity and access management protects data by ensuring that only the right people have access to the right information at the right time and for the right reasons. The task of determining job responsibilities and access needs for users, and then grouping those common users together into roles, may sound like a tedious task, but spending the time to do this correctly will save you frustration and extra work down the road. Automation will help you minimize the manual work needed. You should apply a joiner-mover-leaver process for handling identity life cycle. Privileged access management is used for protecting accounts with administrative access rights. The cloud provider should provide functionality for protecting identities with privileged roles. Functionality for temporarily elevating user rights is often offered to cloud consumers. Role-based access control is the default mechanism for cloud consumers to assign access rights in the cloud. Employees are assigned built-in cloud roles or given membership in security groups designed by you as a cloud consumer. Access keys are often used for giving applications or users access to data. These keys must be kept confidential and have a short life to minimize the risk of unauthorized use.
Data security is as important in the cloud as in your own data center. You need contextual access control so you can ensure secure access to the data based on who the users are, what devices they are using and what geographic locations they're in. You also need application auditing so you can identify who has accessed which data and create alerts based on anomalous use. This is critical, as most SaaS applications don't provide an audit trail of read operations to understand what exactly happened when an incident occurred. Be sure to turn on data loss prevention to make sure that
personally identifiable information and personal health information is not moving to or through the cloud in the clear in violation of PCI DSS or HIPAA regulations. You also need the ability to easily but consistently enforce policies in the cloud for various use cases. You can effectively prevent your users from doing dangerous mistakes by creating policies to protect sensitive data. Always use data encryption for transport and storage. These are default settings in many cloud infrastructure implementations.
Many cyber security attacks happen at the application layer. As a cloud customer, it will be important to protect applications from adversaries. The cloud access security broker can help you manage and protect data stored in the cloud. A cloud access security broker can offer many services, such as monitoring user activity and warning administrators about potentially hazardous actions. It can also enforce security policy compliance and automatically prevent malware. Use a web application firewall to detect and block malicious HTTP requests to your web applications. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities. These vulnerabilities can be SQL injection, cross-site scripting, file inclusion and improper system configuration. However, a web application firewall will not replace the need for solid web application testing. Use OWASP guidelines and tools for improving the security of your web applications. The acronym OWASP stands for Open Web Application Security Project. A link is provided in the resources folder in this section. Use security capabilities offered in the cloud platform to protect APIs. Managing the APIs using a common gateway will help administering and securing your APIs.
Although networking is taken care of by the cloud provider, using IaaS and PaaS solutions often leaves the network security to the cloud customer. It will be wise to choose a network topology for your cloud implementation depending on your business
needs. The topology should provide your users access from on-premises or from home. They will, as an example, need access to development, test and production environments. Environments should be segregated, and access between environments must be restricted to strictly necessary communication. Network segmentation is a proven security strategy that lets you set strict rules for which services are permitted between accessible zones. This is also possible to do in the cloud. Designating sensitive data and resources within zones ensures only designated hosts and users belonging to other approved zones can reach them. This is helpful for constraining attacks by making lateral movement across the network difficult. Hackers and malware can't port scan to identify your critical assets if they're blocked, let alone access them to exfiltrate data. All network traffic must be monitored, this for detecting potential misuse or attacks. All major cloud providers offer tools for network monitoring and creating alerts. Intrusion detection and prevention will help you discover and block unwanted network traffic. An intrusion detection system (IDS) is a security solution that detects security-related events in your environment but does not block them. An intrusion prevention system (IPS) is a type of security solution that identifies a threat and blocks it so the attack cannot occur. IDS and IPS systems can be provided as a security offering from the cloud provider or from a third-party vendor.
Layered security refers to security systems that use multiple components to protect operations on multiple levels or layers. The central idea behind layered security or defense is that in order to protect systems from a broad range of attacks, using multiple strategies will be more effective. The outermost layer in the figure is physical security. The cloud provider manages physical security at all locations. Only authorized personnel have access to different areas of data centers. Identity and access management is a centralized
service offered by most cloud providers. All resources are governed and controlled through the centralized service. You can control access to your resources using role-based access control. For privileged roles, many cloud providers offer capabilities like privileged access management for extra protection of identities with elevated rights. For protecting the perimeter, many cloud providers offer distributed denial of service protection. It comes with traffic monitoring in real time and mitigations of common network-level attacks. DDoS protection provides capability to protect against volumetric attacks, protocol attacks and application attacks. At the network layer, cloud providers often offer rich capabilities for creating rules. You can filter network traffic to and from resources in a virtual network through network security groups, which contain security rules allowing or denying traffic. You can also lock down inbound traffic to your virtual machines using security controls from the cloud provider for secure access to your environment. Securing compute resources like virtual machines is often offered as a service by the cloud provider. Cloud providers often offer protection against threats using signal processing and can detect security threats like RDP brute force attacks and SQL injection. Disk encryption can be used to protect complete virtual machine images from unauthorized access. Major cloud providers offer endpoint protection for virtual machines. This can also be bought from a third-party vendor. Applications hosted in the cloud are often web applications. A web application firewall provides centralized protection of your web application from common exploits and vulnerabilities. OWASP, that I mentioned earlier in this course, can be used to actively ensure applications are built with security in mind. Code scanners are also available and can be bought as a service for many cloud providers. The innermost layer in our layered defenses model is the data layer. Data encryption should be
used for storage of both structured and unstructured data. You can further control access to the data using authentication mechanisms. Be sure to back up your data and keep the backups at an offline location. You as a cloud consumer must build defenses on top of the cloud provider's security offerings. This will give you the best possible layered defenses approach. What controls to be used and how many depends on the service model. Remember the first section, when I talked about the cloud shared responsibility model. You need to know your responsibility for security as a cloud consumer. Each separate environment will need multiple defenses, both internally and externally.
Cloud security operations is all about doing more with less resources. Many organizations struggle with shortage of personnel with the right skills. Centralization, standardization and automation can help you achieve more with less resources. Centralization is the idea that you need to look at tools and cloud services that ideally integrate into a single dashboard. It's very easy in cloud deployments to end up with numerous management tools, dashboards and interfaces to handle operations across environments. This is not exclusive to security tools. Operations and development teams are often faced with the same problems. Using and integrating with the cloud provider's tools can help you make operations more seamless and less fragmented. Automation is the core idea behind DevOps, and DevSecOps by extension. I will explain DevSecOps a bit later in this presentation. Manual efforts in the cloud are doomed to fail in many cases, as environments change very rapidly. Security teams should explore ways to automate their security controls and feedback loops whenever possible. When using cloud services, you as a cloud customer must also monitor cloud usage. Your primary source of feedback is logs. Enable logging everywhere you can: within the cloud environment account as a whole, in virtual machines, for network platforms, for all
identity and access management activity, for all interconnected services and their activity. Be sure to secure access to logs as well.
DevSecOps is short for development, security and operations. Its mantra is to make everyone accountable for security, with the objective of implementing security at the same scale and speed as development and operations. From testing for potential security exploits to building business-driven security services, DevSecOps tools ensure security is built into applications rather than being introduced as an afterthought. By ensuring that security is present during every stage of the software delivery lifecycle, we reduce the cost of compliance, and software is delivered and released faster.
When implementing a cloud security architecture, a good starting point is the existing resources from the cloud providers. These will give you a good start for your implementation project. The AWS Well-Architected Framework helps cloud security architects build secure, high-performing, resilient and efficient infrastructure for their applications and workloads. The framework includes hands-on labs and the AWS Well-Architected Tool. The tool provides a mechanism for regularly evaluating your workloads, identifying high-risk issues and recording your improvements. The Microsoft Cloud Adoption Framework provides tools and guidance for implementing not only cloud technologies but also helps you with organizational changes. Because it is based on best practices and successful customer and partner experiences, the framework is updated on a regular basis. The Microsoft Cybersecurity Reference Architecture is created for a hybrid infrastructure and describes Microsoft cyber security capabilities and how they integrate with your existing architecture. The document can be used as a starting template for implementing your security architecture. It can also be used to compare your existing architecture against the Microsoft reference architecture. There are many good architecture resources
available, both from independent organizations and from the cloud providers. I'll give you a couple of pointers here for further study. The Cloud Security Alliance, the CSA, is the world's leading organization dedicated to defining and raising awareness of best practices to help your organization ensure a secure cloud computing environment. As I've talked about in this course, the CSA has tools like the Cloud Controls Matrix and the top threats to cloud security. It's definitely a place to go for learning more about cloud security architecture. Azure has its own architecture center where you can find numerous architecture examples to use in your own environment. Similarly, AWS offers examples, patterns and best practices in their architecture center. Google offers a solution architecture reference where you can find reference architectures for infrastructure modernization, data management, app development and smart analytics.
Cloud security architecture implementation can be very different across cloud provider platforms. However, as you learned in this section, many areas of implementations are the same. You have learned about topics for implementations of governance, identity and access management, data security, app security and network security. Layered defenses is an important concept, and you should pay close attention to how well your security architecture covers the different layers. Plan how to monitor your infrastructure and applications already in the design stage so that your security operations team can get a head start. Use the resources I recommended in this section for implementation best practices in architecture design. Review the security offerings from the chosen cloud provider and integrate the controls that fit your needs with existing tools.
I hope you enjoyed the course as much as I enjoyed teaching it. Cloud security has many aspects and affects many different stakeholders in your company. In this course you have learned that cloud security architecture is different
from security architecture for an on-premise implementation. Now you also know that you should use a structured approach and apply business and regulatory requirements as a basis for your architecture approach. Your goal is to provide value for your business. It's imperative that you document your architecture and that you can communicate your results and proposals to different stakeholders. Use a graphical representation rather than just words. Be sure to follow a layered approach to security in the cloud and to investigate the implementation best practices and reference architecture from your chosen cloud provider. Finally, I have a tip for you: use an agile approach to architecture. Remember that an agile approach lets you do small steps. It gives you the ability to try different ways of implementing the architecture. You may have to go back to your architecture design and do some changes when you learn how your implementation actually works. Using agile methodology, an implementation project can also be an initiative for learning. I wish you the best of luck with your security architecture project. you