Adopting cloud infrastructure in a large scale is a challenging proposition for companies. One of the key challenges is adopting the organization's existing infrastructure and security governance to the cloud operations. Scalability, agility and distributed computing are inherent properties of cloud infrastructure. These precisely are the challenges faced on governing cloud security.
Existing procedures that depended on manual intervention are not feasible when the infrastructure is almost infinitely (compared to human resources at disposal) scalable. Parts of the infrastructure can change abruptly within minutes. How does one deploy audit processes with such agile infrastructure? What if the infrastructure changes even before the audit is complete? How to provide security assurance to higher management while following rapidrelease cycles in DevOps mode?
This project is a series of governance learnings, tools prototyping and experimentation done on job. Infrastructure governance policies, procedures and tools were created specifically for the cloud. Parts of the cloud infrastructure such as the OS were customized to meet the governance policies. Asset and identity management were achieved by centralizing cloud service accounts. This enabled a central team to use cloud APIs to manage assets and users. Automated tools were deployed centrally to audit cloud assets and user accounts for security issues.
The results strongly indicate that security automation and self-certification are key components of security governance of cloud and DevOps
