Cloud Security Governance & Assurance

A DSCI-Infosys Point of View

March 2022
Contents
Context of the POV 3
Objectives of the POV 5
Cloud Security Governance Overview 7
Key Drivers for Security Governance 9
Security Governance in Cloud Environment 11
Resources & References for Cloud Security Governance 15
Cloud Security Assurance and Governance Framework 18
Recommendations 24
Frequently Asked Questions 26

Context of the POV
Cloud as a Digitization Enabler

In the current context of rapid digitization, cloud has emerged as a key enabler for organizations across the board, allowing them to adopt technology at a faster pace and reap the associated benefits. Be it enhanced productivity, the ability to scale operations, or innovative delivery of products and services, cloud has become an integral part of the overall digitization journey. From a sectoral standpoint, banking, financial services and insurance, manufacturing, healthcare, e-commerce, government and others have been adopting cloud and pushing the digitization agenda forward.

Securing Cloud for Enhanced Trust in Digital Economy

While the cloud adoption agenda pushes ahead, it is of utmost importance to examine the cyber risk landscape of cloud critically and holistically. Cloud environments have been the target of several persistent and targeted attacks and intrusions. Organizations that already leverage cloud, and those contemplating migration to it, often grapple with questions around the security and privacy of the data being accessed, its availability and integrity, and its legitimate use.

Enterprises should strive to deal systematically with the potential security and privacy threats to their cloud environments. There should be a continual effort to adhere to sound security best practices and principles, as this paves the way for building trust with customers and consumers. The security environment, however, tends to be complex. On cloud, enterprises can orchestrate and manage security better by using the existing pool of tools, technologies and services available on the cloud. Organizations may not have all the expertise in-house to cater to every aspect of security on cloud, and may partner with other stakeholders such as managed service providers and capability providers to manage it effectively.

Governing Security Affairs on Cloud

The fundamental intent of this POV document is to establish best practices in the area of cloud security governance and assurance. Governing the security affairs of a cloud environment is a demanding task and warrants disciplined implementation. This POV is meant to serve as a guidance document for enterprises looking to streamline their cloud security governance program and endeavoring to make it effective and impactful.

Objectives of the POV
Against the backdrop of rapid digitization and the burgeoning adoption of cloud to enable it, this POV intends to accomplish the following key objectives pertaining to security governance & assurance in a cloud environment:

• Dissect cyber security governance on the cloud and examine the various elements associated with it
• Comprehend the underlying guiding principles of governance and deliberate on ways of leveraging them to achieve trust in cloud
• Unveil the key drivers for having a robust cloud security governance program
• Comprehensively capture the capabilities, references, resources and areas that hold importance from the standpoint of governance
• Examine the standards and frameworks that are being built to ensure secure migration to cloud
• Look at ways and means of providing assurance with respect to data ownership and availability of data, for building higher levels of resiliency
• Bring out the key aspects of the shared responsibility model to shed light on the collaborative relationship between service provider and user organization
• Evaluate managed security services in the paradigm of cloud
Cloud Security Governance Overview
The proposed framework brings together the key elements and components of cloud security governance & assurance to provide a better understanding of the theme.

Figure: Cloud Security Governance and Assurance Framework (layers of the framework, reconstructed from the diagram)

Solutions: Posture Management, Workload Protection, Managed Detection & Response, Intelligent Compliance, Zero Trust Architectures
Areas: Identity & Access, Data, DevOps & Container, Infra Sec, Vulnerability Mgmt., Threat Mgmt., Resiliency
Focus: Ownership, Policies & Procedure, Processes, Technologies, Configuration, Monitoring, Assurance
Principles: Visibility, Transparency, Continuity, Discipline, Orchestration, Business Aligned, Policy Driven
Drivers: Regulation; Threats & Attacks; Service Disruptions; Privacy Concerns & Obligations (GDPR, CCPA, PDPB); Business/Monetary Loss; Reputation Loss
Cloud infrastructure (center of the diagram): Workload (specific/granular): Processing, Memory, Storage, Data/Databases, Apps, Nodes, Microservices, Container Platforms, APIs; DevOps (specific/granular): Design, Develop, Test, Deploy, Production; Adoption: Cloud Enabled (Migration), Cloud Based (Leveraging Capabilities), Cloud Native (Cloud Architected); Types: Multi Cloud, Hybrid Cloud, Public/Private Cloud; Service Models (service types and procurement models): IaaS, PaaS, SaaS
Resources/References: CSP Capabilities (solutions, tools, resources); 3rd Party Capabilities (solutions, tools, resources); In-house Services (project/FTE); Managed Services; Frameworks & Standards (CSA, ISO27001, etc.); Skills and Experience (expertise and FTEs)
This encapsulation of cloud security governance in the form of a framework can be referred to by enterprises looking to implement a comprehensive security governance program for their cloud environments. The top layer lists the various cloud security solutions that are implemented to secure workloads. The second layer enumerates the broad areas that form part of cloud security governance, while the third layer covers its focus areas. This is followed by the guiding principles, which form the essence of the overall governance program and need to be operationalized at an enterprise level.

The framework also captures the key drivers, which are elaborated in the next section, and finally the resources, capabilities and references, shown on the right of the diagram. At the center of these layers and sections is the cloud infrastructure, with its various models and elements that need to be secured in accordance with the cloud security governance principles and best practices.

The framework hinges upon four key pillars: first, the key drivers underscoring the importance of cloud security; second, the nature of the cloud infrastructure; third, the existing references and resources that are relied upon while managing security; and fourth, the template to structure and plan security governance & assurance.

Key Drivers for Security Governance
There is a rising expectation that enterprises proactively manage the security affairs of their cloud setups. This is driven by several intrinsic and extrinsic factors which can have significant implications for businesses and their stakeholders. The key drivers for security governance are outlined below.

Business/Monetary Loss

Business/monetary loss owing to cloud security breaches has been reinforcing the significance of a cloud security governance strategy, as there have been numerous instances where enterprise data was exposed owing to poor patch management, misconfiguration, weak access control, and the like. The financial effect of a data breach is unquestionably one of the most immediate and severe repercussions a business has to face. Compensation for impacted consumers, incident response activities, investigation of the breach, investment in new security measures, legal fees, and the regulatory fines that can be levied for non-compliance with data protection rules are just a few examples of monetary loss.

Reputation Loss

Reputational harm from cloud security breaches may be severe for a company, since customers avoid doing business with companies that have been breached. This unfavorable situation, along with a loss of consumer trust, can inflict irreversible reputational damage on the breached organization, as cloud consumers are highly concerned about data security. Reputation loss not only results in losing existing customers but also impairs an enterprise's ability to attract new ones, as the way an enterprise manages and mitigates its cyber risk is closely tied to its brand and reputation. A robust cloud security governance strategy helps enterprises mitigate cyber-attacks, which in turn helps them maintain their reputation.

Threats & Attacks

Advances in the threat landscape and the increasing attempts by malicious actors to target cloud environments are pushing organizations to put sound cloud security practices in place, and this is yet another driver from the viewpoint of governance. Taking adequate measures to comprehensively address the vulnerabilities, threats and risks on cloud is imperative.

Service Disruptions

Continuity of business and operations can be the most pressing concern for most organizations, especially those operating in critical sectors like healthcare, power and manufacturing. Cyber intrusions and attacks can result in, among other things, disruption of critical services, which can have far-reaching implications. A robust security governance program can preempt these service disruptions and ensure continuity of operations.

Privacy Concerns & Obligations

With the data privacy laws in force across the globe, e.g. GDPR, and the Indian Data Protection Bill which is underway, the liabilities and obligations pertaining to safeguarding personal data need to be factored into enterprises' cloud security governance strategies.

Regulation

Obligations emanating from national legislation and regulatory directives form one of the primary drivers for ensuring reasonable and effective security and privacy of data on the cloud. There are several facets to this driver, including but not limited to creating trust in the digital economy, adequate measures for protecting the sensitive data of end consumers, extending support for crime investigation, and ensuring national security.

Security Governance in Cloud Environment
The underlying guiding principle when it comes to governance is that even the smallest element must be taken care of, as it might lead to larger security ramifications. Hence, a robust security assurance and governance framework is imperative for enterprises.

Any governance mechanism essentially comprises three things: taking every possible step to prevent unwanted events, the capability to identify and remediate any undesirable event, and a mechanism to minimize its impact.

Security governance in a cloud environment helps to solve challenges around business outcomes and objectives, risk management and so on. The right planning and procedures around cloud security assurance and governance help answer questions such as the following:

• Are security investments on cloud yielding the desired returns?
• Is there a mechanism available for validating security controls and their effectiveness against cyber risk in cloud?
• Are enterprises aware of their security risks in cloud and the potential business impact?
• Is security risk being reduced to an acceptable level?
• Have we established a security-conscious culture within the enterprise?

Security assurance and governance for cloud infrastructure is directly or indirectly associated with service models, cloud deployments, adoption pattern and specific workloads. The security assurance and governance architecture, and the associated responsibilities, may change with the following:

1. Service model and cloud deployments
2. Adoption pattern and specific workload

Figure: Service Model and Cloud Deployment (shared responsibility view, reconstructed from the diagram)

Cloud deployments: Public Cloud, Virtual Private Cloud, Hybrid Cloud, Multi Cloud
Service models: IaaS, PaaS, SaaS
Security assurance and governance by MSSP/clients: procurement and implementation of security technology/controls; data protection (classification, encryption and access management); risk quantification and compliance; vulnerability assessment and testing; security operations (monitoring, IR); network traffic protection; VM/instance/container/host security; application security
Security assurance and governance by CSP: physical layer, hypervisor layer and infrastructure in IaaS; additionally networking and operating system in PaaS; additionally the applications in SaaS
Service Model and Cloud Deployment

Cloud governance in the context of different service models and deployments is based on the shared responsibility model of security, in which cloud service providers, clients and MSSPs share responsibility for data security and compliance on cloud. Whether in the data center, or using a server-based IaaS instance, a serverless system, or a PaaS cloud service, user organizations are responsible for securing what is under their direct control.

1. Security Assurance and Governance by CSP

The cloud service provider is responsible for risk quantification, mitigation through applying the necessary security controls, and protecting the infrastructure that runs all the services it offers. For instance, in IaaS the cloud service provider is mainly responsible for protecting and assuring the security of the infrastructure, hypervisor and physical layers, whereas in PaaS and SaaS additional security governance responsibilities around networking, operating systems and applications get added.

2. Security Assurance and Governance by User Organization / MSSP

In an IaaS setup, user organizations or their managed security service providers are accountable for protecting host instances and network traffic, application security, procurement of security controls, active monitoring of and response to incidents, data classification and encryption, and compliance. In PaaS and SaaS, user organizations do not govern the security of operating systems and applications, but they remain responsible for vulnerability management, risk quantification and implementation of security controls to ensure the confidentiality and integrity of their own data. Additionally, organizations retain responsibility for securing everything in the organization that connects with the cloud, including the on-premises infrastructure stack, user devices, owned networks and applications, and the communication layers that connect users, both internal and external, to the cloud and to each other. Organizations need to set up their own monitoring and alerting for security threats, incidents and responses for those domains that remain under their control. These remain the customer's responsibilities whichever cloud service provider they run on.

Adoption and Workload

Organizations of varying scale, maturity and nature usually adopt different service models, deployments and services.

1. Cloud Based

A cloud-based approach leverages some of the capabilities of the cloud, such as higher availability and scalability, but does not completely redesign applications to use cloud services. Once applications are moved to the cloud provider, the user is no longer responsible for managing the underlying resources for the application, so there is no server to maintain. Backup and recovery of the organization's own data, however, remain its responsibility under the shared responsibility model and should not be assumed to be handled by the provider.

Cloud-based applications and services running in the cloud may include SaaS-based applications as well as PaaS- and IaaS-based ones. While SaaS-based applications will almost always be cloud-based, cloud-based services are not always SaaS-based.

Security concerns pertinent to cloud-based applications are as follows:

• Lack of visibility into what data is within cloud applications
• Theft of data from a cloud application by a malicious actor
• Incomplete control over who can access sensitive data
• Inability to monitor data in transit to and from cloud applications
• Inability to prevent malicious insider theft or misuse of data
• Lack of consistent security controls over multi-cloud and on-premises environments

2. Cloud Enabled

Cloud-enabled applications are traditionally built and then migrated to the cloud infrastructure. Such applications are usually designed in a monolithic fashion and depend on local resources and hardware. In migrating the application to the cloud, it is refactored to use virtual resources, but the underlying architecture remains the same. Cloud enabled can be an approach for legacy applications or a first step towards cloud adoption.

3. Cloud Native

Cloud-native applications are architected from the ground up to run in a public cloud using cloud-based technologies. Cloud native comprises continuous integration, orchestrators and container engines; it is about how applications are created and deployed.

Figure: Cloud-Native Security Assurance and Governance (security assurance and governance view, reconstructed from the diagram)

Environments: Application, Platform, Private Cloud, Public Cloud, On Premise
1. Security Policy and Governance Architecture
2. Realtime Threat Modelling and Enforcement of Controls
3. Application Container Configurations and Security
4. Vulnerability Management
5. User and Access Management
6. Runtime Monitoring and Security

Resources & References for Cloud Security Governance
The role played by frameworks and standards in the overall security governance architecture and in providing assurance highlights their importance for achieving a certain level of security. Cloud security solutions facilitate securing workloads, applications and data in the cloud. These solutions can be used in public or private clouds and often have features for hybrid or multi-cloud deployments.

Cloud Security Standards and Frameworks

Any organization with workloads processing sensitive data should strongly consider compliance with at least ISO-27001, SOC 2 and the CIS AWS Foundations Benchmark (or the equivalent CIS benchmark for the cloud provider in use) as a starting point.

Implementing processes and controls for these standards will go a long way towards ensuring data security. Taking it to the next level, certification against ISO and attestation against SOC 2 will increase trust in your organization and can gain it a competitive advantage amongst security-conscious customers. There are other clear business benefits to implementing these frameworks, such as avoiding financial loss resulting from a security breach, ensuring data privacy and integrity, regulatory compliance, and defining information-handling roles and responsibilities.

ISO-27001 / ISO-27002

Any organization that holds sensitive information can benefit from ISO-27001 implementation. ISO-27001 contains the specification for an Information Security Management System (ISMS). ISO-27002 describes controls that can be put in place for compliance with the ISO-27001 standard. Compliance with ISO-27001 demonstrates to your customers that your organization takes information security seriously and has implemented best-practice information security methods.

ISO-27017

A code of practice based on ISO-27002 that adds controls and implementation guidance specific to information security in the context of cloud services. Compliance with ISO-27017 should be considered alongside ISO-27001.

Although the number of standards and control frameworks may seem overwhelming at first, common themes appear across many of them. Striving for compliance with one will often get you a long way towards achieving compliance with another.

Cloud Security Alliance (CSA) Cloud Controls Matrix

The CSA has published a Cloud Controls Matrix that provides insight into the key security control considerations when assessing cloud provider services. This document is helpful in establishing effective cloud security governance.

Gaps/Challenges in Cloud Security Assurance and Governance

Resources, references and standards help organizations achieve a certain level of security governance and assurance. However, due to the surge in the number of business transactions, multi-stakeholder environments and complex scenarios, organizations may lag behind with regard to certain security gaps and challenges. These gaps and challenges include, but are not limited to, the following:

1. Lack of understanding of dynamic and sophisticated cloud-based threats
2. Non-alignment of business objectives/values with the risk mitigation plan
3. Insufficient or fragmented cloud assurance and governance framework
4. Multi/hybrid cloud makes assurance and governance complex
5. Implementation of inappropriate security controls with no validation
6. Weak cloud security policies with limited coverage
7. Inability to comply with multiple regulations and legislations
8. Lack of a third-party or vendor risk management strategy/plan
Cloud Security Assurance and Governance Framework
1. Principle

Cloud security governance principles may differ from organization to organization, but there are seven cloud assurance and governance principles used to monitor cloud environments. By taking these principles into account, organizations will be better able to manage compliance, governance, business goals, cost and data security.

Principles: Visibility, Transparency, Continuity, Discipline, Orchestration, Business Aligned, Policy Driven

I. Visibility

According to the Oracle and KPMG Cloud Threat Report, 82% of cloud users have experienced security events due to not having enough visibility on the shared security responsibility model and a lack of clarity on this foundational cloud security construct.

When it comes to creating visibility on cloud, many user organizations are not fully aware of their cloud infrastructure, running assets, applications and the necessary security controls. Enterprises are also skeptical and have questions such as:

• What happens to data if the organization leaves a service provider?
• What if the organization does a Proof of Concept (POC) with a cloud service provider and puts data up there?
• What if we decide not to renew after two years; what is the disposition of that data in the cloud, and who will erase it?
• Does it get erased at all? This can become a big problem, especially around compliance, and is also an issue of visibility.

Creating good visibility over data, assets, applications, processes and procedures on cloud is one of the key principles of cloud security assurance and governance.

II. Transparency

Today, organizations are more ready than ever to embrace the cloud, yet many remain concerned about transparency over the data security readiness of cloud service providers. Organizations also remain worried about their ability to enforce security requirements on the cloud services.

Transparency over cloud service providers' capabilities, the organization's own security controls, traffic, data and processes ensures better governance on cloud. This includes:

• Mitigating security concerns through practices such as allowing onsite audits, adopting industry standards, conducting background checks on employees, or maintaining interoperability with existing enterprise security controls.
• Transparency over dense data transactions, network traffic and processes through continuous monitoring and automation.

With organizations seeing security as critical to cloud adoption, greater transparency is one of the key components and becomes a competitive differentiator.

III. Continuity

Continuity remains a strategic imperative, growing in importance as businesses face challenges from uncertain events and highly targeted cyber-attacks. It is the need of the hour to examine gaps in existing security programs and cyber resiliency plans so that they remain sustainable in the years to come.

Moving to cloud systems can make a business more efficient, more adaptive and ultimately more profitable, but it requires careful planning, especially when it comes to business continuity in the cloud. Businesses and user organizations sometimes forget critical aspects of their business continuity planning and assume their cloud provider will handle them. In the context of different cloud adoption patterns and service models, understanding continuity/recovery principles and their ownership is a key element of cloud governance.

IV. Orchestration

Orchestration enables the creation and execution of predictable, repeatable processes of security compliance, monitoring and governance which can be automated. Not only does this help establish a consistent, reliable IT environment, it also reduces costly human error, security gaps and non-compliance, which ultimately improves the organization's business efficiency on cloud.

• Managing security policies is an arduous task that requires automation, and security policy and compliance orchestration has emerged in response to numerous factors happening in tandem.
• Security policy orchestration helps alleviate that pressure, enabling operations teams to keep up with the demands of the business while ensuring security and preventing an outage or data breach.

V. Business Aligned

Risk and security should partner with leadership and the board to create good security assurance and governance across the organization's people, processes and technologies, aligned with the business objectives.

The business understands the value of security assurance and governance on cloud and sees it as a component of managing business risk, whether operational, regulatory or reputational. In a cloud environment, cyber risks are discussed in line with the enterprise risk management function, and the discussion of those risks is shifting from a qualitative to a quantitative view of the potential impact on the business.

VI. Policy Driven

Cloud security policies and governance are pivotal to the success of a business's operations in the cloud. Policy-driven cloud security is a combination of people, processes and technology working together: the people being the stakeholders and the executive level, the processes being the procedures for amending policies when necessary, and the technology being the mechanisms that monitor compliance with the policies.

2. Focus

Data breaches, system vulnerabilities, and insufficient identity, credential and access management are some of the typical security challenges in the cloud environment that enterprises must address as a priority. An enterprise may lack adequate focus on the operationalization and enforcement of policies and procedures, a formal operating model, or even a properly constituted organizational function to effectively manage security in the cloud. Close focus on the following seven areas adds good value to cloud security governance.

Focus: Ownership, Policies & Procedure, Processes, Technologies, Configuration, Monitoring, Assurance

Ownership is listed as one of the important focus areas of the proposed governance framework in order to address the critical concern of users around control of the data residing on the cloud. The real ownership may depend on the nature of the data stored as well as where it was created. Thus, it is important to appreciate the specific meaning of data ownership in the context of cloud.

Putting policies in place and enforcing them in a meaningful way is a vital part of a cloud security governance strategy. This includes making complete sense of data and classifying it so that the appropriate security measures can be implemented according to the varying levels of data sensitivity. Also, developing policies to facilitate security practices cannot be a siloed exercise. The business objectives have to be considered, and this in turn necessitates the involvement of various business areas and senior management.

Monitoring compliance with the cloud security governance policies can be effectively accomplished by leveraging technological tools.

Cloud configurations can be intricate, and even a single misconfiguration in any of the services may have serious security ramifications by leaving applications vulnerable to intrusion. Proactively identifying and remediating misconfigurations to reduce risk and ensure compliance is critical to maintaining a robust cloud security posture.
3. Areas & Solutions

Solutions: Posture Management, Workload Protection, Managed Detection & Response, Intelligent Compliance, Zero Trust Architectures
Areas: Identity & Access, Data, DevOps & Container, Infra Sec, Vulnerability Management, Threat Management, Resiliency

Identity & Access

As more companies migrate to the cloud, they search for security measures to authorize and authenticate internal and external users, but without negatively impacting the user journey with troublesome authentication methods. Identity-as-a-service is expected to grow aggressively over the next few years as more businesses look to reap the benefits of cloud computing. The goal for companies is to validate the identities of both consumers and employees from the cloud, in a manner that is seamless and painless for users. One component of a strong security posture takes on a particularly critical role in the cloud: identity. Public cloud providers offer a rich portfolio of services, and the only way to govern and secure many of them is through identity and access management. IAM is a cloud service that controls the permissions and access of users and cloud resources. IAM policies are sets of permission statements that can be attached to either users or cloud resources to authorize what they may access and what they may do with it. IAM is a crucial aspect of cloud security. Businesses must look at IAM as part of their overall security posture and add an integrated layer of security across their application lifecycle. Beyond identity itself, how enterprises govern and reconcile identities, roles and access management policies is a key aspect of cloud IAM.

DevOps & Container

Container users need to ensure they have purpose-built, full-stack security to address the vulnerability management, compliance, runtime protection and network security requirements of their containerized applications. The container security solutions that organizations can rely on have grown in both capability and sophistication. Regardless of the level of DevSecOps maturity attained, container security tools are now more accessible than ever. The shift-left approach to security, where security controls are embedded in infrastructure and application provisioning through codification, ensures that cloud security governance and assurance is built in from day zero.

Vulnerability Management

Vulnerability management plays an essential role in cybersecurity. Traditional vulnerability management of on-premises hosts (physical or virtual machines) cannot scale to cloud environments. To cope with rapidly changing cloud environments, vulnerability management needs a new approach. Vulnerabilities of workloads are not only the key challenges but

Resiliency

The right decisions on cloud are critical for organizations to reduce overall spending and increase their ability to respond to cloud-related risks, threats and opportunities. Yet, however necessary, identifying requirements and risks, prioritizing them and allocating funds to address them is not always easy. To do this, organizations need to gather and analyze the right information to make value-driven decisions regarding the cost-effective management of resiliency risks. Whether migrating workloads to cloud-based platforms or pursuing a Disaster Recovery as a Service (DRaaS) model, cloud requires a fundamental shift in thinking about integrated enterprise risk management. While there is a pervasive lack of resiliency planning in most cloud implementations today, better up-front assessment and planning can help organizations realize the enormous potential cloud offers for improved, more agile resiliency and strike the right balance between business service availability requirements and tolerance for risk.

Intelligent Compliance

The expectations and obligations arising from the increasingly complex compliance and regulatory landscape merit meticulous attention from a governance standpoint. In a cloud environment, complying with the various legislations pertaining to the protection of sensitive personal information and data becomes critical for enterprises. When moving to the cloud it is important to know in which countries your data will be processed, what laws will apply and what impact they will have, and then follow a risk-based approach to comply with them. Financial institutions must confront the reality of dramatically increasing costs while also keeping pace with the legislative and regulatory changes arising from numerous regulatory bodies. Global organizations have the added burden of even more international and nation-specific regulations. Noncompliance has costs. Regulatory violations involving data protection, privacy and disaster recovery can have
also the cloud control plane which includes security severe and unintended consequences
misconfigurations needs to be addressed well to
ensure cyber resilient cloud environment.

Cloud Security Governance & Assurance


22 |
A DSCI-Infosys Point of View
Cloud security governance through automation, e.g. auto remediation and auto scaling, to ensure no business disruption happens

Integration of automation with the cloud security governance strategy enables organizations to ensure continuity in business operations. Automation tools and governance policies help enterprises to achieve consistency and control over the cloud environment; they also alert stakeholders to policy infractions and automate corrective procedures so that change may be implemented to ensure cloud security. Implementing auto-remediation in a cloud environment helps enterprises to build a cloud management platform that supports policy-driven automation to enhance the business's cloud governance by automatically remedying the event that caused the policy violation. Similarly, enabling auto-scaling with cloud computing supports users with an automated approach to increase or decrease compute, network service, and storage to meet the workload demand and ensure business continuity with no disruption.

Disaster recovery and business continuity through the right design can ensure the assurance of the cloud environment.

Disaster Recovery (DR) is an important aspect of business continuity and of ensuring the assurance of the cloud environment. After a disaster over a cloud or data loss in cloud, DR lets an organization swiftly restore important systems/data/files and provide remote access to systems in a secure virtual environment. Disaster Recovery as a Service (DRaaS) offered by security service providers allows enterprises to back up and store data to regain access and functionality to IT infrastructure after a disaster. Disaster in cloud or data loss in cloud can happen owing to natural disaster, technical glitch/hardware failure, power loss/interruption, accidental data deletion, cyberattack on cloud, etc. To mitigate data loss, to reestablish business-critical directories and to prevent costly service outages, organizations are adopting DR tools/services.

One of the key governance issues relates to data, whether it is data ownership, data life cycle management, secure disposal of data, etc.

Cloud Security Solutions

There are an increasing number of cloud security solutions available from both cloud vendors and third parties. While cloud providers offer many cloud-native security features and services, supplementary third-party solutions are essential to achieve enterprise-grade cloud workload protection from breaches, data leaks, and targeted attacks in the cloud environment. Only an integrated cloud-native/third-party security stack provides the centralized visibility and policy-based granular control necessary to deliver the following industry best practices.

Cloud Security Posture Management

Lack of visibility may turn out to be the greatest vulnerability. In environments as complex and fluid as the typical enterprise cloud, there are hundreds of thousands of instances and accounts, and knowing what or who is running where and doing what is only possible through sophisticated automation. Without this support, vulnerabilities arising from misconfigurations can remain undetected for days, or weeks, or until there is a breach.

Cloud security posture management addresses these issues by continuously monitoring risk in the cloud through prevention, detection, response, and prediction of where risk may appear next.

Zero Trust for Cloud Security

The basic principle of zero trust in cloud security is not to automatically trust anyone or anything within or outside of the network—and to verify (i.e., authorize, inspect and secure) everything. Zero trust, for example, promotes a least privilege governance strategy whereby users are only given access to the resources they need to perform their duties. Similarly, it calls upon developers to ensure that web-facing applications are properly secured. For example, if the developer has not blocked ports consistently or has not implemented permissions on an "as needed" basis, a hacker who takes over the application will have privileges to retrieve and modify data from the database.
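The IAM least-privilege point above, the CSPM idea of continuously checking configurations, and the auto-remediation hooks the automation section describes can be tied together in a few dozen lines. The following is an added example, not code from the POV or from any CSPM product: it evaluates a constructed resource inventory against three guardrails (no wildcard-admin IAM policy, no world-readable storage, no SSH/RDP open to 0.0.0.0/0), emits findings with the corrective action an auto-remediation hook would perform, and computes a compliance score. The inventory shape, policy names and remediation strings are all assumptions made here.

```python
"""Added example, not from the POV: a minimal CSPM-style guardrail evaluator."""
from dataclasses import dataclass

@dataclass
class Finding:
    resource: str
    policy: str
    severity: str
    remediation: str  # action an auto-remediation hook would carry out

def check_iam_wildcard(res):
    """Least privilege: an identity policy must not allow '*' actions on '*'."""
    if res["type"] != "iam_policy":
        return None
    for st in res["statements"]:
        if st["effect"] == "Allow" and "*" in st["actions"] and st["resources"] == ["*"]:
            return Finding(res["id"], "iam-no-wildcard-admin", "high",
                           "detach policy and replace with scoped actions")
    return None

def check_public_bucket(res):
    """Data protection: object storage must not be world-readable."""
    if res["type"] == "object_storage" and res["public_read"]:
        return Finding(res["id"], "storage-no-public-read", "critical",
                       "enable the public-access block on the bucket")
    return None

def check_open_mgmt_ports(res):
    """Network: SSH/RDP must not be reachable from 0.0.0.0/0."""
    if res["type"] != "security_group":
        return None
    for rule in res["ingress"]:
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            return Finding(res["id"], "network-no-world-mgmt-ports", "high",
                           f"remove ingress on port {rule['port']} from 0.0.0.0/0")
    return None

CHECKS = [check_iam_wildcard, check_public_bucket, check_open_mgmt_ports]

def evaluate(inventory):
    """Run every guardrail over every resource; returns the list of findings."""
    return [f for res in inventory for f in (c(res) for c in CHECKS) if f]

def compliance_score(inventory, findings):
    """Percentage of resources with no finding (100.0 for an empty inventory)."""
    if not inventory:
        return 100.0
    bad = {f.resource for f in findings}
    return round(100 * (1 - len(bad) / len(inventory)), 1)

# Constructed sample inventory (hypothetical account names, not real data)
INVENTORY = [
    {"id": "acct-1/policy/ci-deploy", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
    {"id": "acct-1/policy/reader", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["storage:Get"], "resources": ["bucket/app-logs"]}]},
    {"id": "acct-1/bucket/app-logs", "type": "object_storage", "public_read": True},
    {"id": "acct-2/bucket/backups", "type": "object_storage", "public_read": False},
    {"id": "acct-2/sg/web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
]
```

Running `evaluate(INVENTORY)` yields three findings (the wildcard policy, the public bucket and the open SSH rule) and a score of 40.0; in a real deployment the inventory would come from the provider's inventory API and each remediation string would map to an automation action.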

Recommendations

Governing security affairs of your cloud environment is no longer a choice, and it requires a focused approach
that is contextualized to cloud setup and is in accordance with the principles outlined in the framework
being proposed by this POV. This section enumerates a few suggested pointers that could be construed as
recommendations by enterprises that are looking to bolster their cloud security posture.

Leveraging Frameworks, Standards, Best Practices, and other References

Developing a contextualized and comprehensive cloud security governance framework should certainly be the first step in this endeavor. Standards and frameworks could play a vital role in guiding the organizations in planning and executing their governance & assurance journey. The POV has also tried to come up with a holistic approach towards governance of security on the cloud.

Coming Up with Ownership and Accountability for Critical Cloud Assets and Services

Effective governance on cloud can be accomplished by working towards a shared responsibility matrix that clearly delineates the responsibilities of the organization and the CSP when it comes to implementing cloud security controls. The cloud assets, services, business objectives, processes and policies must be documented along with their operational relationships.

Use of Cloud Security & Governance Policies

Cloud service providers have developed security frameworks which establish security and governance policies through cloud guardrails, thereby ensuring the efficacy and efficiency of cloud security controls from day zero. These security and governance policies define the boundaries of the enterprise's cloud security policies, processes, controls and compliance adherence.

Conducting a Comprehensive Evaluation and Assessment of the Cloud Threat & Risk Landscape

A thorough evaluation of the cloud threat landscape and associated risks for the organization should be undertaken with the objective of having meaningful security governance and effective assurance. This assessment would pave the way for safeguarding the stakeholders involved from any potential exposure.

Governance of SLAs and Performance

Given the fact that SLAs play an exceedingly important role in overall cloud service delivery, they need to be carefully looked at and should find a place in the overall cloud security governance and assurance framework. It is imperative to establish a common understanding on the services to be provided and enforce guarantees around performance, transparency, conformance, and data protection.

Managing Change Management Processes on the Cloud

Leveraging proper tools for the configuration and change management process on the cloud is an important element of the recommendations for better security governance. These tools help enterprises capture information like cloud resources currently being used, what has changed, how the relationships between cloud resources have changed and so on.

Building a Robust Cloud Security Architecture

In accordance with its business needs, obligations and risks, an organization should embark on the task of building a robust cloud security architecture which suitably incorporates the shared responsibility model along with the cloud security best practices and the technologies including but not limited to container security, infrastructure as code, CI/CD tools and frameworks, CASB et al.

Continuous Discovery of Assets and Improvement of Asset Security Posture

For a dynamic environment such as cloud, inventory management is a dynamic discipline. Organizations must put in place provisions for continuous discovery of assets that will allow the governance team to keep up with the pace of change.

Regular Review of the Cloud Security Governance Strategy

While it's essential to build a comprehensive strategy for governing the security affairs on the cloud, periodically reviewing the same would be critical from a relevance standpoint. This will ensure effectiveness as the review would provide the scope for revisiting the threat landscape for the cloud environment, which would indeed be dynamic.

Frequently Asked Questions

Q1: What are the key tenets of cloud governance enterprises should ensure to consider while creating the cloud security strategy?

Cloud infrastructure is very dynamic and agile because of the speed & nature of cloud asset provisioning and de-provisioning, the availability of a huge number of services, and the lack of skilled administrators. Due to this very fluid nature of the cloud platform, it is essential to have real-time visibility of cloud assets & any security misconfigurations present. Cost effectiveness, cloud security policies or guardrails, access reviews and security baselining for every cloud environment (prod, non-prod, test etc.) are some of the other tenets enterprises should look at. Regulatory, compliance & risk management are some of the regulatory compulsions enterprises will have to adhere to while embarking on their cloud journey. The Infosys cloud security posture and compliance management service offering provides effective cloud governance & compliance management services covering all facets of it.

Q2: What are the different solutions and tooling required for enterprises to strengthen their cloud governance approach?

Most Cloud Service Providers (CSPs) have multiple built-in solutions which can ensure basic hygiene for cloud governance. Setting up the cloud security policies & guardrails from day zero through Azure, AWS and GCP service control policies is the foundational step to secure and adhere to compliance requirements. In multi-cloud environments, implementing Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), micro-segmentation, entitlement management, access reviews, and network rule analyzers are some of the advanced security controls which can provide effective cloud security governance.

Q3. Can we have a comprehensive cloud strategy in the context of using single, multi or hybrid cloud?

Yes, a comprehensive cloud strategy in a multi/hybrid cloud environment can help to mitigate larger risk. Standardized/uniform security across hybrid or multi cloud can ensure "single identity", extension of on-premises controls to the cloud & a single view of security management, administration, and governance.

Q4. How to ensure security assurance and governance with the dynamic nature of cloud?

Automated cloud governance that includes API-based integration with cloud platforms, providing visibility of security misconfigurations, asset inventory, compliance score & auto remediation, helps to keep pace with the dynamic nature of cloud. Cloud Security Posture Management (CSPM) capabilities can be beneficial to ensure good cloud governance.

Q5. What can be a good strategy to implement security controls on the cloud?

Native security controls + 3rd party next-gen controls. Make maximum use of native security controls, which are tightly integrated with cloud infrastructure & have a better understanding of cloud platforms. Complementing native and 3rd party controls ensures fool-proof security on cloud.

Q6. In the shared cloud security responsibility model, who is responsible for 'in cloud assurance and governance'?

Security and compliance in the cloud is a shared responsibility between the Cloud Service Providers (CSP) and their customers. Under the Shared Responsibility Model, the CSP is responsible for "security of the cloud", which includes the hardware, software, networking, and facilities that run the cloud services. Organizations, on the other hand, are responsible for "security in the cloud", which includes how they configure and use the resources provided by the CSP. Governance over configurations, vulnerability management, identities and access management and visibility across data/application, cloud infrastructure and compliance remain key responsibilities of customers.

Index
1. BFSI – Banking Financial Services and Insurance
2. IaaS – Infrastructure as a Service
3. PaaS – Platform as a Service
4. SaaS – Software as a Service
5. API – Application Programming Interface
6. GDPR – General Data Protection Regulation
7. PDPB – Personal Data Protection Bill
8. CCPA – California Consumer Privacy Act
9. CSP – Cloud Service Provider
10. MSSP – Managed Security Service Provider
11. SOC – Security Operation Centre
12. ISO – International Organization for Standardization

AUTHORS

Infosys

Vishal Salvi
CISO & Head of Cyber Security
Infosys Limited

Darshan Singh
Head of Cloud Security & Emerging Technologies Security
Infosys Limited

Data Security Council of India

Vinayak Godse
Senior Vice President
DSCI

Aditya Bhatia
Senior Consultant
DSCI

Vivek Sarkale
Senior Consultant
DSCI

Infosys Cyber Security practice has over 5,000 professionals serving 2000 global clients with
end-to-end security services in consulting, transformation and managed services. We believe
in assuring digital trust by driving a mindset towards “Secure by Design”, building a resilient
cybersecurity program to “Secure by Scale” and adopting newer technologies to “Secure
the Future”. We build robust and holistic cybersecurity programs by following our four-
dimensional approach of Diagnose-Design-Deliver-Defend. This defines the Infosys Cyber
Security philosophy - Digital–trust. Assured.

Infosys Cobalt is a set of services, solutions and platforms for enterprises to accelerate their
cloud journey. It offers 35,000 cloud assets and over 300 industry cloud solution blueprints.
Cobalt acts as a force multiplier for cloud-powered enterprise transformation. Infosys Cobalt
helps businesses redesign the enterprise, from the core, and also build new cloud-first
capabilities to create seamless experiences in public, private and hybrid cloud, across PaaS,
SaaS, and IaaS landscapes. With Infosys Cobalt’s community leverage, enterprises can rapidly
launch solutions and create business models to meet changing market needs while complying
with the most stringent global, regional and industry regulatory and security standards.

Data Security Council of India (DSCI) is a premier industry body on data protection in India,
setup by NASSCOM®, committed to making the cyberspace safe, secure and trusted by
establishing best practices, standards and initiatives in cyber security and privacy. DSCI brings
together governments and their agencies, industry sectors including IT-BPM, BFSI, Telecom,
industry associations, data protection authorities and think-tanks for policy advocacy, thought
leadership, capacity building and outreach initiatives. For more info, please visit www.dsci.in

DATA SECURITY COUNCIL OF INDIA


NASSCOM CAMPUS, 4 Floor, Plot. No. 7-10, Sector 126, Noida, UP - 201303
For any queries contact
+91-120-4990253 | [email protected] | www.dsci.in

All Rights Reserved © DSCI 2022
