I happened to read the below article that draws a very nice map of all the security controls that exist in Azure and how to choose between them. It's impressive and at the same time there are many decisions to be made and how could you show more visual, that there is not one control to rule them all, but literally dozens.

There is that perceived reality among IT people, that moving things to the cloud(s) is easy, it is fast and you suddenly get agile and people think you are moving at the speed of light compared to your legacy environment. And this is partly true.

However, when you look at the below mindmap of all the decisions you need to make and of all the security features and controls you have in a modern cloud like Azure (and there will be more products and services in AWS), you could argue that to make things secure in the cloud you will need to touch many different controls and be trained to actually know all of those controls.

We all know that touching more than 3 controls at the same time is a recipe for failure because those controls will soon be out of sync and there will be no process to keep them in sync unless you automate your entire workflow. The amount of accidentially exposed MongoDB or Elasticsearch databases speaks to this.

Which opens up another problem, your security people now also need to be automation people and know how to effectively automate the security in a complex, probably multi-cloud environment. People like to refer to those individuals as DevSecOps engineers, but to be honest, the percentage of people that have a great combination of security skills and automation skills is very low.

My recommendations for fixing this:

  • If you go to the cloud, automate anything or as much as you possibly can
  • train your staff to be able to automate everything in the corresponding cloud
  • invest time in training them on the security controls in the corresponding cloud service like Azure Security Engineer or AWS Security Speciality
  • Visualize as much as possible, visibility is key to uncover problems and will help you to spot controls that are off the rails
  • Think how you can reduce the number of security controls and how you manage to have one set of controls for your entire infrastructure including your legacy applications