Introduction
As the adoption of cloud services continues to rise globally, Gartner predicts that the combined markets for IaaS, PaaS, and SaaS will grow by over 17% annually through 2027. This shift necessitates a corresponding change in security strategies and technologies; traditional methods are becoming less effective as organizations move towards cloud-native and SaaS solutions. The focus now needs to be on platform configuration and identity risk, requiring a new security approach and spending model. These efforts must be supported by business-relevant, not just technology-focused, metrics.
The cloud represents more than just remote computing; it is a complex network of interconnected services. Therefore, investments in cloud security need to be measured differently. Security and risk management leaders must align their cloud security investments with business outcomes. By customizing and applying outcome-driven metrics (ODMs), leaders can assess and adjust their current security posture to combat risks and achieve business-appropriate results. In this blog, we will explore ODMs that will help guide future investments in cloud security controls.
The Necessity of Outcome-Driven Metrics
An outcome-driven metric (ODM) is designed to align security controls and their associated investments with the desired security outcomes of a business, providing clear visibility into the effectiveness of security measures.
Why Use ODMs?
Key Areas of Focus
- Third-Party Risk Assessment: Crucial for managing and securing cloud usage, especially relevant for SaaS platforms, but also applicable to IaaS, PaaS, and individual services.
- Business Continuity: Metrics should ensure operational continuity despite potential outages. While long-term outages of major providers are unlikely, planning for short-term disruptions of smaller providers or specific services is essential.
Major Categories of Outcome-Driven Metrics:
- Governance Metrics: Metrics that oversee and manage cloud usage, typically on a per-tenant basis. Each cloud provider, regardless of delivery model, starts with at least one tenant used by an organization. Most environments are multitenant, with organizations often managing multiple tenants within a single provider.
- Operational Metrics: Metrics that assess the actual usage and configuration of each cloud tenant.
- Identity Metrics: Metrics that focus on identity management, crucial for cloud security at both the account and individual level. Effective management of access and permissions enhances overall security posture.
Practical Examples of Outcome-Driven Metrics for Cloud Security
A) Cloud Governance ODMs
You should have a reliable estimate of how much of your cloud infrastructure is actively monitored. Without comprehensive tracking of these assets, all other metrics become irrelevant, as substantial risks may exist beyond visibility and control. This challenge is exacerbated by the fact that much of cloud adoption in organizations is driven not by IT but by business units, which may lack direct accountability.
Many of the metrics listed below assume visibility into “known cloud accounts” and that these accounts represent the majority of an organization’s cloud presence. To identify additional accounts, use compensating controls such as active approval processes, expense audits, and technical measures like security service edges and network firewalls. For the metrics to be effective, these controls should aim to provide a comprehensive view of all existing accounts.
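As an added illustration (not part of the original post), the sketch below computes a monitoring-coverage figure by merging the accounts surfaced by the compensating controls above and comparing them with the accounts that are actually monitored. The account IDs, source names and the 90% target are constructed assumptions.

```python
# Constructed sample data for illustration; account IDs and source names are hypothetical.
MONITORED = {"aws:111111111111", "aws:222222222222", "azure:sub-finance"}

# Accounts surfaced by each compensating control named in the text.
DISCOVERED = {
    "approval_register": {"aws:111111111111", "aws:222222222222", "azure:sub-finance"},
    "expense_audit": {"aws:222222222222", "aws:333333333333", "saas:crm-marketing"},
    "sse_or_firewall_logs": {"AWS:333333333333 ", "gcp:proj-data-lab"},
}


def normalize(account_id):
    """Sources format IDs differently; compare on a trimmed, lower-cased form."""
    return account_id.strip().lower()


def coverage_report(monitored, discovered):
    """Return known-account count, % monitored, and unmonitored accounts by source."""
    monitored = {normalize(a) for a in monitored}
    seen_by = {a: set() for a in monitored}  # monitored accounts are known by definition
    for source, accounts in discovered.items():
        for account in accounts:
            seen_by.setdefault(normalize(account), set()).add(source)
    known = set(seen_by)
    unmonitored = {a: sorted(seen_by[a]) for a in sorted(known - monitored)}
    pct = round(100 * len(known & monitored) / len(known), 1) if known else 0.0
    return {"known": len(known), "monitored_pct": pct, "unmonitored": unmonitored}


def meets_target(report, target_pct):
    """Compare the measured coverage with the level the business agreed to fund."""
    return report["monitored_pct"] >= target_pct


if __name__ == "__main__":
    report = coverage_report(MONITORED, DISCOVERED)
    print(f"{report['monitored_pct']}% of {report['known']} known accounts monitored")
    for account, sources in report["unmonitored"].items():
        print(f"  unmonitored: {account} (found by {', '.join(sources)})")
    print("meets 90% target:", meets_target(report, 90))
```

Recording which control surfaced each unmonitored account shows where visibility is coming from, and an account seen only in expense data or network logs is a candidate for follow-up with the owning business unit.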
B) Cloud Operation ODMs
In managing cloud operations, standard security metrics are essential, but they can vary based on how your cloud services are set up. These metrics directly affect how well your security measures work. One common issue is that measuring these metrics properly is hard without the right tools. These metrics cover your entire cloud setup, but it’s often necessary to look at them account by account or group them based on how important they are to get a clear picture.
C) Cloud Identity ODMs
Identity management in the cloud encompasses more than just user identities, particularly in Infrastructure as a Service (IaaS). Workloads possess their own machine identities and privileges, necessitating lifecycle management and governance. In Software as a Service (SaaS), identity often stands as the primary control directly managed by the application consumer. Cloud providers observe that overprivileged identities are a prevalent issue. As with operational metrics, many identity metrics are challenging to assess accurately without appropriate tools. Therefore, we have identified categories of tools that may be necessary.
Steps to Put Outcome-Driven Metrics into Practice
Define Success:
- Clearly articulate the desired outcomes for the initiative or project.
- Ensure these outcomes are specific and measurable.
Set Goals:
- Establish achievable goals and benchmarks derived directly from the defined outcomes.
- Create a roadmap for success and facilitate progress tracking.
Choose Metrics:
- Select measurable indicators closely linked to the defined outcomes.
- Metrics should effectively measure progress, effectiveness, and areas needing improvement.
Monitor:
- Consistently track selected metrics to assess strategy effectiveness over time.
- Use monitoring to drive continual improvement and adaptation as necessary.
Final Thoughts
Visibility and understanding of the cloud services used within an organization are crucial for effective cloud security efforts and metric development. While some metrics used on-premises can be adapted for cloud environments, the dynamic and business-driven adoption of cloud services requires a different approach. Cloud-specific outcome-driven metrics (ODMs) offer a framework for investing in cloud controls based on targeted security outcomes, rather than simply allocating a percentage of overall cloud spending.
Automation plays a critical role in managing these controls in the rapidly evolving cloud landscape. It’s essential to automate tracking, reporting, and configuration management metrics whenever possible. Organizations are often hesitant to automate remediation in production environments to avoid disrupting business operations. Achieving many of the metrics discussed requires substantial automation capabilities.