101 Guide on Cloud Security Architecture for Enterprises

Based on the CSA Enterprise Architecture Reference Guide and the CSA Security Guidance v4.

Cloud security is cybersecurity. As cloud adoption grows, it has also become the basis for new ways of organizing compute, such as containerization and DevOps, which are inseparable from the cloud.

In this blog, we’ll provide an overview of cloud security architecture and a model your enterprise can use. If you want to take a step back and understand how cloud differs from on-premises security, read this blog first.

Before You Get Started

Since different cloud projects, even on a single provider, will likely leverage entirely different sets of configurations and technologies, each project should be evaluated on its own merits. The key is to identify requirements, design the architecture, and then identify the gaps based on the capabilities of the underlying cloud platform. That’s why you need to know the cloud provider and architecture before you start translating security requirements into controls. This blog will provide you with an overview of a reference architecture you can use when operating in the cloud.

Cloud Security Reference Architecture

*The CSA Enterprise Architecture was adopted by the National Institute of Standards and Technologies in NIST SP 500-299 and NIST SP 500-292.

Cloud security models are tools to help guide security decisions. Reference architectures are a type of model that can be used as a template for implementing cloud security. The CSA Enterprise Architecture is a comprehensive approach for the architecture of a secure, identity-aware cloud infrastructure. It leverages four industry standard architecture models: TOGAF, ITIL, SABSA, and Jericho. By combining business drivers with security infrastructure, CSA’s architecture increases the value proposition of cloud services within an enterprise business model.

How to Use the Enterprise Architecture

The Enterprise Architecture can be used to assess opportunities for improvement, create road maps for technology adoption, identify reusable security patterns and assess various cloud providers and security technology vendors against a common set of capabilities. Below, we’ll explain each of the main 4 domains in this architecture and summarize how each domain impacts cloud security.

Business Operation Support Services

Example Scenario

The security monitoring tool alerts an analyst that a customer withdrawal transaction was initiated from a workstation in the IT department instead of the customer contact center. A special investigation is held with the help of HR and Legal to determine that a disgruntled system administrator has been stealing from the company.

Explanation

This domain is all the corporate support functions such as Human Resources, Compliance, and Legal that are critical to a security program. It is also the place where the company’s operations and its systems are monitored for any signs of abuse or fraud.

A common concern when organizations decide to integrate services with cloud providers is the level of security the provider will offer and the amount of exposure when data is hosted on a multi-tenant model. This domain outlines aspects that must be considered besides the technological solutions, such as legal guidance, compliance and auditing activities, human resources, and monitoring capabilities with a focus on fraud prevention.

Learn more by reading the EA reference guide.

Information Technology Operation & Support

Example Scenario

An employee receives a suspicious email, which she thinks may contain a malware program. She notifies the help desk. The help desk opens a security incident, and a response team works to block the sender, identify other affected users, and restore any damage that may have been done.

Explanation

This domain is the IT Department. It is the help desk that takes the call when a problem is found. It is the teams that coordinate changes and roll them out in the middle of the night. It is the planning and process that keep the systems going even in the event of a disaster.

Essentially, this domain outlines all the necessary services an IT organization will have to support its business needs. It provides alignment of industry standards and best practices (PM BOK, CMMI, ISO/ IEC 27002, COBIT, and ITIL v3), providing a reference from two main perspectives that enable the organization to support its business needs. However, relationships between technology components are not intended to be a one-to-one match to the process touch points described in PM BOK, ISO/IEC 27002, CMMI, COBIT and ITIL v3.

Learn more by reading the EA reference guide.

Technology Solution Services

Example Scenario

When an administrator creates a user account, the ID and Password are stored in a user directory. When that user logs into the system, a log entry showing the date and time of that log-in is stored in the security-monitoring database.

Explanation

IT solutions can be thought of as a technology stack: at the top level are the actual interactions that the users have with the stack, with applications that accept the interactions and push data down where it may be manipulated, followed by the data that runs on them, with the computers and networks at the bottom layer. The four technology solution domains (Presentation Services, Application Services, Information Services, and Infrastructure Services) are based on the standard multi-tier architecture used to build these solutions.

Learn more by reading the EA reference guide.

Security and Risk Management

Example Scenario

An employee working from home must log into the corporate VPN using the one-time password token on his key fob. A new website being built is tested for compliance with corporate security policies. A thief cannot read data on a stolen laptop if its hard drive has been encrypted.

Explanation

This domain encompasses the services that most people think of when they think of cybersecurity. It covers the passwords, firewalls, and encryption that protect computer systems and data. It is the processes that define policies and audit systems against those policies. It uses ethical hackers and tools to test for weak spots in the systems. This domain provides the core components of an organization’s Information Security Program to safeguard assets and detect, assess, and monitor risks inherent in operational activities.

Learn more by reading the EA reference guide.

This blog is based on the CSA Enterprise Architecture Reference Guide. If you are interested in learning more, you can download the publication for free.