Empowering Cloud Security Professionals
Why should only people working in security be responsible for security?
Almost all of the work has shifted from on-premises to the cloud. A company has many kinds of employees: alongside the engineers there are GRC people working on regulatory compliance, and managers and staff looking after day-to-day operations. Most of them use the cloud.
Security starts with the employees, so the best practices for staying protected should be people-centric too.
- Free and frequent training should be made available to employees. Most will not attend right away, so put incentives in place. Make the training engaging and hands-on enough that an employee soon moves from being handed material to learning on their own.
- Encouraging people to take up expensive certifications and courses might not be the best method either. Why?
Certification bodies refresh their material every few years so that it keeps pace with current trends in the industry. That makes the exams harder to pass for employees who are not in a role where they use that knowledge day to day. There is no need for these certs or courses if the person is not going to apply the material and turn it into actual, usable skills.
- When a new person joins the company, the team should support the new hire rather than expect them to hit the ground running. Even an experienced hire should not be put in a position where they walk in and say "I know how this should be done".
- The new hire should first be given proper instructions on which cloud services are in use and which controls need to be set to meet the company's requirements, instead of taking a risk and reusing the techniques from their previous employer. The requirements are not going to be the same at both places.
- If the new hire is a fresher, managers need to be ready for some hand-holding in the initial stage, until the person has acquired the mindset to make decisions on their own.
What about GRC?
Regulations keep changing over time and bring new challenges with them. They have to be met at a granular level, against global standards. There is no single, final solution to the challenges that fast-changing regulations bring. Regulatory compliance is not something you do at the end of a project; it is part of the design of the cloud services we use.
For every regulation you need to adhere to, its requirements should be baked into service adoption, so you never discover after the fact that a service was adopted that cannot meet them. For example: where data is stored, where it physically resides, and where it is transmitted should become part of the data security model, because that is exactly what has to be represented to a regulator. Ask questions such as: can this data be moved to such-and-such location? Can the metadata be exported to another location for analytics or backup purposes?
Frameworks such as the NIST Cybersecurity Framework, together with a controls matrix like the CSA Cloud Controls Matrix, let you map one implemented control to the requirements of several regulations at once, so the same evidence can be presented against each.
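One concrete way to bake a residency requirement into service adoption, as the paragraph above describes, is to encode "which data class may live in which region" as a policy and check every new resource, including its replication and backup targets, against it before it goes live. The following is an added example written for this page, not code from the original post; the resource inventory is constructed for the demonstration, and the field names (`region`, `replicates_to`, `data_class`) and the region identifiers are assumptions rather than any cloud provider's API.

```python
"""Data-residency policy check: flag resources whose primary region or any
replication/backup target is outside the regions allowed for their data
classification. Added example; inventory and field names are assumptions."""
from dataclasses import dataclass

# Assumed policy: allowed regions per data classification. None means the
# classification carries no residency restriction (e.g. public content).
ALLOWED_REGIONS = {
    "eu-personal": {"eu-west-1", "eu-central-1"},
    "us-health": {"us-east-1", "us-west-2"},
    "public": None,
}


@dataclass
class Resource:
    """A cloud resource as it might appear in an asset inventory (assumed shape)."""
    name: str
    service: str
    region: str
    data_class: str
    replicates_to: tuple = ()  # cross-region replication or backup targets


def check_residency(resources, policy=ALLOWED_REGIONS):
    """Return a list of (resource_name, message) for every violation.

    A resource violates the policy if its data class is unknown (nobody has
    classified it, so nobody can vouch for where it may live), or if its
    primary region or any replication target is outside the allowed set.
    Replication targets matter because the regulator cares about every copy,
    not just the primary.
    """
    findings = []
    for r in resources:
        if r.data_class not in policy:
            findings.append((r.name, f"unknown data class {r.data_class!r}"))
            continue
        allowed = policy[r.data_class]
        if allowed is None:
            continue
        for location in (r.region, *r.replicates_to):
            if location not in allowed:
                findings.append(
                    (r.name, f"{r.data_class} data in {location}, "
                             f"allowed regions: {sorted(allowed)}")
                )
    return findings


# Constructed sample inventory for the demonstration.
SAMPLE_INVENTORY = [
    Resource("customer-db", "managed-sql", "eu-west-1", "eu-personal", ("eu-central-1",)),
    # Backup replicated to the US: the primary is fine, the copy is not.
    Resource("customer-db-backup", "object-storage", "eu-west-1", "eu-personal", ("us-east-1",)),
    Resource("marketing-site", "object-storage", "us-east-1", "public"),
    # An analytics export of personal data placed in a US region.
    Resource("analytics-export", "object-storage", "us-west-2", "eu-personal"),
    # Never classified, so it cannot be approved.
    Resource("legacy-logs", "object-storage", "ap-south-1", "pii"),
]


def main():
    findings = check_residency(SAMPLE_INVENTORY)
    for name, message in findings:
        print(f"VIOLATION {name}: {message}")
    print(f"{len(findings)} finding(s) in {len(SAMPLE_INVENTORY)} resources")


if __name__ == "__main__":
    main()
```

Running the block prints three violations: the backup replicated to `us-east-1`, the analytics export in `us-west-2`, and the unclassified log bucket. The point of treating an unknown classification as a failure is that the check then cannot be bypassed simply by never tagging a resource; the same gate can be run against an infrastructure-as-code plan before deployment so the residency question is answered at adoption time rather than at audit time.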