Department For Education
Cloud Security Assurance Initiative
Project: Integration of Technical Solutions
We undertook a cloud security assessment to help the client identify its security posture, devise a roadmap to address risks, and continuously monitor its compliance state against industry frameworks.
Background:
Talent has been working with a client in the education sector that has multiple cloud environments that have evolved over years and incurred technical debt due to the ever-changing government landscape and cloud evolution. The result is a lack of effective governance and control, especially on provisioning and ownership of resources, lack of a security model and expertise in the cloud, identification of risks/vulnerabilities, ensuring compliance, lack of consistent management across the different clouds and tenancies, etc. This is coupled with the inherent weaknesses of the cloud, such as vulnerable APIs, compromise of credentials, broken authentication, etc. Talent was brought in to assess the client’s security posture against industry benchmarks; we provided a strategic roadmap covering identified risks across all security domains, architectural guidelines, and compliance dashboards to help promote continued visibility and progress over time. Working alongside the CSO, Talent also provided an assessment of their working practices and a to-be security model with special emphasis on identity and access management of their users in the cloud.
Approach:
Understanding the current security state
One of the objectives of the cloud security assurance initiative was to provide an insight into the client’s current security posture across their tenancies in Azure, against best practices. To achieve this, we performed the following:
Assessed the current as-is Identity and Access Management (IAM) operating model for each of their 7 Azure tenancies
Conducted stakeholder interviews to understand the processes and workflows: how user access is managed (JML), how permissions are elevated, use of MFA, etc.
Reviewed current Azure AD structures to identify whether management of all tenancies is centralised through automated processes, and to collect evidence to support risk identification.
Uncovered areas of security and financial risk associated with cloud identity-related threats and compliance threats, and provided a strategic roadmap tailored to the client’s organisation to improve their cloud security posture.
Leveraging common industry frameworks like the Center for Internet Security (CIS), we helped the client understand their cloud security risk posture and compliance status and provided architectural guidance for improving cloud security governance and cyber resilience.
Provided prioritised and actionable next steps to help the client make decisions and build a strong defence against cyber risks.
Created several security and compliance monitoring dashboards to help the client visualise their current state across all tenants, which cover:
The overall security score in Azure against tenancies and subscriptions, and associated recommendations for each tenant/subscription
The health status of resources vs security recommendations
Presented the compliance results over a period of a few months in a Power BI report to allow the client to maintain an over-time view of their compliance.
Assessed their documented policies, as well as those implemented in Azure
Reviewed 27 documented security policies to understand customer requirements and to ensure that Azure policies align with customer policies
We uncovered gaps and misalignments in both documented policies and Azure policies, and the risk associated with inconsistent policies.
Ongoing Security consultation
As part of ongoing efforts to improve the client’s security posture, Talent also provides on-demand consulting advice on many aspects of security; examples include but are not limited to:
Performing Security Design Assurance on projects (e.g. network designs, cloud economics, etc.)
Performing investigations on potential exposure to risk due to risky configuration, such as lack of security logging and ways to cost and enable logging; reviews of public IP address usage along with recommendations of appropriate controls to minimise the risk of exposure; etc.
Performing security application scanning where needed (e.g. to discover the presence of vulnerabilities such as Log4j).
Results:
Overall, Talent helped the client achieve security visibility across its multiple Azure tenants and provided visual aids to help the client maintain an over-time compliance view. This allows the client to benchmark its security maturity against leading industry standards and frameworks. The proposed security operating model for IAM, which allows a smoother move to a single tenancy, was accepted, and a roadmap for this change was reviewed and communicated to senior leadership teams. The client is now progressing with remediations and identified risks as agreed in the roadmaps, with continued support from Talent. Reports generated since the initiative began in November 2021 enabled leadership to make informed cyber risk-based decisions, improve deployment of policies, and identify ROI on cloud security investments.