Highlights
- Automated multi-cloud security assurance solution implemented.
- Significantly improved risk posture in identified risk areas.
- Increased awareness of security threats, risks, vulnerabilities, and controls across the developer community.
- Gamification led to enhanced cloud security compliance across the business.
- Customised KPIs to track and encourage cloud security control effectiveness.
The Problem
Managing security compliance across multi-cloud environments is a daunting task, especially when the goal is to foster innovation without stifling agility.
This becomes even more challenging when the technology stack is diverse and continuously changing. Our global natural resources client was grappling with these challenges, struggling to maintain and monitor security compliance across various cloud service providers, their data lake, and other security systems. The complexity and fluid nature of the tech stack meant that traditional methods of security compliance management were not efficient or effective.
The Opportunity
With the increasing demand for agile and innovative business operations, multi-cloud environments are becoming increasingly prevalent. This, however, comes with the challenge of maintaining robust security and compliance across all these environments.
The opportunity here lies in automating security compliance and monitoring across multi-cloud environments. By addressing this challenge, companies can not only ensure seamless security compliance but also improve overall business agility and innovation.
The Solution
The solution implemented was the Continuous Controls Assurance accelerator by the Mantel Group. This tool provisioned a multi-cloud security dashboard rapidly to inform risk mitigation priorities and encourage teams across the business to enhance their cloud security posture.
The benefits of this solution were as follows:
- Real-time visibility into security compliance across multi-cloud environments.
- Improved risk management with prioritised mitigation strategies.
- Gamification to motivate teams to improve their cloud security posture.
- Customised KPIs to reflect the effectiveness of technical cloud security controls.
Our Approach
The first step in the process was to partner with the client to understand their unique challenges related to multi-cloud security compliance and the specific configurations of their tech stack.
The next step was to implement the Continuous Controls Assurance accelerator. This involved setting up the multi-cloud security dashboard that would serve as the central hub for monitoring security compliance across the various cloud environments.
Once the dashboard was set up, it was customised to reflect the client’s specific risk mitigation priorities. This was done by developing key performance indicators that accurately reflect the effectiveness of technical cloud security controls, including controls related to workloads.
Reporting and distribution of the KPI data came next, delivered through a BI system designed to let the data be filtered by business unit, business service, environment, cloud service provider account, and public-facing status.
Subsequently, the KPIs were categorised into cloud security domains. Service level objectives were defined for security controls that target key cloud security risk areas.
Several specific KPIs and service level objectives were developed, targeting areas such as aged or unused credentials, over-privileged identities, compliance with tagging standards, backup recovery point objectives, vulnerability patching standards, and cloud secure configuration baseline standards.
Lastly, the solution was rolled out across the organisation, which led to a significant change in risk posture for identified risk areas. The use of gamification to improve cloud security compliance was found to be successful, leading to a significant increase in awareness of security threats, risks, vulnerabilities, and controls across the developer community.
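As an added illustration (not code from Mantel Group's accelerator or the client), the following shows how one of the KPIs described above, aged or unused credentials, can be computed from a credential inventory, filtered by the dashboard's reporting dimensions and checked against a service level objective. The thresholds, field names and inventory records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Reporting thresholds (assumed values, not the client's actual standards).
AS_OF = date(2024, 6, 30)
MAX_KEY_AGE_DAYS = 90      # keys older than this are "aged" and overdue for rotation
MAX_UNUSED_DAYS = 45       # keys idle longer than this are "unused"
SLO_MIN_COMPLIANT = 0.95   # service level objective: share of keys that must be compliant

@dataclass(frozen=True)
class Credential:          # one access key plus the dimensions the dashboard filters on
    key_id: str
    business_unit: str
    environment: str
    account: str
    public_facing: bool
    created: date
    last_used: Optional[date]   # None: never used

def days_ago(n: int) -> date:
    return AS_OF - timedelta(days=n)

# Constructed sample inventory (not real data).
INVENTORY = [
    Credential("k1", "mining", "prod", "111", True, days_ago(30), days_ago(2)),
    Credential("k2", "mining", "prod", "111", False, days_ago(120), days_ago(5)),
    Credential("k3", "mining", "dev", "222", False, days_ago(20), None),
    Credential("k4", "logistics", "prod", "333", True, days_ago(10), days_ago(1)),
    Credential("k5", "logistics", "prod", "333", True, days_ago(60), days_ago(10)),
    Credential("k6", "logistics", "dev", "444", False, days_ago(40), days_ago(20)),
]

def is_compliant(c: Credential, as_of: date = AS_OF) -> bool:
    """A key is compliant only if it is within the rotation age AND has been used recently."""
    aged = (as_of - c.created).days > MAX_KEY_AGE_DAYS
    unused = c.last_used is None or (as_of - c.last_used).days > MAX_UNUSED_DAYS
    return not (aged or unused)

def kpi(inventory, as_of: date = AS_OF, **filters):
    """(compliant, total, fraction) for the keys matching the given dimension filters."""
    rows = [c for c in inventory if all(getattr(c, k) == v for k, v in filters.items())]
    compliant = sum(is_compliant(c, as_of) for c in rows)
    return compliant, len(rows), (compliant / len(rows) if rows else 1.0)  # empty scope: nothing to fix

def slo_report(inventory, dimension: str, as_of: date = AS_OF):
    """Per dimension value: (compliant, total, fraction, meets_slo)."""
    report = {}
    for value in sorted({getattr(c, dimension) for c in inventory}):
        compliant, total, fraction = kpi(inventory, as_of, **{dimension: value})
        report[value] = (compliant, total, fraction, fraction >= SLO_MIN_COMPLIANT)
    return report
```

Grouping by `business_unit` here shows the gamification angle: each unit sees its own compliance fraction against the same SLO, so a unit whose keys are aged or idle stands out in the report.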