Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

How to Operationalize a Cloud Security Solution

Tenable Cloud Security

How to successfully operationalize your cloud security solution in 4 easy steps — and why fast and effective operationalization matters.

Smooth and incremental operationalization of your cloud security platform ensures that your implemented solution will be fast to provide measurable value. But when it comes to operationalization, not all cloud security solutions are created equal. In this blog post, we discuss the obstacles and provide four actionable steps for successful operationalization.

What is operationalization in cloud security?

Cloud security operationalization is the process of turning the abstract concept of “cloud security” into an implemented solution that drives measurable value. When operationalizing a solution, security teams seek to ensure it is tightly integrated into organizational processes and actively contributing to the organization’s security posture. A successfully operationalized cloud security solution helps reduce risk, save time, cover its own expense (and more) and be fast to value — all in a measurable way.

Cloud security operationalization challenges

Operationalizing a cloud security solution helps an organization achieve its strategic goals while deriving the most possible value from the investment. However, the process of operationalization comes with challenges. These include:

Cloud infrastructure is notoriously complex

Cloud infrastructure is convoluted, spanning many services and often multiple cloud providers, accounts, organizations, tech stacks, dependencies and diverse and overlapping cloud security solutions. All these moving parts need to be seamlessly managed to ensure performance, enable scalability, support agility and provide security, i.e. deliver on the promise of the cloud.

This is not an easy thing to accomplish. Implementing and running cloud computing is technologically complicated. When it comes to security, the challenge is intensified, since security teams are often strapped for cloud computing know-how and resources. Therefore, when attempting to operationalize a cloud security solution, these technical difficulties need to be overcome by ensuring that technical integration, onboarding and maintenance are enablers to the solution’s adoption rather than blockers (as is sometimes the case).

Security solutions with poor UX

In addition to technological infrastructure challenges, security teams often find operationalization difficulties in the security tools themselves. When tools are hard to understand, counter-intuitive, alert-heavy, difficult to implement, hard to gather and share data from, and lack customization and self-service capabilities -- security teams will have a hard time running and operationalizing them, and fitting them to their needs. Security solutions need to be highly usable and actionable so that effective and incrementally expanded use, even by those without specific cloud expertise, is simple, not more complicated.

Cloud security teams need to give context and build trust

A persistent challenge for security teams is that while they are accountable for operationalizing security and delivering findings, DevOps or other roles are typically responsible for executing on them. While the importance of security is apparent to all, the ROI from security solutions is not. False positives and lack of context can create friction and reduce the trust of engineering teams in security team recommendations. In the cloud, requests to rein in privileged access to resources without adequate proof-pointing, for example, can easily be perceived as overzealous or an impediment to faster development cycles.

Ironically, this disconnect — or dichotomy of belief in what is best for the business — can cause even greater damage to the fabric of the organization’s cloud security as teams become more entrenched in doing security their way. As a result, it is critical that security teams bring reliable findings, made more credible by providing visible context and, ideally, clear policy remediation actions. As engineering teams discover they can count on the findings and recommendations, confidence and trust in them — and the security team and/or cloud security solution bringing the insights to their doorstep — will build. Doing so can facilitate the process of operationalizing the solution to the fullest, such as integrating least privilege in infrastructure as code (IaC).

Further, some solutions can ease the way to ramping up cloud security maturity, with the end goal of automating and integrating security best practices across an organization’s processes and stakeholders. Without acceptance of the value that cloud security solutions bring to the table, organizations will have a troubled path to achieving full cloud security maturity.

Siloed organizational structure

In many organizations, security teams tend to be centralized, while DevOps teams work in a more siloed approach. This happens because security was traditionally part of IT, which managed and secured the on-premises infrastructure. However, as mentioned, in the cloud, security teams need DevOps for operationalizing solutions and enabling unified governance.

This organizational dependency and the inherently different focus of these two groups — security and DevOps — makes it hard for security teams to convince DevOps of the value of the tools and ensure that they prioritize implementing and managing them while adhering to security best practices. This also happens because DevOps supposedly have conflicting service-level agreements (SLA) like ensuring high performance for the product, which is considered an organization-wide business goal, whereas security is considered a specific team’s turf. On the contrary, by not giving security requirements such as careful management of permissions and configurations their due, DevOps may unknowingly introduce or increase cloud risks that can upend a company’s goals.

How to operationalize your cloud security solution in 4 easy steps

Let’s cut to the chase — how do you effectively operationalize a cloud security solution in your organization? Based on extensive customer experience, here are the four steps we recommend:

Step 1 - Choose the right cloud security solution

Like choosing the right partner can improve chances for a successful marriage, the first step to ensuring successful operationalization is finding a solution that is easy to operationalize while answering your security needs. We’ve written extensively in the past about choosing a vendor, questions to ask a cloud security vendor and questions to ask during a POC, so we won't go into the whole process in-depth again.

In addition to what we’ve written before and with respect to operationalization, we recommend choosing a solution that reflects investment in easy and detailed visibility into risk and that offers flexible remediation options. These two capabilities go far in minimizing technological and organizational overhead and make it easier to extract value from the solution both in its findings and in communicating on them (more on this below).

Step 2 - Educate your users

The next step is to educate users about the new cloud security solution and demonstrate how using it can simplify and favorably impact their work effort, while measurably improving the organization's cloud security posture. Focus on how the solution takes the complex security problem the company is dealing with and makes it simple to manage, prioritize and solve. It is important to show how the tool’s automated analysis of risk and even policy recommendations can do the heavy lifting.

Education usually consists of:

  • Explaining cloud security risk. Don’t assume they know already. Taking the time to explain how securing the cloud is different and why doing so is complex will help teams — including those whose focus is not security — understand the gravity of the matter.
  • Hands-on workshops. Provide practical training in how to use the tool in different ways to address and resolve risk. Training should include walking users through the onboarding process (which should be easy, not intimidating) and how to use the solution in their day-to-day, including leveraging customization and self-service features.
  • ROI. Speak to the value! Give examples of time saved and how the tool simplifies collaborating on security. Risk visibility, context and remediation play a key role in providing — and illustrating — ROI. Understanding how visualization into access and prioritization of risk can save hours of manual effort is a natural motivator for increasing interest in using the tool.

Education should be in everyday language, without too many buzzwords or technical terms. You can ask your vendor to assist with the education phase, to help bridge the gap between security and engineering, as well as provide any additional cloud security expertise that is required.

Important tip: An excellent way to gain buy-in to cloud security operationalization is to involve non-security stakeholders — engineering, DevSecOps, IAM, data scientists, compliance and risk, you name it — during the solution evaluation phase. Once the purchase is made, include them in the education process and give them platform access. Doing so will increase their confidence in the tool and its value, and help make them willing partners in giving security greater focus.

Step 3 - Ensure smooth integration with your cloud security solution

Operationalization is about getting the solution to work within your security team and across the relevant operational workflows. To do so, technical integration needs to work smoothly. We recommend the following steps:

  • Set up technical integrations with the day-to-day tools of your cloud security process stakeholders. For example, for infrastructure engineers, ensure the solution integrates with your ticketing systems like Jira and ServiceNow.
  • Assign owners and users to ensure everyone knows and can take ownership of their role and responsibilities, including use of self-service features.
  • Deploy gradually. Start by onboarding a focused number of users and use cases. For example, use the tool to first quickly visualize your asset inventory and the relationships between identities and resources. Let the tool identify the most critical risk issues needing attention. Focus on “easy wins” first, move on to cover more ground as you go.
  • Include automation and workflows to make implementation easier while improving ROI. Use the offering’s customization capabilities and API to tailor it to your organizational standards and needs.
  • Monitor every day, week or month according to predefined criteria. Create a Slack channel with team members and other stakeholders for your monitoring cadence.

Step 4 - Collaboration, review and evangelism

A big part of successful operationalization comes from being able to advance toward better security. Use your cloud security solution as a springboard for working collaboratively across teams to resolve security issues, educate about cloud security, and review and improve processes.

Use it, too, to win the hearts and minds of decision makers, like management leadership and boards. As mentioned, everyone is on the same page in wanting to avoid a ransomware attack or cloud security threats such as this year's cloud data breach headlines. Turn security into a leading principle — rather than an afterthought — that helps protect and grow the business rather than stifle it. Your evangelism should focus on presenting quality information showing the solution’s KPIs, such as how it increases governance, improves security metrics and improves compliance. Make a point of using reports, benchmarks, G2 reviews and other easily consumable information and data to convey how the chosen cloud security solution is helping the business achieve its goals.

Conclusion

Operationalizing a cloud security solution can be daunting, especially for security teams who have had poor experiences with solutions that were hard to manage and generated many false positives. Security teams can overcome this by:

  • Choosing a solution that is easy to deploy and consume for both security and cloud engineering, and has a track record for reliable findings
  • Technically integrating gradually, with increasing use of automation and customization
  • Educating users while focusing on simplicity and the value to their jobs
  • Evangelizing how effective cloud security is tied to business value and growth

Successful operationalization will make a huge difference in how the solution is used, the ROI gained and how secure your company’s cloud environment is. Plan and execute operationalization purposefully, and you will move the security needle forward. Operationalizing a cloud security solution goes hand in hand with taking incremental steps to using the solution to its fullest. 

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.