The document outlines best practices and governance strategies for multi-cloud security and compliance, emphasizing the importance of automation and continuous monitoring. It highlights the need for organizations to adopt a comprehensive governance framework that includes policy enforcement, risk management, and visibility across cloud assets. Additionally, it introduces the Cloudnosys Security and Compliance Platform as a solution for continuous security and compliance monitoring.

1. Multi-Cloud
SECURITY & COMPLIANCE
GOVERNANCE & BEST PRACTICES

2. • Kamran Mehboob
• Dir of Product Management
Security & Compliance
Meet Our Speakers

3. What we will learn today?
• What to govern in a multi cloud?
• Governance best practices
• Where and how to to start
• CIS control for all clouds
• Cloudnosys Security & Compliance Platform
• Q & A

4. Why even have a Multi Cloud Strategy
1. 85% of Enterprises now have Multi-Cloud
Strategy for Public Clouds. McKinsey, Forrester,
Gartner
2. Merger and Acquisions forcing companies to
quickly develop a model to govern and effectively
manage acquired company’s Cloud footprint.
3. Technology, Costs and Talent
Multi-Cloud is the new norm

5. Cloud COE Governance Core Focus
Areas
1. Security and Compliance (Today’s session focus)
2. Financial – Cost Control (Utilization, Capacity, Reserve
Instances, Tagging – FinOps.org)
3. Performance Management – (Machine Metrics, RightSizing,
APM)
Build : Automation, Enforcement and Self Healing Cloud

6. What are the common threads to Govern
security for Public Clouds at Scale?
1. Software define infrastructure controls – Core
2. Mostly process and technology automation – Very little People
Governance = Configurations + Collaboration + Enforcement + Self healing

7. Cloud Velocity requires Automations
Cannot humanly see or govern thousands of
configurations everyday and fix them!
• Need compliance framework control testing
• Need continuous monitoring & automation
• Need DevSecOps Governance for CI/CD automation

8. Security Governance for Public Clouds
1. Build a set of granular Corporate policies for Security and
Compliance configurations and OS levels for all cloud
services (Firewalls, Access, Encryption, IAM and more)
2. Enforcement of Policies in near time and analyzing any
additions or changes to existing cloud configuration services.
3. Monitor and measure risks continually then either allow or
deny services requests for out of policy actions
Invest in open source and commercial tools to deliver a 360 view
of all cloud assets running globally in a single pane of glass.

9. Key Focus areas to reach Scale on
Governance
1. Visibility - Considerable attention to Visibility and Change in
your Cloud services
2. Speed - Increase speed by “continues delivery or monitor
changes” Reduce human intervention
3. Self Healing – Fix the problems before they go into
production and while in production fix on the fly via
automation.
4. Leverage Partners and Vendors to understand what “Good”
looks like. You don’t have to build it yourself

10. Start here but end with a 360 view of all
cloud policies and risks?
AWS Azure GCP
Configuration
Management Config, CFT
Azure Policy, Azure
Security Center (ASC)
Configuration Mngt,
Anthos, Forseti
OS Management Inspector ASC
Security Command
Center (SCC) (in
beta)
Log Management
GuardDuty,
WatchTower ASC StackDriver
Automation - Self Healing Lambda Azure Functions GCP Functions
Monitoring PII Data usage
in DB Macie
MS Information
Protection DLP - SCC
Risk Management none none none
Best Practice Policies CIS CIS CIS

11. How to build, manage and enforce
Policies at scale in addition
understand risks?
1- CIS First
2- Custom Signatures
3- Automation
My budget is Zero and we have no time

12. • The Center for Internet Security is a non-profit entity
that harnesses the power of a global IT community to
safeguard private and public organizations against
cyber threats.
• CIS AWS Benchmarks
44 AWS Controls
• CIS - OS hardening & AWS
Configurations
• https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foun
dations_Benchmark.pdf
Sample AWS CIS Controls
© 2018 - Cloudnosys | Security, Compliance, Cost.
1. Unauthorized API calls
2. Management Console sign-in without MFA
3. Usage of “root” account
4. IAM policy changes
5. CloudTrail configuration changes
6. AWS Management Console authentication failures
7. Disabling or deletion of customer created CMKs
8. S3 bucket policy changes
9. AWS Config configuration changes
10. Security group changes
11. Changes to Network Access Control Lists (NACL)
12. Changes to network gateways
13. Route table changes
14. VPC changes
15. Ensure security contact information is registered
16. Ensure appropriate subscribers to each SNS topic

13. How we govern and audit S3 Bucket?
Note; 23 policies just for AWS •AWS S3 Bucket Authenticated 'FULL_CONTROL'
Access
•AWS S3 Bucket Authenticated 'READ' Access
•AWS S3 Bucket Authenticated 'READ_ACP' Access
•AWS S3 Bucket Authenticated 'WRITE' Access
•AWS S3 Bucket Authenticated 'WRITE_ACP' Access
•Enable S3 Bucket Default Encryption
•Enable Access Logging for AWS S3 Buckets
•Enable MFA Delete for AWS S3 Buckets
•S3 Bucket Public Access Via Policy
•Publicly Accessible AWS S3 Buckets
•AWS S3 Bucket Public 'READ' Access
•AWS S3 Bucket Public 'READ_ACP' Access
•AWS S3 Bucket Public 'WRITE' Access
•AWS S3 Bucket Public 'WRITE_ACP' Access
•Enable Versioning for AWS S3 Buckets
•DNS Compliant S3 Bucket Names
•Enable S3 Bucket Lifecycle Configuration
•Review S3 Buckets with Website Configuration
Enabled
•AWS S3 Unknown Cross Account Access
•Secure Transport
•Server Side Encryption
•Limit S3 Bucket Access by IP Address
https://docs.aws.amazon.com/AmazonS3/latest/dev/ex
ample-bucket-policies.html
You write these rules via API

14. How should we Govern VPC?
• Unused VPC Internet Gateways
• Use Managed NAT Gateway for AWS VPC
• Ineffective Network ACL DENY Rules
• Unrestricted Network ACL Inbound Traffic
• Unrestricted Network ACL Outbound Traffic
• Enable Flow Logs for VPC Subnets
• VPC Endpoint Unknown Cross Account Access
• AWS VPC Exposed Endpoints
• Enable AWS VPC Flow Logs
• AWS VPC Peering Connection Configuration
• AWS VPN Tunnel Redundancy
• AWS VPN Tunnel State
• Unused Virtual Private Gateways
• VPC Peering cross accounts
• Easy to turn on and collect
• Requires Log Correlations
• Information Latency
• Requires automation, integration & Analysis
All via APIs - Requires expert understanding
of AWS security at the component level.
Compliance as code is the new norm!
Custom Rules: Written by YOU!
You write these rules via API

15. Governance Model for Resources
Collection and Reporting
AWS Infra Logs and Config
Config, CloudTrail, Cloudwatch, VPC Flow
Logs
Easy
AWS Service Logs
S3 logs, RDS logs, Lambda etc.
Easy
Host Based Logs
Server logs, Audit logs, Applications etc.
Easy
Machine Meta Data and related
Configurations changes, limit reached etc.
All API based collections (Automations)
Very
Hard
Policies Output Collection
Policy Analysis for
Governance
Evidence based Governance/
Compliance Reporting -
PASS/FAIL with RISK
Ratings
All raw data but a core foundation of your compliance and security
gap reporting. It is not in a business ready usable format.

16. Security and Compliance Reporting for
“Governance and Security Risk Posture”
GDPR Compliance Reporting:
Date 6/20/2018
AWS Account Name: GDPR Prod
Inventory of Assets 10 EC2, 10 VPC, 20ELB, 18 S3, 12 RDS
Data Privacy By Design Article 25
Data controller is required to implement appropriate
technical and organisational measures both at the
time of determination of the means for processing
and at the time of the processing itself in order to
ensure data protection principles such as data
minimisation are met. Any such privacy by
design measures may include, for example,
pseudonymisation or other privacy-enhancing
technologies
FAIL
Access Control 100 29 129
Encryption RDS 200 32 232
Encryption S3 105 95 200
Encryption ELB - TLS 1.2 200 29 229
IAM Audit Controls 120 200 220

17. Summary : A quick checklist for your Cloud
Start with your Cloud native provided tools
GuardDuty, Security Center, Configuration Manager
Organizational Responsibilities
Assign a Data Protection and Security officer which will govern and benchmark the program.
Technical Responsibility and Obligations
CIS controls first then to NIST Controls- Inventory data, and implement strong
controls to maintain data privacy, build your “collection” expertise. Pay attention to DLP, Encryption, and
CIS/PCI/HIPAA equivalent controls around Cloud configuration monitoring. Audit trail management.
Implement cloud compliance automation to manage these controls and continually monitor in near real time.

18. Introducing…
CLOUDNOSYS
Cloud Security Governance
@ Scale
SECURITY & COMPLIANCE PLATFORM

19. Cloudnosys Security and Compliance Platform
CloudEye Continuously Secure your cloud services and automate
compliance. Over 150+ Cloudnosys best practice rules track and monitor
your AWS services for security and compliance violations. Dashboard and
reports keep you fully informed of any Risks. – Agentless!
• Continuous Security & Compliance Scanning
• Alert on Vulnerabilities
• Audit Reports on Security and Compliance
• Fast Remediation
• Supports GDPR, PCI-DSS, HIPPA, AWS CIS Benchmark and FISMA
mandates
© 2020 - Cloudnosys | Security, Compliance.

20. CloudEye Active Security Defence System
Visibility
• Asset Discovery
• Configurations
• Alerts & Drifts
• IAM Controls
Everything visible and secure
Governance
• Policy Guardrails
• Auto Enforcement
• DevSecOps Management
• Custom Policies
Accountability and control
Compliance
• PCI, HIPAA, NIST & more
• Risk Assessments
• Audit Reports
• Vulnerability & Remediation
Continuous compliance

21. Compliance Simplified – All Controls Mapped
Generate auditor ready compliance reports without specialized knowledge

25. Reporting: Compliance and Security
Security and Compliance reports shows, alerts, violations and how to
remediate these quickly to avoid any Cyber attacks. This is generated on the
fly after scanning all Cloud Services
© 2020 - Cloudnosys | Security, Compliance

26. Q & A - ANY QUESTIONS?
Type in your questions in chat box now…
Try Cloudnosys
For 14 Days Free
Start monitoring,
optimizing and securing
your AWS.
No Limits evaluation.
© 2020 - Cloudnosys | Security, Compliance.
info@Cloudnosys.com