Cloudkata®. Incorporated By Staxa LLP

10 Factor Security

The Objective

Client:

Services Organisations

This is a Cloudkata® case study to help Service Organisations in securing their Intellectual Property hosted on a Public Cloud.


Derived from the 5 Key Trust Principles:

  • Security: The system is protected, both logically and physically, against unauthorized access.

  • Availability: The system is available for operation and use as committed or agreed to.

  • Processing Integrity: The completeness, accuracy, validity, timeliness, and authorization of system processing.

  • Confidentiality: The system’s ability to protect the information designated as confidential, as committed or agreed.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice.

The objective is to design and implement a security policy for the client's Cloud Infrastructure, based on industry-accepted norms, so that they are ready for a third-party infosec audit.

The Challenge

Timeline:

Dec 2016 - March 2017


  • Automation of infra components

  • Application compatibility

  • Portability across cloud platforms

  • Continuous Integration and delivery of security as code

  • Testing the policies on infrastructure and application.

The Initiative

Techstack:

AWS, Chef, CloudFormation, CIS

The 10 Factor Security:

  1. Identity and Access Management: RBAC for accounts, web-console, and APIs

  2. Perimeter Security: Securing Network, Systems, and Services

  3. System Security: Hardening, Patching, Vulnerability Scanning for operating system and platforms

  4. Data Security: Protecting and securing database system and platform for data at rest and data in transit.

  5. Application Security: Security Testing, Auditing, penetration testing of application

  6. Release Management: Processes for Prod-deployment, Risk & Mitigation Factors (RMF), Security Review

  7. Logging and Auditing: Server, appliance and system logs, API and console logs, database logs

  8. Reporting: Alerting and Notification

  9. Availability: Guidelines for Recovery Time Objective/Recovery Point Objective (RTO/RPO)

  10. Disaster Recovery: Guidelines for DR and rollback, backups


Guided by :

  • CIS_Amazon_Web_Services_Foundations_Benchmark_v1.0.0

  • CIS_Ubuntu_14.04_LTS_Server_Benchmark_v2.0.0

  • AWS SOC2 Compliance

  • AWS-Security-Check-List


The 10 factors are delivered as Infrastructure as Code and kept under version control, which makes every configuration change auditable and traceable. Every time an environment is spun up for applications or IT operations, these principles are enforced automatically, making it easy for the client to begin their compliance-related activities.

The Impact

Result:

Benchmarks for SOC2 Compliance in Cloud


  • The security policies are enforced in the code as a first-class member of their Infrastructure creation, making it a default feature in every stage of the application lifecycle.

  • Version-Controlled Security as Code made it auditable and traceable.

  • Security settings are no longer mysterious or to be feared. Thanks to automation, the impact of configuration changes can be ascertained quickly.

  • This approach permits portability across cloud providers, as well as tenant-specific customization and review.
