Designing End User Area Cybersecurity for Cloud-based Organization
Jauhiainen, Heikki (2021)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202103093065
Abstract
This work was conducted for a Nordic company as a part of a larger cloud transformation initiative. The company started to fully utilize public cloud services. The company’s security postures needed to be aligned with the new cloud operating model. The outcome of this thesis will form the baseline for a forthcoming Cybersecurity project.
The cyber defense model for public cloud computing differs from the traditional on-premises model. Due to those differences it’s important to renew cybersecurity postures when moving to public cloud. This thesis analyzes these differences and tries to provide a holistic view of required cybersecurity functions for public cloud use.
The scope of this thesis is to identify the best practices of cybersecurity protection for end users in a public cloud-based environment. In creating a cybersecurity strategy and choosing the right tooling for the defenses, the Sherwood Applied Business Security Architecture (SABSA) model as well as the ISF Standard of Good Practice for Information Security (ISF SOGP) were used as guidelines throughout this thesis.
The key results of this study are a top-down description of how cybersecurity defense postures can be created with industry best practices, starting from business requirements and ending with the evaluation of the security measures. The study makes good use of National Institute of Standards and Technology (NIST) recommendations and the MITRE ATT&CK knowledge base.
This thesis also attempts to provide an overall description of the automation and tooling needed for cloud-based end user cybersecurity.
The key finding is that even when a company relies on public cloud and the responsibility of managing the infrastructure is passed to the cloud vendor, the implementation challenges of enabling a secure and modern end user experience remain.
The other key finding is that the current level of security automation is not sufficient to replace trained cybersecurity professionals; rather, these new tools bring forth additional competence requirements.
The availability of trained professionals for certain types of technology needs to be considered when planning for new cloud security tools or acknowledging that the company needs to rely on a consulting company (partner).