Cloud Security Requirements - Part 2

This blog series consists of a detailed set of cloud security requirements that can be used by any organization that wants to implement cloud services securely. The requirements expressed below are cloud-agnostic and can be applied to any public cloud or even to private clouds.

The sub-domain and requirement descriptions are mapped to ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated by the NIST 800-53 series.

Domain: DevSecOps and CI/CD

| Sub-Domain | Req. Name | Req. Description |
| --- | --- | --- |
| Governance | Application Risk Categorization | All applications shall be categorized by risk. Risk can be categorized as internal, external, or strategic (e.g., weak cryptographic standards can get the app compromised during the production phase, so this can be marked as high risk). |
| Construction | Third-Party Components | Any third-party components that may be used in any software development cycle shall be documented |
| Verification | Automated Code Analysis Tools — Security | Automated code analysis tools with specific components for monitoring for security issues shall be used |
| Verification | Penetration Testing | Penetration tests shall be performed prior to release to production |
| Deployment | Third-Party Components Security Updates | The websites of third-party software components shall be regularly reviewed for any security-related updates |
| Deployment | Patch Management Process | A single process for applying upgrades and patches to applications shall be used |
| Deployment | Operational Environment Automation | Software Engineering shall use automated tools to evaluate the operational environment and application-specific health |
| Deployment | Security Alerts and Errors | Security-related alerts and error conditions for all released applications |
| Deployment | Change Management Process | A common change management process shall be used, and all software engineers shall be trained on the process |
| Deployment | Secure Code Signing | All released code shall be securely signed using a single consistent process |
