Security
Security is version-controlled as code and enforced as a first-class member of infrastructure creation, making it a default feature in every stage of the application lifecycle.
Cloud platforms will not guarantee the security of your IP (intellectual property); your security configurations and policies will. The perimeter and intellectual property must be secured by enabling the following key trust principles:
The system is protected, both logically and physically, against unauthorised access.
System processing is complete, accurate, valid, timely, and authorised.
The system’s ability to protect the information designated as confidential, as committed or agreed.
Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice.
Attacks such as DDoS and brute force are inevitable on the internet. They can bring down an entire business without even entering your perimeter.
Protect your entry points by whitelisting sources and enabling a zero trust policy. Communications with abstracted cloud services (i.e. not within the same account tiers) are encrypted.
Credentials and secrets must be stored in a centralised secret management system with a strong password policy, periodic rotation, runtime access, and configuration management. Examples include HashiCorp Vault and GitLab secrets.
Regular security testing, auditing, penetration testing, and vulnerability scanning must be enabled for all infrastructure resources. Security as code is version-controlled to make it auditable and traceable. This approach permits portability across cloud providers, as well as tenant-specific customisation and review.
These security policies must be enforced in code as a first-class member of infrastructure creation, making them a default feature in every stage of the application lifecycle.
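One way to enforce the entry-point, encryption and secret-storage rules above as a version-controlled check that runs before infrastructure is created. This is an added example, not code from the original page; the resource schema, the rule names and the "vault:" reference prefix are assumptions, and the sample plan is constructed.

```python
"""Policy-as-code check over a constructed infrastructure description.
The resource schema and the "vault:" reference prefix are assumptions."""
import ipaddress
import re

SECRET_KEY = re.compile(r"(password|secret|token|api_key)", re.IGNORECASE)
SECRET_REF_PREFIX = "vault:"  # assumed marker for a value resolved at runtime

def open_to_world(cidr):
    """True when the CIDR covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def evaluate(resources):
    """Return a sorted list of (resource_name, rule_id) violations."""
    violations = []
    for res in resources:
        name = res["name"]
        # Rule 1: entry points must list explicit sources.
        if any(open_to_world(c) for c in res.get("ingress_sources", [])):
            violations.append((name, "INGRESS_NOT_ALLOWLISTED"))
        # Rule 2: links to services outside the account tier must be encrypted.
        for link in res.get("links", []):
            if not link.get("same_account_tier", False) and not link.get("encrypted", False):
                violations.append((name, "UNENCRYPTED_EXTERNAL_LINK"))
                break
        # Rule 3: secret-looking settings must reference the secret manager.
        for key, value in res.get("settings", {}).items():
            if SECRET_KEY.search(key) and not str(value).startswith(SECRET_REF_PREFIX):
                violations.append((name, "INLINE_SECRET"))
                break
    return sorted(violations)

# Constructed sample plan (not from any real environment).
SAMPLE_PLAN = [
    {"name": "web-lb", "ingress_sources": ["203.0.113.0/24"],
     "links": [{"target": "object-store", "same_account_tier": False, "encrypted": True}]},
    {"name": "admin-api", "ingress_sources": ["0.0.0.0/0"],
     "settings": {"db_password": "example-inline-value"}},
    {"name": "worker", "ingress_sources": ["198.51.100.7/32", "::/0"],
     "links": [{"target": "queue", "same_account_tier": False, "encrypted": False}],
     "settings": {"api_token": "vault:secret/data/worker#token"}},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_PLAN)
    for resource, rule in found:
        print(f"FAIL {resource}: {rule}")
    raise SystemExit(1 if found else 0)  # non-zero exit blocks the pipeline stage
```

Kept in the same repository as the infrastructure definitions, a check like this gives every policy change a reviewable history.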
Summary
Your objective must be to design and implement a security policy for cloud infrastructure, based on industry-accepted norms, that gets it ready for a third-party information security audit.