Cloud is a journey every enterprise is undertaking for various reasons, and the current crisis has accelerated it. The new normal has greatly increased remote working, which means a potential increase in threat vectors and attack surfaces. This puts business resilience at the forefront.
Common concerns and challenges that enterprises face on their cloud journey include misconfigurations, risky changes, vulnerabilities arising from patching gaps, regulatory and compliance non-adherence, and everything from DevSecOps to Zero Trust. The market offers solutions that address one or a couple of these areas and fall into the categories of Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP). However, these fall short of the overall need.
The need for a holistic risk management solution
What the industry needs today is a single-pane-of-glass solution that delivers a holistic risk and threat view and, at the same time, an automated view of compliance adherence for cloud-based business applications.
There is also a pressing need for a uniform methodology and framework that helps assess hundreds of business applications hosted in data centers for their fitness to migrate to the cloud, based on various security, compliance and regulatory scenarios.
Think of a solution or framework that automatically recommends the security controls needed to protect the business applications identified for cloud migration, and that provides the ability to perform a gap assessment against those controls to ensure a sufficient plan is in place to protect the applications once they migrate to the cloud. Add to that the ability to store the evidence for all those controls, which can then be referenced later during internal and external audits.
A structured approach to cloud application risk management
We recognized this need while working with multiple customers and built a solution called Cloud Application Risk Governance (CARG), a framework that addresses customer needs from pre-migration assessment through to continuous controls and threat monitoring of business applications once they are in the cloud. Figure 1 shows the various building blocks of CARG.