By Ben Kast   /   Feb 25th, 2020

Security & Your Cloud Strategy: An Overview of the AWS Cloud Adoption Framework

Cloud adoption requires a closer alignment between business strategies and IT strategies, making security increasingly crucial to business enablement. As you consider your cloud adoption strategy, there are many factors you need to evaluate. Today we start with an overview of the AWS cloud adoption framework.

An Overview of the AWS Cloud Adoption Framework

The AWS Cloud Adoption Framework (CAF) is broken down into six areas called perspectives:

  • Business
  • People
  • Governance
  • Platform
  • Security
  • Operations

Central to the framework — which was developed by AWS to be cloud agnostic — is the argument that to successfully carry out an organization’s cloud adoption strategy, an accurate evaluation and understanding of its current IT state (current state) is required. Correspondingly, the organization’s target IT state (target state) must also be understood in order to plot out the organizational transformation required for attaining it.

The focus is to identify gaps in skills and organizational processes between the current state and the target state, and to use those gaps as the starting point for understanding what organizational transformation is required to close them before cloud adoption can succeed.

When we look at “An Overview of the AWS Cloud Adoption Framework,” the first three perspectives (business, people, governance) should be viewed as business capabilities, while the last three (platform, security, operations) should be viewed as technical capabilities.

Historically, traditional IT has been viewed as a service center for business. In the traditional sense, business interests defined the agenda and IT worked to support that agenda. The shift in thinking that cloud adoption presents — and the CAF seeks to address — is a much closer alignment between an “organization’s business strategies and goals and IT strategies and goals.” (pg. 5)

In traditional IT environments, IT played a secondary role in business strategy. In a strong cloud adoption strategy, business strategies and goals, as well as IT strategies and goals, are more closely aligned than in traditional IT environments. That is, IT strategies and goals are no longer playing second fiddle to business strategies and goals. They are on a much more equal footing.

This is because, at least in part, cloud environments ideally allow organizations to track IT consumption in a way that is easier to associate IT costs with business results. In short, it is easier for organizations to measure the business outcomes of their IT spending.

An Overview of the AWS Cloud Adoption Framework – Where Security is Job Zero

But what about security? How does cloud adoption create the context where security becomes central to business enablement?

To start, security is one of the six perspectives and is closely integrated with, yet independent of, both the platform and operations perspectives, which together make up an organization’s technical capabilities.

The heavy reliance on DevOps in your cloud adoption strategy presents all the standard organizational obstacles related to DevOps and security. It also presents the benefits, namely the secure speed to market that a successful cloud adoption strategy enables. At its core, security in DevOps organizations relies increasingly on automation. As Bill Gates is well known for articulating, “automation applied to an inefficient operation will magnify the inefficiency.” If your security operations are not tight, the weaknesses will be magnified in the cloud.

Therefore, when determining the current state, the degree to which DevOps and security automation have already been implemented operationally will reduce the number of IT- and security-related gaps in pursuit of the target state. The opposite is also true: the degree to which DevOps and security automation have yet to be operationally implemented will increase the number of IT- and security-related gaps that need to be addressed in pursuit of the target state. That is, the DevOps engineering model is central to successful cloud adoption. This also contributes to one of the biggest obstacles in cloud adoption across all the perspectives: technical and non-technical skills gaps must be planned for and addressed to ensure security is adequately covered.

Implicit in all of this is the understanding of the shared security responsibility that cloud platform adoption presents to cloud customers. The CAF is helpful as a guide in assisting organizations to better understand their role within the shared responsibility model, and places emphasis on the following areas: Identity and Access Management, Detective Controls through native logging, Infrastructure Security, Data Protection, and Incident Response. Interestingly, with Incident Response, as cloud security automation and orchestration are implemented as part of the cloud adoption, it will “shift the primary focus of the security team from response to performing forensics and root cause analysis.” (pg. 14)
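To make the “detective controls through native logging” area concrete, here is a small added example (written for this post, not code from the CAF or from AWS) that runs a few detection rules over CloudTrail-style records. The records are constructed sample data; the field names (eventName, userIdentity.type, responseElements.ConsoleLogin, additionalEventData.MFAUsed) follow the CloudTrail record format, and the event names used in the rules are real CloudTrail event names. The rule set itself is an illustrative choice, not an AWS-defined baseline.

```python
"""Minimal detective control over CloudTrail-style records (added example)."""
import json
from collections import Counter

# Constructed sample trail (not real log data); values are invented.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-02-25T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-02-25T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-02-25T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2020-02-25T10:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# API calls that weaken logging or broaden access; an illustrative list only.
HIGH_RISK_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy",
    "PutBucketPolicy", "AuthorizeSecurityGroupIngress",
}


def classify_event(event):
    """Return the list of finding labels triggered by one record ([] if none)."""
    findings = []
    name = event.get("eventName")
    identity = event.get("userIdentity", {})
    if name == "ConsoleLogin":
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if identity.get("type") == "Root":
            findings.append("root console login")
        if outcome == "Failure":
            findings.append("failed console login")
        if outcome == "Success" and mfa == "No":
            findings.append("console login without MFA")
    if name in HIGH_RISK_EVENTS:
        findings.append(f"high-risk API call {name}")
    return findings


def analyze(trail_json):
    """Parse a CloudTrail-style JSON document and return one row per finding."""
    records = json.loads(trail_json).get("Records", [])
    rows = []
    for rec in records:
        who = rec.get("userIdentity", {})
        actor = who.get("userName") or who.get("arn") or who.get("type", "unknown")
        for label in classify_event(rec):
            rows.append({
                "time": rec.get("eventTime"),
                "actor": actor,
                "source_ip": rec.get("sourceIPAddress"),
                "event": rec.get("eventName"),
                "finding": label,
            })
    return rows


def summarize(trail_json):
    """Count findings by label, the shape a dashboard or alert threshold wants."""
    return Counter(row["finding"] for row in analyze(trail_json))


if __name__ == "__main__":
    for row in analyze(SAMPLE_TRAIL):
        print(f"{row['time']} {row['actor']:<40} {row['event']:<18} {row['finding']}")
    print(dict(summarize(SAMPLE_TRAIL)))
```

In a real deployment the rules would consume records delivered to an S3 bucket or an EventBridge rule rather than an inline string, and the findings would feed a ticketing or SOAR workflow; the point here is that the evidence needed for detection and later forensics is already present in native logs once they are enabled and protected.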

Cloud platform customers who do not fully understand their responsibilities within the shared responsibility model will be operating in very high-risk territory, rife with threats. Making the move to the cloud without addressing the cloud customer’s security responsibilities at the onset is a recipe for disaster. The cloud customer’s shared security responsibility should be a central component of the cloud adoption strategy from the very beginning. For more information regarding cloud storage risks, please see our blog on the 4 most common cloud storage security risks.

In summary, when it comes to the organizational transformations required for cloud adoption, as AWS is fond of saying, “Security is job zero.” If you need help creating policies or testing your cloud security strategies, contact us.

About the Author

Ben Kast

Ben Kast is a Senior Security Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).