Posted: August 15, 2019
To accelerate large-scale cloud adoption while mitigating security risks and maintaining compliance with regulatory requirements, large organizations must establish a unified approach to cloud security that balances control and autonomy. This can be especially challenging when entities are just beginning their cloud journey, with limited organizational knowledge of the cloud and security processes developed for traditional infrastructure.
The California Department of Technology (CDT), Office of Information Security (OIS) recognizes the importance of preparing for State entities to migrate significant internal and customer applications into the public cloud. To ensure that these efforts are realized with appropriate secure development processes, security architecture, configuration, and monitoring/management capabilities, CDT sought out a consultant with strong cloud development, security architecture, and operation expertise.
In June of 2019, Infiniti was chosen by competitive bid to be the CDT’s cloud technology security partner with the expertise and authority to develop a unified approach to secure cloud adoption and operation across cloud providers. Infiniti has built a strong cloud services practice made up of experts who have garnered the experience and education to ensure entities’ assets are safely migrated to the cloud with minimal to no downtime or interruption to their daily services.
It is important that critical preventive controls, detective tools, and response capabilities be established and utilized in the early stages of the cloud adoption process, and Infiniti has been brought in to CDT to set up the framework to ensure this happens. This project will define the policies, controls, and centralized services and products that 150+ state entities will utilize to ensure security and compliance as they adopt cloud services. Our approach is to empower them to build upon baselines, providing guardrails for safety and centralized services to minimize effort and complexity.
These security standards are being set with the knowledge and input of key government officials. We are assessing current infrastructure management and policies and adapting them to the cloud. Infiniti will be developing DevOps/SecOps tools and processes to support both multicloud and hybrid cloud environments.
Progress To Date:
Infiniti has developed a plan for CDT to develop and implement policies, controls, services, and products in alignment with the NIST Cybersecurity Framework (CSF). For each subcategory in the NIST CSF, Infiniti has recommended specific capabilities to support State entities. Infiniti has developed an approach to governance at scale, utilizing centralized ITSM for account management, security and compliance automation, and budget and cost control. Infiniti is supporting CDT’s infrastructure services team in defining infrastructure management and application delivery tools and processes, including utilizing version control, infrastructure as code, and automated deployment.
AWS Services Utilized:
• AWS Direct Connect (Hybrid Cloud)
• AWS CloudFormation
• AWS Organizations
• AWS Service Control Policies
• AWS Permissions Boundaries
• AWS Artifact