Chapter 8. Providing Internal Security Services

As part of managing a growing cloud estate, a security function needs to be able to provide scalable services. These services establish a secure baseline that ensures resources with known vulnerabilities are remediated automatically and that recovery is possible during an incident.

First, you must be able to control your identity perimeter. Delivery teams will require the ability to self-manage identity in order to move at speed. As their architectures evolve, they need to create roles without the delay of going through a centralized team in order to maintain the principle of least privilege. Once the ability to create roles is decentralized, it is key that teams cannot accidentally or intentionally escalate their privileges and undermine the guardrails of the cloud estate.
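One concrete form of that guardrail, on AWS, is to let a team create and modify roles only when each new role carries a fixed permissions boundary, and to deny the team the ability to remove that boundary. The following linter is an added example, not code from the book: it takes the policy document that would be handed to a delivery team and reports whether any role-writing permission is granted without the boundary condition. The real IAM condition key `iam:PermissionsBoundary` and the IAM action names are genuine; the account ID, boundary ARN and policy documents are constructed sample data, and the choice of AWS as the provider is this example's assumption.

```python
"""Lint a delegated IAM policy for the privilege-escalation guardrail.

Added example (not from the book). Checks that a policy granting a team
iam:CreateRole / iam:AttachRolePolicy / iam:PutRolePolicy also forces every
such call to carry a fixed permissions boundary (condition key
iam:PermissionsBoundary), and that the team cannot strip the boundary again.
Sample ARNs and policy documents below are constructed for illustration.
"""
import fnmatch

# Actions through which a delegated team could widen a role's permissions.
ROLE_WRITE_ACTIONS = {
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:PutRolePermissionsBoundary",
}
# Actions that would let the team remove the boundary; must never be allowed.
BOUNDARY_REMOVAL_ACTIONS = {"iam:DeleteRolePermissionsBoundary"}


def _as_list(value):
    """IAM allows a single string or a list for Action/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' globs."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _boundary_in_condition(condition):
    """Return the boundary ARN the statement is pinned to, if any."""
    for operator in ("StringEquals", "ArnEquals"):
        value = condition.get(operator, {}).get("iam:PermissionsBoundary")
        if value:
            return value
    return None


def lint_delegated_policy(policy, required_boundary_arn):
    """Return a list of findings; an empty list means the guardrail holds."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        pinned_to = _boundary_in_condition(stmt.get("Condition", {}))
        for pattern in _as_list(stmt.get("Action", [])):
            for sensitive in ROLE_WRITE_ACTIONS:
                if _matches(pattern, sensitive) and pinned_to != required_boundary_arn:
                    findings.append(
                        f"statement {index}: {sensitive} allowed without "
                        f"iam:PermissionsBoundary == {required_boundary_arn}"
                    )
            for removal in BOUNDARY_REMOVAL_ACTIONS:
                if _matches(pattern, removal):
                    findings.append(
                        f"statement {index}: {removal} allowed; team could strip the boundary"
                    )
    return findings


# Constructed sample data (not real account, policy or role identifiers).
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/team-permissions-boundary"

# Weak delegation: the team may create roles with any permissions at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
         "Resource": "*"}
    ],
}

# Guarded delegation: same self-service, but every role must carry the boundary
# and the boundary itself cannot be removed.
GUARDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::123456789012:role/app-*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Effect": "Deny",
         "Action": "iam:DeleteRolePermissionsBoundary",
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("guarded", GUARDED_POLICY)):
        print(name, lint_delegated_policy(doc, BOUNDARY_ARN) or "OK")
```

The linter only checks the delegation policy; the boundary policy it points at still has to be written so that it excludes the actions a team should never obtain, otherwise the condition is satisfied by a boundary that grants everything. Running it against a wildcard grant such as `"Action": "iam:*"` produces one finding per sensitive action plus one for the boundary-removal action, which is the pattern to catch before such a policy reaches an account.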

Second, being able to manage the virtual machine fleet becomes critical. The highly volatile nature of resources in a cloud environment needs modern tooling built for that reality. Each cloud service provider has services dedicated to giving overviews of the active machines while also enabling drilling down to specifics such as inventory. As new machines emerge continuously, your tooling needs to build a real-time lens onto the vulnerabilities that exist.

Third, running scheduled patches and updates is mandatory for proactively handling vulnerabilities and operating a healthy fleet. All three providers again provide a managed service that allows ...
