What about the cloud? Doesn’t this change everything?
A cloud deployment does add a layer of security concerns; with modern container based and server-less models adding even more. There are a lot of technical details associated with securing a cloud instance and the fact that you are running in a cloud opens up an additional set of risks such as being exploited for bitcoin mining.
That said, the first step in securing a cloud instance is to make sure that the application itself is secured, so almost everything here is also relevant to the cloud. There probably will be a few “program level” tweaks to properly accommodate the cloud. For example:
- Appropriate training
- Possibly new policies such as “exercise the AWS security lens”
- Insure that policies such as an Incident Policy accommodate the cloud
- Ensuring security experts are familiar with cloud deployment
- Selection of cloud-specific tooling