CONTACT US: 703.714.1588 | [email protected] | assursec.com

Securing Your Data in the Cloud

A Cloud Center of Excellence creates a balance between speed and security.



  • Securing Your Data in the Cloud


    About ASSURSEC

    ASSURSEC is a growing Cybersecurity consulting firm specializing in Cloud Security, Cyber Security, and Information Assurance. Over the years, we have organically built expertise in Secure Enterprise Architecture, Mobile Security, Infrastructure support, Digital Forensic and PenTest, Acquisition and Procurement, Policy and Governance, Technical Management, System Integration, Enterprise Solutions (Storage, Data Consolidation, Disaster Recovery), Health IT, Incident Response, Secure Web Solutions, and Application development capabilities.

    Since 2009, ASSURSEC has successfully managed large and significant Federal programs. We have proven experience prioritizing client satisfaction, project quality, and providing innovative, cost-effective solutions to Federal clients.

    ASSURSEC – Cloud Center of Excellence (CCoE)

    Business and technical agility are core objectives of most IT organizations, and a CCoE is a function that creates a balance between speed and stability. ASSURSEC’s CCoE model requires collaboration between each of the following domains as depicted in Figure 1 below.

    Figure 1: Cloud Center of Excellence Model

    Cloud adoption (specifically solution architects)

    • Cloud adoption functions enable the implementation of technical solutions in the cloud. Like any IT project, the people delivering the actual work will determine success.

    Cloud strategy (specifically the program and project managers)

    • A cloud strategy team defines motivations and business outcomes, and validates and maintains alignment between business priorities and cloud adoption efforts. In the absence of a defined cloud strategy team, someone must still provide the functionality that aligns technical activities to business outcomes.

    Cloud governance

    • A cloud governance team ensures that risk and risk tolerance are properly evaluated and managed, and ensures the proper identification of risks that can't be tolerated by the business.

    Cloud platform

    • Cloud platform functions are usually provided by a select group of architects who focus on learning about the cloud platform. These architects then aid others in decision making and the proper application of controls to cloud environments.


    Cloud automation

    • Cloud automation functions unlock the potential of DevOps and a cloud-native approach. The primary duty of cloud automation is to own and advance the solution catalog, which is a collection of prebuilt solutions or automation templates.

    Cloud Security

    • Cloud security is the protection of data stored online via cloud computing platforms from theft, leakage, and deletion. Methods of providing cloud security include firewalls, penetration testing, obfuscation, tokenization, virtual private networks (VPN), and avoiding public internet connections.

    A CCoE model will create a significant cultural shift in IT. The fundamental premise of a CCoE approach is that IT serves as a broker, partner, or representative to the business. This model is a paradigm shift away from the traditional view of IT as an operations unit or abstraction layer between the business and IT assets. As team practices mature, quality indicators will improve, including reliability, performance efficiency, security, maintainability, and customer satisfaction. These gains in efficiency, agility, and quality are especially vital if the company plans on implementing large-scale cloud migration efforts or has a desire to use the cloud to drive innovations associated with market differentiation.

    ASSURSEC – Cloud Security Team Functions

    The following Cloud Security functions are included in our comprehensive approach to cloud security:

    • Policy and Standards
    • Security Operations
    • Security Architecture
    • Security Compliance Management
    • People Security
    • Application Security and DevSecOps
    • Data Security
    • Infrastructure and Endpoint Security
    • Identity and Key Management
    • Threat Intelligence
    • Posture Management
    • Incident Preparation

    ASSURSEC – Infrastructure as Code, Cloud Security Controls, Risk Management Framework

    Infrastructure as Code

    Infrastructure as Code (IaC) is the management of infrastructure (networks, virtual machines, load balancers, and connection topology) in a descriptive model, using the same versioning that a DevOps team uses for source code.


    The ASSURSEC Cloud Architects and Engineering team will provision and deploy cloud infrastructure resources using CloudFormation (AWS), ARM Templates (Azure), or Terraform (Cross Platform).

    Cloud Security Controls

    Cloud security controls are a set of security controls that protect cloud environments against vulnerabilities and reduce the effects of malicious attacks. They include the best practices, procedures, and guidelines that will be implemented to secure cloud environments. Cloud security controls help government organizations evaluate and implement cloud security.

    Risk Management Framework for Cloud Environments

    The NIST SP 800-37 Revision 1 Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. An RMF operates primarily at tier 3 in the risk management hierarchy but it can also have interactions at tier 1 and tier 2. Some example interactions include providing the risk executive with feedback from ongoing monitoring and from authorization decisions.

    In a cloud ecosystem, individual missions, business processes, and their supporting information systems require an integrated, ecosystem-wide risk management framework that addresses all cloud platforms. As with any information system, for a cloud-based information system our team will be responsible for evaluating their acceptable risk, which depends on the threshold set by their risk tolerance to the cloud ecosystem-wide residual risk.

    Summary

    ASSURSEC is a proven leader, providing the knowledge, experience, and resources necessary to successfully research, architect, design, test, implement, audit and manage information security, assurance and risk management solutions for Federal and commercial clients.

    Applying methodical and strategic management from the start allows us to deliver cybersecurity solutions within budget and tight deadlines. Our commitment extends beyond our team to protect and enrich human lives by striving to have an unquenchable desire to learn.

    ASSURSEC is a HUBZone Certified Small Business headquartered in historic downtown Leesburg, Virginia.

    Figure 2: Risk Management Framework (NIST SP 800-37 Rev. 1)