Cloud audit: improving security, compliance and ways of working
Wagering / Gaming
Our customer is Australia’s first licensed, and biggest online, corporate bookmaker.
Our customer has been undergoing cloud migration for several years. Over time the client has tried several different account structures and deployment techniques as they built knowledge on what works best for them. Throughout this discovery period, getting workloads up and working was the main focus.
An internal cloud audit highlighted that governance, compliance, and security had been de-prioritised for speed to market resulting in higher than acceptable risk.
Our customer required help in addressing the audit, particularly regarding procedure design.
Audit response methodology
The approach undertaken by Cevo addresses the following facets:
For this particular audit, the focus areas were procedure, implementation and verification. The customer's existing policy was deemed sufficient.
Cevo's major role involved designing the procedure with the Cloud Engineering team and ensuring that implementation and verification were completed on time.
A key to quick resolution of audit items is having clearly defined responsibilities, especially for decision making. To achieve this, the number of stakeholders involved in addressing the audit was kept to a minimum. In this case, the main stakeholder groups and responsibilities were:
When designing any security procedure, a trade-off between the following factors must be considered:
- Cost of implementation.
- Reduction of security risk.
- Impact on business operations.
A perfectly secure, zero-risk system may be possible (for example, a completely isolated network with no user access), but it may not be very useful for business operations.
The approach taken by Cevo when designing security procedure was to:
- Use cloud native services where possible, to reduce implementation time and ongoing maintenance.
- Iteratively reduce security risk, to reduce implementation risk and business impact.
- Automate where possible, to reduce human error and procedural burden.
The benefits of this iterative, low-risk, automated approach were further reinforced by the recent announcements at AWS re:Invent, where many new cloud native security governance services such as Control Tower and Security Hub were announced.
Using this approach to audit remediation, our client was able to close a significant number of outstanding items with minimal disruption to business as usual. Improved security monitoring and alerting has made it easier for teams to know when a particular resource or configuration has breached security standards. This has led to a general knowledge uplift across the organisation and improved ways of working.
For example, any time a publicly accessible S3 bucket is created, an alert is sent to Cloud Engineering, who immediately follow up with the person that created the bucket (identified through AWS CloudTrail logs). This rapid response has led to a behavioural change, with fewer and fewer public buckets being created over time.
Due to the implementation approach taken, they are now well positioned to further leverage any advancements in product offerings from AWS.
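To illustrate the detection behind that alert, here is an added example (not Cevo's or the customer's own tooling) that triages CloudTrail-style records for calls which expose a bucket publicly and pulls out the identity to follow up with. The record shape is loosely modelled on CloudTrail's JSON; the sample records, account ID, bucket names and user names are all constructed, and the function names are this example's own.

```python
"""Flag CloudTrail-style records that make an S3 bucket publicly accessible.

Added example: the records below are constructed to resemble CloudTrail's
JSON shape; they are not real logs from any account.
"""
import json

PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PUBLIC_GRANTEE_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
BLOCK_PUBLIC_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _acl_is_public(params):
    """True if a canned ACL header or an explicit grant opens the bucket to everyone."""
    canned = params.get("x-amz-acl", [])
    if isinstance(canned, str):
        canned = [canned]
    if any(acl in PUBLIC_CANNED_ACLS for acl in canned):
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def _policy_is_public(policy):
    """True if any unconditional Allow statement names the anonymous principal."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition"):
            return True
    return False


def _actor(record):
    """Identity to follow up with: the caller's ARN, else the role that issued the session."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("arn") or issuer.get("arn") or ident.get("principalId", "unknown")


def find_public_bucket_events(records):
    """Return one alert dict per record that exposes a bucket publicly."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        name = rec.get("eventName")
        reason = None
        if name in ("CreateBucket", "PutBucketAcl") and _acl_is_public(params):
            reason = f"{name} applied a public ACL"
        elif name == "PutBucketPolicy" and _policy_is_public(params.get("bucketPolicy", {})):
            reason = "PutBucketPolicy allows the anonymous principal"
        elif name == "PutPublicAccessBlock":
            cfg = params.get("PublicAccessBlockConfiguration", {})
            if not all(cfg.get(flag, False) for flag in BLOCK_PUBLIC_FLAGS):
                reason = "PutPublicAccessBlock left at least one Block Public Access setting off"
        if reason:
            alerts.append({"bucket": params.get("bucketName"), "actor": _actor(rec),
                           "time": rec.get("eventTime"), "reason": reason})
    return alerts


# Constructed sample records (account ID, names and times are made up).
SAMPLE_RECORDS = [
    {"eventTime": "2019-01-10T02:14:07Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "reports-private", "x-amz-acl": ["private"]}},  # no alert
    {"eventTime": "2019-01-10T03:02:41Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:bob",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/Developer"}}},
     "requestParameters": {"bucketName": "marketing-assets", "x-amz-acl": ["public-read"]}},  # alert
    {"eventTime": "2019-01-10T05:30:12Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {"bucketName": "data-exports", "bucketPolicy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::data-exports/*"}]}}},  # alert
    {"eventTime": "2019-01-10T06:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "reports-private", "key": "q1.csv"}},  # out of scope
]

if __name__ == "__main__":
    print(json.dumps(find_public_bucket_events(SAMPLE_RECORDS), indent=2))
```

Run against the constructed records it raises two alerts (the `public-read` ACL on `marketing-assets` and the anonymous-principal policy on `data-exports`), each carrying the actor ARN that Cloud Engineering would use for the follow-up conversation. In production the same logic would sit behind an EventBridge rule or a Config rule rather than a batch loop, but the checks themselves do not change.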