Adopting Native Cloud Security Controls

• Technology: Cloud service provider (CSP) integrated security controls have matured to the point where many of them meet our stringent security requirements.
• Process: We standardized our cloud security processes so that we can better understand and work with CSPs.
• People: Our team embraces change and has acquired the necessary skillset.

Examples of native cloud security controls that we are using include threat detection as a service, key management service, web application firewall, vulnerability assessment agents, and integrated security consoles. It is important to note that where needed and as part of due diligence, we continue to use some third-party solutions to augment native controls. We evaluate each cloud-based security control to verify that it meets our minimal viable product requirements. This helps us provide Intel with “defense in depth.”

We apply security policies to support different environments’ lifecycle and risk requirements. For instance, a development environment may have different requirements than a production environment. Similar accounts are grouped into an organizational unit (OU), and all accounts are governed by the same policies and controls. For example, we prevent network management for accounts that are connected directly to Intel networks by placing these accounts in a special OU and blocking network management with policies applied at the OU level.

Using native cloud security controls doesn’t occur in a vacuum. We developed a strong working relationship with the CSPs, with a collaborative conversation about features and the user experience. Because Intel IT is similar to many large corporate IT shops, when we ask for a certain feature, the CSPs understand that feature is probably desirable across the IT industry. This collaboration benefits us, as well as the CSP. We become aware of their roadmap for cloud security posture management, and our feedback helps them to fine tune features, fix issues, and decide what’s next for their product. The CSPs also work with the Intel business unit account owners. When a business unit account owner asks for something, the CSP can communicate best practices for security controls to help them avoid security vulnerabilities. The resulting three-way conversation between Intel IT, the CSPs, and the business unit account owners, with mutual responsibility for maintaining security, is a win-win for all involved.

We’ve been adjusting and streamlining our multicloud strategy for several years, and the process is not yet over—there is still much to learn and more changes to make. But the move to native cloud security controls has produced significant business benefits, including faster deployment and business agility; more consistent, cloud-native user and developer experience; and reduced complexity and costs.