Verizon White Paper: CISO’s Guide to Cloud Security

A 5-step process to evaluate and purchase Cloud security products and services

Verizon security recently published a white paper titled “CISO’s Guide to Cloud Security: What to know and what to ask before you buy” that points out five steps to help decision making on purchasing Cloud products and services. For each step, the white paper also provides recommendations to consider. This is a summary of this white paper.

Step 1: Assess your situation

According to Forrester research, 28% of enterprises have already moved to public Cloud, 44% are actively building private clouds. When you assess your situation, consider:

  • Where are you in the process of migrating to Cloud
  • What is your Cloud strategy? Cloud-first or Cloud-only?
  • Is this right time for you to move to Cloud?
  • Are you ready to move to Cloud?

Step 2: Define your requirements

To make sound decisions, defining security requirements and making sure the selected Cloud platform meets these requirements is essential. Following are recommendations from this white paper.

  • Scalability – Will the Cloud solution grow as your needs grow?
  • Extensibility – Does the platform offers APIs and other means to extend it?
  • Automation – Will you be able to automate routine security tasks in the Cloud?
  • Intelligence – Can you get contextual information for analysts and threat hunters?
  • Ease of Use – Is the user interface easy to use?

Step 3: Identify Use Cases

Legacy products may not be effective in Cloud environment. Adding new products for Cloud may not a good idea either. The recommendation is to identify use cases and consider the following:

  • IDS/IPS – Consider products that provide machine learning, full packet capture capability, passive visibility and help in investigations.
  • SIEM and Analytics – Consider capability in terms of your requirements mentioned in step 2 and support of new types of logs including IoT and support for 5G.
  • Incident Response – Responding to Cloud incidents brings new challenges in terms of visibility and ownership.
  • Threat Hunting – Consider speed, visualization, contextual data and packet capture capability.

Step 4: Define Success Metrics

How would you prove success of any Cloud security product or service? Consider building success metrics and dashboard with the following in mind:

  • Reduction in false alarms
  • Improvement in threat detection
  • Reduction in time for detection, deployment and dwell time
  • Increase in visibility and network coverage

Step 5: Evaluate your options

The white papers provides a sample table for evaluating different solutions that you can modify based upon your needs defined in steps 2 to 4 above.

When it comes to making purchase decisions for Cloud security products and services, this white paper provides a systematic approach for planning, evaluation, and decision making. The approach is not limited to a particular product or service and can be applied universally to any Cloud solution.


Verizon White Paper on CISO’s guide for moving to Cloud –

Subscribe to my blog for latest posts

About Rafeeq Rehman

Consultant, Author, Researcher.
This entry was posted in InfoSec and tagged , , . Bookmark the permalink.

Comments are closed.