What does a CloudSecOps team do?

Cybersecurity operations have evolved and matured over the past few years. The core functions of security operations, or SecOps, include endpoint and network incident detection, event data correlation, and response and investigation work.

However, the rapid move to the cloud has brought even more changes to SecOps. In fact, we even have an emerging buzzword: CloudSecOps.

What is the difference between CloudSecOps and traditional SecOps?

Let’s start with the definitions. SecOps is a combination of security and IT operations personnel that monitors and assesses risk and protects company assets.

CloudSecOps is an evolution of SecOps that focuses on building controls, implementing monitoring, and implementing security response activities in cloud environments.

It is important to highlight three key differences between CloudSecOps and SecOps:

  1. CloudSecOps requires full integration with DevOps and cloud engineering. Security teams should work alongside cloud operations teams to ensure controls are built into deployment practices. Governance practices may also require changes. Senior stakeholders need to reorganize to enable more cohesive and continuous integration across teams and disciplines.
  2. Security should focus more on cloud-specific topics and categories, such as identity management and other software-defined infrastructure controls. Many of these are cloud-native and specific to one or more cloud service provider environments, for example, security group network access controls in AWS or network security group (NSG) access controls in Azure.
  3. CloudSecOps must define and configure background checks in cloud environments. Known as guardrails, these are intended to operate continuously and ensure that unacceptable or unexpected actions are detected and stopped. This requires in-depth knowledge and understanding of cloud service environments and how they work, as well as the configuration and management of cloud guardrail services in particular – for example, Amazon GuardDuty, Azure Monitor or Google Cloud Security Command Center.

CloudSecOps Team Responsibilities

CloudSecOps teams are responsible for a range of functions. These responsibilities include the following:

  • Define incident detection and management workflows and playbooks for cloud environments.
  • Adapt on-premises detection and management workflows and playbooks for cloud environments.
  • Implement cloud-native and third-party security controls and safeguards in cloud deployments.
  • Collect logs and event data from the cloud, and implement advanced analytics processing for security telemetry. This will likely extend and transcend traditional SIEM systems to encompass data on a much larger scale, with a focus on cloud-specific attacks and threat models.
  • Perform threat detection practices, such as threat hunting, in cloud environments. Focus on unique indicators of compromise and tactics, techniques, and procedures that align with cloud attack patterns, such as the MITRE ATT&CK matrix for the cloud.
  • Apply vulnerability management tools and operations in cloud environments. While some traditional vulnerability scanners have integrated well with mainstream cloud services, tools better suited to scanning containers, serverless objects, and other cloud-specific objects and workloads may be required. Similarly, assessing security postures for images and cloud workload components may require changes to existing risk management standards and reporting.
  • Revise and automate asset discovery and configuration management tools and practices. These responsibilities can be shared with IT operations and even DevOps and DevSecOps teams. CloudSecOps teams, however, should be involved in creating cloud asset inventories and ensuring that configuration standards are defined and enforced for cloud objects and workloads.
  • Perform configuration and vulnerability management for the cloud fabric itself. Large cloud service environments offer enterprises an array of configuration options, many of which can be easily misconfigured or exposed, leading to new vulnerabilities and an expanded threat surface. Implementing and overseeing tools such as Cloud Security Posture Management (CSPM) will likely fall to CloudSecOps.

In addition to the aforementioned responsibilities, CloudSecOps teams must ensure that security controls are built into all teams they work with. This includes, for example, working with DevOps and cloud engineering teams to embed controls into infrastructure-as-code models. While corporate DevOps teams are responsible for implementing and maintaining their own security tools and controls, CloudSecOps teams should help set standards and provide monitoring and reporting capabilities.
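The configuration-standard enforcement described in the responsibilities list (asset inventory, security group controls, CSPM-style misconfiguration checks) and the infrastructure-as-code guardrails described above both reduce to the same kind of policy check. The following is an added example written for this article, not code from the original article or from any vendor tool; the inventory layout and the list of sensitive ports are assumptions, and a real team would feed the check from its cloud asset inventory or from an IaC plan before deployment.

```python
# Added CloudSecOps configuration check (example, not from the article).
# Standard enforced: administrative and database ports must not accept
# ingress from public address ranges. The inventory shape is an assumption
# loosely modelled on AWS-style security group rules.
import ipaddress
from dataclasses import dataclass

# Constructed standard: ports a CloudSecOps team would typically restrict.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


@dataclass(frozen=True)
class Finding:
    group: str
    port: int
    service: str
    cidr: str
    severity: str


def _exposure(cidr: str):
    """Return 'any' for 0.0.0.0/0 or ::/0, 'public' for other routable ranges,
    and None for private, loopback or link-local ranges (accepted)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.is_private or net.is_loopback or net.is_link_local:
        return None
    return "public"


def evaluate_security_groups(groups: list) -> list:
    """Flag ingress rules exposing a sensitive port to public ranges.
    'any' ranges are rated high, other public ranges medium."""
    findings = []
    for group in groups:
        for rule in group["ingress"]:
            proto = rule.get("protocol", "tcp")
            if proto not in ("tcp", "-1"):
                continue  # sensitive ports above are all TCP
            # protocol -1 means every port in AWS-style rules: model as 0-65535
            low, high = (0, 65535) if proto == "-1" else (rule["from_port"], rule["to_port"])
            for cidr in rule["cidrs"]:
                exposure = _exposure(cidr)
                if exposure is None:
                    continue
                severity = "high" if exposure == "any" else "medium"
                for port, service in SENSITIVE_PORTS.items():
                    if low <= port <= high:
                        findings.append(Finding(group["name"], port, service, cidr, severity))
    return findings


# Constructed inventory: an acceptable web group, a bastion open to the world
# on SSH, and a database group with an all-ports rule from any IPv6 address.
SAMPLE_INVENTORY = [
    {"name": "web-public", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    {"name": "bastion", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0", "10.0.0.0/8"]}]},
    {"name": "db-tier", "ingress": [
        {"protocol": "-1", "cidrs": ["::/0"]}]},
]

if __name__ == "__main__":
    for f in evaluate_security_groups(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.group}: {f.service}/{f.port} open to {f.cidr}")
```

The same function can be pointed at the ingress blocks of a Terraform plan so the standard is enforced in the pipeline as well as against the deployed inventory.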


This was last published in July 2022

About Donnie R. Losey
