Cloud Security Implementation Project
FY24 cloud strategy efforts are a continuation of work started in FY23, where the focus was to identify and prioritize security risks, primarily in infrastructure as a service (IaaS) and platform as a service (PaaS). The FY24 focus is identifying solutions and planning how best to reduce the identified risks. This must be a cross-functional approach, because the identified risks span several areas, including governance, vulnerability management, configuration, and service ownership. These subject matter expert areas will be key to achieving greater security and service delivery.
Key Contacts: Brett Cosma, Rich Nagle
What are the priority issues?
- Vulnerability management – Create a cross-functional work team to recommend and implement a technical solution to identify and remediate software vulnerabilities in AWS and Azure. This work will include making recommendations for funding, RACI, etc.
- Security Misconfigurations – Create a cross-functional work team focused on two objectives:
  - Develop a cohesive strategy to identify and address existing AWS and Azure services configured by end users in a manner that presents unknown risk and deviates from OSU’s security standards.
  - Develop a recommended technical approach for AWS and Azure administrators to manage security settings for all users to prevent future misconfigurations.
What strategic pillars does it support?
- Operational Excellence & Innovation
Why is it important?
This work will increase the university’s ability to comprehensively manage risk in cloud platforms, infrastructures, and services. The work is twofold: first, improve visibility and management of existing cloud environments; second, provide a standard set of security expectations, controls, and structured processes for onboarding future cloud services. Doing so will provide more secure and reliable services to the university.
Who will benefit?
These services are used extensively across the university by faculty, staff, and researchers.
What is the timeline?
The target timeframe is FY24, but depending upon the recommended technical solutions, the work may require additional time.
Who are our partners and sponsors?
The primary partners are DST operational teams and OTDI AWS and Azure service owners. Rich Nagle is the sponsor.
How will success be measured?
- Number of misconfigurations
- Number of IaaS and PaaS instances
- Number of controls rated at 2 ex or 3