Your company decides to deploy the CRM system, which is developed by an in-house integrated product team (IPT) located at a remote branch, to PaaS provisioned by a public cloud services provider. As a security professional, you are reviewing the security plan. Which of the following least contributes to cloud security?
A. Enforce granular access control by implementing XACML.
B. Fulfill Zero Trust authorization by incorporating threat intelligence.
C. Deploy the CRM application to the PaaS from the remote branch by DevOps.
D. Trust the cloud services provider but verify by conducting periodic field audits.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Deploy the CRM application to the PaaS from the remote branch by DevOps.

DevOps features engaging stakeholders and streamline the development and collaboration processes by automation. Continuous integration, testing, delivery, deployment, monitoring, and authorization can be achieved by DevOps.

• However, authorization to operate (ATO) is a typical issue in DevOps in terms of continuous deployment practice.
• Some use the term DevSecOps or Secure DevOps to emphasize the participation of security team, embed security across the SDLC, and implement continuous authoriztion introduced in the NIST RMF.

Continuous Deployment

This question can be vague. Option C should be revised as “Deploy the CRM application continuously to the PaaS from the remote branch by DevOps.” to be complete and specific. Continuous deployment means the CRM release is deployed to the production environment. In this situation, ATO can be a concern, as mentioned above.

Field Audit

Preserving rights to audit in the contract and conducting periodic field audits to cloud service providers (CSPs) helps a lot even though it depends on the vendor relationship, and CSPs may be reluctant or refuse to accept the clause. That is especially challenging for SMEs to negotiate with public-owned CSPs for field audits. However, some small or private-owned CSPs may be more willing to cooperate with their cloud customers.

Granular Access Control

Attribute-based access control (ABAC) controls access through attributes of a subject, object, and the environment. It can provide granular access control. XACML supports ABAC.

Threat Intelligence

The policy engine of Zero Trust employs the Trust Algorithm (TA) to to ultimately grant or deny access to a resource. Threat Intelligence is one of the inputs of the TA.

The TA take various inputs as the following diagram shows:

Source: NIST SP 800-207

Reference

• Zero Trust
• Trust and Application Security, v. 1.0
• When “Trust but Verify” Isn’t Enough: Life in a Zero Trust World
• Zero-Trust Architecture in a Nutshell
• In a World of Multi-tenant Platforms, Trust, but Verify
• Trust, but verify: A modified Zero Trust standard applied to your personnel
• Cloud provider assurance: Trust but verify
• DevOps
• What is DevSecOps?
• What is DevSecOps? Why it’s hard to do well
• Understanding the Differences Between Agile & DevSecOps – from a Business Perspective
• DEVOPS SECURITY CHALLENGES AND HOW TO DEAL WITH THEM
• DevOps Security Challenges and How to Overcome Them
• 3 THINGS TO WATCH OUT FOR WHILE INTEGRATING SECURITY INTO DEVOPS
• DevOps Security Challenges
• What Is High-Performance Computing?

您的公司決定將由位於遠程分支機構的內部集成產品團隊（IPT）開發的CRM系統部署到由公共雲服務提供商提供的PaaS。 作為安全專家，您正在審查安全計劃。 以下哪項對雲安全性的貢獻最小？
A. 通過實施XACML實施細化(粒度)訪問控制。
B. 納入威脅情資來實現零信任授權。
C. 透過DevOps將CRM應用程序從遠程分支部署到PaaS。
D. 信任雲服務提供商，但通過進行定期的現場審核進行驗證。