Wednesday, November 11, 2020

Separation of Duties for DevOps

Continuous integration, delivery, deployment and verification (CI/CD/CV) each need to be segmented within an org's processes.

While this can be harder with on-premises tooling (Jenkins, Bamboo), most cloud PaaS offerings make it easier, especially AWS with its Code* portfolio (CodePipeline / CodeBuild / CodeDeploy).
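As an added illustration (not from the post, and not AWS's own reference configuration) of what that segmentation looks like on the Code* services, here are two Terraform IAM policies that keep the role that can trigger builds from also approving or executing deployments, and vice versa; the region, account id and pipeline name are placeholders.

```hcl
# Added example: two IAM policies enforcing separation of duties across
# CodeBuild / CodePipeline / CodeDeploy. The pipeline ARN is a placeholder.
locals {
  pipeline_arn = "arn:aws:codepipeline:us-east-1:123456789012:app-pipeline"
}

# Developers may start builds and watch pipeline state, but may not change the
# pipeline definition, approve a manual gate, or create deployments.
resource "aws_iam_policy" "developer" {
  name = "cicd-developer"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["codebuild:StartBuild", "codebuild:BatchGetBuilds", "codepipeline:GetPipelineState"]
        Resource = "*"
      },
      {
        # An explicit Deny wins over any Allow granted elsewhere (e.g. a broad managed policy).
        Effect   = "Deny"
        Action   = ["codepipeline:UpdatePipeline", "codepipeline:PutApprovalResult", "codedeploy:CreateDeployment"]
        Resource = "*"
      },
    ]
  })
}

# Release approvers may approve the manual gate and inspect state for this
# pipeline only, but may not edit pipelines or build projects, nor start builds.
resource "aws_iam_policy" "release_approver" {
  name = "cicd-release-approver"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["codepipeline:PutApprovalResult", "codepipeline:GetPipelineState"]
        # PutApprovalResult is scoped to the action ARN (pipeline/stage/action), hence the wildcard.
        Resource = [local.pipeline_arn, "${local.pipeline_arn}/*"]
      },
      {
        Effect   = "Deny"
        Action   = ["codepipeline:UpdatePipeline", "codepipeline:CreatePipeline", "codebuild:StartBuild", "codebuild:UpdateProject"]
        Resource = "*"
      },
    ]
  })
}
```

Attach each policy to a distinct role or group; the point is that no single principal holds both the build-side and the approve/deploy-side allows.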


Thursday, November 5, 2020

Cloud-Native Threat Modeling & Alignment with Design Patterns

https://techbeacon.com/enterprise-it/7-container-design-patterns-you-need-know

When performing a threat model for cloud-native environments I advocate for a comparison to the design patterns articulated above, especially how security-centric services are deployed.  To execute on segregation of duties one must abide by said best practices.

Wednesday, November 4, 2020

Add D(ata) to 4C's of Cloud Native Security for Completeness

https://kubernetes.io/docs/concepts/security/overview/

The 4C's described above do not explicitly include securing the data.  Orgs need to secure their data (crypto, masking) before it goes to the cloud, onsite, or otherwise...

Tuesday, October 27, 2020

Cyber Snake Oil

While some Cyber solutions certainly deliver as promised, there is a multitude of solutions that seem to be wanting.

Namely, cloud security posture management (CSPM) and secure access service edge (SASE) solutions.

Akin to first-generation web application firewalls (WAFs), CSPM and SASE solutions seem to promise a lot while delivering questionable value.  Like WAFs, I believe organizations will see these as a tool in the Cyber toolbox that can COMPLEMENT solid hygiene versus SUPPLEMENT said governance.

Thursday, October 15, 2020

Control Frameworks - Use a Hybrid

Many orgs use a control framework (NIST 800-53, HITRUST CSF, COBIT, SIG, ISF SoGP, ISO 27002, CSA CCM) that doesn't completely express that org's security/privacy/risk mgmt posture.

It behooves those orgs to use a hybrid mapped back to those frameworks.

Thursday, September 24, 2020

Risk Management for Vendor Ecosystem

Many orgs focus too long on assessing the risk before deciding to onboard a vendor.

Multiple control frameworks (COBIT, ISF, ISO, NIST, HITRUST) include hundreds of questions that are often redundant.

Furthermore, these assessments couple the vendor's governance with the actual solution.  Hence, orgs spend weeks evaluating each vendor.

The solution here is a laser-focused framework that includes a base for the vendor, along with specific questions for the solution.  I would also advocate for a vulnerability scan of the solution by the specific org doing the assessment.

Thursday, September 10, 2020

Vendor (Security) Reviews are not Solution Security Reviews

A vendor's (security/privacy) holistic governance is not the same as the security/privacy posture of the solution a larger organization is looking to procure.

The reality is that many startups/SMBs have solutions that are (considerably) different, from a cyber perspective, than their general posture.  Many (startup/SMB solutions) are based/hosted with cloud service providers (CSPs) and, therefore, require a separate level of review.

Third-party risk management (TPRM) processes and teams are prevalent in corporate organizations; however, experience shows a generic coupling of the solution with the vendor that seems inadequate.

So, it is advocated that larger organizations focus on high-level governance for the vendor-at-large, coupled with low-level verification of the solution at hand.

How is this accomplished?  Well, focus on control frameworks (NIST, ISO, SIG, HITRUST, ISF, COBIT) for the vendor, coupled with specific deep-dives on the solution at large.  Deep-dives should include recent vulnerability scans/penetration tests/risk assessments of the specific solution from an objective third-party, with a control mapping of said solution back to organizational governance, as well as benchmarks against CSP well-architected frameworks (that are prevalent these days).