The fifth pillar to actionable cloud security - Incident Response (IR)

This post is the seventh in a series of eight on the five pillars to actionable cloud security.  For the rest of the series, visit the Five Pillars blog page here.

For a number of organizations, Incident Response (IR) is the first symptom of a non-actionable cloud security framework.  Often, incidents aren’t even identified until well after they have occurred, and damage has been done.  In those cases, response quickly escalates to remediation, and there are numerous cautionary tales of companies being irreparably harmed by large and undetected breaches and incidents.

Within an actionable IR Framework, the notion of IR is more basic.  Incidents are typically security failures or non-compliances that can be easily identified and rectified, with the intention of responding to the “incident” before there has been damage.  Solutions that prevent incidents still may have the requirement to identify intentional malicious incidents, even if they were ultimately prevented for occurring. 

IR can take many forms, from simple identification and rectification, or prevention, to changes in policies and strategies that avoid future similar incidents.  Organizations that leverage actionable cloud frameworks as a basis to enforce security and workflow best practices can utilize IR as a way to identify where best practices aren’t being followed and why.  In that way, IR becomes part of a continuous feedback loop to help keep an actionable cloud framework secure. 

Within the Azure infrastructure, the products and services identified here need to be considered as part of an organization’s IR pillar:

To develop an actionable IR pillar, customers must:

• Unify IR strategy across the board – both cloud and on-premises


• Detect and remediate on a continuous basis


• Leverage all available preventative tools which can prevent incidents