WAF++

Security – Definition

What is Security in the WAF++ context?

Cloud Security in WAF++ refers to the state in which an organization has implemented verifiable, technically enforceable protective measures for its cloud infrastructure:

Cloud Security = Protection across all dimensions:
  ├── Identity & Access Management (who is allowed to do what?)
  ├── Encryption (data at rest & in transit)
  ├── Network Security (segmentation, egress control)
  ├── Secrets Management (no hardcoded credentials)
  ├── Vulnerability Management (patches, container scanning)
  ├── Security Monitoring (detection of attacks)
  └── Incident Response (response to incidents)

Security is not the same as:

  • A completed compliance questionnaire without technical implementation

  • A one-time penetration test without subsequent remediation

  • A firewall as the only protective measure (perimeter model)

  • The assumption that the cloud provider handles security completely (Shared Responsibility!)

Security vs. Compliance

A common confusion: Compliance is not Security, and Security is not Compliance.

|              | Security                                            | Compliance                                   |
|--------------|-----------------------------------------------------|----------------------------------------------|
| Goal         | Protection against actual threats                   | Fulfillment of regulatory requirements       |
| Measure      | Effectiveness of protective measures                | Conformity with norms and laws               |
| Approach     | Risk-based, adaptive                                | Rule-based, documented                       |
| Measurement  | MTTD, MTTR, vulnerability density, patch compliance | Audit results, certificates, evidence        |
| Relationship | Security can produce compliance as a by-product     | Compliance without security does not protect |

WAF++ follows a Security-First approach: controls are selected primarily by protective effectiveness, not by audit compatibility. Regulatory mappings (ISO 27001, BSI C5, GDPR) are secondary attributes of the controls.

An organization that fully implements all WAF-SEC controls automatically satisfies large parts of the requirements of ISO 27001:2022, BSI C5:2020 and GDPR Art. 32.

The WAF++ Security Spectrum

Security is not a binary state. It exists on a spectrum from reactive to proactive:

| Level            | Label                              | Characteristics |
|------------------|------------------------------------|-----------------|
| 1 – Reactive     | Ad-hoc Security                    | Security is only improved after incidents. No systematic controls. No monitoring. Manual processes. No separation of permissions. Passwords in plaintext. |
| 2 – Basic Protection | Documented & Defined           | Security policies exist and are documented. Basic encryption active. MFA for admins. But: little automated checking, no continuous monitoring. |
| 3 – Enforced     | Enforced & Monitored               | Security controls technically enforced (IaC validation, CI gates). Monitoring active. CMK for sensitive data. Least privilege enforced. Vulnerability scans automated. |
| 4 – Measured     | Measured & Automated               | Security metrics continuously captured. Automated threat detection. SIEM in use. Policy-as-Code in CI/CD. Incident response playbooks tested. |
| 5 – Proactive    | Optimized & Continuously Improved  | Threat modeling for new features. Auto-remediation on findings. Red team exercises. Zero trust fully implemented. Continuous compliance evidence pipeline. |

The Six Security Core Domains

1. Identity & Access Management (IAM)

IAM is the foundation of all cloud security. Anyone who gains access without authentication or with excessive permissions can undermine all other controls.

WAF++ addresses IAM with two dedicated controls:

  • WAF-SEC-010 – Baseline: MFA, no root usage, IAM password policy

  • WAF-SEC-020 – Least Privilege: no wildcard policies, RBAC, JIT access
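The least-privilege rules of WAF-SEC-020 can be checked mechanically against an IAM policy document before it is deployed. The following Python script is an added example written for this page; it is not a WAF++ tool and does not reproduce one. The policy documents at the bottom are constructed, the account id 123456789012 is a placeholder, and the list of "escalating" actions is a small, illustrative selection rather than a complete one.

```python
"""Least-privilege linting of IAM policy documents (WAF-SEC-020).

Added example, not part of WAF++ or of any WAF++ tool. The policy documents
at the bottom are constructed; the account id 123456789012 is a placeholder.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Actions that let a principal widen its own permissions (illustrative subset).
# An Allow covering any of them should be gated on MFA via the documented
# aws:MultiFactorAuthPresent condition key.
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion", "sts:AssumeRole",
)


def _as_list(value: Any) -> List[Any]:
    """Action/Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and accepts '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one human-readable finding per least-privilege violation."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow what is permitted
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        condition = stmt.get("Condition") or {}

        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction permits everything not listed")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        else:
            wide = sorted(a for a in actions if a.endswith(":*"))
            if wide:
                findings.append(f"{sid}: service-wide wildcard actions {wide}")
        if "*" in resources and not condition:
            findings.append(f"{sid}: Resource '*' without any Condition")

        mfa = str(condition.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower()
        escalating = sorted(t for t in ESCALATION_ACTIONS
                            if any(_covers(a, t) for a in actions))
        if escalating and mfa != "true":
            findings.append(f"{sid}: {escalating} allowed without an MFA condition")
    return findings


# Constructed sample policies.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAppBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-bucket",
                  "arn:aws:s3:::example-app-bucket/*"]}]}

DEPLOY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassDeployRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-deploy"}]}

MFA_GATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {**DEPLOY_ROLE_POLICY["Statement"][0],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY),
                      ("deploy", DEPLOY_ROLE_POLICY), ("mfa-gated", MFA_GATED_POLICY)]:
        print(name, check_policy(pol) or "OK")
```

The check is deliberately conservative: a `Resource: "*"` is only accepted when some Condition narrows it, and any action pattern that covers a permission-changing action must carry an MFA condition. A real gate would extend `ESCALATION_ACTIONS` and also evaluate `NotResource` and resource-based policies.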

2. Encryption

Encryption protects data even when access controls fail. WAF++ distinguishes:

  • Encryption at Rest (WAF-SEC-030): CMK for sensitive data, KMS rotation, no unencrypted volumes or databases

  • Encryption in Transit (WAF-SEC-040): TLS 1.2+, no outdated protocols, certificate management

3. Network Security

Network segmentation limits lateral movement of attackers. WAF++ requires:

  • Private-by-default VPC design

  • Granular security groups (no 0.0.0.0/0)

  • NACLs as a second layer of defense

  • VPC endpoints instead of public internet routes for cloud services

WAF-SEC-050 operationalizes these requirements.

4. Secrets Management

Hardcoded credentials in IaC, container images or CI/CD pipelines are one of the most common sources of compromise. WAF-SEC-060 requires:

  • No secrets in Terraform code, ENV variables or Git repositories

  • Secret rotation (automatic where possible)

  • Use of AWS Secrets Manager, Parameter Store or Vault

5. Vulnerability Management

Unpatched software is an invitation to attackers. WAF-SEC-070 defines:

  • Container image scanning (ECR, Trivy, Grype)

  • Patch SLAs by CVSS score

  • SBOM generation for auditable traceability
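"Patch SLAs by CVSS score" only become enforceable once each scanner finding is mapped to a due date and the result is tracked as a metric (the "patch compliance" figure from the Security vs. Compliance table). The Python below is an added example for this page, not WAF++ tooling: the SLA bands, the scanner findings and the reference date are constructed, WAF++ does not prescribe these numbers, and the CVE ids are placeholders rather than real identifiers.

```python
"""Patch SLAs by CVSS score and a patch-compliance metric (WAF-SEC-070).

Added example, not WAF++ tooling. The SLA bands, the scanner findings and the
reference date are constructed; the CVE ids are placeholders, not real ones.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed SLA table: (lower CVSS bound inclusive, severity, days to remediate).
SLA_BANDS: List[Tuple[float, str, int]] = [
    (9.0, "critical", 7),
    (7.0, "high", 30),
    (4.0, "medium", 90),
    (0.0, "low", 180),
]


def severity_for(cvss: float) -> Tuple[str, int]:
    """Map a CVSS base score to (severity, SLA days); bands are checked high to low."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for lower, name, days in SLA_BANDS:
        if cvss >= lower:
            return name, days
    raise AssertionError("unreachable: lowest band starts at 0.0")


@dataclass
class Finding:
    image: str                        # container image the scanner reported on
    cve_id: str                       # placeholder id, e.g. CVE-0000-0001
    cvss: float
    first_seen: date                  # first scan that reported the finding
    fixed_on: Optional[date] = None   # None while the finding is still open


def sla_status(f: Finding, today: date) -> Dict[str, object]:
    """Due date and SLA verdict for one finding as of `today`."""
    severity, days = severity_for(f.cvss)
    due = f.first_seen + timedelta(days=days)
    # An open finding is judged as of today; a closed one as of its fix date.
    closed = f.fixed_on or today
    return {
        "cve": f.cve_id,
        "image": f.image,
        "severity": severity,
        "due": due,
        "met": closed <= due,
        "overdue_days": max(0, (closed - due).days),
    }


def overdue(findings: List[Finding], today: date) -> List[str]:
    """Ids (placeholders here) of findings whose SLA has been missed."""
    return [s["cve"] for s in (sla_status(f, today) for f in findings) if not s["met"]]


def patch_compliance(findings: List[Finding], today: date) -> float:
    """Share of findings closed, or still open, within their SLA (1.0 if none)."""
    if not findings:
        return 1.0
    met = sum(1 for f in findings if sla_status(f, today)["met"])
    return met / len(findings)


# Constructed scanner output for a single reporting date.
TODAY = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("example/api:1.4.2", "CVE-0000-0001", 9.8, date(2024, 6, 1), date(2024, 6, 5)),
    Finding("example/api:1.4.2", "CVE-0000-0002", 7.5, date(2024, 5, 1)),
    Finding("example/worker:2.0", "CVE-0000-0003", 5.3, date(2024, 5, 15)),
    Finding("example/worker:2.0", "CVE-0000-0004", 9.1, date(2024, 6, 10), date(2024, 6, 20)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(sla_status(f, TODAY))
    print("overdue:", overdue(SAMPLE_FINDINGS, TODAY))
    print(f"patch compliance: {patch_compliance(SAMPLE_FINDINGS, TODAY):.0%}")
```

Two design points matter for the metric. A finding that is still open but within its SLA counts as compliant, so the figure does not punish teams for vulnerabilities disclosed yesterday; and a finding fixed late stays non-compliant in the history, so fixing it does not retroactively improve past reporting periods.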

6. Monitoring, Policy-as-Code & Incident Response

Security monitoring detects attacks that have overcome all other controls. Three controls cover this domain:

  • WAF-SEC-080 – Threat Detection: GuardDuty, CloudTrail, SIEM

  • WAF-SEC-090 – Policy-as-Code: OPA, wafpass in CI/CD

  • WAF-SEC-100 – Incident Response: playbooks, runbooks, exercises
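Policy-as-Code (WAF-SEC-090) is what turns the encryption, network and secrets requirements above into a CI gate rather than a document. The Python script below is an added example for this page and is not WAF++'s own wafpass tooling; it evaluates the JSON that `terraform show -json` produces for a plan and raises findings for WAF-SEC-030 (unencrypted storage, or encryption without a CMK), WAF-SEC-040 (plaintext load-balancer listener), WAF-SEC-050 (security group ingress from 0.0.0.0/0 or ::/0) and WAF-SEC-060 (literal secret-looking Lambda environment variables). The plan document embedded at the bottom is constructed by hand and only contains the fields these checks read; the resource addresses and values in it are placeholders.

```python
"""Policy-as-Code checks over a Terraform plan JSON (WAF-SEC-090), covering
WAF-SEC-030/040/050/060 as a CI gate.

Added example, not WAF++'s wafpass. CONSTRUCTED_PLAN is hand-written with the
fields these checks read; a real plan from `terraform show -json` has many more.
"""
import json
import re
import sys
from typing import Any, Callable, Dict, Iterator, List, Tuple

Finding = Tuple[str, str, str, str]  # (control, level, resource address, message)

SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.IGNORECASE)
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def _resources(plan: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Walk planned_values, including nested child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        mod = stack.pop()
        yield from mod.get("resources", [])
        stack.extend(mod.get("child_modules", []))


def _open_cidrs(rule: Dict[str, Any]) -> List[str]:
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return sorted(cidrs & ANY_ADDRESS)


def check_security_groups(res: Dict[str, Any]) -> List[Finding]:
    out: List[Finding] = []
    if res["type"] == "aws_security_group":
        for rule in res["values"].get("ingress") or []:
            if (open_to := _open_cidrs(rule)):
                out.append(("WAF-SEC-050", "fail", res["address"],
                            f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to {open_to}"))
    elif res["type"] == "aws_security_group_rule" and res["values"].get("type") == "ingress":
        if _open_cidrs(res["values"]):
            out.append(("WAF-SEC-050", "fail", res["address"], "ingress rule open to the internet"))
    return out


def check_encryption_at_rest(res: Dict[str, Any]) -> List[Finding]:
    v = res["values"]
    if res["type"] == "aws_ebs_volume":
        enc, key = v.get("encrypted"), v.get("kms_key_id")
    elif res["type"] == "aws_db_instance":
        enc, key = v.get("storage_encrypted"), v.get("kms_key_id")
    else:
        return []
    if not enc:
        return [("WAF-SEC-030", "fail", res["address"], "storage is not encrypted")]
    if not key:
        # Encrypted with the AWS-managed default key rather than a CMK. A key ARN
        # computed at apply time is absent from planned_values, so confirm against
        # resource_changes[].change.after_unknown before treating this as final.
        return [("WAF-SEC-030", "warn", res["address"], "encrypted with AWS-managed key, not a CMK")]
    return []


def check_encryption_in_transit(res: Dict[str, Any]) -> List[Finding]:
    if res["type"] == "aws_lb_listener" and str(res["values"].get("protocol", "")).upper() == "HTTP":
        return [("WAF-SEC-040", "fail", res["address"],
                 f"plaintext HTTP listener on port {res['values'].get('port')}")]
    return []


def check_hardcoded_secrets(res: Dict[str, Any]) -> List[Finding]:
    out: List[Finding] = []
    if res["type"] == "aws_lambda_function":
        for env in res["values"].get("environment") or []:
            for key, value in (env.get("variables") or {}).items():
                # A value read from Secrets Manager or SSM at apply time is unknown in
                # the plan and therefore absent here; a literal string is hardcoded.
                if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                    out.append(("WAF-SEC-060", "fail", res["address"],
                                f"literal value for environment variable {key}"))
    return out


CHECKS: List[Callable[[Dict[str, Any]], List[Finding]]] = [
    check_security_groups, check_encryption_at_rest,
    check_encryption_in_transit, check_hardcoded_secrets,
]


def evaluate_plan(plan: Dict[str, Any]) -> List[Finding]:
    return [f for res in _resources(plan) for check in CHECKS for f in check(res)]


def gate_passes(findings: List[Finding]) -> bool:
    """The CI gate fails on any 'fail' finding; 'warn' findings are reported only."""
    return not any(level == "fail" for _, level, _, _ in findings)


# Constructed plan fragment (placeholder addresses and values).
CONSTRUCTED_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume", "values": {"encrypted": True, "kms_key_id": None}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance", "values": {"storage_encrypted": False, "kms_key_id": None}},
    {"address": "aws_lb_listener.http", "type": "aws_lb_listener", "values": {"protocol": "HTTP", "port": 80}},
    {"address": "aws_lambda_function.api", "type": "aws_lambda_function", "values": {"environment": [
        {"variables": {"DB_PASSWORD": "example-literal-password", "LOG_LEVEL": "info"}}]}},
]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CONSTRUCTED_PLAN
    results = evaluate_plan(plan)
    for control, level, address, message in results:
        print(f"{level.upper():5} {control} {address}: {message}")
    sys.exit(0 if gate_passes(results) else 1)
```

Run it as `terraform show -json tfplan > plan.json && python3 gate.py plan.json` in the pipeline; the non-zero exit code is what makes the check a gate. The 0.0.0.0/0 rule is applied without exceptions here, matching the page's requirement; a team that must expose 443 on a public load balancer would add an explicit, reviewed allowlist rather than weaken the rule.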

Relationship to Other WAF++ Pillars

Security ───────────────── delivers: IAM, Encryption, Network Controls, Monitoring
Sovereign ──────────────── extends: Jurisdiction, key ownership, exit capability
Governance ─────────────── frames: Policy decisions, audit processes, responsibilities
Operations ─────────────── integrates: Monitoring stack, incident management, change processes
Reliability ────────────── links: Backup security, recovery validation
Cost ───────────────────── uses: Security guardrails for budget protection (no unauthorized deployment)

Security delivers the technical protective measures. Sovereign extends Security with jurisdictional requirements. Governance steers Security through policies and processes.

Target Picture

A security-mature platform (Level 4-5) is characterized by:

  • All privileged accesses are minimal, time-limited, MFA-protected and fully logged

  • All sensitive data is encrypted with CMK, keys rotate automatically

  • No hardcoded secrets in code, IaC or CI/CD

  • Security groups allow only explicitly permitted traffic

  • Container images are checked for CVEs before deployment

  • Security findings automatically trigger alerts and remediation workflows

  • Incident response playbooks are tested and regularly exercised

The target picture depends on maturity level. Not every organization needs Level 5 immediately. Start with the most critical: IAM Baseline (WAF-SEC-010) and Least Privilege (WAF-SEC-020).