Cloud Security, Security Program Controls/Technologies

How to Establish Baseline Cloud Security Controls

Author: John Turner, director of cloud security, Optiv
Author: John Turner, senior director, cloud security, Optiv

It’s no secret – organizations are moving to the cloud faster than their security teams can secure those cloud assets. The daunting task of catching up to the security needs of the cloud can overwhelm and frustrate security professionals and business transformation leaders.

While a thorough cloud security strategy is an essential part of cloud adoption, this process can take more than a year to implement. During this period, cloud adoption will continue to happen without any validated security program.

While many cloud architects and developers will follow established “best practices,” there is little to no validation or verification that can be applied to the security work done.

Baseline Cloud Security Controls

What’s needed is a set of baseline cloud security controls and capabilities that can be applied to any cloud environment to establish a minimum level of security competency. More than a simple control matrix, the cloud critical controls lay out provider-specific capabilities that can be implemented without slowing down the dev-ops process.

Optiv has established a comprehensive cross platform set of cloud critical controls based on a combination of the Cloud Security Alliance’s Cloud Control Matrix (CCM), Center for Internet Security (CIS) consensus-based benchmark and our own experience. Implementing critical security controls for the 10 cloud domains listed below will give your organization insight into the following questions:

  • Architecture 
    • Is your architecture designed for cloud consumption?
    • Do you fully understand the “shared responsibility model?”
  • Identity and Access Management 
    • Are you giving too much access privilege to users?
    • How are you maintaining user access?
  • Data 
    • Is your data protected at all times?
    • What is your level of visibility into whom and how different types of data are being shared?
  • Visibility 
    • How are you monitoring the usage of cloud applications and the transfer of data for malicious activity?
  • Threat Protection 
    • Do you have processes in place to address the full lifecycle from identification, analysis, treatment, risk management and resolution?
  • Application Security 
    • Do you follow software development lifecycle (SDLC) and stage gate process during development?
    • What security architecture principles defines your development of applications?
  • Governance, Risk and Compliance 
    • Have you built baseline security requirements for your cloud implementation?
    • How do you deal with deviation from it?
  • Incident Response 
    • How do you respond to incident-level alerts from verification to event closure as a holistic enterprise incident management function?
  • Business Resilience (Business Continuity and Disaster Recovery) 
    • Do you have a consistent unified framework for addressing business resiliency, including disaster recovery, continuity and reliability as it relates to cloud workloads (and security)?
  • Legal and Privacy 
    • How do you address legal and privacy considerations such as the EU General Data Protection Regulation (GDPR), data sovereignty, and other local and regional applicable regulations in the cloud?

Many of these controls can be verified through the cloud providers’ API delivering continuous validation. Others will help establish baseline policies and awareness that can be applied with minimal effort.

These critical controls covering cloud service providers such as AWS, Azure and Office 365 are maintained on a regular basis and updated to reflect new security feature releases from the cloud providers.

While not a complete cloud security program, implementing security controls in each of these cloud domains is a strong start to a comprehensive cloud security program.

John Turner is senior director, cloud security at Optiv. Read more Optiv blogs here.