Security Principles
Module 6
Cloud Security
▪ Cloud security encompasses the technologies, applications, controls, and
policies that protect people, data, and infrastructure from cyber-attacks and
compliance risks on cloud computing platforms.
▪ It involves a comprehensive set of security measures designed to address
both external and internal security threats to organizations, including
controlling security, compliance, and other usage risks of cloud computing
and data storage.
Cloud Security Importance
Cloud Security – How it Works?
▪ It utilizes a combination of technical and procedural measures to protect
▪ A secure cloud environment ensures user and device authentication, access
control over data and resources, and data privacy protection.
▪ protect users from cloud-based threats by
▪ Revealing what cloud computing platforms and services their users
access.
▪ Monitoring cloud computing activity to detect attacks and user actions
that unintentionally put the organization at risk.
▪ Preventing cyber-attackers and other unauthorized users from accessing
sensitive data and resources.
▪ Protecting users’ cloud-based accounts from takeover.
▪ Leveraging advanced threat intelligence and machine learning to predict and
prevent emerging threats.
▪ Controlling third-party applications and services to prevent unauthorized
access and data breaches.
▪ Encrypting data at rest and in transit, making it unreadable to unauthorized
users.
▪ Enforcing security and compliance policies.
Shared Responsibility Model
CIA TRIAD
Security Threats – Data Breaches
Security Threats
Security Threats – API Threat
Security Threats, Risks and Challenges
▪ Misconfiguration: As one of the most common cloud security
vulnerabilities, misconfiguration occurs when cloud resources are not
properly configured, thereby leaving critical gaps in cloud security systems
and allowing malicious attackers to steal passwords, location data, and
other sensitive information.
▪ Unauthorized access: With excessively permissive cloud access,
unrestricted ports, and secret data management failures (e.g., poorly
protected passwords, encryption keys, API keys, and admin credentials),
malicious attackers can breach cloud-based resources.
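A minimal audit for the two items above (misconfiguration and unauthorized access), added here as an example and not part of the original slides. The inventory schema, resource names, the `secretref://` marker and the severity labels are all assumptions made up for illustration; a real audit would read the same attributes from the provider's own APIs.

```python
import ipaddress
import re

# Constructed inventory in a made-up, provider-neutral schema (assumption).
INVENTORY = [
    {"id": "bucket-logs", "type": "bucket", "public": False, "encrypted": True},
    {"id": "bucket-exports", "type": "bucket", "public": True, "encrypted": False},
    {"id": "fw-web", "type": "firewall", "rules": [
        {"cidr": "0.0.0.0/0", "port": 443},
        {"cidr": "0.0.0.0/0", "port": 22},
        {"cidr": "10.0.0.0/8", "port": 5432},
    ]},
    {"id": "role-ci", "type": "role", "statements": [
        {"actions": ["storage:read"], "resources": ["bucket-logs"]},
        {"actions": ["*"], "resources": ["*"]},
    ]},
    {"id": "vm-api", "type": "vm", "env": {
        "LOG_LEVEL": "info",
        "DB_PASSWORD": "constructed-example-value",
        "API_KEY": "secretref://vault/api-key",
    }},
]

PUBLIC_OK_PORTS = {80, 443}          # ports allowed to face the internet
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
SECRET_REF_PREFIX = "secretref://"   # hypothetical marker for a vault reference


def is_world_open(cidr):
    """True when the rule admits every source address (IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(inventory):
    """Return (resource id, finding code, severity) for each weak setting."""
    findings = []
    for res in inventory:
        rid, kind = res["id"], res["type"]
        if kind == "bucket":
            # A missing attribute is treated as the unsafe value (fail closed).
            if res.get("public", True):
                findings.append((rid, "PUBLIC_BUCKET", "high"))
            if not res.get("encrypted", False):
                findings.append((rid, "UNENCRYPTED_AT_REST", "medium"))
        elif kind == "firewall":
            # Unrestricted ports: open to the world and not a public service.
            for rule in res.get("rules", []):
                if is_world_open(rule["cidr"]) and rule["port"] not in PUBLIC_OK_PORTS:
                    findings.append((rid, f"OPEN_PORT_{rule['port']}", "high"))
        elif kind == "role":
            # Excessively permissive access: any action on any resource.
            for st in res.get("statements", []):
                if "*" in st.get("actions", []) and "*" in st.get("resources", []):
                    findings.append((rid, "WILDCARD_PERMISSIONS", "high"))
        elif kind == "vm":
            # Secret management failure: a secret stored as a literal value.
            for name, value in res.get("env", {}).items():
                if SECRET_NAME.search(name) and not value.startswith(SECRET_REF_PREFIX):
                    findings.append((rid, f"PLAINTEXT_SECRET_{name}", "high"))
    return findings


if __name__ == "__main__":
    for rid, code, severity in audit(INVENTORY):
        print(f"{severity:6} {rid:15} {code}")
```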
▪ Data breaches: This common cloud security risk occurs when sensitive
information is extracted from an organization without its permission or
awareness. Misconfigurations and the lack of runtime protection can leave
data vulnerable to theft, resulting in financial loss, reputational damage,
and legal liabilities.
▪ Insecure interfaces: Failure to properly secure interfaces and APIs provides
a doorway for threat actors to gain access to cloud accounts and steal
sensitive data and information, such as financial information, passwords,
health records, and more.
▪ Account hijacking: Cyber-attackers utilize password-cracking techniques to
guess or steal login credentials and breach access to cloud resources, often
leading to financial losses, compromised information, and reputational
damage.
▪ Unmanaged attack surface: When organizations migrate to the cloud
without understanding how to secure their data, sensitive information and
resources are left vulnerable to exploitation by attackers, resulting in many
issues.
▪ Human error: From using weak passwords to falling victim to phishing
scams, human error is a common issue that puts cloud security systems at
risk. Statistics show that 88% of cloud-based data breaches are attributed
to human error.
▪ Inadequate change control: When change management and control
protocols are inadequate or neglected, unnoticed misconfigurations can
occur, resulting in unauthorized access, data breaches, and data leaks.
▪ Denial of service attacks: As cloud infrastructure relies on constant online
connectivity, it is susceptible to DDoS attacks which attempt to overload
servers and resources with traffic. Protection against these threats requires
strategies like traffic filtering, mitigation services, and redundancies.
▪ Infrastructure vulnerabilities: Despite best efforts, newly discovered
software or hardware vulnerabilities may still affect cloud platforms.
Providers need responsive processes to patch flaws, and customers need
diligence in applying updates. Continuous monitoring assists with rapidly
identifying and fixing issues.
Cloud Risk Management
▪ Risk management plans in cloud computing are implemented by
organizations to mitigate cloud-based risks, improve system security, and
expedite business growth.
▪ Risk management is the process of identifying, assessing, and controlling
threats to an organization's system security, capital and resources.
▪ Effective risk management means attempting to control future outcomes
proactively rather than reactively.
▪ Risk management is a cyclically executed process comprised of a set of
activities for overseeing and controlling risks. These steps are referred to as
the Risk Management Process and are as follows:
▪ Identify the risk
▪ Analyze the risk
▪ Evaluate the risk
▪ Treat the risk
▪ Monitor or Review the risk
▪ Identify the risk - The inception of the risk management process starts
with the identification of the risks that may negatively influence an
organisation's strategy or compromise cloud system security.
▪ Operational, performance, security, and privacy requirements are identified.
▪ The organisation should uncover, recognise and describe risks that might
affect the working environment.
▪ Some risks in cloud computing include cloud vendor risks, operational
risks, legal risks, and attacker risks.
▪ Analyze the risk - After the identification of the risk, the scope of the risk is
analyzed.
▪ The likelihood and the consequences of the risks are determined.
▪ In cloud computing, the likelihood is determined as the function of the
threats to the system, the vulnerabilities, and consequences of these
vulnerabilities being exploited.
▪ In the analysis phase, the organization develops an understanding of the nature
of the risk and its potential to affect organization goals and objectives.
▪ Evaluate the risk - The risks are further ranked based on the severity of the
impact they create on information security and the probability of actualizing.
▪ The organisation then decides whether the risk is acceptable, or it is serious
enough to call for treatment.
▪ Treat the risk - In this step, the highest-ranked risks are treated to
eliminate them or modify them to achieve an acceptable level.
▪ Risk mitigation strategies and preventive plans are set out to minimize the
probability of negative risks and enhance opportunities.
▪ The security controls are implemented in the cloud system and are assessed
by proper assessment procedures to determine if security controls are
effective to produce the desired outcome.
▪ Monitor or Review the risk - Monitor the security controls in the cloud
infrastructure on a regular basis, including assessing control effectiveness
and documenting changes to the system and the working environment.
▪ Part of the mitigation plan includes following up on risks to continuously
monitor and track new and existing risks.
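The five steps above run as one cycle over a small risk register, added here as an example and not part of the original slides. The 1 to 5 likelihood and impact scales, the score as likelihood times impact, the acceptance threshold of 8, the risk entries and the control effects are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed scales (not from the slides): likelihood and impact are 1..5,
# score = likelihood * impact, and scores above the threshold need treatment.
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    # Each control: (description, likelihood reduction, impact reduction)
    controls: list = field(default_factory=list)

    def inherent(self):
        """Score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self):
        """Score after applied controls; neither factor drops below 1."""
        lik = self.likelihood - sum(c[1] for c in self.controls)
        imp = self.impact - sum(c[2] for c in self.controls)
        return max(1, lik) * max(1, imp)


def identify():
    """Step 1: constructed register using the four risk categories named above."""
    return [
        Risk("Attacker: stolen admin credentials", 4, 5),
        Risk("Cloud vendor: provider outage", 3, 4),
        Risk("Legal: personal data held in wrong region", 2, 4),
        Risk("Operational: unreviewed configuration change", 4, 3),
    ]


def evaluate(register):
    """Steps 2-3: score each risk, rank by severity, decide accept or treat."""
    ranked = sorted(register, key=lambda r: (-r.residual(), r.name))
    return [(r.name, r.residual(),
             "treat" if r.residual() > ACCEPTANCE_THRESHOLD else "accept")
            for r in ranked]


def treat(register, name, control):
    """Step 4: attach a control to the named risk."""
    for r in register:
        if r.name == name:
            r.controls.append(control)
            return r
    raise KeyError(name)


def review(register):
    """Step 5: re-score and list risks whose residual score is still too high."""
    return [name for name, _, decision in evaluate(register) if decision == "treat"]


def run_cycle():
    register = identify()
    first_pass = evaluate(register)
    treat(register, "Attacker: stolen admin credentials", ("MFA on admin accounts", 2, 0))
    treat(register, "Cloud vendor: provider outage", ("Redundant servers", 1, 1))
    treat(register, "Operational: unreviewed configuration change", ("Change approval", 2, 0))
    outstanding = review(register)
    # MFA alone leaves 2 * 5 = 10, above the threshold, so the cycle repeats.
    treat(register, outstanding[0], ("Least-privilege admin roles", 0, 1))
    return first_pass, outstanding, review(register)


if __name__ == "__main__":
    first, still_open, final = run_cycle()
    for name, score, decision in first:
        print(f"{score:3} {decision:7} {name}")
    print("after first treatment:", still_open)
    print("after second treatment:", final)
```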
Primary Risks in Cloud
▪ Data Breach - A data breach is unauthorized access to the
confidential data of the organisation by a third party such as hackers. In
cloud computing, the data of the organisation is stored off premises,
that is, at the endpoint of the cloud service provider (CSP). Thus, any attack
targeting data stored on the CSP's servers may affect all its customers.
▪ Cloud Vendor Security Risk - Inefficiency of cloud vendors in
providing data security and risk mitigation directly affects the organisation's
business plan and growth. Also, migrating from one vendor to another is
difficult due to different interfaces and services provided by these cloud
vendors.
▪ Availability - Any internet connection loss disrupts the cloud provider's
services, making the services inoperative. It can happen at both the user's
and the cloud service provider's end. An effective risk management plan
should focus on availability of services by creating redundancy in servers on
cloud such that other servers can provide those services if one fails.
▪ Compliance - The service provider might not follow the external audit
process, exposing the end user to security risks. If a data breach at the
cloud service provider's end exposes personal data, the organisation may be
held accountable due to improper protection and agreements.
Primary Risks in Cloud – Internal Security Risks
▪ Misconfiguration of settings - Misconfiguration of cloud security settings,
either by the organisation's workforce or by the cloud service provider,
creates the risk of a data breach. Most small businesses' cloud security and
risk management are inadequate for protecting their cloud infrastructure.
▪ Malicious Insiders - A malicious insider is a person working in the
organisation who therefore already has authorized access to the confidential
data and resources of the organization. With cloud deployments,
organisations lack control over the underlying infrastructure, making it very
hard to detect malicious insiders.
Primary Risks in Cloud – External Security Risks
▪ Unauthorized Access - The cloud-based deployment of the organisation's
infrastructure is outside the network perimeter and directly accessible from
the public internet. Therefore, it is easier for the attacker to get
unauthorized access to the server with the compromised credentials.
▪ Accounts Hijacking - The use of a weak or repetitive password allows
attackers to gain control over multiple accounts using a single stolen
password. Moreover, organizations using cloud infrastructure often cannot
identify and respond to such threats.
▪ Insecure APIs - The Application Programming Interfaces (APIs) provided by
the cloud service provider to the user are well-documented for ease of use. A
potential attacker might use this documentation to attack the data and
resources of the organisation.
Benefits of Risk Management
▪ Forecast Probable Issues - The risk management process in cloud computing
identifies all the possible risks or threats associated with the cloud service provider,
the cloud vendor, the organisation, and the users. It helps an organisation to
mitigate risks by implementing appropriate control strategies and to create a better
business plan.
▪ Increases the scope of growth - Risk management in cloud computing forces
organisations to study the risk factors in detail. Thus, the workforce is aware of all
the possible catastrophic events; and the organisation creates a framework that
can be deployed to avoid risks that are detrimental to both the organisation and
the environment. Hence, risk management enables organisations to take
calculated risks and accelerate their growth.
▪ Business Process Improvement - Risk Management requires organisations
to collect information about their processes and operations. As a result,
organisations can find inefficient processes or the scope for improvement in
a process.
▪ Better Budgeting - Organisations implementing risk management strategies
often have clear insights into the finances. Thus, they can create more
efficient budgets to implement risk management plans and achieve the
organisational goals.
Computer Security Incident Response Team
▪ A computer security incident response team, or CSIRT, is a group of IT
professionals that provides an organization with services and support
surrounding the assessment, management and prevention of cybersecurity-
related emergencies, as well as coordination of incident response efforts.
▪ The main goal of a CSIRT is to respond to computer security incidents
quickly and efficiently, thus regaining control and minimizing damage.
▪ Four phases of incident response:
▪ Preparation
▪ Detection and analysis
▪ Containment, eradication and recovery
▪ Post-incident activity
▪ CSIRTs may take on many responsibilities, including the following:
▪ Create and update incident response plans;
▪ Maintain and communicate information to internal and external entities;
▪ Identify, assess and analyze incidents;
▪ Coordinate and communicate response efforts;
▪ Remediate incidents;
▪ Report on incidents;
▪ Manage audits;
▪ Review security policies; and
▪ Recommend changes to prevent future incidents.
Computer Security Incident Response Team - Attributes
▪ Mission statement
▪ The CSIRT mission is a statement of purpose or its reason for existing. A
CSIRT's mission defines its areas of responsibility and serves to set
expectations with its constituency.
▪ An example CSIRT mission statement may be: "It is the mission of XYZ
CSIRT to protect XYZ Corp. by creating and maintaining the capability of
detecting, responding and resolving computer and information security
incidents."
▪ Constituency
▪ A CSIRT constituency must be clearly defined. This is the customer base or
recipients of incident response services. The constituency is assumed to be
unique to a given CSIRT and is often its parent organization.
▪ List of services
▪ Receive an incident report from a constituent. To receive an incident report
from a CSIRT constituency, the constituency first needs to know the CSIRT
exists. Constituents also need to understand what the CSIRT does and how its
services are accessed, as well as the service and quality levels they can expect.
Thus, the CSIRT needs to have defined its mission and services, announced
itself to its constituency and published guidance on how incident services are
requested. This includes publishing an incident response policy, processes,
procedures, forms and resources necessary to inform and enable constituencies
to file incident reports.
▪ Analyze an incident report to validate and understand the incident. Once
an incident report has been received, the CSIRT analyzes the report to validate
that an incident or other type of activity that falls under the CSIRT mission has
indeed occurred. The CSIRT then determines if it understands the report and
the incident well enough to create an initial response strategy that fulfills the
goals of regaining control and minimizing damage. Part of being able to analyze
an incident report and respond efficiently is having staff that can perform a
variety of tasks. Members of the CSIRT should have written plans, policies and
procedures that document their specific roles and responsibilities.
▪ Provide incident response support. Depending on how the CSIRT is
organized and the services offered, a CSIRT may provide incident
response support via the following:
▪ on-site incident response services delivered directly to the constituent;
▪ incident response services delivered over email or the phone; or
▪ coordinated incident response services that combine and allocate the
efforts of multiple incident response teams across multiple
constituents.
Computer Security Incident Response Team - Roles
▪ CSIRT team lead. This executive role, typically occupied by the chief
information security officer (CISO), communicates incidents with C-suite
executives and coordinates the CSIRT budget.
▪ Incident manager. This role coordinates CSIRT meetings, ensures
accountability from CSIRT members across the organization and determines
whether incident findings should be escalated to executives.
▪ Supporting CSIRT staff. These technical roles, such as the security
analyst, incident handler, shift lead or forensics investigator, are responsible
for incident detection, response and reporting activities.
▪ Cross-functional CSIRT roles. To carry out its mission, a CSIRT often
incorporates legal, human resources (HR) and public relations (PR)
professionals into the team. For example, a member of the legal team
advises on potential lawsuits from shareholders or employees, as well as the
incident disclosure process. An HR role in the CSIRT manages personnel
issues and communicates incidents to employees. PR staff handle press
releases; employee, partner, customer and stakeholder communications;
and media inquiries regarding security incidents.
Computer Security Incident Response Team - Structure
▪ Centralized CSIRT. In a centralized CSIRT, a single incident response team serves
the entire organization, and all incident response resources are contained within
the dedicated unit. This model is well suited for small organizations or
organizations with limited geographic scope.
▪ Distributed CSIRT. In a distributed CSIRT, several independent incident response
teams exist. The distribution of CSIRT resources may depend on the wide geographic
scope of the organization or the location of its major facilities. Other attributes,
such as whether a company is organized by a business unit structure or simply by
the distribution of employees and information assets, may also influence the
CSIRT's distribution. Additionally, most distributed CSIRT models require a
coordinating CSIRT.
▪ Coordinating CSIRT. This CSIRT manages other, often subordinate,
CSIRTs. This CSIRT coordinates incident response activities, information
flow and workflow among distributed teams. A coordinating CSIRT may not
provide any independent incident response services itself. Instead, it focuses
on the efficient and effective use of resources in the distributed teams. For
example, CERT/CC, the Software Engineering Institute's (SEI) computer
emergency response team, is a coordinating CSIRT that orchestrates
activities among national, governmental and regional CSIRTs.
▪ Hybrid CSIRT. A hybrid CSIRT combines attributes of centralized and distributed
CSIRTs. The central CSIRT component is often full time, and the distributed
component is composed of subject matter experts (SMEs) who may not be attached
to incident response activities except as needed during security events. In this
model, when the central CSIRT detects a potential event, it analyzes the incident
and determines the response needs. Then, the appropriate distributed CSIRT
experts can be called up to assist in these activities. Though a hybrid CSIRT relies
on SMEs who are not full-time CSIRT members, it is definitively a formal incident
response team. The hybrid CSIRT's distributed units of experts are designated as
incident response professionals with defined roles and responsibilities and receive
formal incident response training. They may also be required to obtain and
maintain incident handler certifications.
Cloud Security Principles
▪ Principle 1: Data in transit protection
▪ The data should be adequately protected against tampering and
eavesdropping as it transits networks inside and external to the cloud. This
should be achieved using a combination of encryption, service
authentication and network-level protections.
▪ Principle 2: Asset protection and resilience
▪ Data, and the assets storing or processing it, should be protected against
physical tampering, loss, damage or seizure. Protections should include
cover for the legislation that your data is subject to, as well as mitigations
such as encryption, data centre security, secure erasure and service
resilience.
▪ Principle 3: Separation between customers
▪ A malicious or compromised customer of the service should not be able to
access or affect the service or data of another. The service will need to implement
effective security boundaries in the way it runs code, stores data, and
manages the network.
▪ Principle 4: Governance framework
▪ The service provider should have a security governance framework which
co-ordinates and directs its management of the service and information
within it. This will give you confidence that other controls will continue to be
effective through the lifetime of the service.
▪ Principle 5: Operational security
▪ The service needs to be operated and managed securely to impede, detect or
prevent attacks. It will achieve this through a combination of effective
vulnerability management, protective monitoring, configuration & change
management, and incident management.
▪ Principle 6: Personnel security
▪ Where service provider personnel have access to your data and systems, you
need a high degree of confidence in their trustworthiness and the technical
measures in place that audit and constrain the actions of those personnel.
▪ Principle 7: Secure development
▪ Cloud services should be designed, developed and deployed in a way that
minimizes and mitigates threats to their security. This will include a robust
software development lifecycle that uses an automated and audited
integration and deployment pipeline.
▪ Principle 8: Supply chain security
▪ The service provider should ensure that its supply chain meets the same
security standards that the organization sets for itself. This includes where a
third party has access to customer data or the service, and where the
provider has dependencies on a third party such as when procuring
hardware and software.
▪ Principle 9: Secure user management
▪ The provider should make the tools available for you to securely manage
your use of their service, preventing unauthorized access and alteration of
your resources, applications and data. This will usually include an access
model that allows you to implement role-based access controls across the
service and the data held in it.
▪ Principle 10: Identity and authentication
▪ All access to service interfaces should be constrained to a securely
authenticated and authorized identity, which may belong to either a human
user or a machine.
▪ Principle 11: External interface protection
▪ All external or less-trusted interfaces of the service should be identified and
defended appropriately. This includes external APIs, web consoles and
command line interfaces.
▪ Principle 12: Secure service administration
▪ The design, implementation, and management of the cloud service provider’s
administration systems should follow enterprise good practice, recognizing
their high value to attackers.
▪ Principle 13: Audit information and alerting for customers
▪ You should be able to identify security incidents and should have the
information necessary to find out how and when they occurred. The service
will need to provide you with audit information, and issue security alerts
when attempted attacks are detected.
▪ Principle 14: Secure use of the service
▪ Your cloud provider should make it easy for you to meet your data protection
responsibilities. Services should be secure by design and by default.
Wherever this is not the case, the provider should help you meet your
security responsibilities.
Cloud Security Standards
▪ Cloud security standards are a set of guidelines and best practices designed
to ensure the security of data and workloads in cloud computing
environments.
▪ These guidelines encompass a range of considerations, from the physical
security of data centers to the protocols for data transmission and storage.
▪ They are rules that companies need to follow to ensure that their cloud
operations are protected against potential threats.
Cloud Security Standards - Need
▪ Data is now being stored on servers owned and operated by third-party providers.
This means that businesses must rely on these providers to maintain the security
of their data.
▪ With the shift towards third-party computing services, the volume of data being
generated and stored has increased exponentially, and so has the complexity of
workloads operated by organizations.
▪ Cloud security standards outline best practices for cloud security, created by
industry experts based on the collective experience of many organizations, and
provide guidelines for the implementation of these practices.
▪ They provide a structured framework that allows organizations to ensure
cloud resources are secured against relevant business risks and cyber
threats.
Cloud Security Standards - Types
▪ Standards and Frameworks:
▪ NIST Cybersecurity Framework
▪ ISO 27001
▪ PCI-DSS
▪ HIPAA
▪ GDPR
▪ Cloud Security Alliance (CSA) Cloud Controls Matrix
▪ SOC 2
▪ HIPAA (Health Insurance Portability and Accountability Act) - HIPAA is a US federal law that regulates the handling of
Protected Health Information (PHI). It aims to ensure confidentiality, integrity, and availability of PHI.
▪ Key Requirements:
▪ Security Rule: Implement administrative, technical, and physical safeguards.
▪ Privacy Rule: Protect PHI from unauthorized disclosure.
▪ Breach Notification Rule: Notify individuals and HHS of breaches.
▪ HIPAA Compliance:
▪ Conduct risk assessments.
▪ Implement access controls.
▪ Encrypt PHI.
▪ Train personnel.
▪ Establish incident response plans.
▪ GDPR (General Data Protection Regulation) - GDPR is an EU regulation that protects personal data of EU
citizens. It aims to ensure transparency, security, and accountability.
▪ Key Requirements:
▪ Data Protection Principles: Process data lawfully, fairly, and transparently.
▪ Data Subject Rights: Ensure rights to access, rectify, and erase data.
▪ Data Breach Notification: Notify authorities and individuals of breaches.
▪ Data Protection by Design and Default: Implement data protection measures.
▪ GDPR Compliance:
▪ Conduct data protection impact assessments.
▪ Appoint a Data Protection Officer (DPO).
▪ Implement data protection policies.
▪ Ensure data subject consent.
▪ Establish incident response plans.
▪ Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) - CCM is a framework that provides a set of security and compliance controls for cloud computing. It helps
cloud providers demonstrate security and compliance.
▪ Key Components:
▪ 197 Control Objectives: Cover security, compliance, and operational aspects.
▪ 17 Domains: Organize controls into categories (e.g., security governance, data security).
▪ Implementation Guidelines: Provide guidance for control implementation.
▪ CCM Benefits:
▪ Standardized security and compliance framework.
▪ Simplifies auditing and compliance.
▪ Enhances cloud provider transparency.
▪ Helps customers assess cloud provider security.
▪ CCM Compliance:
▪ Conduct self-assessments.
▪ Implement controls.
▪ Provide documentation.
▪ Undergo third-party audits (e.g., SOC 2).
▪ Maintain continuous monitoring.
▪ Relationship between HIPAA, GDPR, and CCM:
▪ HIPAA and GDPR require cloud providers to implement robust security
controls.
▪ CCM provides a framework for implementing those controls.
▪ Cloud providers can use CCM to demonstrate HIPAA and GDPR
compliance.
▪ Cloud Providers' Compliance:
▪ AWS: HIPAA, GDPR, CCM compliant.
▪ Azure: HIPAA, GDPR, CCM compliant.
▪ Google Cloud: HIPAA, GDPR, CCM compliant.
▪ Other cloud providers: Check individual compliance status.
Cloud Security Policy
▪ A cloud security policy is a comprehensive set of guidelines and practices
that organizations adopt to mitigate risks associated with cloud computing.
▪ These policies are designed to help businesses safeguard their sensitive
data, applications, and infrastructure in the cloud while adhering to
compliance requirements and industry standards.
▪ The primary focus of a cloud security policy is to establish a robust defense
mechanism against cyber threats, ensuring the confidentiality, integrity, and
availability of information assets.
▪ A cloud security policy serves as a blueprint for addressing the challenges
by providing a framework for managing risks, setting controls, and defining
responsibilities within the organization. It is an essential component of an
organization’s overall cybersecurity strategy.
Cloud Security Policy – Why Needed
▪ A well-crafted security policy can mitigate risks associated with data
breaches and cyberattacks, ensuring business continuity.
▪ Data Protection
▪ One of the primary reasons a cloud security policy is essential is to
protect an organization’s data and applications. As more organizations
migrate their workloads to the cloud, it becomes critical to ensure that
data is stored securely, and applications are protected from unauthorized
access. A well-defined policy helps organizations identify potential risks
and implement appropriate security measures to safeguard sensitive
information.
▪ Regulatory Compliance
▪ Organizations must comply with various industry regulations and standards, such as
GDPR, HIPAA, and PCI DSS, which mandate strict security controls for protecting sensitive
data. A cloud security policy enables organizations to demonstrate their commitment to
meeting these requirements by outlining the necessary controls and monitoring
mechanisms. Failure to comply with these regulations can lead to significant fines,
reputational damage, and loss of customer trust.
▪ To ensure compliance with these and other regulatory requirements, it’s important to
incorporate compliance measures into your cloud security policy. This can include
conducting regular risk assessments, implementing technical and administrative
safeguards, and conducting regular audits to ensure compliance.
▪ Enhancing Security Posture and Creating a Security Culture
▪ A comprehensive cloud security policy helps organizations strengthen their
overall security posture by providing a systematic approach to managing
risks associated with cloud computing. The policy defines roles and
responsibilities for different stakeholders within the organization, ensuring
that everyone is aware of their obligations and the consequences of non-
compliance. This level of transparency helps foster a security-conscious
culture, where employees are vigilant about potential threats and take
appropriate actions to mitigate them.
Cloud Security Policy – Key Components
▪ Governance and Compliance
▪ An effective cloud security policy must outline the governance structure and compliance
requirements related to cloud security. This includes defining the roles and responsibilities
of key stakeholders, such as the CISO, IT security team, and cloud service providers. The
policy should also detail compliance with industry regulations and standards, as well as the
organization’s internal policies.
▪ Risk Assessment and Management
▪ An effective cloud security policy starts with a thorough risk assessment, which identifies
potential threats, vulnerabilities, and the likelihood of their occurrence. This process helps
organizations determine the appropriate level of security controls required to mitigate these
risks. Regular risk assessments ensure that the policy rem
▪ Security Architecture
▪ The policy should describe the security architecture of the organization’s cloud
environment, including network segmentation, firewalls, and intrusion detection/prevention
systems. It should also outline the use of encryption, secure APIs, and other security
controls to protect data and applications from unauthorized access.
▪ Access Control and Identity Management
▪ Controlling access to cloud resources is a critical component of any cloud security policy.
Organizations must define and implement stringent access control measures to limit
unauthorized access to sensitive data and applications. This includes the use of multi-
factor authentication (MFA), role-based access control (RBAC), and privileged access
management to secure user accounts and prevent unauthorized access.
Cloud Security Policy – Key Components
▪ Data Encryption and Protection
▪ Data encryption is a key element of a cloud security policy, ensuring that sensitive
information remains confidential and secure, both at rest and in transit. Organizations
must establish encryption standards, such as AES-256 or TLS, and use secure key
management practices to protect encryption keys from unauthorized access.
▪ Incident Response and Management
▪ A cloud security policy should outline procedures for handling security incidents, such as
data breaches or unauthorized access. This includes defining roles and responsibilities for
incident response teams, establishing communication protocols, and conducting regular
drills to test the effectiveness of the response plan. A well-defined incident response plan
can help organizations minimize the impact of security incidents and swiftly recover from
them.
Cloud Security Policy – Key Components
▪ Third-Party Risk Management
▪ Organizations must evaluate the security posture of their cloud service providers
and other third-party vendors. A cloud security policy should establish guidelines
for assessing and managing third-party risks, including periodic security audits,
contractual obligations, and incident response coordination.
▪ Monitoring and Auditing
▪ Continuous monitoring and auditing of cloud environments are crucial to
maintaining a strong security posture. The policy should define the types and
frequency of security audits, as well as the tools and processes used to monitor
cloud resources for potential threats and vulnerabilities.
Cloud Security Policy – Key Components
▪ Employee Training and Awareness
▪ Employees play a critical role in maintaining the security of an
organization’s cloud environment. A cloud security policy should emphasize
the importance of regular security training and awareness programs,
equipping employees with the knowledge and skills needed to identify
potential risks and report suspicious activities.
Cloud Security Policy – Zero Trust Security
▪ Zero trust is an evolving set of cybersecurity paradigms that move defenses
from static, network-based perimeters to a focus on users, assets, and
resources.
▪ It assumes there is no implicit trust granted to assets or user accounts based
solely on their physical or network location (local area networks versus the
internet) or on whether an asset is enterprise or personally owned.
Cloud Security Policy – Zero Trust Security
▪ The expectation is that threat actors are already operating in the network, so IT should
presume breaches.
▪ A zero trust environment denies access by default; all technical and human resources are
queried to provide authorization/authentication at the transaction level.
▪ The level of asset protection is based on value. Resources may be accessed only after
authentication and with the required authorization. Further, continuous verification of
permissions should take place, and unneeded access should be revoked.
▪ The network is segmented, and there is no asset or space that does not need security.
▪ Advanced analysis, often using AI, is used to spot anomalous behavior and act immediately
to lock out intruders.
Cloud Security Policy – Zero Trust Security
▪ A zero-trust architecture follows six tenets as laid out by NIST.
▪ All data sources and computing services are considered resources that require security
considerations. Nothing is to be left unsecured.
▪ All communication must be secure regardless of network location; network location does
not imply trust.
▪ Access to individual enterprise resources is granted on a per-connection basis; trust in the
requester is evaluated before the access is granted.
▪ Access to resources is determined by policy, including the observable state of user identity
and the requesting system. Evaluation may include other behavioral attributes.
▪ The organization ensures all owned and associated systems are in the most secure state
possible and will monitor systems to ensure that they remain that way.
▪ User authentication is dynamic and strictly enforced before access is allowed; this is a
constant cycle of access, scanning and assessing threats, adapting, and authenticating.
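The deny-by-default, per-request evaluation described in the zero trust slides above can be sketched as a small policy decision function. This is an added example, not part of the original slides; the resource names, roles, tiers and time limits are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy table: resource -> (sensitivity tier, roles entitled to it).
RESOURCES = {
    "wiki":       ("low",  {"employee", "finance", "admin"}),
    "payroll-db": ("high", {"finance"}),
}
# Maximum age of the last authentication per tier: higher value, fresher proof.
MAX_AUTH_AGE_S = {"low": 8 * 3600, "high": 15 * 60}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_passed: bool
    auth_age_s: int          # seconds since the user last authenticated
    device_compliant: bool   # observable state of the requesting system
    source_network: str      # recorded for audit only, never used to grant trust
    resource: str


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request; every path that is not an explicit allow is a deny."""
    entry = RESOURCES.get(req.resource)
    if entry is None:
        return False, "unknown resource"            # deny by default
    tier, entitled = entry
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    if not (req.roles & entitled):
        return False, "no entitled role"
    if req.auth_age_s > MAX_AUTH_AGE_S[tier]:
        return False, "re-authentication required"  # continuous verification
    if tier == "high" and not req.device_compliant:
        return False, "device not compliant"
    return True, "allow"


def demo():
    """Run the same user through five constructed requests and return each decision."""
    base = dict(user="alice", roles=frozenset({"finance"}), mfa_passed=True,
                auth_age_s=300, device_compliant=True, resource="payroll-db")
    return [
        decide(Request(source_network="corp-lan", **base)),
        decide(Request(source_network="internet", **base)),
        decide(Request(source_network="corp-lan", **{**base, "device_compliant": False})),
        decide(Request(source_network="corp-lan", **{**base, "auth_age_s": 3600})),
        decide(Request(source_network="corp-lan", **{**base, "resource": "hr-share"})),
    ]
```

Calling demo() shows that the first two requests receive the same decision whether they come from the corporate LAN or the internet, while a non-compliant device, a stale authentication, or a resource missing from the policy table is refused.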
Service Level Agreements - Example
Service Level Agreements
▪ A formalized contract between a cloud service provider (CSP) and a cloud
service customer (CSC).
▪ This agreement delineates the expected quality and performance of cloud
services, framed within a taxonomy of cloud computing-specific terms.
▪ SLAs are instrumental in establishing measurable properties that define the
business and technical quality of the services rendered.
Service Level Agreements
▪ An SLA serves as both a rule book and a legal contract, underscoring its dual role
in governance and legal compliance.
▪ It specifies the minimum service levels, availability, security measures, control
mechanisms, processes, communications, support protocols, and other critical
business elements.
▪ The primary objective of an SLA is to document explicit parameters, set minimum
service levels, and outline remedies for any failures to meet the specified
requirements.
▪ Additionally, an SLA affirms data ownership and outlines the procedures for data
return and destruction.
Service Level Agreements - Components
▪ Cloud System Infrastructure Details and Security Standards:
▪ This section details the underlying infrastructure provided by the CSP,
including hardware, software, and network components. Security standards
are also specified to ensure robust protection against cyber threats.
▪ Customer Right to Audit Legal and Regulatory Compliance:
▪ Customers are granted the right to audit the CSP's adherence to legal and
regulatory standards. This ensures transparency and compliance with
relevant laws and regulations.
Service Level Agreements - Components
▪ Rights and Costs Associated with Continuing and Discontinuing Service
Use:
▪ This section outlines the financial implications and rights of the customer in
continuing or discontinuing the service. It includes terms related to service
fees, penalties, and other costs.
▪ Service Availability:
▪ Service availability specifies the uptime percentage guaranteed by the CSP.
This is a critical metric, often expressed as a percentage (e.g., 99.9%
uptime), indicating the reliability of the service.
Service Level Agreements - Components
▪ Service Performance:
▪ Performance metrics detail the expected response times, transaction speeds,
and overall efficiency of the cloud services. These benchmarks are crucial for
maintaining optimal operational performance.
▪ Data Security and Privacy:
▪ Data security and privacy clauses outline the measures taken to protect
customer data. This includes encryption standards, access controls, and
privacy policies to safeguard sensitive information.
Service Level Agreements - Components
▪ Disaster Recovery Processes:
▪ Disaster recovery plans are essential to ensure business continuity in the
event of a catastrophic failure. This section describes the processes and
timelines for data recovery and service restoration.
▪ Data Location:
▪ Data location specifies the geographical regions where customer data will be
stored and processed. This is significant for compliance with data
sovereignty laws and regulations.
Service Level Agreements - Components
▪ Data Access:
▪ Data access provisions define the rights and methods by which customers
can access their data. This includes APIs, interfaces, and other tools
provided by the CSP.
▪ Data Portability:
▪ Data portability ensures that customers can transfer their data to another
provider or system without significant hindrance. This is crucial for
maintaining flexibility and avoiding vendor lock-in.
Service Level Agreements - Components
▪ Problem Identification and Resolution Expectations:
▪ This section outlines the procedures for identifying, reporting, and resolving
service issues. It includes response times, escalation processes, and
resolution timelines.
▪ Change Management Processes:
▪ Change management processes govern how changes to the service will be
communicated and implemented. This ensures that customers are informed
and can prepare for any modifications.
Service Level Agreements - Components
▪ Dispute Mediation Processes:
▪ Dispute mediation processes provide a framework for resolving conflicts
between the CSP and the CSC. This includes mediation steps, arbitration
clauses, and legal recourse.
▪ Exit Strategy:
▪ An exit strategy outlines the procedures for terminating the service
agreement. It includes data migration, service termination processes, and
any associated costs.