Using Cloud Security Frameworks for Cloud Governance

Eric Kedrosky, Corporate Information Security Officer, Sonrai Security

From original Post at Sonrai Security

Navigating the world of the cloud can be overwhelming – on a good day. The nature of the cloud supports promising growth, but with that comes the concern of managing risks across all that data and information. To ease this overwhelming responsibility, cloud security frameworks have emerged to help both providers and the customer utilize the cloud securely. Many vendors today, including AWS, Azure and GCP, recommend using a defined framework to meet cloud security compliance standards. In this blog we’ll explore what a cloud security framework is, why it’s important and how these frameworks benefit your cloud governance program.

What Is a Cloud Security Framework? 

Cloud Security Frameworks are broad or specialized guidelines that encourage security measures for cloud use. This includes outlining the policies, tools, configurations and rules needed for secure cloud use. They can be industry specific – for example, healthcare – or offer validation and certification in different security programs. Overall, these frameworks provide a set of controls with specific guidance for secure cloud use.

Why Are Cloud Security Frameworks Important? 

Cloud Security Frameworks are picking up traction quickly today and rightfully so. Not only do they offer customers a strategy for securing their cloud use, but they also help Cloud Service Platforms (CSP) communicate best practices to their customers. Any cloud practitioner knows that securing cloud environments is a challenge. The scale of the cloud allows for exponential growth, meaning the complexity of environments only grows. Other challenges include the reality of rapid and sometimes unplanned cloud migration. 

Fortunately, focusing your security strategy around cloud security frameworks can help to remedy these challenges and offers a number of benefits. Having a defined list of security controls helps businesses know where to invest their time and offers guidance on picking a vendor. Furthermore, taking the time to implement these processes goes a long way in gaining consumer trust and offering your business a competitive edge. A notable benefit of using security frameworks on the customer side is the baseline for evaluation they provide. If you’re a customer choosing a provider, you have a benchmark of criteria to evaluate providers against, making your life just that much easier.

Overall, these controls and regulations offer both customers and providers guardrails for navigating technology safely, and ultimately result in less financial loss and fewer data breaches, and affirm integrity.

What Are the Main Components of Cloud Security Frameworks? 

At this point you know what a cloud security framework is and how it can be useful to your organization. Let’s dig a bit deeper into the actual components comprising your average framework. These factors can be broken down into several categories:

Cloud Governance Controls

Governance controls include preset controls aimed at protecting sensitive data from public exposure. Broad areas addressed through governance include asset management, cloud strategy and architecture, and financial controls.

Misconfigurations & Identity

Because of the scale of the cloud, it is extremely hard to keep up with changes in your environment. As a result, misconfigurations arise frequently. A common misconfiguration relates to excessive privileges assigned to an identity. Given that hundreds if not thousands of identities live in cloud environments today, this type of misconfiguration, spread across your cloud, is a very serious and oftentimes unknown risk. Some best practices include monitoring root accounts, using MFA, using role-based access, following least privilege, and much more.

Continuous Monitoring

Continuous monitoring aims to assist with the complex nature of the cloud by monitoring and logging all activity to capture the who, what, when, where, and how of events in your environment. A few best practices include enabling logging on all resources, defining metrics and alarms, and vulnerability management.


Compliance Reporting

Finally, reporting is essential as it provides current and historical proof of compliance. Keeping up with this will prove useful when it’s time to audit.

Common Cloud Governance Security Frameworks

Now that we have reviewed what cloud security frameworks are, let’s review some of the most common compliance efforts out there.

NIST: The NIST Cybersecurity Framework is a template from the National Institute of Standards and Technology. It consists of five action areas, listed below. This template guides the tools you deploy and the policies you establish to guide user behavior in your cloud. Below we define each pillar of NIST compliance and what it covers:

  • Identify: this pillar helps develop an understanding of the cybersecurity risks in systems, people, assets, data and capabilities.
  • Protect: this pillar helps outline the appropriate safeguards to ensure the delivery of infrastructure services. 
  • Detect: this pillar helps define the activities to identify the occurrence of a cybersecurity event. 
  • Respond: this pillar helps establish the right processes to take action regarding a detected cybersecurity incident.
  • Recover: this pillar addresses defining the processes necessary to maintain resilience and restore impaired services.

ISO 27001/27017: This template is by the International Organization for Standardization. It is a specific set of standards for information security systems. You can view this framework as the gold standard for information security and compliance. Your company must prove it has completed rigorous security practices to protect its data.

CIS Controls: CIS Controls are a set of open source, consensus-based guidelines aimed at securing systems. All controls undergo thorough review by experts until a consensus is reached. Sometimes these are adapted to fit CSPs; for example, you can find tailored CIS benchmarks for AWS.

CSA STAR: The Cloud Security Alliance (CSA) and Security Trust And Risk Assurance (STAR) paired together to create a comprehensive cloud security assurance program. By adhering to this STAR framework relevant to your CSP, your organization demonstrates strong security posture and secure cloud controls.

HIPAA: This Act aims to protect individuals’ health-related information; however, it contains certain criteria specific to information security. Organizations under HIPAA must complete risk analyses and establish risk management policies. If you’re in the cloud, it is your duty to ensure your CSP is HIPAA compliant.

SOC 2: This is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of your clients. This is a minimal requirement when considering a SaaS provider. SOC 2 defines criteria for managing customer data based on five principles – security, availability, processing integrity, confidentiality and privacy.

PCI-DSS: The Payment Card Industry Data Security Standard is a set of security standards covering all merchants processing credit or debit payments. This protects card users against credit card fraud and identity theft. Common compliance efforts include antivirus software, firewalls, and vulnerability testing.

Improve Cloud Governance, Security and Compliance With Sonrai

One thing uniting healthcare, banking, government and any other industry out there is the critical need for information security regulations and cloud security standards. After reading this blog, it should be apparent just how much guidance and material there is out there helping you and your providers function safely in the cloud. However, there are limits to external help, and at a certain point, responsibility lies with the organization at hand to take control over its security practices.
