Cloud Security Best Practices from the Cloud Security Alliance
Published 04/23/2022
Cloud is becoming the backend for all forms of computing and is the foundation for the information security industry. It’s a model for enabling convenient and on-demand network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
When moving to the cloud, it’s important to remember that cloud security is distinct from traditional on-premises security, and a new set of best practices must be implemented.
Why Use the Cloud?
Cloud computing offers tremendous benefits in agility, resiliency, and economy. Organizations can move faster (since they don’t have to purchase and provision hardware, and everything is software defined), reduce downtime (thanks to inherent elasticity and other cloud characteristics), and save money (due to reduced capital expenses and better demand and capacity matching).
Security Best Practices for Cloud Computing
The 12 domains within the CSA Security Guidance for Critical Areas of Focus in Cloud Computing promote best practices developed by CSA for providing security assurance within cloud computing utilizing a practical, actionable roadmap. The CSA Security Guidance is built on dedicated research and public participation, incorporating advances in cloud, security, and supporting technologies. Here are the 12 domains of cloud security best practices that you should be considering:
1. Cloud Computing Concepts & Architectures
Define cloud computing and understand the baseline terminology, controls, deployment, and architectural models.
2. Cloud Governance
Understand the role of security and how enterprise governance helps align the strategic, tactical, and operational capabilities of information and technology with the business objectives.
3. Risk, Audit, & Compliance
Understand cloud security, risk, audit, and compliance; evaluate cloud service providers; and establish cloud risk registries.
4. Organization Management
Manage your entire cloud footprint, including securing and validating service provider deployments.
5. Identity & Access Management
Understand how Identity and Access Management works between an organization and cloud providers or between cloud providers and services.
6. Security Monitoring
Understand the unique security monitoring challenges and solutions for cloud environments, including the distinct aspects of cloud telemetry, management plane logs, service and resource logs, and the integration of advanced monitoring tools.
7. Infrastructure & Networking
Manage the overall infrastructure footprint and network security and understand the CSP's infrastructure security responsibilities.
8. Cloud Workload Security
Understand the related set of software and data units that are deployable on some type of infrastructure or platform.
9. Data Security
Address the complexities of data security in the cloud with essential strategies, tools, and practices that protect data in transit and at rest.
10. Application Security
Understand the unique challenges and opportunities presented by application security in the cloud environment from the initial design phase to ongoing maintenance.
11. Incident Response & Resilience
Explain best practices for cloud incident response and resilience.
12. Related Technologies & Strategies
Understand the foundational concepts of Zero Trust and Artificial Intelligence security.
Dive deeper into each of these critical areas of cloud security here.
Updated on 7/15/24 to align with Security Guidance v5.
Related Articles:
Dispelling the ‘Straight Line’ Myth of Zero Trust Transformation
Published: 11/04/2024
To Secure the AI Attack Surface, Start with Fundamental Cyber Hygiene
Published: 10/10/2024
CSA Community Spotlight: Guiding Industry Research with CEO Jason Garbis
Published: 10/09/2024
How to Set Up Your First Security Program
Published: 09/26/2024