Cloud Security Best Practices from the Cloud Security Alliance
Cloud is becoming the back end for all forms of computing and is the foundation for the information security industry. It’s a model for enabling convenient and on-demand network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
When moving to the cloud, it’s important to remember that cloud security is distinct from traditional on-premises security, and a new set of best practices must be implemented.
Why Use the Cloud?
Cloud computing offers tremendous benefits in agility, resiliency, and economy. Organizations can move faster (since they don’t have to purchase and provision hardware, and everything is software defined), reduce downtime (thanks to inherent elasticity and other cloud characteristics), and save money (due to reduced capital expenses and better demand and capacity matching).
Security Best Practices for Cloud Computing
The 14 domains within the CSA Security Guidance for Critical Areas of Focus in Cloud Computing promote best practices developed by CSA for providing security assurance within cloud computing utilizing a practical, actionable roadmap. The CSA Security Guidance is built on dedicated research and public participation, incorporating advances in cloud, security, and supporting technologies. Here are the 14 domains of cloud security best practices that you should be considering:
1. Cloud Computing Concepts and Architectures
Define cloud computing, set your baseline of terminology, and detail the overall logical and architectural frameworks to be used.
2. Governance and Enterprise Risk Management
Governance and risk management are incredibly broad topics that have their own nuances within cloud computing. Make sure you understand the distinctions.
3. Legal Issues, Contracts and Electronic Discovery
Several legal issues are raised when you move data to the cloud, including contracting with cloud service providers and handling electronic discovery requests in litigation. Be aware of the legal implications of public cloud computing and third-party-hosted private clouds.
4. Compliance and Audit Management
Customers and providers alike need to understand and appreciate jurisdictional differences and their implications on existing compliance and audit standards, processes, and practices. Understanding the interaction of cloud computing and the regulatory environment is a key component of any cloud strategy.
5. Information Governance
When migrating to the cloud, use it as an opportunity to revisit information architectures. Moving to the cloud creates an opportunity to reexamine how you manage information and find ways to improve things. Don’t lift and shift existing problems.
6. Management Plane and Business Continuity
Gaining access to the management plane is like gaining access to your data center. Overall, a risk-based approach is key: not all assets need equal continuity, don’t drive yourself crazy by planning for full provider outages, and strive to design for RTOs and RPOs equivalent to those on traditional infrastructure.
7. Infrastructure Security
Infrastructure security is the foundation for operating securely in the cloud. Focus on two aspects: cloud considerations for the underlying infrastructure and security for virtual networks and workloads.
8. Virtualization and Containers
For cloud computing, we focus on specific aspects of virtualization used to create our resource pools, especially: compute, network, storage, and containers. Understanding the impacts of virtualization on security is fundamental to architecting and implementing cloud security.
9. Incident Response
Identify the gaps pertinent to incident response that are created by the unique characteristics of cloud computing. Use this as a reference when developing response plans and conducting other activities during the preparation phase of the incident response lifecycle.
10. Application Security
There will be changes to application security due to the shared security model. Some of these are tied to governance and operations, but there are more in terms of how you think and plan for an application’s security.
11. Data Security and Encryption
Data security is a key enforcement tool for information and data governance, and its use should be risk-based since it is not appropriate to secure everything equally. Focus on those controls related to securing the data itself, of which encryption is most important.
12. Identity, Entitlement, and Access Management
IAM is deeply impacted by cloud computing in both public and private clouds. Be aware of how the cloud changes identity management.
13. Security as a Service
Security as a Service (SecaaS) refers to security capabilities that are offered as a cloud service from dedicated SecaaS providers, as well as packaged security features from general cloud computing providers.
14. Related Technologies
It’s important to understand key technologies that are interrelated with cloud. Some, such as containers and Software-Defined Networks, are tightly intertwined. Breaking these out provides flexibility to update coverage, adding and removing technologies as their usage shifts and new capabilities emerge.
Dive deeper into each of these critical areas of cloud security here.