Cloud security standards and frameworks to consider
Cloud computing is complex. Whether companies are securing financial data or managing DevOps teams, no two cloud environments are the same. Multi-cloud environments with diverse apps and cloud providers present a major security challenge. But businesses can meet this cybersecurity challenge by adopting the right cloud security standards.
Cloud security standards and frameworks have been developed by industry experts and regulators. They provide off-the-shelf advice and guidelines for securing cloud resources that are tailored to regulatory needs. So there is no need to improvize cloud security architecture. Working from expert frameworks is a better security strategy.
This article will look at how cloud security standards and frameworks work. It will also introduce the main cloud security organizations and explain some of the most popular frameworks.
What are cloud security standards?
Cloud security standards are documents containing cloud security best practices. Standards are developed by expert organizations. They provide practical guidance from the academic, corporate, and regulatory sectors. This guidance allows readers to implement effective cloud security controls.
There are many types of cloud security standards. Some refer to security frameworks connected to important regulations. For instance, they may provide best practices to meet GDPR or HIPAA regulations. Others are provided by international organizations like the ISO. These standards seek to raise global security levels and respond to changes in the cybersecurity landscape.
With so many competing standards choosing the right cloud security standards is not always easy. That's why it helps to understand the options, and take some time to select guidelines that apply to the cloud-based services you use.
The importance of cloud security standards
Cloud security standards are important because securing cloud assets is complex. Many businesses struggle to understand the shared responsibility model. They need guidance about security areas covered by cloud providers, and areas that are the responsibility of users.
Companies must know how to migrate data and applications to the cloud safely. Digital transformations can result in security gaps. Data may be exposed during cloud implementation and when using cloud platforms. Applying the right standards minimizes the risk of security failures as companies embrace the cloud.
Security failures are a major business risk. Hackers often target poorly secured cloud assets. The threat surface grows as businesses attach new cloud containers, activate Virtual Machines, and add new SaaS apps to their workloads. Security standards help manage the threat surface and maintain control.
Cloud security standards provide a baseline for risk assessments. Companies can use them to calculate security risks for new services. And they can ensure that cloud architecture conforms to internationally accepted standards.
The most important role of cloud security frameworks and standards is turning confusion into clarity. Securing cloud environments is an ongoing task with multiple challenges. Any tools that make the task simpler are extremely valuable.
Consequences of being non-compliant with cloud security standards
Can you afford to ignore cloud security standards when expanding your IaaS or SaaS deployments? Most experts recommend implementing at least one set of standards to handle cloud security risks.
Security frameworks created without expert guidance may neglect critical security areas. And they generate uncertainty about whether cloud resources are as secure as they could be.
The result can be non-compliance with cloud security regulations. Organizations that fail to apply cloud security frameworks may suffer reputational damage and financial costs when data breaches occur. They will also incur huge regulatory fines due to non-compliance.
Cloud security standards & frameworks
Many non-profit and governmental organizations have emerged to serve the security needs of cloud users. These bodies create frameworks that meet regulatory requirements. They also take into account the diversity of business operations in the cloud.
Security frameworks include sets of standards. Standards are recommendations regarding security best practices. When implemented correctly, they provide robust cloud security. The main challenge is matching cloud security standards to specific business goals. So let's run through the major standards bodies and introduce some core cloud security documents.
Introducing the main standards organizations
Each of the following bodies is a reputable, widely consulted source of security expertise. The framework you choose should be dictated by your core business operations. In some cases, multiple security frameworks may be appropriate. Choose the right mix to secure critical business assets.
National Institute of Standards and Technology
NIST is a sub-group in the US Department of Commerce that disseminates standards across a huge range of technical areas. National Institute of Standards documents are made for government agencies. But they are also written with private business in mind.
In the world of cloud security, NIST's Special Publications (SP) range is the most important category. Crucial framework documents include:
NIST SP 500-291 (2011), the NIST Cloud Computing Standards Roadmap
NIST SP 500-291 brings together the main cloud computing standards, including material from outside NIST. It also highlights areas where experts are unsure of security best practices, and notes areas where security gaps remain. This is a good starting point for researching cloud security architecture.
NIST SP 500-293 (2014), U.S. Government Cloud Computing Technology Roadmap
NIST SP 500-293 complements NIST SP 500-291. It provides an introduction to best practices in constructing cloud networks. It acts as a solid introduction to improving your security posture in complex cloud environments.
NIST SP 800-53 Rev. 5 (2020), Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53 Rev. 5 is a broadly focused InfoSec standard that includes specific recommendations about cloud data protection.
NIST SP 800-144 (2011), Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-144 is focused on creating security controls for public clouds. This is a good starting point for client-facing cloud deployments.
NIST SP 800-145 (2011), The NIST Definition of Cloud Computing
NIST SP 800-145 is a fundamental framing document that sets out a definition of cloud computing. It can be used to benchmark different cloud providers. Companies can also use it to war-game different security strategies. It is a useful reference point for most cloud security projects.
NIST SP-800-210 (2020), General Access Control Guidance for Cloud Systems
NIST SP-800-210 is NIST's main access control document for cloud systems. It offers assistance around access management for SaaS, IaaS and PaaS deployments.
NIST Standards Acceleration to Jumpstart Adoption of Cloud Computing
This NIST framework document has three areas of focus. It provides a basic introduction to companies beginning cloud deployments. Areas covered include recommended standards, contributions from third-party experts, and existing security gaps.
NIST Cloud Computing Program
NCCP is a wide-ranging document offering a suggested cloud security framework. Relevant for IaaS, Paas, and SaaS, it covers:
- Wide network access
- Resource pooling
- Flexible deployments
- On-demand self-service applications
- Measured services
NIST Cybersecurity FrameworK
This security framework is a go-to reference document for large infrastructure bodies. Designed for official organizations, it has wide relevance to private companies. Areas of focus extend beyond cloud computing, but certain sections are highly relevant for digital infrastructure in the cloud.
International Organization for Standardization
IOS was founded in 1947 (well before the cloud existed). But this international organization has responded to the growth of cloud technology. The International Organization for Standardization provides security frameworks. Its publications feature input from all major countries. Its wide range of expertise makes it an essential source of cloud security standards.
Major IOS frameworks to consider include:
ISO/IEC 17789:2014, Information technology, Cloud computing, Reference architecture
ISO/IEC 17789:2014 seeks to standardize definitions of cloud computing components, roles, and activities. It is a good basis for cloud security policies, providing clear definitions of the elements in most cloud deployments.
ISO/IEC 17826:2016, Information technology - CDMI
ISO/IEC 17826:2016 deals with the use of Cloud Data Management Interfaces (CDMIs). It provides information about how to securely create data interfaces. It also includes recommendations about data privacy on cloud resources.
ISO/IEC 18384:2016, Information Technology, Reference Architecture for Service Oriented Architecture
ISO/IEC 18384:2016 is focused on cloud-based service architecture. It includes definitions, discussions, and useful principles to secure service apps.
ISO/IEC 19086:2016, Information technology, Cloud computing, Service level agreement framework
ISO/IEC 19086:2016 deals with creating and assessing Service Level Agreements (SLAs). This allows companies to manage relationships with cloud providers and carry out thorough risk management when building cloud deployments.
ISO/IEC 19941:2017, Information technology, Cloud computing, Interoperability and portability
ISO/IEC 19941:2017 helps companies bring different cloud resources together. It provides security guidance about portability and interoperability. Both are highly useful in multi-cloud deployments.
ISO/IEC 19944:2020, Cloud computing and distributed platforms, Data flow, data categories and data use
ISO/IEC 19944:2020 includes in-depth information about the way data moves between cloud providers and clients. It complements ISO guidance on CDMIs and helps to build strong data protection practices in all cloud services.
ISO/IEC 22123:2021, Information technology, Cloud computing - Part 1: Vocabulary and Part 2: Concepts
ISO/IEC 22123:2021 is a two-part framework that provides over-arching guidance on creating a secure environment in the cloud. It acts as an easy to digest introduction to cloud security.
ISO/IEC Technical Report 22678:2019, Information technology, Cloud computing, Guidance for policy development
ISO/IEC Technical Report 22678:2019 is a valuable tool when drafting and implementing cloud security policies. This framework provides specimen templates and information about what to include.
ISO/IEC Technical Specifications 23167:2020, Information technology, Cloud computing, Common technologies and techniques
ISO/IEC Technical Specifications 23167:2020 is a technical document containing many useful definitions. Areas covered include Virtual Machines (VMs), data containers, and cloud-based micro-services.
ISO/IEC 27001:2013, Information technology, Security techniques, Information security management systems, Requirements
ISO/IEC 27001:2013 deals with the creation of information security management systems. This document is not just cloud-oriented. However it does include valuable recommendations about building information security architecture for cloud deployments. It also includes valuable guidance about carrying out robust cloud information security audits.
IEC 27001:2013 is part of the ISO 27001 family of standards. This group deals with the creation of a secure Information Security Management System (ISMS). Our ISO 27001 checklist explains how it works, and what companies need to do to achieve compliance.
ISO/IEC 27002: 2013, Information Technology, Security techniques
ISO/IEC 27002: 2013 is part of the 27002 family of ISO standards. This means that it supplements 27001 frameworks. In this case, the document provides supplementary information about security controls used in cloud settings. This assists companies in securing access and data. It also helps when mitigating cybersecurity threats.
ISO/IEC 27017:2015, Information technology, Security techniques
ISO/IEC 27017:2015 offers a set of practices for cloud environments. It includes best practices regarding cloud security controls. This is a solid grounding for building IAM or Zero Trust setups in the cloud.
ISO/IEC 27018:2019, Information technology, Security techniques
ISO/IEC 27018:2019 is another code of practices for cloud deployments. This document concerns the protection of personally identifiable information (PII). Users will learn best practices to ensure client and employee privacy, and lock down sensitive data at all times.
PCI-DSS
PCI-DSS stands for the Payment Card Industry – Data Security Standard and was introduced by a consortium of major credit card companies in the 2000s. PCI-DSS aims to standardize digital payment processing.
Failure to comply with PCI-DSS regulations when you transmit cardholder data can be highly damaging. Ecommerce firms could lose the ability to process payments via major credit cards, making online selling almost unviable.
The Payment Card Industry Security Standards Council administers the standard, and offers a range of documents to guide compliance in the cloud. This includes quick reference documents and full frameworks to create prioritized compliance approaches.
NordLayer has created a quick PCI-DSS checklist to make the compliance task simple. PCI-DSS audits are also recommended to make compliance strategies watertight.
GDPR
The European Union's General Data Protection Regulation is one of the most important information security regulations. Any company selling to the EU or offering digital services within EU countries must comply with GDPR. Large fines and commercial bans can result from non-compliance.
GDPR covers cloud computing services and the protection of PII is the most important compliance goal. Critical articles for cloud users include:
- Article 25 – The Data protection by design and by default article tightly limits who has access to the personal information of individuals. PII must only be available to third parties with the permission of the individual.
- Article 30 – This article requires records of processing activities. Companies must record all personally identifiable information processed by cloud platforms.
- Article 32 – Requires the encryption of personal information both in transit and at rest on cloud containers.
GDPR compliance is covered in this NordLayer checklist. This includes information relevant to cloud users.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) aims to protect patient data privacy in the digital age.
Although the act was passed in 1996, the HIPAA Privacy, Security, and Breach Notification Rules have changed to reflect the rise of cloud computing. Another central part of the Act is the HIPAA Security Rule. This rule demands that health providers protect patients' electronic data.
Various cloud security standards are now available to assist companies in meeting HIPAA information security goals. Any company dealing with health insurance portability must be compliant. This includes Cloud Service Providers working with health companies or organizations.
The US Department of Health and Human Services offers guidance documents relating to HIPAA and cloud security. You can also refer to NordLayer's HIPAA Checklist. It covers the major areas of compliance, providing a quick introduction to security requirements.
Center for Internet Security (CIS)
The CIS is a major supplier of cloud security expertise via the CIS Foundations Benchmarks series. These benchmarks are designed for general use. They are vendor-agnostic and targeted at all commonly used hardware and cloud systems.
Benchmarks are organized according to vendor groups. Categories include mobile devices, operating systems, network hardware, CSPs and servers. All-in-all, there are more than 100 to choose from. So most cloud configurations will be covered.
For instance, popular cloud providers covered by CIS include Microsoft Entra ID, Amazon Web Services, IBM Cloud, Google Cloud, and the Alibaba Cloud.
While CIS benchmarks are general, they are also informed by expertise. They feature information about security controls for cloud based services, with clear suggestions about how to implement controls on a practical level.
CIS invites participation from academics, private security experts, and government bodies. All documents are free of charge and are delivered in PDF format via the CIS website.
System and Organization Controls (SOC) Reporting
System and Organization Controls are provided by the American Institute of Certified Public Accountants (AICPA). They are voluntary standards designed to form part of security audits. But they can also be used as frameworks to create cloud security systems.
Meeting SOC standards shows a high degree of security commitment. SOC controls cover every major aspect of cloud security and reflect industry best practices.
The most important category of SOC documents for cloud managers are SOC 2 (Trust Services Criteria) standards. These documents are based around five principles: security, availability, confidentiality, processing integrity, and privacy. All of these principles are relevant to cloud users.
Cloud architecture frameworks from cloud service providers
Cloud providers like Microsoft Entra ID and AWS provide APIs and security guidance. This makes it easier for clients to navigate the shared responsibility model. Most providers include tools to build cloud security architecture. For instance, options include:
- Microsoft Entra ID Architecture Framework. Provides guidance and tools to secure Microsoft Entra ID cloud services. Based around the principles of data security, efficient operations, performance, reliability, and minimal costs.
- The AWS Well-Architected Framework. Makes it easier to build AWS security around the core ideas of efficient performance, operational quality, reliability, and cost minimization.
- Google Cloud Architected Framework. Provides tools to strengthen Google Cloud security, built around the principles of reliability, compliance, operational efficiency, and cost reduction.
This architecture is a necessary part of an information security management system if you use the cloud services concerned. But it is still important to take a wider view of cloud security. Companies must apply security standards beyond individual platforms to ensure optimal data security.
How to select an appropriate standard for your business
With so many cloud security frameworks and standards to pick from, finding the right information is vital. Here are some things to keep in mind when using the resources above to build your cloud security strategy.
- Look at major CSPs like Microsoft Entra ID or Google Cloud. Find out what standards they use, and which frameworks they feel are relevant. All good Cloud Services will include information about how to blend client and provider security responsibilities. Specifically, look for System and Organization Controls Type 2 (SOC 2) reports. These reports include detailed audit information about the controls used by each CSP.
- Consult existing expertise within your organization. Internal IT staff may already have researched cloud security issues, and the relevant information may already be available to use.
- Make use of technical organizations that work in the cloud security domain. For instance, the Distributed Management Task Force (DMTF), the European Telecommunications Standards Institute (ETSI), and the Cloud Security Alliance (CSA) are all keen to help cloud users secure data.
Above all, define your cloud security goals according to business needs. Some organizations may need strong PII protection. Others will focus on data processing and efficiency.
Each company has its own needs and requires a unique mix of security standards. Every company has its own regulatory compliance needs as well. Create a specific solution informed by the frameworks discussed in this article.