Cloud security standards and frameworks to consider

Cloud computing is complex. Whether companies are securing financial data or managing DevOps teams, no two cloud environments are the same. Multi-cloud environments with diverse apps and cloud providers present a major security challenge. However, businesses can meet this cybersecurity challenge by adopting the right cloud security standards.

Industry experts and regulators have developed cloud security standards and frameworks. They provide off-the-shelf advice and guidelines for securing cloud resources that are tailored to regulatory needs. So, there is no need to improvise cloud security architecture. Working from expert frameworks is a better security strategy.

This article will look at how cloud security standards and frameworks work. It will also introduce the main cloud security organizations and explain some of the most popular frameworks.

Key takeaways

• Cloud security standards are critical: following best practices for securing cloud-based resources is key, as well as tailoring these guidelines to meet regulatory requirements.
• Selecting the right standards: aligning standards with your business and compliance needs is essential.
• Key standard organizations and frameworks: bodies like NIST, ISO, and CIS provide specific frameworks to boost cloud security, covering various needs and regulations (e.g., GDPR, HIPAA).
• Compliance is a must: ignoring cloud security standards can lead to severe repercussions, including data breaches, reputational damage, and significant financial and regulatory penalties.
• Implementing cloud security best practices: understanding your responsibilities versus your cloud service provider's, managing access controls, ensuring data encryption, and staying informed about compliance and security policies are all key steps.
• Finding the right fit for your business: carefully review your cloud service provider's standards, consult with internal IT expertise, leverage guidance from technical organizations, and define your cloud security goals based on your business needs and regulatory requirements.

What are cloud security standards?

Cloud security standards are documents containing cloud security best practices. Expert organizations develop standards. They provide practical guidance from the academic, corporate, and regulatory sectors. This guidance allows readers to implement effective cloud security controls.

There are many types of cloud security standards. Some refer to security frameworks connected to important regulations. For instance, they may provide best practices to meet GDPR or HIPAA regulations. International organizations like the ISO provide others. These standards seek to raise global security levels and respond to changes in the cybersecurity landscape.

With so many competing standards, choosing the right cloud security standards is not always easy. That’s why it helps to understand the options, and it takes some time to select guidelines that apply to the cloud-based services you use.

The importance of cloud security standards

Cloud security standards are important because securing cloud assets is complex. Many businesses struggle to understand the shared responsibility model. They need guidance about security areas covered by cloud providers and areas that are the responsibility of users.

Companies must know how to migrate data and applications to the cloud safely. Digital transformations can result in security gaps. Data may be exposed during cloud implementation and when using cloud platforms. Applying the right standards minimizes the risk of security failures as companies embrace the cloud.

Security failures are a major business risk. Hackers often target poorly secured cloud assets. The threat surface grows as businesses attach new cloud containers, activate Virtual Machines, and add new SaaS apps to their workloads. Security standards help manage the surface of threats and maintain control.

Cloud security standards provide a baseline for risk assessments. Companies can use them to calculate security risks for new services. And they can ensure that cloud architecture conforms to internationally accepted standards.

The most important role of cloud security frameworks and standards is to turn confusion into clarity. Securing cloud environments is an ongoing task with multiple challenges. Any tools that make the task simpler are extremely valuable.

Consequences of being non-compliant with cloud security standards

Can you afford to ignore cloud security standards when expanding your IaaS or SaaS deployments? Most experts recommend implementing at least one set of standards to handle cloud security risks.

Security frameworks created without expert guidance may neglect critical security areas. They also generate uncertainty about whether cloud resources are as secure as possible.

The result can be non-compliance with cloud security regulations. When data breaches occur, organizations that fail to apply cloud security frameworks may suffer reputational damage and financial costs. They will also incur huge regulatory fines due to non-compliance.

Cloud security standards & frameworks

Many non-profit and governmental organizations have emerged to serve the security needs of cloud users. These bodies create frameworks that meet regulatory requirements. They also take into account the diversity of business operations in the cloud.

Security frameworks include sets of standards. Standards are recommendations regarding security best practices. When implemented correctly, they provide robust cloud security. The main challenge is matching cloud security standards to specific business goals. So, let’s run through the major standards bodies and introduce some core cloud security documents.

Introducing the main standards organizations

Each of the following bodies is a reputable, widely consulted source of security expertise. Your core business operations should dictate the framework you choose. In some cases, multiple security frameworks may be appropriate. Choose the right mix to secure critical business assets.

National Institute of Standards and Technology

NIST is a sub-group in the US Department of Commerce that disseminates standards across various technical areas. National Institute of Standards documents are made for government agencies. However, they are also written with private business in mind.

In the world of cloud security, NIST’s Special Publications (SP) range is the most important category. Crucial framework documents include:

NIST SP 500-291 (2011), the NIST Cloud Computing Standards Roadmap

NIST SP 500-291 combines the main cloud computing standards, including material from outside NIST. It also highlights areas where experts are unsure of security best practices and notes areas where security gaps remain. This is a good starting point for researching cloud security architecture.

NIST SP 500-293 (2014), U.S. Government Cloud Computing Technology Roadmap

NIST SP 500-293 complements NIST SP 500-291. It provides an introduction to best practices in constructing cloud networks. It is a solid introduction to improving your security posture in complex cloud environments.

NIST SP 800-53 Rev. 5 (2020), Security and Privacy Controls for Information Systems and Organizations

NIST SP 800-53 Rev. 5 is a broadly focused InfoSec standard that includes specific recommendations about cloud data protection.

NIST SP 800-144 (2011), Guidelines on Security and Privacy in Public Cloud Computing

NIST SP 800-144 is focused on creating security controls for public clouds. This is a good starting point for client-facing cloud deployments.

NIST SP 800-145 (2011), The NIST Definition of Cloud Computing

NIST SP 800-145 is a fundamental framing document that sets out a definition of cloud computing. It can be used to benchmark different cloud providers. Companies can also use it to war-game different security strategies. It is a useful reference point for most cloud security projects.

NIST SP-800-210 (2020), General Access Control Guidance for Cloud Systems

NIST SP-800-210 is NIST’s main access control document for cloud systems. It offers assistance with access management for SaaS, IaaS, and PaaS deployments.

NIST Standards Acceleration to Jumpstart Adoption of Cloud Computing

This NIST framework document has three areas of focus. It provides a basic introduction to companies beginning cloud deployments. Areas covered include recommended standards, contributions from third-party experts, and existing security gaps.

NIST Cloud Computing Program

NCCP is a wide-ranging document offering a suggested cloud security framework. Relevant for IaaS, Paas, and SaaS, it covers:

• Wide network access
• Resource pooling
• Flexible deployments
• On-demand self-service applications
• Measured services

NIST Cybersecurity Framework

This security framework is a go-to reference document for large infrastructure bodies. Designed for official organizations, it has wide relevance to private companies. Areas of focus extend beyond cloud computing, but certain sections are highly relevant for digital infrastructure in the cloud.

International Organization for Standardization

IOS was founded in 1947 (well before the cloud existed). However, this international organization has responded to the growth of cloud technology. The International Organization for Standardization provides security frameworks. Its publications feature input from all major countries. Its wide range of expertise makes it an essential source of cloud security standards.

Major IOS frameworks to consider include:

ISO/IEC 17789:2014, Information technology, Cloud computing, Reference architecture

ISO/IEC 17789:2014 seeks to standardize definitions of cloud computing components, roles, and activities. It is a good basis for cloud security policies, providing clear definitions of the elements in most cloud deployments.

ISO/IEC 17826:2016, Information technology - CDMI

ISO/IEC 17826:2016 uses Cloud Data Management Interfaces (CDMIs). It provides information about how to create data interfaces securely. It also includes recommendations about data privacy on cloud resources.

ISO/IEC 18384:2016, Information Technology, Reference Architecture for Service-Oriented Architecture

ISO/IEC 18384:2016 is focused on cloud-based service architecture. It includes definitions, discussions, and useful principles to secure service apps.

ISO/IEC 19086:2016, Information technology, Cloud computing, Service level agreement framework

ISO/IEC 19086:2016 deals with creating and assessing Service Level Agreements (SLAs). This allows companies to manage relationships with cloud providers and perform thorough risk management when building cloud deployments.

ISO/IEC 19941:2017, Information technology, Cloud computing, Interoperability and portability

ISO/IEC 19941:2017 helps companies bring different cloud resources together. It provides security guidance about portability and interoperability. Both are highly useful in multi-cloud deployments.

ISO/IEC 19944:2020, Cloud computing and distributed platforms, Data flow, data categories and data use

ISO/IEC 19944:2020 includes in-depth information about how data moves between cloud providers and clients. It complements ISO guidance on CDMIs and helps to build strong data protection practices in all cloud services.

ISO/IEC 22123:2021, Information technology, Cloud computing - Part 1: Vocabulary and Part 2: Concepts

ISO/IEC 22123:2021 is a two-part framework that provides over-arching guidance on creating a secure environment in the cloud. It acts as an easy-to-digest introduction to cloud security.

ISO/IEC Technical Report 22678:2019, Information technology, Cloud computing, Guidance for policy development

ISO/IEC Technical Report 22678:2019 is a valuable tool when drafting and implementing cloud security policies. This framework provides specimen templates and information about what to include.

ISO/IEC Technical Specifications 23167:2020, Information technology, Cloud computing, Common technologies and techniques

ISO/IEC Technical Specifications 23167:2020 is a technical document containing many useful definitions. Areas covered include Virtual Machines (VMs), data containers, and cloud-based micro-services.

ISO/IEC 27001:2013, Information technology, Security techniques, Information security management systems, Requirements

ISO/IEC 27001:2013 deals with the creation of information security management systems. This document is not just cloud-oriented. However, it includes valuable recommendations about building information security architecture for cloud deployments. It also includes valuable guidance about carrying out robust cloud information security audits.

IEC 27001:2013 is part of the ISO 27001 family of standards. This group deals with creating a secure Information Security Management System (ISMS). Our ISO 27001 checklist explains how it works and what companies need to do to achieve compliance.

ISO/IEC 27002: 2013, Information Technology, Security techniques

ISO/IEC 27002: 2013 is part of the 27002 family of ISO standards. This means that it supplements 27001 frameworks. In this case, the document provides supplementary information about security controls used in cloud settings. This assists companies in securing access and data. It also helps when mitigating cybersecurity threats.

ISO/IEC 27017:2015, Information technology, Security techniques

ISO/IEC 27017:2015 offers a set of practices for cloud environments. It includes best practices regarding cloud security controls. This is a solid grounding for building IAM or Zero Trust setups in the cloud.

ISO/IEC 27018:2019, Information technology, Security techniques

ISO/IEC 27018:2019 is another code of practice for cloud deployments. This document concerns the protection of personally identifiable information (PII). Users will learn best practices to ensure client and employee privacy and lock down sensitive data at all times.

PCI-DSS

PCI-DSS stands for the Payment Card Industry – Data Security Standard and was introduced by a consortium of major credit card companies in the 2000s. PCI-DSS aims to standardize digital payment processing.

Failure to comply with PCI-DSS regulations when you transmit cardholder data can be highly damaging. E-commerce firms could lose the ability to process payments via major credit cards, making online selling almost unviable.

The Payment Card Industry Security Standards Council administers the standard and offers a range of documents to guide compliance in the cloud. This includes quick reference documents and full frameworks to create prioritized compliance approaches.

NordLayer has created a quick PCI-DSS checklist to simplify compliance tasks. PCI-DSS audits are also recommended to make compliance strategies watertight.

GDPR

The European Union’s General Data Protection Regulation is one of the most important information security regulations. Any company selling to the EU or offering digital services within EU countries must comply with GDPR. Large fines and commercial bans can result from non-compliance.

GDPR covers cloud computing services, and protecting PII is the most important compliance goal. Critical articles for cloud users include:

• Article 25 – The Data protection by design and by default article tightly limits who has access to the personal information of individuals. PII must only be available to third parties with the individual's permission.
• Article 30 – This article requires records of processing activities. Companies must record all personally identifiable information processed by cloud platforms.
• Article 32 – Requires the encryption of personal information both in transit and at rest on cloud containers.
  
  

GDPR compliance is covered in this Nordlayer checklist. This includes information relevant to cloud users.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) aims to protect patient data privacy in the digital age.

Although the act was passed in 1996, the HIPAA Privacy, Security, and Breach Notification Rules have changed to reflect the rise of cloud computing. Another central part of the Act is the HIPAA Security Rule. This rule demands that health providers protect patients' electronic data.

Various cloud security standards are now available to assist companies in meeting HIPAA information security goals. Any company dealing with health insurance portability must be compliant. This includes Cloud Service Providers working with health companies or organizations.

The US Department of Health and Human Services offers guidance documents relating to HIPAA and cloud security. You can also refer to Nordlayer’s HIPAA Checklist. It covers the major areas of compliance, providing a quick introduction to security requirements.

Center for Internet Security (CIS)

The CIS is a major supplier of cloud security expertise via the CIS Foundations Benchmarks series. These benchmarks are designed for general use. They are vendor-agnostic and targeted at all commonly used hardware and cloud systems.

Benchmarks are organized according to vendor groups. Categories include mobile devices, operating systems, network hardware, CSPs, and servers. All-in-all, there are more than 100 to choose from. So, most cloud configurations will be covered.

For instance, popular cloud providers covered by CIS include Microsoft Azure, Amazon Web Services, IBM Cloud, Google Cloud, and Alibaba Cloud.

While CIS benchmarks are general, they are also informed by expertise. They feature information about security controls for cloud-based services, with clear suggestions on how to implement controls on a practical level.

CIS invites participation from academics, private security experts, and government bodies. All documents are free of charge and are delivered in PDF format via the CIS website.

System and Organization Controls (SOC) Reporting

System and Organization Controls are provided by the American Institute of Certified Public Accountants (AICPA). They are voluntary standards designed to form part of security audits. However, they can also be used as frameworks to create cloud security systems.

Meeting SOC standards shows a high degree of security commitment. SOC controls cover every major aspect of cloud security and reflect industry best practices.

The most important category of SOC documents for cloud managers is SOC 2 (Trust Services Criteria) standards. These documents are based on five principles: security, availability, confidentiality, processing integrity, and privacy. All of these principles are relevant to cloud users.

Cloud architecture frameworks from cloud service providers

Cloud providers like Microsoft Azure and AWS provide APIs and security guidance. This makes it easier for clients to navigate the shared responsibility model. Most providers include tools to build cloud security architecture. For instance, options include:

• Azure Architecture Framework. Provides guidance and tools to secure Azure cloud services. Based on the principles of data security, efficient operations, performance, reliability, and minimal costs.
• The AWS Well-Architected Framework. It makes it easier to build AWS security around the core ideas of efficient performance, operational quality, reliability, and cost minimization.
• Google Cloud Architected Framework. Provides tools to strengthen Google Cloud security, built around the principles of reliability, compliance, operational efficiency, and cost reduction.
  
  

This architecture is a necessary part of an information security management system if you use the cloud services concerned. However, taking a wider view of cloud security is still important. Companies must apply security standards beyond individual platforms to ensure optimal data security.

Best practices for cloud security

Embarking on the journey to cloud security requires a careful and methodical approach. Here's how to ensure that your data is safe and secure in the cloud:

• Evaluate safety: assessing the risk landscape is the first step. For sensitive or high-risk data, a hybrid cloud approach—combining cloud flexibility with on-premises security—is often best.
• Set policies: developing clear policies for how data is shared and managed in the cloud is crucial, similar to establishing house rules. This step involves selecting cloud services and providers that align with your security needs, ensuring everyone is on the same page.
• Vet providers: reviewing a cloud service provider's security measures ensures they meet essential standards like ISO/IEC 27017 and ISO/IEC 27018, safeguarding your data against breaches.
• Protect data in the cloud: backing up and encrypting your data in the cloud is like keeping your most valuable possessions in a secure, accessible location. Managing your own encryption keys gives you control over data access, much like having the only key to a safe.
  
  

By following these best practices for cloud security, you can navigate the cloud's complexities, ensuring your data is secured.

How to select an appropriate standard for your business

With so many cloud security frameworks and standards to pick from, finding the right information is vital. Here are some things to remember when using the resources above to build your cloud security strategy.

• Look at major CSPs like Microsoft Azure or Google Cloud. Find out what standards they use and which frameworks they feel are relevant. All good Cloud Services will include information about how to blend client and provider security responsibilities. Specifically, look for System and Organization Controls Type 2 (SOC 2) reports. These reports include detailed audit information about the controls used by each CSP.
• Consult existing expertise within your organization. Internal IT staff may already have researched cloud security issues, and the relevant information may already be available to use.
• Make use of technical organizations that work in the cloud security domain. For instance, the Distributed Management Task Force (DMTF), the European Telecommunications Standards Institute (ETSI), and the Cloud Security Alliance (CSA) are all keen to help cloud users secure data.
  
  

Above all, define your cloud security goals according to business needs. Some organizations may need strong PII protection. Others will focus on data processing and efficiency.

Each company has its own needs and requires a unique mix of security standards. Every company has its own regulatory compliance needs as well. Create a specific solution informed by the frameworks discussed in this article.