A Complete Guide to Cloud Security Frameworks
With so many applications and data residing in the cloud, using a security framework to help protect your cloud infrastructure is a necessity for organizations.
The Cloud Security Framework is a set of guidelines and controls to help protect an organization's cloud infrastructure. It provides security benchmarks, validation, and certification for cloud computing service providers and their customers.
Cloud computing has become less of an active architectural choice and more of a de facto adoption strategy for new applications. Fewer and fewer organizations are purposefully choosing on-premises or hosted deployments for new deployments; instead, most are choosing cloud deployments.
Regardless of the deployment model, securing an organization's technical environment is essential. However, securing a cloud environment is different from other environments, so the industry needs targeted resources on securing cloud platforms. There is considerable valuable guidance published on how to best protect cloud usage and keep it secure over the long term.
When it comes to securing cloud computing usage, practitioners can choose from a range of available guidance. At one end, there is detailed technical guidance, often from the cloud providers themselves. This is useful when seeking to answer a specific, often technical question, such as, how do I set up encryption for blob storage in XYZ environment? This type of guidance is less useful when looking at how to secure a cloud environment holistically and architecturally. In contrast, higher-level guidance tends to be vendor-agnostic—that is, applicable to different cloud environments—but has little to do with specific, detailed questions.
One type of guidance is cloud security frameworks. These frameworks can provide significant utility to practitioners. First, just as general security frameworks can generally help you define your overall security posture across the technology landscape, cloud security frameworks do this specifically for cloud deployments. They also have added value. For example, cloud security frameworks can help validate existing security measures and conduct pre-engagement reviews.
What is a cloud security framework?
It may be easiest to understand cloud frameworks through the lens of more general security frameworks—that is, guidance that is not specific to the cloud. There are many broad security frameworks, including governance frameworks (e.g., COBIT and ITIL), architectural frameworks (e.g., SABSA, TOGAF), management standards (e.g., ISO/IEC 27001), and NIST's Cybersecurity Framework. Just as these frameworks can be broadly applied to any technology area or security program, they also apply to the cloud.
Various general network security frameworks exist.
In addition to these general frameworks, there exist multiple specialized frameworks that may be relevant to use cases and scenarios; an example of this is the HITRUST Generic Security Framework in a healthcare scenario or PCI DSS in a payment scenario.
These frameworks are useful to practitioners but are not specific to cloud computing. They can certainly be used to help inform an organization’s cloud posture, but cloud-specific frameworks may be more useful. There are a few important ones to know about, including the Cloud Security Alliance (CSA), the Cloud Controls Matrix (CCM), the Cloud Security Alliance’s Security, Trust, Assurance, and Risk (STAR) Registry, the Federal Risk and Authorization Management Program (FedRAMP), and ISO/IEC 27017. Also important are the Center for Internet Security (CIS) Critical Security Controls, especially when used in conjunction with the Cloud Companion Guide. There are many others with broad cloud applicability, but the ones mentioned here are frequently used, well respected throughout the industry, specific to cloud computing, and equally useful to CSPs and their customers.
Cloud Security Frameworks provide information to the broader industry about security measures applicable to cloud environments. As with any security framework, these frameworks include a set of controls with specific guidance on controls (including intent and strictness), control management, validation, and other information relevant to protecting cloud use cases.
Types of Cloud Security Frameworks
Each framework has its own focus and goals; they are all unique. However, it is useful to think of them in terms of a taxonomy. Doing so can help clarify which ones might be most useful for what purposes. At a high level, the various frameworks can be grouped into the following categories:
• Generic frameworks. These frameworks are generic and attempt to provide broad guidance on control selection, scope, state, etc. for cloud environments.
• Ties into existing broader frameworks. This includes cloud-specific guidance that exists as part of a broader ecosystem rather than being cloud-centric. An example is the CIS Cloud Companion Guide, which ties specific cloud controls together with non-cloud-specific CIS key controls.
• Control-specific guidance. There is also guidance that is more specific than the general framework, including some that is targeted to a particular control or control family. An example is NIST Special Publication (SP) 800-210, “Guidelines for Generic Access Controls for Cloud Systems,” which is specific to cloud but also focuses on a control family and topic—in this case, access control rather than the more general cloud.
• Certification frameworks. Some available guidance directly or indirectly supports certification efforts. For example, CSA’s CCM is useful for its STAR program registration. Similarly, FedRAMP is an certification tool that allows US federal agencies to use cloud services.
There is some overlap between these categories. For example, ISO/IEC 27017:2015 (Information technology – Security techniques – Specification of practice for information security controls for cloud services based on ISO/IEC 27002) checks several boxes related to the above categories. On the one hand, it is a general framework applicable to most cloud deployments. It also exists in the broader ecosystem (ISO/IEC 27001 and 27002). In addition, it is a potential target for certification.
How is a cloud security framework useful?
Using a framework as a set of controls and practices is beneficial to both cloud service providers and cloud customers for several reasons. First, a canonical list of controls and countermeasures helps guide practitioners to specific measures they can evaluate and use in their own environments. Second, the list provides a reference framework in which to discuss security practices and specific security countermeasures; this provides a basis for security-related negotiations, such as those between cloud consumers and providers regarding their respective responsibilities in a shared responsibility model.
Furthermore, there are an almost infinite number of possible countermeasures that organizations can employ to protect their environments. Having a list of generally accepted controls can help cloud providers decide how to invest their time and budget, and provide guidance to customers on what standard security mechanisms they should look for when evaluating cloud providers.
Specifically, frameworks can serve as baselines for evaluation: they provide a structure for cloud customers to evaluate providers or compare security practices between providers. They can also help service providers demonstrate their security practices, either to help their customers with pre-contract reviews or as part of their sales narrative. The more specific and prescriptive the controls specified in the framework, the better it is for this evaluation capacity.
If used strategically, frameworks can reduce effort and provide value to both customers and cloud providers. As the basis for an evaluation checklist, they reduce work for potential customers. Frameworks also reduce work for cloud providers by reducing the number of different, one-off evaluation questionnaires that customers may submit to providers. Even if customers insist on using their own questionnaires, frameworks can still simplify the work involved in customer reviews, enabling providers to organize responses, prepare narratives, and gather evidence based on a known set of criteria, rather than individually for each customer they may encounter.
How to choose a cloud security framework
Adopting a cloud security framework is a relatively simple process, but it does differ depending on whether you are a customer or a cloud service provider. For customers, which company to choose will depend largely on the company's broader project and business context. For example, a U.S. federal government agency or contractor will almost certainly investigate FedRAMP first. FedRAMP provides a set of validation criteria based on standard security measures and simplifies the registration of CSPs for government use. A large multinational organization whose security program is already built on ISO/IEC 27001 and combined with controls from ISO/IEC 27002 may find ISO/IEC 27017 to be a better fit as the controls will be familiar and it will align directly with existing security programs.
Cloud computing service providers (CSPs) should adopt a set of frameworks, both cloud and security, that are known and accepted in the markets they serve. As mentioned above, one of the reasons to consider these specific frameworks is the assurance programs they support. For FedRAMP, a CSP can become a FedRAMP Authorized Service Provider. A CSP can be certified to ISO/IEC standards or any ISO management system standard. CSA has its Consensus Assessment Initiative Questionnaire, built on the CCM and its STAR Registry, which demonstrates the effectiveness of compliance. The framework that a CSP should support is the one that is likely to have the most recognition among its customers.
Whichever you choose, a cloud security framework can aid cloud security efforts. Frameworks provide a common language for discussing specific controls, as well as a baseline for assessment and certification; they create a backbone for security efforts within an organization. Learning the available framework options is worth the time.
Best Practices
When evaluating and deciding which framework (or combination of frameworks) is right for you, keep the following best practices in mind:
1. Tailor the framework to your business. Pay special attention to frameworks that tie into your broader business scenarios. As mentioned above, if you are a U.S. federal agency, a structure like FedRAMP may be preferable.
2. Tailor the framework to your security program. Also, consider your broader security program when evaluating the framework. If your security program is built around ISO/IEC 27001/27002, then ISO/IEC 27017 may be a better fit for you than, for example, CIS controls.
3. But be consistent. Remember this is a marathon, not a sprint; keep a manageable pace. Depending on the scenario and your organization, using a framework can involve a lot of work, especially if you are new to cloud computing or your security program is maturing. Don't try to do it all at once. Just like an exercise regimen, it's easier to use a framework if you start slowly and build up a framework. Don't be the person who goes to the gym for three hours on the first day and is so sore the next day that he can't get back. Instead, seek continuous improvement over time.
The future of cloud security frameworks
It’s useful to think about how frameworks might change. While no one knows exactly how or when they will emerge, they’ll probably evolve in a number of ways.
Over time, one might expect to see formalization and maturity. In the early days of cloud, there was a lot of pressure for guidance like these frameworks because cloud models were new and it was difficult for practitioners to secure them. As cloud becomes more common — and is now the canonical deployment model — there is an opportunity for guidance to mature in depth of coverage and to more fully handle edge cases.
Another thing we may see is the inclusion of new technologies that were actively and frequently used when these frameworks were first conceived, but that are less prescriptive. For example, technologies such as service meshes and infrastructure as code. Both can work almost seamlessly with cloud environments, but the existing guidance may not directly address this. Expect new iterations and updates to the guidance to address these technologies. This could be achieved through the issuance of supplementary materials (e.g., technology-specific addenda) or future improvements to the frameworks themselves.
Finally, and perhaps most directly useful to practitioners, expect to see professional community-building expertise and familiarity with existing guidance, perhaps in the form of secondary source guidance—e.g., expert-written guides and how-to tips like this one—designed to help practitioners use these resources effectively.