This post covers some aspects of information security related to cloud services.
Cloud Security Components
On this section you can find different components that are relevant to cloud security.
A Cloud Access Security Broker (CASB) scans the security between on-premise devices and the cloud.
Secure Access Service Edge (SASE) integrates the security within the network.
Cloud Security Posture Management (CSPM) checks that cloud configuration is safe enough. It is related to static security. When this component is specific to SaaS it is called SaaS Security Posture Management (SSPM).
Cloud Workload Protection (CWP) or Cloud Workload Protection Platform (CWPP) helps to monitor security in a cloud. It is related to dynamic security.
Cloud Infrastructure Entitlements Management (CIEM)
Cloud Security Information Event Management (CSIEM) collects logs from cloud, analyze data and triggers alerts or perform actions under certain circumstances. It is the same concept as a SIEM, but for the cloud.
Cloud Detection and Reponse (CDR)
Web Application and API Protection (WAAP) protects applications and the traffic through an API.
Data Loss Prevention (DLP) provides controls to prevent or avoid the loss of data within an organization.
Information Rights Management (IRM) helps to protect the legal rights on intellectual property.
Identity and Access Management (IAM) manages identity and authorization.
A Cloud-native Application Protection Platform (CNAPP) integrates many of these services.
Cloud Security Standards
List of Cloud Security Standards:
- ISO/IEC 27017
- NIST SP 800-144
- NIST SP 500-29x
NIST SP 800-53 provides a catalog of security and privacy controls. It is not directly related to cloud, but it is being adopted by some organizations in the context of cloud.
If your organization is a federal institution within the USA, FIPS publications about cloud security may be relevant.
ISO/IEC 27017
ISO/IEC 27017 is an international standard to make a safer cloud-based environment.
It is not certifiable.
NIST SP 800-144
NIST SP 800-144 “Guidelines on Security and Privacy in Public Cloud Computing”.
NIST SP 500-29x
NIST-SP 500-291 “NIST Cloud Computing Standards Roadmap”.
NIST-SP 500-292 “NIST Cloud Computing Reference Architecture”.
Cloud Security Control Frameworks
List of Cloud Security Control Frameworks:
- CSA CCM
CSA CCM
CSA Cloud Control Matrix (CSA CCM) can be checked on this external link.
Cloud Security Compliance
You can read more about cloud security compliance on this post.
Cloud Security Certifications
FedRAMP
FedRAMP is a certification that is mandatory for companies that want to work with public organizations in the USA.
Cloud Security Organizations
Organizations related to Cloud Security:
- Cloud Security Alliance (CSA)
- Cyber Risk Institute
Cloud Security Resources
Cloud Control Matrix (CCM) by Cloud Security Alliance (CSA).
CIS Benchmarks for cloud
Cloud Security Tools
You can find cloud security tools on this post.
Cloud Security Certifications for Professionals
Certified Cloud Security Professional (CCSP) by (ISC)2.