Cloud Controls Matrix: How to Secure Your Journey to the Cloud
Organisations across both the public and private sector can struggle with embracing all the advancements that cloud computing brings whilst maintaining control of their data assets in the public cloud. That’s why it is critical to have security cornerstones in place before embarking on your cloud journey.
Governance, compliance, risk management, data visibility, cybersecurity… These are all key to a successful and prosperous future with cloud computing.
This blog walks through some of the common areas of concern for senior leadership in the domain of cloud security and shows how an appropriate cloud control framework, such as the Cloud Controls Matrix from the Cloud Security Alliance (CSA), can inform and provide visibility for staff at all levels across departments.
The Rise of Cloud in the Public vs Private Sector
Over the last 10 years, many organisations across both the public and private sectors have embarked on their journey to the cloud.
While commercial organisations have been relatively quick to embrace the rapid flexibility provided by cloud computing, the public sector has seen slower progress. Many government departments are yet to fully embrace the cloud and the benefits it can deliver, despite the UK Government introducing the ‘Cloud First’ Policy in 2013.
However, the policy has led to a number of departments looking to embrace the public cloud primarily utilising Infrastructure as a Service (IaaS) offerings from public cloud providers—allowing them to move away from traditional on-premises or data centre hosting arrangements.
We’ve already seen many well-reported benefits of this transition to cloud in the sector, including the rapid deployment of the Coronavirus Job Retention Scheme in just a matter of weeks. However, there are still fears around whether the public cloud is secure enough for sensitive government data assets.
The Importance of Security When Managing Data in the Cloud
Cloud computing gives organisations tremendous benefits in agility, resilience and economy—especially when it comes to managing their data. Organisations can move quickly, avoiding the need to purchase and provision expensive hardware.
However, with these benefits come a number of drawbacks relating to the risk of quickly and easily losing control of where data resides. With a couple of clicks of the mouse, data can move halfway across the globe. The result is a greater need for governance, risk and compliance expertise, rather than relying solely on IT Operations teams for support and oversight.
4 Cloud Security Best Practices
Fortunately, there are many tried-and-tested security best practices that you can follow to avoid any major incidents, including:
- Make sure your organisation fully understands the controls it is responsible for vs the cloud provider. This is typically defined in a shared responsibility model.
- Make use of testing approaches such as chaos engineering to build solutions that are fault tolerant, utilising architecture that copes with unplanned failures.
- Invest in cyber security to embed secure foundations for teams to be able to work smarter rather than harder—providing new challenges and development opportunities to staff, rather than focussing IT resources on mundane and repetitive tasks that can impact on staff retention.
- Follow a cloud controls framework to enable the organisation to understand its current posture and help drive focussed improvements and develop capability.
Why Do You Need a Cloud Control Framework?
A cloud control framework enables you to build on the visibility of your cloud environment, giving you the ability to make more informed decisions on appropriate policy, procedures and guidance to support the implementation of proportionate security controls. This allows the organisation to protect both its assets in the cloud and its brand’s reputation.
It is a common mistake for organisations to rely on existing policies and procedures, make minor changes and assume they will be fit for purpose in cloud computing. It is therefore important to align to an appropriate set of security controls.
How Do I Comply With Multiple Regulatory, Legislative and Good Practice Cyber Security Requirements?
There are numerous requirements, frameworks, control sets, standards and good practices in place that relate to cybersecurity, and for UK Government Departments there are even more that are recommended, as well as additional mandatory requirements.
We’ll cover four of these frameworks below including:
- The NIST Cybersecurity Framework
- ISO / IEC 27000 Series of Standards
- Center for Internet Security Critical Security Controls (previously SANS Top 20)
- The Cloud Security Alliance’s Cloud Controls Matrix (CCM)
The NIST Cybersecurity Framework
The NIST Framework for Improving Critical Infrastructure Cybersecurity, often just called the ‘NIST Cybersecurity Framework’, is intended to protect critical infrastructure such as power stations and transport networks. However, its principles can apply to any organisation that is looking to improve its security. It is a voluntary framework consisting of standards, guidelines and best practices for managing cybersecurity risk.
It is based on five functions of cybersecurity: Identify, Protect, Detect, Respond and Recover.
It focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organisation's risk management processes.
The framework is complex and broad in scope and can take thousands of hours of effort to implement along with hundreds of pages of supporting documentation, including procedures and controls etc.
See link for further details about NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
ISO / IEC 27000 Series of Standards
The foundation of the 27000 series of international standards is ISO 27001. This sets out the requirements for an information security management system (ISMS); many organisations around the world have achieved certification against it, verified by an independent party, demonstrating their ongoing commitment to information security.
Within the 27000 series of standards are more than a dozen others that provide standards supported by implementation guidance. This series also includes the 27017 standard that gives guidelines for information security controls applicable to the provision and use of cloud services as well as additional implementation guidance.
These standards require organisations to design and implement appropriate and proportionate information security controls. The purpose of these controls is to mitigate any identified risks. The framework suggests that the organisation implements an appropriate risk management process that is cyclic in nature.
The PDCA (Plan-Do-Check-Act) cycle is a business management method that focuses on four main steps, Plan, Do, Check and Act, which should be applied continuously as change is considered within the organisation.
These 27000 series standards are very comprehensive, with heavy reliance upon supporting documentation for the ISMS; however, they may not include sufficient detail on the technicalities of implementing specific technical controls.
See link for further details about ISO 27000: https://www.iso.org/isoiec-27001-information-security.html
Center for Internet Security Critical Security Controls (previously SANS Top 20)
Formerly known as the SANS Critical Security Controls (SANS Top 20), these are now officially called the CIS Critical Controls. Version 8 of this control set has combined and consolidated controls by activity, reducing the number of controls from 20 to 18.
These 18 Controls are further divided into CIS Safeguards, with approximately 140 Safeguards in total. These Safeguards align to the same five security functions used by NIST: Identify, Protect, Detect, Respond and Recover.
CIS now utilises Controls Implementation Groups (CIGs) to prioritise implementation. The CIS Controls Implementation Groups are self-assessed categories for enterprises. Each IG identifies a subset of the CIS Controls that the community has broadly assessed to be applicable for an enterprise with a similar risk profile and resources to strive to implement. These IGs represent a horizontal look across the CIS Controls and Safeguards tailored to different types of organisations. IG1 is defined as ‘Essential Cyber Hygiene’ to guard against the most common types of attacks.
Although these controls provide good safeguards they do not fully align to the complexities and different challenges introduced to support organisational controls within a cloud environment.
See link for further details about CIS Controls: https://www.cisecurity.org/controls
The Cloud Security Alliance’s Cloud Controls Matrix (CCM)
The Cloud Security Alliance (CSA) is the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
The Cloud Controls Matrix was originally created to help cloud providers secure their cloud offering. But it now details the controls and defines those that are the responsibility of the cloud provider and those that are the responsibility of the cloud consumer, and also details where these are a shared responsibility.
If an organisation is already utilising one of the frameworks mentioned in this blog, or is using another set of guidance such as the National Cyber Security Centre’s Cloud Security Guidance, it is still worthwhile considering adopting the CCM, as it provides high-level controls that address everything from organisational best practice down to technical implementations common across any cloud provider.
The CCM is a cybersecurity control framework for cloud computing that outlines the control and implementation guidance, the guidelines for the auditing of the controls, as well as details of how the control maps to other control frameworks and standards.
These mapped standards and frameworks include CIS v8, PCI DSS v3 and ISO 27001:2013. This allows organisations to develop and track evidence of their implementation of these additional controls within the CCM, and to link back to historical controls or existing certifications.
The CCM (version 4) lists 17 domains covering all key aspects of cloud technology. We have summarised how these can be used within a typical organisation below.
It should be understood that within the 17 domains there are 197 controls; however, only a summary of the domains has been provided here for illustrative purposes. It is key that all these domains and controls are supported by policy, procedures and standards, as well as by technical measures implemented within the cloud in the form of preventative, detective and corrective controls.
Domain 1 - Audit & Assurance
This domain requires organisations to have documented policies and procedures to ensure appropriate governance is in place and that this is supported by a comprehensive document set that outlines key responsibilities for security within the organisation.
It requires independent assurance to be in place, which may be undertaken by the organisation’s internal audit team, and ensures that supporting evidence is available to demonstrate previous audits and any subsequent actions taken to treat identified risks.
Although this domain is non-technical in nature, it requires that the building blocks of a robust Information Security Management System are in place and relevant stakeholders from the organisation are involved at all levels with board level commitment.
Domain 2 - Application & Interface Security
This domain builds upon the policies and procedures, outlining the requirements on them with regard to application security, including guidance for the planning, delivery and ongoing support of the organisation’s application security capabilities. It looks for documented baselines to be in place to ensure that security controls are part of the design.
It requires organisations to have documentation and a definition of the Software Development Lifecycle that includes both security and compliance requirements, and requires segregation of duties to be in place to mitigate risks from an insider threat.
It also looks for evidence that processes are in place to remediate any application security vulnerabilities, which are ideally addressed as early as possible through an automated process included within the development life cycle, reducing both the cost of remediation and the impact of delayed implementation timelines.
Domain 3 - Business Continuity Management and Operational Resilience
This domain looks to ensure that any existing practices and plans are fully aligned to the cloud, as opposed to traditional on-premises Business Continuity (BC) and Disaster Recovery (DR) plans that refer to onsite backup media and restore processes, which are no longer applicable in the cloud.
It requires the organisation to have documented policies that assign responsibilities to key individuals within the organisation, supported by an awareness programme so that all staff are informed of the part they play.
Business Impact Assessments should be conducted to identify key systems and determine their criticality, with plans put in place accordingly.
Domain 4 - Change Control and Configuration Management
This domain ensures that robust processes are in place around change control, including approval processes, which may be fully automated based on risk and predefined criteria for certain types of change.
Controls should also be in place, using cloud-native guardrails, to detect or prevent unwanted or unapproved changes that deviate from an approved baseline: unauthorised assets being created, unauthorised networks being created, or gateways or access controls being altered in ways that deviate from the security baseline and expose data to unnecessary risk.
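The baseline-deviation detection this domain describes, written as an added example (not code from the CSA or the CCM): a small Python check that diffs a constructed inventory snapshot against a constructed approved baseline and labels each finding as an unauthorised asset, an unauthorised network, an altered gateway or access control, or an approved resource removed outside change control. Resource names, regions and rules are assumptions.

```python
"""Baseline drift check for cloud-native guardrails (added example, not CSA/CCM code).

Compares a constructed inventory snapshot with an approved baseline and reports what
Domain 4 asks to be detected: unauthorised assets and networks, altered gateways or
access controls, and approved resources removed outside change control.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Resource:
    kind: str                  # "compute", "network", "gateway" or "access_control"
    name: str
    region: str
    rules: frozenset = field(default_factory=frozenset)  # attachments or firewall rules

@dataclass(frozen=True)
class Deviation:
    category: str
    resource: str
    detail: str

# Wording for a resource that exists but was never approved through change control.
NEW_CATEGORY = {"compute": "unauthorised asset created",
                "network": "unauthorised network created",
                "gateway": "unauthorised gateway created",
                "access_control": "unauthorised access control created"}
# Wording for an approved resource whose configuration has drifted from the baseline.
CHANGED_CATEGORY = {"compute": "asset altered", "network": "network altered",
                    "gateway": "gateway altered", "access_control": "access control altered"}

def find_deviations(baseline, current):
    """Return every deviation of `current` from `baseline`, in a stable order."""
    found = []
    for key, res in current.items():
        approved = baseline.get(key)
        if approved is None:
            found.append(Deviation(NEW_CATEGORY[res.kind], res.name,
                                   f"not in baseline (region {res.region})"))
            continue
        # Same approved resource: report each rule added or removed since sign-off.
        for rule in sorted(res.rules - approved.rules):
            found.append(Deviation(CHANGED_CATEGORY[res.kind], res.name, f"added {rule}"))
        for rule in sorted(approved.rules - res.rules):
            found.append(Deviation(CHANGED_CATEGORY[res.kind], res.name, f"removed {rule}"))
    for key, approved in baseline.items():
        if key not in current:
            found.append(Deviation("approved resource missing", approved.name,
                                   "removed outside change control"))
    return sorted(found, key=lambda d: (d.category, d.resource, d.detail))

def _res(kind, name, region, *rules):
    return Resource(kind, name, region, frozenset(rules))

# Constructed approved baseline: what change control has signed off.
BASELINE = {(r.kind, r.name): r for r in [
    _res("compute", "web-01", "eu-west-2"),
    _res("network", "vpc-prod", "eu-west-2"),
    _res("gateway", "igw-prod", "eu-west-2", "attached:vpc-prod"),
    _res("access_control", "sg-web", "eu-west-2",
         "tcp/443 from 0.0.0.0/0", "tcp/22 from 10.0.0.0/8"),
]}

# Constructed current snapshot, as an inventory export might report it.
CURRENT = {(r.kind, r.name): r for r in [
    _res("compute", "web-01", "eu-west-2"),
    _res("compute", "vm-unapproved-7", "us-east-1"),
    _res("network", "vpc-prod", "eu-west-2"),
    _res("network", "vpc-shadow", "ap-south-1"),
    _res("gateway", "igw-prod", "eu-west-2", "attached:vpc-prod", "attached:vpc-shadow"),
    _res("access_control", "sg-web", "eu-west-2",
         "tcp/443 from 0.0.0.0/0", "tcp/22 from 0.0.0.0/0"),
]}
```

Running `find_deviations(BASELINE, CURRENT)` on the constructed data reports five findings; in practice the same check would be run on each inventory export and each finding raised as an alert or an automatic rollback.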
Domain 5 - Cryptography, Encryption & Key Management
This domain looks to put in place minimum standards for encryption within the organisation, primarily focussed on protecting data at rest and in transit. This should not only protect the data from malicious actors but should also protect the data from being accessed by the cloud provider.
Policies, procedures and guidelines should be put in place around the use and implementation of encryption technologies and key management. Procedures should be in place for generating, exchanging, storing, using and replacing keys.
Domain 6 - Datacenter Security
Although this domain is primarily concerned with the cloud provider, there is one takeaway for the organisation: classify both physical and logical assets. This ensures the organisation maintains appropriate asset registers for physical assets that are onsite or within its data centres, but also maintains a record of cloud assets.
These registers should ensure that such assets are tagged or classified accordingly, which is key to determining and managing risks to not only the asset but the information that the assets and systems process and store.
Domain 7 - Data Security and Privacy Lifecycle Management
The adoption of cloud computing removes traditional perimeters of buildings and data centres. Therefore greater effort needs to be made to ensure that the organisation understands and puts safeguards around the data it has a business and legal requirement to protect.
This domain requires documented processes for the management of data within the organisation based on its classification. There should also be a baseline of security controls applied dependent on the classification of data.
Domain 8 - Governance, Risk and Compliance
Information is key to every organisation, and without proper control of such information it would be impossible to operate a business. This is why it is necessary to implement policy, procedures and guidelines to ensure robust governance processes are in place to identify and apply appropriate controls, which then set the foundation for enterprise risk management.
The governance framework will vary from organisation to organisation but they all require roles, responsibilities and accountability to be established. This helps organisations to provide suitable controls to protect data from both a legislative and regulatory perspective. It also provides visibility through an inventory of controls informing senior managers and providing an important insight to risk within the organisation.
Domain 9 - Human Resources
This domain looks to ensure appropriate background checks are in place when new employees join the organisation, and that these are supported by criteria defined in policy, which may require additional checks for people with privileged access to systems or who may have access to sensitive and confidential data.
Employment contracts should be used to document expectations of employees regarding security, including the requirement not to divulge sensitive information to people outside of the organisation, such as suppliers or clients.
Domain 10 - Identity & Access Management
As cloud computing removes physical boundaries, as well as traditional network perimeters, it is vitally important that identities and associated credentials are afforded even greater protection.
This domain looks to ensure that appropriate controls are in place requiring passwords to meet complexity requirements, to prevent unauthorised access to services; however, passwords should not be so complex that they need to be written down, as this is counterproductive.
Additionally, it is important that multi-factor options are in place for all privileged account access as a minimum, and geographical or time-based restrictions should also be considered based upon the risk or regulatory requirements.
Additional protection should be put in place around access, with the potential for just-in-time access that has to be approved, for a known business need, prior to access being granted.
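The access requirements listed above as an added example (not code from the CSA or the CCM): a Python access-decision function that denies privileged access without MFA, enforces a geographic allow-list and a bounded, pre-approved just-in-time window, and rejects self-approved grants or grants with no recorded business need. The policy values, users and grants are constructed assumptions.

```python
"""Access-decision check for privileged cloud access (added example, not CSA/CCM code).

Evaluates a constructed access request against the Domain 10 expectations: MFA for
privileged access as a minimum, geographic and time-window restrictions where the risk
warrants them, and just-in-time access approved before use for a stated business need.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Session:
    user: str
    privileged: bool
    mfa_verified: bool
    country: str            # session origin as reported by the identity provider

@dataclass
class JitGrant:
    user: str
    role: str
    approved_by: Optional[str]   # None until an approver has signed off
    business_need: str
    starts: datetime
    ends: datetime

@dataclass
class Policy:
    allowed_countries: frozenset
    max_grant: timedelta = timedelta(hours=4)   # longest JIT window the policy permits

def evaluate(session, grant, policy, now):
    """Return the reasons the request must be denied; an empty list means allow."""
    reasons = []
    if session.privileged and not session.mfa_verified:
        reasons.append("privileged access requires multi-factor authentication")
    if session.country not in policy.allowed_countries:
        reasons.append(f"session from {session.country} is outside the permitted regions")
    if grant.user != session.user:
        reasons.append("grant was issued to a different identity")
    if grant.approved_by is None:
        reasons.append("just-in-time grant has not been approved")
    elif grant.approved_by == grant.user:
        reasons.append("just-in-time grant cannot be self-approved")
    if not grant.business_need.strip():
        reasons.append("no business need recorded for the grant")
    if grant.ends - grant.starts > policy.max_grant:
        reasons.append("grant window exceeds the policy maximum")
    if not grant.starts <= now < grant.ends:
        reasons.append("request is outside the approved time window")
    return reasons

# Constructed sample data: one compliant request and one that fails several checks.
POLICY = Policy(allowed_countries=frozenset({"GB"}))
NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)

GOOD_SESSION = Session("alice", privileged=True, mfa_verified=True, country="GB")
GOOD_GRANT = JitGrant("alice", "prod-admin", approved_by="carol",
                      business_need="INC-1234 database failover",
                      starts=NOW - timedelta(minutes=5), ends=NOW + timedelta(hours=2))

BAD_SESSION = Session("bob", privileged=True, mfa_verified=False, country="GB")
BAD_GRANT = JitGrant("bob", "prod-admin", approved_by="bob", business_need="",
                     starts=NOW - timedelta(hours=3), ends=NOW - timedelta(hours=1))
```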
Domain 11 - Interoperability & Portability
This domain looks to ensure that organisations have common ways of communicating with application interfaces, and that application development is carried out in a common and consistent way.
This therefore allows organisations to easily move between cloud providers if the need arises but it also provides flexibility for organisations to choose from multiple cloud providers and use services that may not be available from their current provider.
This domain also looks to ensure that data formats are consistent and use well supported formats and standards to allow for seamless transfer between providers and also allow for simple data onboarding and offboarding.
Domain 12 - Infrastructure & Virtualisation Security
Although the majority of this domain is applicable only to the cloud provider, it does cover areas such as capacity and resource planning to ensure business requirements relating to system performance, availability and capacity are fully considered and documented prior to the designing of any systems.
This domain also requires that secure and encrypted communications are in place to support the migration of services to the cloud, and that they meet best practice and protect against potential interception or attack by unauthorised actors.
Domain 13 - Logging & Monitoring
With the non-persistent nature of cloud computing it is critical that processes are put in place to collate log data into a secure location and strictly control access, and prevent anyone from altering or destroying log data. This should be supported by documented policies and procedures so that appropriate logs are collated and monitored in a timely manner.
Due to the amount of logging possible within the cloud, it is important to define a logging strategy that is supported by logging requirements to ensure all systems being deployed feed into a central repository for log data that is analysed appropriately using automation for detection and remediation where possible.
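To illustrate the two points in this domain, preventing log data from being altered or destroyed and analysing the central store with automation, an added example (not code from the CSA or the CCM): a hash-chained central log store in Python whose verify() detects an edited, reordered or removed record, plus one detection rule run over constructed audit events. The event shape, field names and alert threshold are assumptions.

```python
"""Tamper-evident central log store with a detection rule (added example, not CSA/CCM code).

Each record appended to the central repository carries a SHA-256 over its sequence
number, its content and the previous record's hash, so editing, reordering or removing
an earlier entry breaks the chain and is caught by verify(). The events are constructed.
"""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64   # previous-hash value for the very first record

class LogChain:
    def __init__(self):
        self.records = []   # each: {"seq", "entry", "prev_hash", "hash"}

    @staticmethod
    def _digest(seq, entry, prev_hash):
        payload = json.dumps({"seq": seq, "entry": entry, "prev": prev_hash}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, entry):
        """Append one event; returns its hash so an external witness can record it."""
        seq = len(self.records)
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": seq, "entry": entry, "prev_hash": prev_hash,
               "hash": self._digest(seq, entry, prev_hash)}
        self.records.append(rec)
        return rec["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, index of the first broken record)."""
        prev_hash = GENESIS
        for index, rec in enumerate(self.records):
            if rec["seq"] != index or rec["prev_hash"] != prev_hash:
                return False, index          # record removed, reordered or inserted
            if rec["hash"] != self._digest(rec["seq"], rec["entry"], rec["prev_hash"]):
                return False, index          # record content edited after the fact
            prev_hash = rec["hash"]
        return True, None

def failed_login_alerts(chain, threshold=3):
    """Automated detection over the central store: users with repeated failed logins."""
    failures = Counter(rec["entry"]["user"] for rec in chain.records
                       if rec["entry"]["event"] == "ConsoleLogin"
                       and rec["entry"]["result"] == "failure")
    return sorted(user for user, n in failures.items() if n >= threshold)

# Constructed sample events in the shape a cloud audit trail might export.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01Z", "user": "alice", "event": "ConsoleLogin", "result": "success"},
    {"time": "2024-03-01T09:02:10Z", "user": "bob", "event": "ConsoleLogin", "result": "failure"},
    {"time": "2024-03-01T09:02:25Z", "user": "bob", "event": "ConsoleLogin", "result": "failure"},
    {"time": "2024-03-01T09:02:41Z", "user": "bob", "event": "ConsoleLogin", "result": "failure"},
    {"time": "2024-03-01T09:05:00Z", "user": "alice", "event": "DeleteTrail", "result": "success"},
]

def build_chain(events):
    """Load events into a fresh chain, copying each so the source list stays untouched."""
    chain = LogChain()
    for event in events:
        chain.append(dict(event))
    return chain
```

The chain only makes tampering detectable; the access controls the domain describes still have to stop the store itself from being rewritten, and the latest hash should be copied somewhere the log writers cannot reach.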
Domain 14 - Security Incident Management, E-Discovery & Cloud Forensics
Security incident processes used for on-premises or data centre hosting are no longer sufficient with cloud computing, as it is no longer possible to gain access to physical hardware. It is therefore important that policies and procedures are in place to preserve potentially compromised services for investigation and evidence collection, but also to ensure that adversaries are prevented from gaining access and that the blast radius of a compromise is controlled.
These processes and procedures should include lines of communication to those responsible for investigating incidents, to those responsible for management and for communication with senior board-level stakeholders, and to external parties such as law enforcement, specialist forensic experts and regulatory authorities.
Domain 15 - Supply Chain Management, Transparency and Accountability
Understanding and documenting the Shared Responsibility Model is fundamental when working with cloud computing, as the consuming organisation needs to fully understand what they are responsible for and ensure that responsibilities are assigned appropriately.
If organisations are consuming Infrastructure as a Service (IaaS) then this is quite simple, and the lines are clearly defined between the provider and the consuming organisation. However, if organisations are procuring IaaS and are then building applications to sell to consumers as Software as a Service (SaaS), it is key that all parties' responsibilities are understood and defined within contracts and service level agreements.
Domain 16 - Threat & Vulnerability Management
The basis of this domain is identifying vulnerabilities and responding quickly to mitigate them.
There are two main approaches when dealing with vulnerabilities in a typical cloud server deployment. The first is by applying the appropriate patches to prevent the vulnerability being leveraged. The other approach is to make your server infrastructure immutable, and once a vulnerability has been identified you simply remove the server and deploy a new version that is up to date and patched accordingly.
This second approach was not possible prior to cloud computing but the ability to define infrastructure as code allows for near instant deployment of the latest version, and also provides flexibility to increase server capacity to respond to increased demands.
Domain 17 - Universal Endpoint Management
Endpoints are the weak point that provides attackers with an entry into the organisation’s systems, by exploiting vulnerabilities on the device or by enticing staff to click on a malicious link. The endpoint is therefore important to protect, as it allows direct access to cloud infrastructure, and controls need to be in place to mitigate endpoints being compromised and giving malicious actors access to the cloud.
Additional thought is needed when the organisation permits access to its data and systems by personally owned mobile phones and laptops, as it may be necessary to gain some control over these devices to protect the organisation; this is usually addressed in a Bring Your Own Device (BYOD) Policy.
On a journey to the cloud, it is important that the appropriate level of security is applied to allow the team to innovate, but also to ensure that appropriate guardrails are in place to enforce mandatory requirements and to detect and alert on deviations away from good practice, for awareness and education.
All of this should be backed up by appropriate levels of documentation and evidence to satisfy internal stakeholders as well as external legislative and regulatory parties, and should undergo continual review and improvement so that it can develop along with organisational and business change.
As highlighted at the beginning of this blog, there are numerous frameworks aimed at improving an organisation’s security, many of which address cloud-focused considerations to varying degrees. While any improvement in security practices is to be encouraged, and any choice of framework will bring about improvement in one form or another, the CSA’s Cloud Controls Matrix is best suited to any organisation wishing to fully harness the benefits of modern cloud deployments.