Cloud Security Controls: Key Elements and 4 Control Frameworks
What Are Cloud Security Controls?
Cloud security controls are the safeguards that protect cloud environments from vulnerabilities and minimize the fallout of malicious attacks. They are a central element of any cloud computing strategy.
The term is relatively broad: it encompasses the procedures, practices, and guidelines that must be in place to safeguard cloud environments. Cloud security controls help organizations evaluate, implement, and address cloud security.
As cloud computing is distinct from an on-site deployment, it is logical to assume that cloud security will also differ. It is important that organizations appreciate this difference prior to migrating to the cloud. It is also essential for organizations to put security controls in place as soon as they complete the migration – or even during the migration.
While cloud service providers have a variety of cloud security services and tools to safeguard a customer’s applications and networks, in-house administrators must put in place the right security measures. When organizations migrate sensitive information and applications to the cloud, users access data and apps remotely. As a result, administrators also need to put in place appropriate cloud-based user access controls.
Key Elements of Cloud Security Controls
The following are key capabilities cloud security controls should provide.
Centralized Visibility of Cloud Infrastructure
Different cloud providers, or even different services within the same cloud, have a variety of configurations and security best practices. Keeping track of all your cloud services and ensuring each of them is securely configured is a major challenge.
One security control that can assist with this challenge is a Cloud Workload Protection Platform (CWPP). This is a newer type of security solution that integrates with cloud providers and provides visibility into an organization’s security posture. Such platforms automatically review the configuration of cloud services and applications, identify security issues, and enable IT teams to respond rapidly.
Native Integration Into Cloud Provider Security Systems
Cloud security controls must be directly integrated with cloud provider security features. For example, cloud security solutions need to have API-level integration with security systems like Amazon Inspector and GuardDuty, Azure Security Center, and Google Cloud Platform Flow Drivers.
If you use software as a service (SaaS), you may also need a cloud access security broker (CASB), which integrates and regulates access to SaaS software and helps identify specific risks related to the applications you are using.
Automation
Cloud security controls must be automated to account for the highly dynamic nature of a cloud environment and to lessen the burden on small teams. The cybersecurity skills shortage means that security analysts, especially those with cloud experience, are in short supply. Tools need to detect threats and respond autonomously to be effective.
An important aspect of automation is that security controls should be self-updating, able to change their security policies when new features or configurations are introduced in cloud systems. Any tool that requires manual tuning of security policies can create major administrative overheads for security teams.
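The configuration-review and policy-as-data ideas from the visibility and automation sections above, as an added example that is not part of the original article or any vendor's product. It evaluates a constructed multi-cloud inventory against a small rule set kept as data, so rules can be extended or reloaded without touching the checker; the resource field names and rule names are assumptions for this example, not any provider's real API schema.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory: the kind of resource descriptions a CWPP/CSPM-style
# tool would pull from provider APIs. Field names are assumptions for this example.
SAMPLE_INVENTORY = [
    {"provider": "aws", "type": "storage_bucket", "id": "bkt-logs",
     "public_access": False, "encryption": True},
    {"provider": "aws", "type": "storage_bucket", "id": "bkt-uploads",
     "public_access": True, "encryption": False},
    {"provider": "azure", "type": "firewall_rule", "id": "fw-ssh",
     "port": 22, "source_cidr": "0.0.0.0/0"},
    {"provider": "gcp", "type": "firewall_rule", "id": "fw-internal",
     "port": 5432, "source_cidr": "10.0.0.0/8"},
    {"provider": "gcp", "type": "disk", "id": "disk-db", "encryption": False},
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    provider: str
    rule: str
    severity: str


def _world_reachable(res):
    """True when the rule's source range is the whole address space (0.0.0.0/0 or ::/0)."""
    net = ipaddress.ip_network(res["source_cidr"], strict=False)
    return net.prefixlen == 0


# Policy rules are data, not code paths: (name, severity, resource type, predicate).
# Adding a rule for a new service or configuration means appending an entry here
# (or loading a newer rule file), not rewriting the evaluator.
POLICY_RULES = [
    ("public-storage", "high", "storage_bucket", lambda r: bool(r.get("public_access"))),
    ("unencrypted-storage", "medium", "storage_bucket", lambda r: not r.get("encryption")),
    ("unencrypted-disk", "medium", "disk", lambda r: not r.get("encryption")),
    ("admin-port-open-to-world", "critical", "firewall_rule",
     lambda r: r["port"] in (22, 3389) and _world_reachable(r)),
]


def evaluate(inventory, rules=POLICY_RULES):
    """Apply every rule whose resource type matches; return one Finding per violation."""
    findings = []
    for res in inventory:
        for name, severity, rtype, predicate in rules:
            if res["type"] == rtype and predicate(res):
                findings.append(Finding(res["id"], res["provider"], name, severity))
    return findings


def summarize(findings):
    """Count findings per severity so a team can triage the worst first."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity}] {f.provider}/{f.resource_id}: {f.rule}")
    print(summarize(results))
```

Because the evaluator only knows resource types and predicates, the same loop runs unchanged across providers; what differs per provider is the inventory collector that produces these records, which is the part a real platform integrates with each cloud's APIs.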
Threat Intelligence Feeds
Cloud security controls must use threat intelligence to identify known attack patterns and to provide prior knowledge about specific attackers and hacker groups. Cloud security solutions enriched with threat intelligence are better able to identify attacks, guide human responses, and in many cases respond automatically to mitigate the threat.
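The enrichment step described above, as an added example that is not part of the original article or any vendor's product: a small threat-intelligence feed of indicators (exact IPs, CIDR ranges, domains) is indexed once and then matched against cloud audit-log events, so an analyst sees only the events that touched a known-bad indicator and why. The feed, the log lines, and their field names are all constructed for this example and do not follow any real feed or provider log schema.

```python
import ipaddress
import json

# Constructed threat-intelligence feed (not a real feed). Values use documentation
# address ranges and a reserved TLD so nothing here points at a real host.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "label": "known C2 server"},
    {"type": "cidr", "value": "198.51.100.0/24", "label": "bulletproof hosting range"},
    {"type": "domain", "value": "update-check.example", "label": "phishing landing domain"},
]

# Constructed cloud audit-log events, one JSON object per line. Field names are
# assumptions for this example, not any provider's log schema.
SAMPLE_LOGS = """\
{"time": "2024-05-01T10:00:01Z", "user": "alice", "src_ip": "10.0.0.5", "action": "ConsoleLogin", "dst_host": ""}
{"time": "2024-05-01T10:02:17Z", "user": "alice", "src_ip": "203.0.113.45", "action": "ConsoleLogin", "dst_host": ""}
{"time": "2024-05-01T10:05:40Z", "user": "svc-backup", "src_ip": "10.0.0.9", "action": "DnsQuery", "dst_host": "Update-Check.example."}
{"time": "2024-05-01T10:06:02Z", "user": "bob", "src_ip": "198.51.100.77", "action": "GetObject", "dst_host": ""}
"""


class IndicatorIndex:
    """Normalises the feed once so each per-event lookup is cheap."""

    def __init__(self, feed):
        self.exact_ips = {}
        self.networks = []
        self.domains = {}
        for ioc in feed:
            if ioc["type"] == "ipv4":
                self.exact_ips[ioc["value"]] = ioc["label"]
            elif ioc["type"] == "cidr":
                self.networks.append((ipaddress.ip_network(ioc["value"]), ioc["label"]))
            elif ioc["type"] == "domain":
                self.domains[ioc["value"].lower().rstrip(".")] = ioc["label"]

    def match_ip(self, ip_str):
        """Exact-IP hit first, then CIDR containment; None when clean or unparsable."""
        if ip_str in self.exact_ips:
            return self.exact_ips[ip_str]
        try:
            addr = ipaddress.ip_address(ip_str)
        except ValueError:
            return None
        for net, label in self.networks:
            if addr in net:
                return label
        return None

    def match_domain(self, host):
        """Case- and trailing-dot-insensitive; a subdomain of a listed domain also hits."""
        host = host.lower().rstrip(".")
        if not host:
            return None
        parts = host.split(".")
        for i in range(len(parts)):
            candidate = ".".join(parts[i:])
            if candidate in self.domains:
                return self.domains[candidate]
        return None


def enrich(log_text, index):
    """Return only the events with a threat-intel hit, each annotated with the indicator label."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = index.match_ip(event.get("src_ip", "")) or index.match_domain(event.get("dst_host", ""))
        if label:
            hits.append({**event, "ti_label": label})
    return hits


if __name__ == "__main__":
    for hit in enrich(SAMPLE_LOGS, IndicatorIndex(SAMPLE_FEED)):
        print(f'{hit["time"]} {hit["user"]} {hit["action"]}: {hit["ti_label"]}')
```

The domain matcher walks up the label hierarchy so that a listed domain also catches its subdomains, and the IP matcher tries the cheap exact-value dictionary before the CIDR scan; both normalisations (lower-casing, stripping the trailing dot) are the kind of detail that silently drops matches when a feed and a log source format indicators differently.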
What Are Cloud Security Frameworks?
Cloud security frameworks describe, for the wider industry, the security measures that apply to cloud environments. As with any security framework, they consist of a set of controls together with guidance on using them, as well as validation, control management, and other aspects of securing cloud deployments.
Establishing a framework’s practices and controls benefits both cloud customers and cloud service providers (CSPs). It provides a common frame of reference for discussing security measures and practices. There is an almost infinite variety of potential countermeasures an organization could use to protect its environment; a shared list of accepted controls helps CSPs decide how to spend their budget and time, and gives customers guidance on which security mechanisms to expect as standard when assessing a CSP.
Frameworks may also provide the benchmark for evaluation. They offer a helpful baseline for cloud customers to assess providers or compare security measures between providers. They can be used by service providers to show their security practices, as a component of their sales narrative, or to help with pre-engagement vetting. The more prescriptive and specific the controls in the framework are, the more useful they are in evaluations.
If employed strategically, frameworks minimize work for both the CSP and the customer. For the customer, the controls can provide the foundation for an evaluation checklist or a set of evaluation criteria. For the service provider, they can reduce the number of disparate, one-off assessment questionnaires received from customers. Frameworks make customer vetting more efficient by letting providers prepare narratives, organize responses, and gather evidence against a known set of criteria rather than separately for every customer they might encounter.
4 Cloud Security Control Frameworks
Here are some of the leading frameworks for cloud security controls.
MITRE ATT&CK Framework
The MITRE ATT&CK framework is a globally accessible knowledge base and model for cyber adversary behavior, offering detailed and current cyber threat guidelines for organizations that want to improve their cybersecurity approach.
The MITRE ATT&CK Matrix for Enterprise features specific techniques and tactics for Linux, Windows, and macOS used by malicious actors. The updated MITRE ATT&CK Cloud Matrix framework provides information about specific techniques of attack for Azure, Microsoft 365, Google Cloud Platform (GCP), AWS, and additional cloud providers. When choosing appropriate cloud controls and security solutions, organizations should attempt to map their coverage against the appropriate MITRE ATT&CK frameworks for maximum effectiveness.
NIST Cybersecurity Framework
In 2014, the National Institute of Standards and Technology (NIST) developed a voluntary framework to guide organizations in preventing, detecting, and responding to cyberattacks. Its assessment procedures and methods allow organizations to evaluate whether their security measures operate as required, test that they are implemented correctly, and produce the required outcome (meeting the organization’s security requirements). The NIST framework is updated continuously to keep pace with cybersecurity developments.
CIS Controls
The Center for Internet Security (CIS) created a list of high-priority defensive activities that offer a starting point for organizations to stop cyberattacks. The SANS Institute, which created the CIS controls, notes that the framework works because it is based on the most prevalent attack patterns highlighted in leading threat reports and has been vetted by a wide community of government and industry experts.
Organizations may use these frameworks to create a personal security framework and IT security practices.
CSA Cloud Controls Matrix (CCM)
The CSA Cloud Controls Matrix (CCM) is based on the shared responsibility model used in cloud computing environments. It is a cybersecurity control framework with 16 domains addressing all central components of cloud technology; these domains are broken down into 133 control objectives. The CCM can serve as a tool for assessing a cloud implementation by indicating which security measures should be put in place by which actor in the cloud supply chain.
Every control in the CCM specifies who must carry it out (i.e., the cloud customer or the CSP) and which cloud service model (PaaS, IaaS, or SaaS) or deployment model (hybrid, private, or public) the control applies to. The CCM thus delineates the roles and responsibilities of a cloud customer and a cloud service provider by stating which control guidance applies to each entity.
Cloud Security with Exabeam
Even if an all-cloud initiative is not in motion, it’s likely your organization will be moving operations into the cloud in the near future. Before taking this step, it’s critical to assess how you will secure cloud operations by understanding the related security and compliance issues. Fortunately, a modern security information and event management (SIEM) and/or extended detection and response (XDR) solution lets your analysts address enterprise cloud security with advanced monitoring, behavioral analytics, and automation.
A modern approach automatically collects alert data from across multiple clouds, detects deviations from normal user and entity activity using behavioral analytics, and helps analysts quickly respond to attacks on cloud applications and infrastructure. A Next-Gen SIEM or XDR can help you combat increasingly targeted and complex attacks and insider threats by augmenting other cloud security solutions, such as Identity and Access Management (IAM), Cloud Access Security Broker (CASB), and Secure Access Service Edge (SASE) solutions, to better detect, investigate, and respond to cloud-based attacks, all while minimizing false positives.
As cloud-delivered offerings, Exabeam Fusion SIEM and Fusion XDR address cloud security in multiple ways to ensure the protection of sensitive data, applications, and infrastructure. As the leader in Next-Gen SIEM and XDR, Exabeam dramatically improves SOC productivity by helping teams detect, investigate, and respond to cyberattacks in 51 percent less time. Here are a few of the ways Exabeam is a key player in cloud security:
- Collects alert data by direct ingestion from dozens of cloud security tools and popular cloud-based services across multiple enterprise clouds, in addition to hundreds of other products
- Detects new and emerging threats with behavioral analytics
- Provides machine-built timelines to improve analyst productivity and reduce response times by automating incident investigation
- Includes response playbooks using pre-built connectors and hundreds of actions to contain and mitigate threats
- Offers pre-built compliance packages (Exabeam Fusion SIEM)
- Supports detection and investigation with mappings to MITRE ATT&CK and the availability of the Exabeam Threat Intelligence Service, a daily updated stream of indicators of compromise (IoCs) such as malicious IP addresses and domains
- Augments other cloud security solutions like IAM and CASB to better detect, investigate, and respond to cloud-based attacks while minimizing false positives