Cloud Security Standards: ISO, PCI, GDPR and Your Cloud

    What Are Cloud Security Standards?

    With the shift towards cloud infrastructure, compliance standards had to evolve. Cloud services and platforms are now required to maintain compliance with different federal, international, local, and state security laws, regulations and standards. 

    Compliance standards such as ISO/IEC 27001, PCI DSS, HIPAA and GDPR have specific requirements that carry over to cloud environments. Where mandatory government regulations are concerned, violations may result in legal penalties such as fines.

    In addition to general compliance standards, cloud-specific guidance has evolved to help organizations build and verify a secure cloud environment. This includes the Center for Internet Security (CIS) Foundations Benchmarks, the Cloud Security Alliance (CSA) Cloud Controls Matrix, and the architecture frameworks published by the major cloud providers.

    About this Explainer:

    This content is part of a series about cloud security.


    The Need for Cloud Security Standards

    As organizations continue to migrate workloads to the cloud, they must ensure that cloud computing is the correct delivery environment for their applications. The main concern is security and mitigating risk. Businesses are evaluating whether sensitive data is safe in the cloud and how to adopt cloud services while remaining compliant with standards and regulations.

    The cloud is, by nature, an attractive target for cyberattacks: its control planes and many of its services are reachable from the public internet, and it is a well documented environment whose APIs and default settings attackers study as closely as defenders do. Cloud configurations are complex, and the large number of moving parts, such as VMs, serverless functions, containers, storage buckets and IAM roles, each add to the attack surface.

    Both cloud providers and cloud users are finding it difficult to define what they need to do to ensure a secure environment. There are many research bodies, security best practices, and regulatory requirements, but no clear standard or consensus on what constitutes a truly secure cloud environment. 

    This makes it more important than ever for businesses to adopt a framework that will help them address all aspects of cloud security — including identity and access management (IAM), network security, virtualization security, Zero Trust Network Access (ZTNA), endpoint security, data privacy and content security.

    Learn more:

    Read our detailed explainer about cloud security threats.


    Cloud Compliance: How Do Major Compliance Standards Impact the Cloud?

    Here are some of the important security regulations around the world, and how they may affect cloud security.

    ISO Standards

    ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), specifies the requirements for an information security management system (ISMS) and is the standard most organizations certify against; its companion, ISO/IEC 27002, catalogs the controls. Neither is cloud-specific, so ISO has published several cloud-focused documents alongside them, such as:

    • ISO/IEC 17789 (2014) – the cloud computing reference architecture: it defines the roles (cloud service customer, provider and partner), activities and functional components of cloud computing and how they interact.
    • ISO/IEC 19944-1 (2020) – describes data flows, data categories and data use between a cloud service customer's devices and the cloud services it consumes, so that a provider can state precisely what it does with customer data.
    • ISO/IEC TS 23167 (2020) – a technical specification describing the common technologies and techniques used in cloud computing, such as virtual machines, hypervisors and containers.
    • ISO/IEC 27018 (2019) – a code of practice, built on ISO/IEC 27002, for protecting personally identifiable information (PII) in public clouds where the provider acts as a PII processor. It is the document to ask a cloud provider about when you are the controller of the PII it stores on your behalf.

    PCI DSS

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for merchants and service providers that store, process or transmit cardholder data. It is a contractual standard enforced by the card brands and acquiring banks rather than a law.

    If your organization keeps or handles payment card data in the cloud, the cardholder data environment (CDE) now includes your cloud configuration, and it remains your responsibility to design, operate and audit that environment; the PCI Security Standards Council's Cloud Computing Guidelines describe how responsibilities divide between you and the provider. Failing to maintain PCI DSS compliance can result in fines and, ultimately, loss of the ability to process payment card transactions.

    HIPAA

    To safeguard individuals' health information, the Health Insurance Portability and Accountability Act (HIPAA) contains provisions that directly address information security.

    HIPAA applies to covered entities (health plans, providers and clearinghouses) and their business associates that handle protected health information (PHI). For information security, the HIPAA Security Rule is the most relevant part: it requires administrative, physical and technical safeguards for electronic PHI (ePHI) that a covered entity creates, receives, maintains or transmits.

    If your organization uses cloud services (IaaS, PaaS or SaaS) to store or move ePHI, the cloud provider is a business associate. You must have a Business Associate Agreement (BAA) in place with it and confirm which services the BAA covers, and you remain responsible for configuring those services correctly, since the BAA does not cover misconfigurations on your side of the shared responsibility line.

    GDPR

    One of the strictest and most widely applicable privacy laws in the world is the General Data Protection Regulation (GDPR). Its central aim is to protect the personal data of natural persons in the European Union (EU), and it binds any organization, wherever it is located, that processes that data.

    One of the 11 chapters of the GDPR, Chapter 4 (Controller and Processor), contains articles that directly affect security and IT teams running public cloud environments that process personal data. For instance:

    • Article 25: Data protection by design and by default – requires measures ensuring that, by default, personal data is not made accessible to an indefinite number of natural persons without the individual's intervention. In practice this means least-privilege access: AWS IAM policies and Microsoft Entra ID (formerly Azure Active Directory) roles and Conditional Access policies limit who can reach which data.
    • Article 30: Records of processing activities – requires controllers and processors to keep records of their processing. Enabling API audit logging (AWS CloudTrail with its logs delivered to an S3 bucket, or Azure Monitor activity logs exported to Blob storage) gives you evidence of who accessed which data and when. The logs support the record, but the Article 30 record itself is a document of purposes, data categories, recipients and retention periods that you still have to maintain.
    • Article 32: Security of processing – requires technical and organizational measures appropriate to the risk, and names pseudonymization and encryption of personal data as examples. Security and IT teams meet it with encryption in transit (TLS) and at rest (provider-managed or customer-managed keys), together with the ability to restore availability after an incident.

    System and Organization Controls (SOC) Reporting 

    SOC 2 reporting is voluntary: no law requires it. Organizations obtain a SOC 2 report, an attestation issued by an independent CPA firm rather than a certification, to demonstrate to customers that appropriate security controls are in place and, in a Type II report, that those controls operated effectively over the review period.

    SOC 2 is built on five Trust Services Categories: security, availability, processing integrity, confidentiality and privacy. Security is the only mandatory category, and its Common Criteria are organized into nine series (CC1 through CC9). The series most pertinent to compliance and security teams who manage public cloud infrastructure are:

    • CC2: Communication and information – how the organization manages internal and external communication and its information flows.
    • CC5: Control activities – how the organization's control activities address technology and risk management.
    • CC6: Logical and physical access controls – how the organization restricts logical access to systems and credentials, controls physical entry to facilities, and prevents and detects unauthorized access.
    • CC7: System operations – how the organization monitors systems for events, anomalies and configuration changes that could introduce security risk, and how it detects, contains, remediates and communicates security incidents.
    • CC8: Change management – how the organization evaluates and approves changes to its data, infrastructure, procedures and software, so that required changes are made safely and unauthorized changes are prevented.
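    The GDPR Article 30 bullet above treats CloudTrail or Azure Monitor logs as evidence of processing, and CC7 asks for monitoring of configuration changes that could introduce risk. The following Python is an added example, not Exabeam's or the article's code, of the smallest useful thing you can do with those logs once they land in a bucket: scan CloudTrail records for management API calls that weaken audit coverage or data protection. The records are constructed inline in the CloudTrail file layout (a top-level "Records" list); the account ID, principals, bucket and trail names are invented, the nested requestParameters key names are my reading of the CloudTrail format, and the event list is a starting point rather than a complete catalog.

```python
"""Flag CloudTrail management events that weaken logging or encryption posture.

Added example for this article (not Exabeam or AWS code). The record layout
follows the CloudTrail log file format; the account, principals, bucket and
trail names below are constructed for the example.
"""
import json

# eventName -> why a compliance or SOC team cares. Extend with the services you use.
POSTURE_CHANGING_EVENTS = {
    "StopLogging": "CloudTrail logging stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "UpdateTrail": "CloudTrail trail configuration changed",
    "DeleteBucketEncryption": "S3 default encryption removed",
    "PutBucketPublicAccessBlock": "S3 public access block weakened",
    "DeleteBucketPolicy": "S3 bucket policy removed",
    "DisableKey": "KMS key disabled",
    "ScheduleKeyDeletion": "KMS key scheduled for deletion",
}

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample: one CloudTrail log file with six records.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "GetBucketEncryption", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "customer-records"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "DeleteBucketEncryption", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci-run-42"},
     "requestParameters": {"bucketName": "customer-records"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventName": "PutBucketPublicAccessBlock", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "static-site", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "PutBucketPublicAccessBlock", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "customer-records", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": False, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "DeleteTrail", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "org-trail"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized"},
]})


def parse_trail_file(text):
    """CloudTrail delivers (gzipped) JSON objects with a top-level "Records" list."""
    return json.loads(text).get("Records", [])


def actor(record):
    """Best available identity string for the caller."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")


def public_access_weakened(params):
    """True if any of the four S3 block-public-access flags is off.

    A missing flag is treated as off, which is how the S3 API interprets it.
    """
    cfg = params.get("PublicAccessBlockConfiguration", {})
    return any(cfg.get(flag) is not True for flag in PUBLIC_ACCESS_FLAGS)


def flag_posture_changes(records):
    """One finding per record whose API call reduces audit coverage or data protection.

    Failed calls (errorCode present) are still reported: an AccessDenied
    DeleteTrail is an attempt worth investigating, not noise.
    """
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in POSTURE_CHANGING_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if name == "PutBucketPublicAccessBlock" and not public_access_weakened(params):
            continue  # all four blocks kept on: a tightening, not a weakening
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "actor": actor(rec),
            "region": rec.get("awsRegion"),
            "target": params.get("bucketName") or params.get("name") or params.get("keyId"),
            "outcome": "failed:" + rec["errorCode"] if rec.get("errorCode") else "succeeded",
            "description": POSTURE_CHANGING_EVENTS[name],
        })
    return findings


if __name__ == "__main__":
    for finding in flag_posture_changes(parse_trail_file(SAMPLE_TRAIL_FILE)):
        print(json.dumps(finding))
```

    On the sample file this reports four findings (the stopped trail, the removed bucket encryption, the weakened public access block on customer-records, and the denied DeleteTrail attempt) and ignores the read-only GetBucketEncryption call and the PutBucketPublicAccessBlock that kept all four blocks on. The same function is what a SIEM rule would express declaratively; the point of keeping it in code is that the retained logs, not the dashboard, are what an auditor will ask for.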

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of the “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can help you better adopt and implement cloud security standards:

    Centralize compliance reporting across clouds
    If you use a multi-cloud strategy, standardize your compliance reporting across all platforms. Using a unified tool or framework like the Cloud Security Alliance (CSA) STAR certification will streamline audits and security management.

    Prioritize region-specific standards
    Different regions have unique regulatory requirements (like GDPR in Europe, CCPA in California). Ensure that your cloud security strategy accounts for these, especially if you operate globally. Prioritize multi-region compliance automation to reduce complexity.

    Build compliance into your DevOps pipeline
    Embed security controls and compliance checks into your CI/CD pipeline. This ensures that your deployments remain compliant with cloud security standards like ISO or PCI DSS throughout the software development lifecycle.

    Leverage automated cloud compliance audits
    Use cloud-native or third-party tools that can perform continuous compliance checks and generate real-time reports. This automation reduces the time spent on manual audits and helps detect issues before regulatory reviews.

    Employ shared responsibility training
    Educate both IT and security teams on the shared responsibility model. Misunderstanding the boundaries between cloud provider and customer responsibilities can lead to compliance gaps, especially in areas like data encryption and IAM.


    Cloud-Specific Security Frameworks and Benchmarks

    Here are some frameworks to help organizations maintain a high level of cloud security.

    CIS Cloud Security Benchmarks

    The CIS Foundations Benchmarks are part of the CIS Benchmarks program run by the Center for Internet Security (CIS). CIS Benchmarks are consensus-developed, prescriptive secure configuration guidelines for the most widely used technologies and systems. Each benchmark covers a specific product or platform and gives, for every recommendation, the rationale, an audit procedure to test the current state and a remediation procedure to fix it.

    There are over 100 freely available CIS Benchmarks covering dozens of vendor product families, including servers, operating systems, mobile devices, cloud providers, network devices and desktop software. The CIS Foundations Benchmarks cover the public cloud platforms themselves at the account (subscription, project or tenancy) level: identity and access management, logging and monitoring, networking and storage.

    The CIS Foundations Benchmarks deal with: 

    • Oracle Cloud Infrastructure
    • IBM Cloud
    • Amazon Web Services
    • Microsoft Azure
    • Google Cloud Platform
    • Alibaba Cloud

    CIS Benchmarks provide security configuration baselines based on best practices and are developed by consensus among practitioners from business, government, academia and industry. The CIS Foundations Benchmarks are meant for application and system administrators, security experts and auditors, as well as for platform deployment, help desk and DevOps personnel who create, deploy, secure or evaluate solutions in the cloud. They are available free of charge and can be downloaded as PDF documents.
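    Because every Foundations Benchmark recommendation comes with an audit procedure, the natural way to use one is to automate that procedure against a snapshot of the account. The Python below is an added example, not CIS tooling or this article's code. It evaluates a constructed account snapshot against four checks in the style of the CIS AWS Foundations Benchmark (root MFA, multi-region CloudTrail, admin ports open to the world, S3 encryption at rest). The snapshot mirrors the shape of the boto3 responses you would use to build it (iam.get_account_summary, cloudtrail.describe_trails merged with get_trail_status, s3.get_bucket_encryption, ec2.describe_security_groups), but all values are invented; recommendation numbers differ between benchmark versions, so each check is named by its title.

```python
"""Evaluate an AWS account snapshot against CIS Foundations Benchmark-style checks.

Added example for this article, not CIS or Exabeam tooling. SNAPSHOT is
constructed inline and mirrors the shape of the boto3 responses you would use
to populate it; every ID and name in it is invented.
"""

# Remote administration ports the benchmark asks you not to expose to the world.
ADMIN_PORTS = (22, 3389)

SNAPSHOT = {
    # iam.get_account_summary()["SummaryMap"]: 1 means the root user has MFA
    "account_summary": {"AccountMFAEnabled": 0},
    # cloudtrail.describe_trails()["trailList"] entries, each merged with the
    # IsLogging field from cloudtrail.get_trail_status()
    "trails": [
        {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True},
        {"Name": "old-trail", "IsMultiRegionTrail": False, "IsLogging": False},
    ],
    # bucket name -> default SSE algorithm from s3.get_bucket_encryption(),
    # or None if the call raised ServerSideEncryptionConfigurationNotFoundError
    "buckets": {"app-data": "aws:kms", "legacy-logs": None, "backups": "AES256"},
    # ec2.describe_security_groups()["SecurityGroups"], trimmed to the fields used
    "security_groups": [
        {"GroupId": "sg-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0b2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0c3", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0d4", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ],
}


def root_mfa_enabled(snap):
    """'Ensure MFA is enabled for the root user account'."""
    return snap["account_summary"].get("AccountMFAEnabled") == 1


def multi_region_trail_logging(snap):
    """'Ensure CloudTrail is enabled in all regions': at least one multi-region
    trail that is actually logging (a configured-but-stopped trail does not count)."""
    return any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in snap["trails"])


def rule_open_to_world(perm):
    """An ingress rule whose source is the whole IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))


def rule_covers_admin_port(perm):
    """IpProtocol '-1' means all protocols and ports; otherwise check the TCP range."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(low <= port <= high for port in ADMIN_PORTS)


def open_admin_security_groups(snap):
    """'Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to remote
    server administration ports'. Returns the offending group IDs, sorted."""
    return sorted(sg["GroupId"] for sg in snap["security_groups"]
                  if any(rule_open_to_world(p) and rule_covers_admin_port(p)
                         for p in sg.get("IpPermissions", [])))


def unencrypted_buckets(snap):
    """'Ensure all S3 buckets employ encryption-at-rest' (from older benchmark
    versions; S3 has applied SSE-S3 to new objects by default since January 2023)."""
    return sorted(name for name, sse in snap["buckets"].items() if not sse)


def run_checks(snap):
    """Check title -> pass/fail, in a shape a compliance report can consume."""
    return {
        "root MFA enabled": root_mfa_enabled(snap),
        "multi-region CloudTrail logging": multi_region_trail_logging(snap),
        "no admin ports open to the world": open_admin_security_groups(snap) == [],
        "all S3 buckets encrypted at rest": unencrypted_buckets(snap) == [],
    }


if __name__ == "__main__":
    for title, passed in run_checks(SNAPSHOT).items():
        print(f"{'PASS' if passed else 'FAIL'}  {title}")
```

    The separation between the snapshot and the checks is deliberate: the snapshot is the audit evidence, gathered once per run and kept, while the checks can be rerun against it as the benchmark version changes. Note the two places where a naive check would pass incorrectly, a multi-region trail that exists but has been stopped, and a security group whose rule uses protocol -1 rather than an explicit port.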

    CSA Controls Matrix

    The CSA Cloud Controls Matrix (CCM), published by the Cloud Security Alliance (CSA), is a catalog of cloud security controls mapped to other standards such as ISO/IEC 27001 and PCI DSS. Providers use it as a baseline for their security control environment and to streamline audits, and prospective customers use it to evaluate the risk posture of cloud vendors in a common vocabulary.

    The CSA also runs the Security, Trust, Assurance and Risk (STAR) program. STAR Level 1 is a published self-assessment against the CCM; STAR Level 2 adds a third-party certification or attestation. A provider's STAR entry is a sound starting point for assessing its commitment to security, with the caveat that it documents what the provider claims or has been audited on, not how your own deployment on that provider is configured.

    The STAR registry is the public listing of those submissions, so cloud customers can review a provider's security and privacy controls before making purchasing decisions.

    Learn more:

    Read our detailed explainer about cloud security controls.

    Cloud Architecture Frameworks

    These frameworks are best practice guidance for cloud architects, typically covering operational security, efficiency and cost-value trade-offs. Here are three that cloud architects should know:

    • AWS Well-Architected Framework – helps architects design and review workloads on Amazon Web Services. It is organized as a set of questions for evaluating an environment and gives customers a consistent basis for architecture reviews. Six pillars guide it: operational excellence, security, reliability, performance efficiency, cost optimization and sustainability.
    • Google Cloud Architecture Framework – provides a foundation for designing and improving workloads on Google Cloud. Its pillars are operational excellence; security, privacy and compliance; reliability; cost optimization; and performance optimization.
    • Azure Well-Architected Framework – helps architects build workloads on Microsoft Azure. It rests on the same kind of pillars as the AWS and Google frameworks: reliability, security, cost optimization, operational excellence and performance efficiency, which together help organizations keep systems functioning and recover from incidents.

    Exabeam: Enhancing Threat Detection with Advanced Security Analytics

    The Exabeam Security Operations Platform delivers a powerful combination of SIEM, behavioral analytics, automation, and network visibility to transform how organizations detect, investigate, and respond to threats. By correlating firewall logs with data from endpoints, cloud environments, identity systems, and other security sources, Exabeam provides deeper insights into evolving threats that would otherwise go undetected.

    Behavior-driven analytics enable Exabeam to go beyond static rules and signatures, identifying anomalous activity that indicates credential misuse, insider threats, or lateral movement across the network. By analyzing normal user and entity behavior over time, Exabeam surfaces high-risk activities that traditional security tools may overlook.

    Automated investigations streamline security operations by linking disparate data points into comprehensive threat timelines, reducing the time analysts spend piecing together incidents manually. This allows teams to quickly identify the root cause of an attack and respond with precision.
