7 compliance frameworks your cloud team needs to know

70% of organizations report more than half of their infrastructure exists in the cloud. But almost just as many don’t have a defined cloud strategy. This makes them more susceptible to security and compliance risks.

If your organization lacks a clear cloud strategy or security policy, common compliance frameworks can provide a starting point to protect your cloud environments.

• 7 compliance frameworks to know in cloud security
  • ISO 27001
  • NIST Cybersecurity Framework
  • CIS Controls
  • Federal Risk and Authorization Management Program (FedRAMP)
  • International Organization for Standardization (ISO)
  • CSA Cloud Controls Matrix (CCM)
  • CSA Security, Trust, Assurance, and Risk (STAR)
• Best practices for cloud security compliance
• Putting your cloud security policy to use

ISO 27001 is an international standard for information security management systems. It provides a clear, systematic approach to managing sensitive information across a variety of cloud solutions and services, whether that’s AWS, Azure, Google Cloud, or even general ledger software.

As such, ISO 27001 lays a foundation for creating and maintaining a robust security program in the cloud. It includes requirements and best practices focusing on:

• Risk assessment

• Asset management

• Access control

• Incident response

• Continuous monitoring and review

It also supports continual monitoring, evaluation, and improvement of cloud security procedures. By applying the standard's guidance, organizations can maintain high security standards, reduce risks, and protect important data from unauthorized access or breaches.

An ISO 27001 certification signals an organization's dedication to information security and reassures customers their data is safe. To earn the certification, organizations must pass a formal audit performed by an accredited certifying body.

Created by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework offers easy-to-follow guidelines, standards, and practices to uncover and address your organization’s highest priority risks.

Although not tailored specifically for the cloud, the NIST Cybersecurity Framework gives you a versatile structure that can strengthen your overall security (including your cloud security). It does this through five essential functions.

1. Identify: Understand and manage cloud-related cybersecurity risks to guarantee compliance
2. Protect: Set up safety measures to guarantee the confidentiality and availability of cloud resources and data
3. Detect: Set up measures to spot cybersecurity events and irregularities
4. Respond: Draft and implement security incident response plans for issues in your cloud infrastructure
5. Recover: Restore systems and data to normal status following a security incident. Understand what happened and set up preventative measures.

The Center for Internet Security (CIS) Controls are a collection of best practices to help organizations improve their cybersecurity posture. While they're not focused on cloud security, they’re often used to enhance security and compliance in cloud settings.

The CIS Controls framework includes 18 main security controls. To determine which of these is most relevant to your cloud environment (and how to interpret and apply them), CIS provides a Cloud Companion Guide. Use this to map out your controls, decide metrics for each control, and determine the results you want.  

The Federal Risk and Authorization Management Program (FedRAMP) is a cloud security framework created by the US federal government. It aims to simplify the process of evaluating, approving, and monitoring cloud service providers (CSPs) that manage federal government data.

FedRAMP provides standardized baselines to evaluate the security of cloud service providers. Though it mainly targets government agencies, private organizations can also use the FedRAMP framework to evaluate cloud services for their own needs.

1. Preparation: CSPs undergo a readiness assessment to determine if they’re ready to pursue FedRAMP authorization.
2. Authorization: CSPs are given a thorough security review, which involves examining their cloud systems, controls, and policies. They receive a provisional authorization to operate (P-ATO) or an authorization to operate (ATO) based on the cloud service's risk level.
3. Continuous monitoring: CSPs must maintain their system with security measures such as vulnerability scans, rapid incident solutions, and security event records. The CSP will undergo regular evaluations.

In addition to the popular ISO 27001, the International Organization for Standardization created several standards covering cloud security. You needn't choose one over the other. Several can be combined to create a robust cloud security program.

ISO 27017: This standard offers guidance for implementing security controls for cloud services. It emphasizes the distinct security aspects and risks related to cloud services.

ISO 27018: This standard offers guidance on safeguarding personal information in the cloud. This focuses on privacy concerns associated with the information cloud service providers process.

ISO 17788: This standard offers an overview of cloud computing terms and definitions. It helps businesses speak the language and make well-informed choices about cloud adoption and security approaches.

ISO 17789: This standard offers guidance on cloud service-level agreements (SLAs). It presents advice for creating SLAs between cloud service providers and clients that clarify service security expectations, roles, and responsibilities.

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4.0 includes 197 control objectives and related control requirements broken into 17 cloud security domains. It aligns with other standards, such as ISO 27001 and the NIST Cybersecurity Framework.

Similar to the CIS controls, you can use the CSA CCM as a model and make a list of the requirements specified. From there, you can determine how your organization will meet those requirements. The CSA also has an implementation guide that can be useful to understand how to navigate these controls.

The Cloud Security Alliance STAR program helps organizations evaluate CSPs to make well-informed choices.

As part of this program, a certifying body evaluates and reviews a CSP’s security methods. CSPs compliant with popular security methods earn a STAR certification. Looking for vendors with this certification can reassure you their cybersecurity methods are up to par.

Regardless of the framework(s) you use, knowing the best way to incorporate it can guide your cloud security journey. Here are some best practices to ensure your organization’s cloud security compliance.

Moving to the cloud is a big investment, but it’s not going to pay off if the team hasn’t been properly trained to use it.

Cloud engineers need cloud skills and adjacent tech skills in cybersecurity, DevOps, and data analytics. But every department needs onboarding, not just your tech teams. Non-tech roles need to know how to use cloud technology and comply with cloud security best practices. 

To upskill your teams:

• Divide the onboarding process into manageable steps with reasonable deadlines

• Assign clear roles, responsibilities, and learning expectations

• Ensure everyone has access to the resources and training they need to be successful

Don’t hesitate to talk to your cloud provider—they’ve helped other clients through this transition and can provide guidance along your journey.

Your teams need to know how to work in the cloud. But even more importantly, they need to know how to work in the cloud securely. 

To comply with your organization’s chosen cloud security framework(s), everyone working closely with the cloud should understand how to:

• Set up access controls

• Encrypt data

• Authenticate requests for data

• Safely move data to and from the cloud

• Handle protected user data

• Securely share data with authorized third parties

• Respond to security incidents

Your organization might pick one cloud security framework or use overlapping frameworks to cover specific needs and obligations. Once you’ve chosen your framework(s), implement and maintain that framework with a clear policy. Your cloud security policy should cover information such as:

• Which roles and responsibilities are involved in running the cloud securely

• Who can access which parts of the system and under what circumstances 

• What audits and risk assessments your org needs to ensure the system is current with today’s threat landscape

• How third-party vendors are included and managed as part of the cloud system 

For example, if your business uses an online cloud billing software, you’ll want to make sure it complies with ISO 27001 and other standards. When you have data moving through different systems, you need to be confident every part of it is secure.

Once you understand your organization's needs, obligations, and threats, you can use existing frameworks to establish a cloud security policy that protects your company and your customers as you grow and mature in the cloud. 

Want to lock in your cloud security knowledge? Pluralsight Skills offers a variety of cloud security courses and learning paths for everyone, from the leaders developing your policy to the team members putting it into action:

• Cloud Security Fundamentals

• AWS Cloud Security

• Google Cloud Security Essentials

• Azure Security