What is a cloud security framework? A complete guide
With so many apps and data residing in cloud, employing a security framework to help protect cloud infrastructure is an essential move for an organization.
A cloud security framework is a set of guidelines and controls used to help secure an organization's cloud infrastructure. It provides cloud service providers (CSPs) and their customers with security baselines, validations and certifications.
Cloud has become increasingly less of an active architectural choice and more the de facto adoption strategy for new applications. Fewer organizations are purposefully selecting on-premises or colocation deployments for new deployments; instead, most are choosing cloud deployment.
Regardless of the deployment model, securing the technology landscape of organizations is essential. But securing a cloud environment is different from other environments, so there is a need in the industry for targeted resources about securing cloud. There's been quite a bit of valuable guidance published on how to best secure cloud usage and keep it secure over time.
There is a spectrum of available guidance that practitioners can choose from when it comes to securing their cloud use. On the one hand, there is detailed technical guidance, often from cloud providers themselves. This is useful when seeking to answer a specific, often technical, question like: How do I set up encryption of blob storing in XYZ environment? This type of guidance is less useful when looking at how to secure a cloud environment holistically and architecturally. By contrast, higher level guidance tends to be more vendor-agnostic -- i.e., applicable across different cloud environments -- but less germane to specific, detailed questions.
One type of guidance is the cloud security framework. These frameworks can provide significant utility to the practitioner. First, just like generalized security frameworks help you define the holistic security posture across your technology landscape generally, cloud security frameworks do this specifically for cloud deployments. They can also have additional value. For example, a cloud security framework can help with the validation of the security measures in place and in conducting preengagement vetting.
What is a cloud security framework?
It's perhaps easiest to understand cloud frameworks through the lens of security frameworks more generally --i.e., guidance not specific to cloud. There are numerous broad security frameworks including frameworks for governance (e.g., COBIT, ITIL), architecture (e.g., SABSA, TOGAF), management standards (e.g., ISO/IEC 27001) and NIST's Cybersecurity Framework. Just like these frameworks can apply broadly to any area of technology or security program, so too do they apply to cloud.
In addition to these general frameworks, there are also multiple specialized frameworks that could potentially be relevant depending on use case and context; an example of this would be HITRUST's Common Security Framework in a healthcare context or the PCI DSS in a payment context.
These frameworks are useful for practitioners but don't target cloud specifically. They can, of course, be used to help inform an organization's cloud posture, but frameworks specific to cloud can be more useful. There are important ones to know, including the Cloud Security Alliance's (CSA), Cloud Controls Matrix (CCM), CSA's Security, Trust, Assurance and Risk (STAR) registry, the Federal Risk and Authorization Management Program (FedRAMP) and ISO/IEC 27017. Also important are Center for Internet Security (CIS) Critical Security Controls, particularly when used together with the Cloud Companion Guide. There are many others, too, with a broad spectrum of cloud applicability, but those mentioned here are frequently used, well-respected across the industry, specific to cloud and equally useful to CSPs and their customers.
Cloud security frameworks provide information to the broader industry about security measures that are applicable to cloud environments. Like any security framework, these include a set of controls with specific guidance about controls (including intent and rigor), control management, validation and other information related to securing a cloud use case.
Types of cloud security frameworks
Each framework has its own focus and goals; they are each unique. However, it's useful to think about them through the lens of a taxonomy. Doing so can help clarify which is potentially most useful for what purpose. At a high level then, the various frameworks can be separated into the following categories:
- Generic framework. These frameworks are generic and attempt to provide broad guidance about control selection, scope, posture, and the like for cloud environments.
- Tie-ins to existing broader frameworks. These include guidance specific to cloud that exists as part of a broader ecosystem that is not cloud-focused. One example is the CIS Cloud Companion Guide, which ties specific cloud controls to the non-cloud-specific CIS Critical Controls.
- Control-specific guidance. There is also guidance more specific than a generic framework, including some that targets a specific control or control family. An example would be the NIST Special Publication (SP) 800-210 "General Access Control Guidance for Cloud Systems," which is specific to cloud but also focuses on one control family and topic -- in this case, access control -- as opposed to cloud more generically.
- Certification framework. Some of the guidance available supports certification efforts, directly or indirectly. For example, CSA's CCM is instrumental to its STAR program registry. Likewise, FedRAMP is a certification vehicle to allow U.S. federal agencies to make use of cloud services.
There is some overlap between these categories. For example, ISO/IEC 27017:2015 (Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services) checks several of the boxes associated with the above categories. On the one hand, it's a generic framework applicable to most cloud deployments. It also exists inside a broader ecosystem (ISO/IEC 27001 and 27002.) In addition, it's a potential target for certification. As such, it hits three of the different categories and acts as a reminder that it's important to employ a grain of salt when looking at the above taxonomy: it's a helpful way to think about frameworks but keep front of mind both the nuance and overlap.
How are cloud security frameworks useful?
Using a framework as a set of controls and practices for consideration can be beneficial to both CSPs and cloud customers for several reasons. First, a normative list of controls and countermeasures helps guide practitioners to specific measures that they can evaluate and use in their own environments. Second, a list provides a frame of reference within which to discuss security practices and specific security countermeasures; this provides a foundation for security-relevant negotiations such as that between cloud consumers and providers on matters like respective responsibilities in a shared-responsibility model.
In addition, there is a near-infinite array of possible countermeasures an organization might employ to secure its environment. Having an agreed-upon list of generally accepted controls helps CSPs decide how to invest their time and budget, and it gives customers guidance on what they should look for as standard security mechanisms in evaluating a CSP.
Specifically, frameworks can serve as a baseline for evaluation: They provide a structure for cloud customers to evaluate providers or compare security practices between providers. They also can help service providers demonstrate their security practices, either to assist with preengagement vetting for their customers or as part of their sales narrative. The more specific and prescriptive the controls laid out in the framework, the more conducive they are to serving in this evaluation capacity.
If used strategically, frameworks reduce work and provide value for both the customer and CSP. As a basis for an evaluation checklist, they reduce work for the potential customer. Frameworks also reduce work for the CSP by reducing the number of disparate, one-off evaluation questionnaires customers might present to providers. Even if a customer insists on using their own questionnaire, frameworks can still streamline the work involved in customer vetting by enabling providers to organize responses, prepare narratives and gather evidence against a known set of criteria instead of individually for each customer they might encounter.
How to choose a cloud security framework
Adopting a cloud security framework is a relatively straightforward process, but it does vary a bit depending on whether you are a customer or CSP. For customers, selecting one will depend largely on the company's broader program and business context. For example, a U.S. federal government agency or contractor will almost certainly want to investigate FedRAMP first. FedRAMP offers a set of validation criteria based on standard security measures and streamlines the onboarding of CSPs for government use. A large multinational organization with a security program already built on ISO/IEC 27001 that incorporates controls from ISO/IEC 27002 might find ISO/IEC 27017 a better fit, because the controls will be familiar and it will align directly with the existing security program.
CSPs should employ a set of frameworks, both cloud and security ones, that are known and accepted within the markets they service. As mentioned, one of the reasons to consider these particular frameworks is their supporting assurance programs. In the case of FedRAMP, a CSP can become a FedRAMP authorized service provider. CSPs can be certified for the ISO/IEC standard, or with any of the ISO management system standards. CSA has its Consensus Assessment Initiative Questionnaire, built on CCM and its STAR registry, which certifies validation of adherence. The framework CSPs should favor is the one that is likely to be most recognized among its customers.
Regardless of which is chosen, cloud security frameworks can aid cloud security efforts. Frameworks provide a lingua franca for discussion of specific controls and a benchmark for evaluation and certification; they create a backbone for organization of internal security efforts. Learning about the framework options available is time well spent.
Best practices
As you evaluate and decide which framework (or combination of frameworks) is right for you, keep the following best practices in mind:
- Tailor the framework to the business. Pay particular attention to the framework(s) that tie into the broader business context. As noted above, if you're a U.S. Federal agency, a structure like FedRAMP is probably preferable.
- Tailor the framework to the security program. Also, consider the broader security program when evaluating frameworks. If your security program is built around ISO/IEC 27001/27002, then ISO/IEC 27017 might be a more natural fit than something like the CIS controls.
- Go slow but be consistent. Remember this is a marathon, not a sprint; keep the pace manageable. Depending on context and your organization, there can be significant work involved in using frameworks, especially if, for example, you're new to cloud or maturing your security program. Don't try to do everything at once. Like an exercise regimen, using a framework is easier if you start slowly and build. Don't be the person who goes to the gym on day one for three hours and is so sore the next day they never return. Instead, look to make consistent progress over time.
Future of cloud security frameworks
It's useful to consider how frameworks might change. While nobody knows for sure how or when they will, there are some likely ways they could evolve.
We might expect to see formalization and maturity over time. There was significant pressure in cloud's early days for guidance like these frameworks, given that cloud models were new and practitioners struggled to secure them. As cloud has become more ubiquitous -- now the normative deployment model -- there's an opportunity for guidance to mature in depth of coverage and to deal more comprehensively with edge cases.
Another thing we might see is the inclusion of newer technologies that are in active and frequent use but that were less normative when these frameworks were initially conceived. Consider, for example, technologies like service mesh and infrastructure as code. Both work almost seamlessly with cloud environments but might not be directly addressed by existing guidance. Expect new iterations and updates of the guidance to address these technologies. This could be through the issuance of supplemental material (e.g., technology-specific addenda) or in future refinements of the frameworks themselves.
Lastly, and perhaps most directly useful to practitioners, expect to see the professional community-building expertise and familiarity with the existing guidance, perhaps in the way of secondary source guidance -- e.g., experts writing guides and how-to tips like this one -- designed to help practitioners make use of these resources productively.
Ed Moyle is a technical writer with more than 25 years of experience in information security. He is currently the CISO at Drake Software.
