ISF Using Cloud Services Securely Harnessing Core Controls

This document provides an approach to securing cloud services for organizations using cloud services. It explores key cloud features and security challenges, outlines elements of cloud security governance, and presents core security controls applicable to cloud services. The report is intended to help individuals responsible for cloud security, as well as executives overseeing cloud security governance. It defines important cloud terms and provides guidance for harnessing core controls to maximize cloud opportunities while managing risks.


USING CLOUD SERVICES SECURELY: HARNESSING CORE CONTROLS
OCTOBER 2019

PUBLISHED BY
Information Security Forum
+44 (0)20 3875 6868
[email protected]
securityforum.org

PROJECT TEAM
Benoit Heynderickx – Lead
Paul Holland – Author

REVIEW AND QUALITY ASSURANCE


Emma Bickerstaffe
Jason Creasey
Eleanor Thrower

DESIGN
Abigail Palmer

WARNING
This document is confidential and is intended for the attention of, and use by, either organisations that are
Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF directly.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF
on [email protected]. Any storage or use of this document by organisations which are not Members of
the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security
Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising
from its use.

CLASSIFICATION
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.
CONTENTS
1. EXTEND SECURITY, CREATE OPPORTUNITIES 5

2. HOW THIS REPORT HELPS 6

3. KEY FEATURES OF CLOUD SERVICES 8

4. OVERCOMING CLOUD SECURITY CHALLENGES 14

5. CLOUD SECURITY GOVERNANCE 18

6. CORE CLOUD SECURITY CONTROLS 25


A | NETWORK SECURITY 28
B | ACCESS MANAGEMENT 38
C | DATA PROTECTION 48
D | SECURE CONFIGURATION 58
E | SECURITY MONITORING 68

7. CLOUD SECURITY PRODUCTS AND SERVICES 78

8. MAXIMISE POTENTIAL, TAKE RESPONSIBILITY 84

APPENDICES
A: GLOSSARY 85
B: CSP CLOUD SECURITY CERTIFICATIONS 86
C: CLOUD SECURITY CONTROLS APPLICABILITY 87
D: CLOUD-RELATED THREAT EVENTS 89
E: CLOUD CONTROLS MAPPING TO THE CLOUD-RELATED THREAT EVENTS 90

ACKNOWLEDGEMENTS 91

[Figure: The ISF Approach. The organisation's cloud security governance sits above the core cloud security controls (network security, access management, data protection, secure configuration and security monitoring), which apply across IaaS, PaaS and SaaS and are supported by cloud security products and services.]

4 Using Cloud Services Securely: Harnessing core controls Information Security Forum

1 EXTEND SECURITY, CREATE OPPORTUNITIES
Cloud computing has become a pervasive force, bringing economies of scale and
breakthrough technological advances to modern organisations, but it is more than just a
trend. Cloud computing has evolved at an incredible speed and, in many organisations,
is now entwined with the complex technological landscape that supports critical daily
operations.
This ever-expanding cloud environment gives rise to new types of risk. Business and security
leaders already face many challenges in protecting their existing IT environment. They must
now also find ways to securely use multiple cloud services, supported applications and
underlying technical infrastructure.

THE NEED TO USE CLOUD SERVICES SECURELY


The surge in business processes supported by cloud services has been well evidenced across the ISF
Membership: nearly 80% of surveyed ISF Members using cloud services store confidential data in the cloud
environment. But when using cloud services, organisations are still unsure whether to entrust cloud service
providers (CSPs) with their data. CSPs generally provide a certain level of security as substantiated by multiple
surveys, but cloud-related security incidents do occur – one fifth of ISF Members reported having experienced
cloud-related data breaches within the past 12 months.

ISF Member Survey: one-fifth reported having experienced a cloud-related data breach over the past 12 months, and 78% are storing confidential data in their cloud environment.

CSPs cannot be solely responsible for the security of their customers’ critical information assets. Cloud security
relies equally on the customer’s ability to implement the right level of information security controls. Yet the
cloud environment is complex and diverse, which hinders a consistent approach to deploying and maintaining
core security controls. It is vital that organisations are aware of and fulfil their share of the responsibility for
securing cloud services to successfully address the cyber threats that increasingly target the cloud environment.

“Through 2022, at least 95% of cloud security failures will be the customer’s fault.”
– Gartner1

INTRODUCING THE ISF APPROACH


The ISF Approach to Using Cloud Services Securely (the ISF Approach) provides a solid set of core cloud security
controls, which are supported by a layer of governance and the latest cloud security products and services. The
ISF Approach empowers organisations to deploy the right set of security controls and to focus their efforts on
the most valuable action that will reduce the likelihood and impact of cloud-related threat events. Whether
using one or multiple cloud services, organisations can adopt the ISF Approach to harness core controls and
make the most of the opportunities provided by cloud computing.

1 “Is the Cloud Secure?”, Gartner, 27 March 2018, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/


2 HOW THIS REPORT HELPS

This report presents a comprehensive approach to securing cloud services for organisations
that are considering using, or already actively use, one or multiple CSPs.
It does this by:
‒ exploring the key features of cloud services (Section 3)
‒ highlighting the main cloud security challenges (Section 4)
‒ outlining the main elements of cloud security governance (Section 5)
‒ presenting the core security controls that are applicable to cloud services (Section 6)
‒ exploring emerging trends in cloud security products and services (Section 7).

READERSHIP
This report is primarily directed at individuals who are responsible for securing cloud services in their
organisation, such as cloud security architects, cloud development managers and cloud engineers.

This report will also be of interest to individuals in executive management who have a governance and
oversight role for cloud security (e.g. Chief Information Security Officer (CISO), Chief Information Officer (CIO),
Chief Risk Officer (CRO) and Data Protection Officer (DPO)).

TERMS
The following terms are used throughout the report:
‒ Cloud services: computing services offered by a cloud service provider, including business applications,
document storage solutions, databases and virtual servers.
‒ Cloud environment: the combination of multiple cloud services that the organisation typically makes use of.
‒ Cloud customer: an organisation that is using cloud services.
‒ Cloud service provider (CSP): a vendor that provides cloud services, which can be purchased on demand by a
cloud customer.

Additional terms used throughout the report are referenced in the glossary in Appendix A.

METHODOLOGY
This report is informed by ISF research into leading organisations’ efforts to use cloud services securely.
The research is founded on:
‒ thought leadership from the ISF Global Team
‒ interviews with ISF Members and other industry experts
‒ ISF Members' contributions on ISF Live
‒ solution development workshops held with ISF Members in Paris, London, Helsinki, Munich, Amsterdam
and Dublin
‒ a survey completed by ISF Members (data presented from this survey has been aggregated and anonymised)
‒ an interactive session with the ISF Advisory Council
‒ a review of the main cloud security standards and guidelines.


There are many cloud-related security standards and guidelines. Those reviewed for this report include:
‒ CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
‒ CSA Cloud Controls Matrix v3.0.1
‒ CIS Controls Cloud Companion Guide v7
‒ ISO/IEC 27017:2015, Code of practice for information security controls based on ISO/IEC 27002 for cloud services
‒ NIST SP 500-299, Cloud Computing Security Reference Architecture
‒ NIST SP 800-145, The NIST Definition of Cloud Computing.

RECOMMENDED ISF REPORTS AND TOOLS


The following reports complement the ISF Approach to Using Cloud Services Securely:
‒ The Standard of Good Practice for Information Security 2018 (the Standard)
‒ Data Privacy in the Cloud: Enabling business agility by managing risk
‒ Establishing a Business-Focused Security Assurance Programme: Confidence in controls
‒ Securing the Supply Chain: Preventing your suppliers' vulnerabilities from becoming your own
‒ Information Risk Assessment Methodology 2 (IRAM2)
‒ Securing Cloud Computing: Addressing the seven deadly sins
‒ Supply Chain Assurance Framework: Contracting in confidence
‒ Application Security: Bringing order to chaos
‒ Protecting the Crown Jewels: How to secure mission-critical information assets
‒ Building a Successful SOC: Detect earlier, respond faster
‒ Data Leakage Prevention
‒ Demystifying Artificial Intelligence in Information Security

Since this research focuses on how the cloud customer can secure the use of their cloud services, security aspects
of areas such as system acquisition, application development and resilience have not been covered in-depth in
this report.


3 KEY FEATURES OF CLOUD SERVICES
Organisations have rapidly adopted cloud services, attracted by the ease of procurement,
relatively low set-up cost and the opportunity to replace legacy technology that no longer
meets business needs. Yet, managing security is no simple task due to the unique and varied
features intrinsic to using multiple cloud services.

CLOUD SERVICES TODAY – A WIDESPREAD RELIANCE


Cloud services cover a vast range of offerings such as business applications, document storage solutions,
databases and virtual servers, which can all be purchased on-demand from a selection of CSPs through a public
network, most commonly the internet.

Moving to cloud-first

Organisations are moving to the cloud not only to reduce costs, but to take advantage of innovative cloud
services offered by the major CSPs, with new lines of products and services released regularly. Some recent
innovations released by the major CSPs include AWS Lambda, Azure Bot and Google AI Hub.

As organisations move to cloud computing to enhance their business operations, they tend to favour the
acquisition of cloud services over the expansion of conventional, on-premises IT data centres. Often described
as a cloud-first policy, this approach has been adopted by over half of surveyed ISF Members. For many
organisations, this means that almost their entire IT infrastructure will eventually be hosted in the cloud environment.

ISF Member Survey: Has your organisation adopted a 'cloud-first' policy? Yes: 52%; the remaining responses
are split 41% and 7% between No and Don't know.

From cloud-first to ‘all-in’ cloud


While some established businesses tend to acquire new cloud services in addition to their
existing IT data centres, newly formed businesses have the opportunity to move to a full or ‘all-
in’ cloud approach. Rather than building a data centre from scratch, organisations can acquire
a suite of cloud services that supports their entire end-to-end business operations without the
need to acquire any on-premises IT services.

The rise of the multi-cloud environment

As organisations acquire new cloud services, they typically choose these from a selection of multiple CSPs and
therefore need to deal with a multi-cloud environment, which is characterised by the use of two or more CSPs.
Most ISF Members have a multi-cloud environment, with almost a fifth of ISF Members purchasing cloud services
from over 50 different CSPs.

Organisations favour a multi-cloud environment because it allows them to pick and choose their preferred cloud
services across different CSPs (e.g. AWS, Microsoft Azure, Google Cloud, Salesforce). However, each individual
CSP adopts its own jargon, its own specific technologies and its own approach to security management. The cloud
customer therefore needs to acquire a wide range of skills and knowledge to use different cloud services from
multiple CSPs securely.

ISF Member Survey: How many cloud providers does your organisation use? Single CSP: 12%; two or more CSPs: 88%.

Any organisation that contemplates using two or more CSPs (e.g. to retain vendor independence, for commercial
reasons or for strategic contingency) needs to ensure that strict internal standards are established for deploying
cloud services. The organisation should explicitly define architectural, operational and technological constraints such
that they can be assured that solutions developed for one CSP can easily be redeployed to a competitor service.


Organisations require a range of different users to securely access cloud services from within the organisation’s
network perimeter through secure network connections (e.g. via a gateway). However, organisations also
need their cloud services to be accessed from outside the internal perimeter by business partners and users
travelling off-site or working remotely, all connecting through a selection of secure network connections
as dictated by the organisation (e.g. via a virtual private network (VPN)). Figure 1 illustrates an example of
a typical multi-cloud environment, involving multiple CSPs and their corresponding cloud services, being
accessed by a wide range of individuals.

Figure 1: Typical multi-cloud environment
[Figure: on the on-premises side, system admins, business users and system developers reach cloud services through a gateway; external customers, business partners and remote business users connect from outside the perimeter, remote users via VPN. The cloud environment shown includes Office 365/OneDrive, ServiceNow, Salesforce Sales Cloud, SAP Cloud Platform, Google Cloud (Compute, Cloud Storage), IBM Cloud, AWS (EC2, S3) and Microsoft Azure (Compute, Azure Files).]

Different categories of users need to access cloud services, including:


‒ system administrators who configure individual cloud services
‒ system developers who build business applications as requested by their internal users, customers or
business partners
‒ business users who work with their business applications such as payroll, document storage or customer
relationship management (CRM)
‒ external customers and business partners who interact with the organisation via collaboration platforms,
which are specialised cloud services such as social networks, document sharing or project management
‒ remote business users who connect to cloud services from a variety of locations including airports, hotels or
from home.


MAIN FEATURES OF THE CLOUD


To help organisations navigate through such a heterogeneous cloud environment and to facilitate their journey
in securely using cloud services, some of the key features unique to cloud computing are outlined below. It is
important to understand these features since they will affect an organisation’s ability to implement security
controls and maintain visibility over its cloud environment.

The key features of cloud computing explained below are:


‒ cloud deployment types
‒ cloud service models
‒ CSP cloud management consoles.

Cloud deployment types


Organisations can adopt different cloud deployment types, with the main ones being:
‒ Public cloud: cloud services available to purchase by the general public over a public network, typically the
internet (the most common type of cloud deployment).
‒ Private cloud: comprising one or more cloud services deployed for the exclusive use of a single
organisation; typically managed by an external provider of IT services and often accessed over a
restricted network.
‒ Hybrid cloud: a combination of both private and public cloud.

A private or hybrid cloud will be more tailored to the individual needs of an organisation thereby requiring
further detailed analysis when it comes to the choice of security controls. When using a private cloud, the
organisation has more influence in defining the configuration of the underlying cloud infrastructure such as
the choice of location of the data centre, the type of operating system and the underlying hardware devices,
whereas in a public cloud, the organisation must rely upon some of the default configuration given by the CSP.

This report provides a comprehensive approach to securing cloud services that are used in a public cloud
environment. The ISF Approach can still be leveraged for the private and hybrid cloud but the implementation
of some of the controls will need to be calibrated according to the different levels of configuration used in the
private cloud.

Cloud service models

Organisations can acquire and use a combination of three main cloud service models:
‒ Infrastructure as a Service (IaaS): covers the physical hosting of the servers and all necessary computing
resources as well as backend services, such as hardware and networking capabilities. Organisations typically
use IaaS to build applications, providing a lot of flexibility in their choice of operating systems and the
necessary development tools.
‒ Platform as a Service (PaaS): adds more services such as an operating system, software-defined networking
and middleware in addition to the IaaS services provided. This allows organisations to deploy their preferred
business applications without the need to be concerned about the backend services.
‒ Software as a Service (SaaS): delivers fully functioning business applications that include the underlying
infrastructure, networking and middleware, which can often be customised to meet organisational needs,
sometimes altering some of the built-in application logic.

In the ISF Member Survey, 70% reported high or medium usage of IaaS, 60% reported high or medium usage of
PaaS and 92% reported high or medium usage of SaaS.


The ISF Approach focuses on the controls that should be implemented by the cloud customer to manage
security in relation to each cloud service model (i.e. IaaS, PaaS and SaaS). While SaaS is typically adopted as a
stand-alone application, both IaaS and PaaS are development platforms used to create new applications and
services. This means that in IaaS for instance, there is a greater need to apply security controls to protect the
operating system and the network, whereas in SaaS, most of the cloud customer’s controls relate to access
management and data protection.

FaaS (Function as a Service)

FaaS (also referred to as 'serverless') is a recent addition to the list of cloud service models, providing a development
platform that enables the organisation to deploy individual functions without any interaction with the backend services.
While it can be regarded as a form of PaaS, FaaS has been promoted by CSPs as a way of achieving a serverless
architecture, which organisations have adopted to develop applications in an extremely fast and agile manner.
AWS Lambda is an example of FaaS; the 'serverless' label is also applied to other managed services, such as the
Fauna DB database. As with PaaS, the cloud customer remains responsible for the function code and its dependencies,
the permissions granted to the function, and the data it processes.

Figure 2 illustrates the different CSPs most used by surveyed ISF Members for each cloud service model, noting
the common services associated with each model.

Figure 2: Cloud service models and top three CSPs used by surveyed ISF Members
‒ SaaS (application services). Top 3 SaaS CSPs: 1. Office 365/OneDrive; 2. ServiceNow; 3. Salesforce
‒ PaaS (platform/middleware, software-defined networks, operating system). Top 3 PaaS CSPs: 1. Google Cloud; 2. IBM Cloud; 3. Oracle Cloud
‒ IaaS (backend services: hardware, network, virtualisation; physical infrastructure). Top 3 IaaS CSPs: 1. Microsoft Azure; 2. AWS; 3. VMWare

Some CSPs do not adhere strictly to the distinction between these three cloud service models but may deliver
services that straddle more than one model. For instance, Microsoft Azure is typically treated as IaaS but can
also deliver PaaS services, providing the cloud customer with added services such as an operating system and a
platform in addition to the default IaaS offering.

Cloud resource pooling


Another well-known cloud feature is resource pooling: the CSP serves many customers from a shared pool of computing
resources and, combined with rapid elasticity, this enables organisations to quickly scale the resources acquired from
the CSP up or down without the need to wait for a server or an application to be built from scratch. The provision and
management of resource pooling lies fully within the CSP's remit, so is not covered in the ISF Approach; the customer
still has to size and configure the resources it uses, and should remember that its workloads share underlying
infrastructure with other tenants.


CSP cloud management consoles


Regardless of the cloud service model, cloud customers can configure and manage a cloud service through
a cloud management console accessed via a portal provided by the CSP. This console typically offers the
following functionalities:
‒ Cloud service configuration: allows the customer to select between various configuration options that can
be grouped into two categories:
• Operational configuration: to add, remove or launch new cloud services; increase the size of the database
and enable logging and monitoring.
• Security configuration: to define and enforce identity and access management (IAM); add new encryption
policies and enable data leakage prevention.

‒ Dashboard view: provides the customer with an overview of all cloud services actively in use at any point in
time. It can provide status reports, such as number of active instances, servers or applications deployed and
running. Security reports are also posted to share information regarding areas such as access management,
compliance status and security incidents.
‒ Access to a marketplace: enables the customer to purchase additional products and services, including new
security services offered by vendors other than the CSP.

With new services and products continuously devised to help secure the use of cloud services, as well as multiple
cloud management consoles – each with their own functionalities and unique characteristics – organisations are
faced with a steep learning curve that requires mastery of a wide range of skills. According to an (ISC)2 sponsored
survey, knowledge about the specific cloud management consoles is the foremost skill in demand.2

Figure 3 shows an example of a typical cloud management console offered by the major CSPs. There are as
many different cloud management consoles as there are CSPs, with each console used to configure and secure
their respective cloud services.

Figure 3: Typical portal for a cloud management console
[Figure: Cloud services configuration. Operational: launch new services, server/instance, pre-built images, database, application services. Security: identity & access management, encryption policy, define network segregation, security events monitoring, DLP. Operational dashboard: usage, reliability, responsiveness, availability. Security dashboard: policy & compliance (policy violations), resource security hygiene, threat protection (security alerts). Add-ons: marketplace, online training, tutorials, help section, documentation.]

The level of operational and security configuration available within each cloud management console will vary
significantly across the different CSPs, as will the style and format. It can take time and effort for organisations
to become accustomed to the various configurations necessary to secure their cloud environment. Added to
the burden of managing several cloud management consoles, organisations also need to deal with the various
vendor products that have been developed to optimise the security of cloud services (for further information,
see Section 7).

2 “Cloud Security Report (ISC)2”, Cybersecurity Insiders, 2019, https://www.cybersecurity-insiders.com/portfolio/2019-cloud-security-report-isc2/


Cloud management console for the multi-cloud environment


The cloud management consoles offered as default by the major CSPs typically cover only their respective offerings.
When organisations operate in a multi-cloud environment, there is a need for a cloud management console that can
be used across multiple CSPs. With growing demand for centralised cloud management, a new type of product called
the ‘cloud management platform’ has recently surfaced, aiming to combine the functionalities of multiple cloud
management consoles. This is a promising, but still emerging type of product.
Examples of cloud management platforms include Flexera (RightScale) and VMWare (CloudHealth).3

SUMMARY
Organisations operating in the cloud environment find themselves dealing with a complex mesh of IaaS, PaaS
and SaaS in private and public clouds, which are managed through a collection of cloud management consoles
by one or several system administrators. Amplifying the complexity, cloud services can also interact with one
another – for instance, a business application such as payroll may interface with a CRM system, both of which
are hosted in the cloud environment. All told, the cloud environment can only be described as intricate and
heterogeneous as exemplified in Figure 4.

Figure 4: An example of an organisation's heterogeneous cloud environment
[Figure: a system admin in the organisation uses a cloud management console to manage an enterprise private cloud, a hybrid cloud and public cloud services; Applications 1 to 4 are spread across IaaS, SaaS and PaaS.]

“It is all too easy to misconfigure cloud services.” – ISF Member

3 “Magic Quadrant for Cloud Management Platforms”, Gartner, 7 January 2019, https://www.gartner.com/en/documents/3897466/magic-quadrant-for-cloud-management-platforms


4 OVERCOMING CLOUD SECURITY CHALLENGES
While CSPs provide a certain level of security for their cloud services, organisations need
to be aware of their security obligations and deploy the necessary security controls.
This requires organisations to understand and address the many security challenges
presented by the complex and heterogeneous aspects of the cloud environment.

CHALLENGES IN SECURING THE USE OF CLOUD SERVICES


During the workshops, ISF Members identified several obstacles to operating securely in the cloud
environment. The main challenges include:
‒ identifying and maintaining the appropriate security controls
‒ balancing the shared responsibility for security between the CSP and the cloud customer
‒ meeting regulatory requirements to protect sensitive data in the cloud environment.

The rapid explosion of cloud usage has accentuated these challenges and, in some instances, left organisations
insufficiently prepared to tackle the security concerns associated with using cloud services.

Identifying and maintaining the appropriate security controls

The unique features of cloud services and the realities of operating in a multi-cloud environment can create
misperceptions or uncertainty as to what is required to secure the use of cloud services. Many organisations
struggle with identifying the relevant security controls and implementing them consistently across the entire
cloud environment.

Even when the organisation has selected the appropriate security controls, there are several factors that can
impede the ease of implementation. As explained in Section 3, organisations typically need to use multiple cloud
management consoles, as well as various products and services to manage security, which introduces a high level
of complexity and precludes a centralised view of all the security controls that have been implemented. This
can create difficulties in terms of reviewing the effectiveness of these controls, and can also blur visibility
of anomalies within the multi-cloud environment. Moreover, if security controls cannot be deployed consistently,
some important omissions can easily be made, resulting in significant security incidents that are often the
fault of the organisation due to poor implementation of security controls.

ISF Member Survey: 69% rated as high or very high their challenges in implementing and maintaining an adequate
level of security controls across their cloud environment.
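As an added illustration (not code from the ISF report), the following Python script shows one way to obtain the centralised view the paragraph above says is missing: it takes security configuration exported from several CSP consoles, normalises each CSP's own jargon into the same set of core controls (the security configuration items listed for cloud management consoles in Section 3) and reports which controls are absent for each service. The two export layouts, all field names, the CSP names csp_alpha and csp_beta and the sample data are constructed for the example and do not reproduce any real CSP's API or console schema.

```python
"""
Added example, not code from the ISF report: a control-status checker that
normalises security configuration exported from several CSP consoles into one
set of core controls and reports the gaps per service. All export layouts,
field names, CSP names and sample data are constructed for illustration.
"""
from dataclasses import dataclass

# Core controls evaluated for every storage service, whichever CSP hosts it.
CORE_CONTROLS = (
    "encryption_at_rest",
    "public_access_blocked",
    "access_logging",
    "mfa_for_admins",
)


@dataclass(frozen=True)
class ControlStatus:
    csp: str
    service: str
    implemented: frozenset  # subset of CORE_CONTROLS

    def missing(self):
        """Core controls not implemented on this service, in CORE_CONTROLS order."""
        return tuple(c for c in CORE_CONTROLS if c not in self.implemented)


# Constructed sample exports: each CSP describes the same controls in its own jargon.
SAMPLE_EXPORTS = {
    "csp_alpha": {  # constructed layout: flat per-bucket records
        "buckets": [
            {"name": "payroll-docs", "sse": "AES256", "public": False,
             "logging": {"enabled": True}, "admin_mfa": True},
            {"name": "marketing-assets", "sse": None, "public": True,
             "logging": {"enabled": False}, "admin_mfa": True},
        ]
    },
    "csp_beta": {  # constructed layout: nested account properties, different field names
        "storageAccounts": [
            {"id": "crm-export",
             "properties": {"encryption": {"status": "Enabled"}, "allowBlobPublicAccess": False},
             "diagnostics": ["StorageRead", "StorageWrite"],
             "privilegedUsersMfa": "NotConfigured"},
        ]
    },
}


def normalise_alpha(export):
    """Map csp_alpha's constructed export onto the core controls."""
    for bucket in export["buckets"]:
        implemented = set()
        if bucket.get("sse"):
            implemented.add("encryption_at_rest")
        if bucket.get("public", True) is False:
            implemented.add("public_access_blocked")
        if bucket.get("logging", {}).get("enabled"):
            implemented.add("access_logging")
        if bucket.get("admin_mfa"):
            implemented.add("mfa_for_admins")
        yield ControlStatus("csp_alpha", bucket["name"], frozenset(implemented))


def normalise_beta(export):
    """Map csp_beta's constructed export onto the same core controls."""
    for account in export["storageAccounts"]:
        props = account.get("properties", {})
        implemented = set()
        if props.get("encryption", {}).get("status") == "Enabled":
            implemented.add("encryption_at_rest")
        if props.get("allowBlobPublicAccess") is False:
            implemented.add("public_access_blocked")
        if account.get("diagnostics"):
            implemented.add("access_logging")
        if account.get("privilegedUsersMfa") == "Enforced":
            implemented.add("mfa_for_admins")
        yield ControlStatus("csp_beta", account["id"], frozenset(implemented))


NORMALISERS = {"csp_alpha": normalise_alpha, "csp_beta": normalise_beta}


def assess(exports):
    """Return one ControlStatus per service across all CSPs: the single, normalised view."""
    statuses = []
    for csp, export in exports.items():
        if csp not in NORMALISERS:
            # A CSP with no normaliser is a finding in itself: its controls are invisible centrally.
            raise ValueError(f"no normaliser for {csp}: its controls cannot be reviewed centrally")
        statuses.extend(NORMALISERS[csp](export))
    return statuses


def gaps(exports):
    """Map 'csp/service' to the core controls it lacks; services with no gaps are omitted."""
    return {f"{s.csp}/{s.service}": s.missing() for s in assess(exports) if s.missing()}


if __name__ == "__main__":
    for service, missing in gaps(SAMPLE_EXPORTS).items():
        print(f"{service}: missing {', '.join(missing)}")
```

Run as-is, the script prints one line per service with a gap. A CSP for which no normaliser has been written is reported as an error rather than silently skipped, because controls there cannot be reviewed centrally, which is exactly the omission the paragraph warns about. Using this against a real environment means writing one normaliser per CSP against that CSP's actual export format; the set of core controls stays the same across all of them.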

Misconfiguration leading to a serious cloud-related data breach – Capital One


On 29 July 2019, the financial services giant Capital One confirmed it had experienced a data breach in which an
outside individual had gained unauthorised access and obtained certain types of personal information about Capital
One's customers. The breach affected over 100 million individuals in the United States and Canada, and involved data
stored in a public cloud, AWS. According to multiple news sources and an official AWS spokesperson, AWS itself had
not been compromised in any way; instead, the breach was caused by a web application firewall misconfigured by the
cloud customer. This incident highlighted a serious failing in the configuration of a specific security control by
the customer, which allowed an attacker to easily access and exfiltrate sensitive information stored in a public cloud.

“It’s cloud chaos. Organisations have acquired a multitude of cloud vendors and have
not been able to put the right level of governance and controls in place.” – ISF Member


Balancing the shared responsibility for security between the CSP and the cloud customer
Securing the use of cloud services is a shared responsibility between the CSP and the cloud customer. The
security obligations incumbent on the CSP are to protect the multi-tenant cloud environment, including
the backend services and physical infrastructure, as well as to prevent the commingling of data between
different customers.

While the CSP maintains much of the underlying cloud infrastructure, the cloud customer is responsible for
securing its data and user management. Whether the customer’s responsibility extends to performing security
configurations for applications, operating systems and networking will depend on the cloud service model
selected as shown in Figure 5.

Figure 5: The shared responsibility for security according to the cloud service model

[Figure 5 is a stacked diagram with three columns, IaaS, PaaS and SaaS, labelled CLOUD CUSTOMER RESPONSIBILITIES
at the top and CSP RESPONSIBILITIES at the bottom. Each column shows the same layers, from top to bottom: data and
user management; application services; platform/middleware; software-defined networks; operating system; backend
services (hardware, network, virtualisation); physical infrastructure. Data and user management is the customer's
responsibility in every column, backend services and physical infrastructure are the CSP's in every column, and the
customer's share of the layers in between is largest for IaaS and smallest for SaaS.]

This shared responsibility for security can create confusion and lead to over-reliance on the CSP to mitigate
threats and prevent security incidents. It is essential that the cloud customer does not depend wholly
on the CSP to deploy the appropriate security measures, but clearly understands how responsibility for
security is shared with each CSP in order to identify and deploy the requisite security controls to protect the
cloud environment.

The key question is how the CSP’s controls and those implemented by the cloud customer fit together so that there
is no daylight between them. A common failing is a misunderstanding on the part of the customer about how
the CSP’s controls actually work and what security responsibilities fall to each party. This potential schism will be
addressed throughout the report, particularly in Section 6 which outlines the customer’s responsibilities for each
control topic.

The issue of shared responsibilities between the CSP and the cloud customer was explored during the ISF
solution development workshops. While there is general consensus among ISF Members that shared levels
of responsibility need to be clearly defined in order to deploy the right level of security controls, one ISF
Member highlighted that an overwhelming majority of CISOs and CIOs still struggle to understand this split of
responsibilities, suggesting unfamiliarity with the intricacies of the many cloud features.

“The shared responsibility model is well understood by security and cloud experts but
not by the decision makers – even CIOs don’t necessarily understand the difference
between IaaS and SaaS.” – ISF Member


Meeting regulatory requirements to protect sensitive data in the cloud environment

An organisation using an on-premises IT data centre will know exactly where its critical and
sensitive data resides and can exert full control over the movement of its data. This helps
considerably when implementing security controls, whereas in the cloud environment, data
moves in and out of an organisation's perimeter more freely. This can obscure where critical
and sensitive data is located, and how it can be protected, which can hinder an organisation's
ability to effectively enforce the requisite security controls across all of its cloud services in
line with compliance requirements.

ISF Member Survey: 74% rated as high or very high their challenge in meeting regulatory
requirements when moving their data to the cloud environment.

While it is the cloud customer’s responsibility to ensure the security of its data in the cloud
environment (e.g. by encrypting data and applying access restrictions), the customer’s
control over its data is intrinsically limited since the data is stored by an external party – the
CSP – in an off-site location, often in a different country. Moreover, the CSPs will often
leverage several data centres in geographically distinct locations to ensure the organisation’s
data is stored on more than one server for reasons of resilience. This creates additional
complexity in terms of managing data across borders, understanding where it is located at a
given moment in time, determining the applicable legal jurisdiction and ensuring compliance
with relevant laws and regulations – an obligation that rests fully with the cloud customer,
not the CSP.

“Physical storage locations are moving further away from the traditional
organisational perimeter and so are the controls.” – ISF Member

THE ISF APPROACH TO USING CLOUD SERVICES SECURELY


To help ISF Members mitigate the challenges described in this section, the ISF has developed a practical
approach to using cloud services securely (as shown in Figure 6). Following the ISF Approach will enable
organisations to successfully identify, implement and maintain the right set of security controls that are
integral to operating securely in the cloud environment.

The ISF Approach is divided into three parts. The table below explains how organisations can leverage each
part to address the key concerns associated with cloud usage.

MAIN CHALLENGES IN USING CLOUD SERVICES SECURELY | CAN BE ADDRESSED BY

Identifying and maintaining the appropriate security controls
‒ Developing an effective governance framework for cloud security (see Section 5).
‒ Harnessing the core cloud security controls (see Section 6).
‒ Deploying security products and services to support successful implementation of the core cloud security
controls (see Section 7).

Balancing the shared responsibility for security between the CSP and the cloud customer
‒ Assessing the core cloud security controls which outline the cloud customer's responsibilities and the level of
applicability of each control to the cloud service models (i.e. IaaS, PaaS and SaaS) (see Section 6).

Meeting regulatory requirements to protect sensitive data in the cloud environment
‒ Ensuring the CSP adheres to relevant standards through close scrutiny of security clauses in cloud service
contracts and reviewing whether legal and regulatory obligations are met as part of the organisation's security
assurance programme (see Section 5).
‒ Implementing the core cloud security controls for data protection and access management (see Section 6).

“A well-configured cloud can be better secured than an on-premises data centre.” – ISF Member


Figure 6: The ISF Approach to Using Cloud Services Securely

[Figure 6 shows the three parts of the ISF Approach: GOVERNANCE (Section 5, cloud security governance); CONTROLS
(Section 6, core cloud security controls covering network security, access management, data protection, secure
configuration and security monitoring, applied across IaaS, PaaS and SaaS); and PRODUCTS (Section 7, cloud security
products and services).]


5 CLOUD SECURITY GOVERNANCE

Cloud computing has become a topic of interest for organisations' executive management,
particularly when moving to a cloud-first policy. While senior executives are becoming more
supportive of their organisation transitioning to the cloud, they remain concerned about
cloud security incidents and increased regulatory pressures. A well-designed cloud security
governance framework will provide reassurance and greater visibility that the optimal level
of security controls has been deployed to mitigate the risks associated with using cloud
services.

“The board is increasingly interested in cloud security matters.” – ISF Member

AN OVERVIEW OF CLOUD SECURITY GOVERNANCE


To facilitate effective management of security in the cloud environment, a governance framework should
be adopted that specifically addresses the unique features of cloud computing and performance of relevant
security controls. The breadth of cloud services, combined with their lasting impact on the business, requires
extensive cooperation between executive management and those responsible for implementing and
securing the use of cloud services. A robust governance framework is integral to achieving this level of
collaboration, and will help organisations take a systematic, structured and considered approach to using cloud
services securely.

This section explains the six fundamental elements of cloud security governance that a steering group should
oversee as presented in Figure 7.

Figure 7: Six key elements of cloud security governance, overseen by a cloud security steering group

[Figure 7 shows the cloud security steering group at the centre of CLOUD SECURITY GOVERNANCE, overseeing six
elements: cloud security policy; register of cloud services; information risk assessments; security clauses in
cloud contracts; security assurance; roles and responsibilities.]

“Ensure the approach to cloud security is not piecemeal; build policy and governance first.”
– ISF Member

Cloud security steering group


A steering group (also known as a cloud security advisory board) should be established to coordinate all the
necessary activities involved in deploying the right set of controls across the entire cloud environment. This
group should include business leaders, a legal adviser, the data protection officer, as well as cloud specialists
and other relevant representatives from the IT and information security functions. It should be chaired by a
senior executive, such as the CISO or CIO, who takes direction from the executive management.


Some ISF Members do not establish a stand-alone steering group dedicated to the topic of cloud security, but
instead include this issue on the agenda of an existing steering group with a broader remit.

The cloud security steering group should meet regularly to perform the following functions:
‒ coordinate a structured and consistent approach to using cloud services securely (e.g. carrying out the six key
elements of cloud security governance as shown in Figure 7 on page 18)
‒ translate the cloud security strategy promulgated by executive management into actionable items for the
teams responsible for securing the use of cloud services (e.g. overseeing the deployment of a set of core
cloud security controls)
‒ report to executive management on all important cloud security matters (e.g. advising on any significant
deviations from cloud security policy – exception management)
‒ support cloud security decisions in a fast and effective manner (e.g. making investment decisions on cloud
security products and services).

A cloud-first strategy will precipitate a gradual increase of cloud services and should be supported by effective cloud
security governance that ensures the build-up of cloud services is achieved in a controlled and secure manner.

Cloud security policy

The cloud security policy is a comprehensive document that articulates requirements
for the authorised use of cloud services in accordance with the direction provided by
executive management. It should align with the organisation's objectives for using cloud
services and specify the:
‒ type of information that can be shared with cloud services (e.g. it may be prohibited
to store information classified as confidential in the cloud environment)
‒ list of sanctioned CSPs (e.g. names of preferred CSPs and how to on-board new ones)
‒ vetted mechanisms for accessing cloud services (e.g. VPN for employees
working remotely)
‒ mechanisms for users to report cloud specific incidents (e.g. cloud services downtime)
‒ relevant information security requirements that need to be incorporated in cloud
specific contracts.

General security practices such as user awareness, business continuity and change
management should be encapsulated in the organisation's wider information security
policy unless there is a valid reason to include these in the cloud security policy.

ISF Member Survey: 50% find it highly challenging to develop a cloud security policy.

For an overview of how to approach the development of a cloud security policy, see
SC2.1 of the Standard.

The relevant sections of the cloud security policy (e.g. sanctioned CSPs and approved
data types) should be published and communicated to all employees and external
individuals (e.g. consultants, contractors and employees of external parties) with access
to the organisation’s use of cloud services. The policy should be regularly reviewed and
updated to take account of changing circumstances, with any significant changes to be
approved by the cloud security steering group.

Unsanctioned use of cloud services


From document storage, data transfer and personal email to PDF converters, there are myriad cloud services freely
accessible to any individual over a web browser. ISF Members have expressed their concerns over the growing number
of unsanctioned cloud services, also referred to as ‘shadow IT’, sometimes reporting hundreds in use within their
organisation. There are many ways of reducing the use of unsanctioned cloud services, which includes enforcing the
cloud security policy, using discovery techniques to detect unsanctioned services and technical blocking of unwanted
cloud services (subject to business approval).
More details about how to reduce the proliferation of unsanctioned cloud services can be found in the ISF report
Securing cloud computing: Addressing the seven deadly sins.
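One form the discovery technique mentioned above can take: comparing the cloud services users actually reach, as recorded by an outbound web proxy, against the organisation's list of sanctioned CSPs, and ranking what remains by the volume of data sent to it. This is an added example, not code from the ISF report or from any CASB product; the proxy log format and lines, the catalogue of cloud service domains and the sanctioned list are all constructed for illustration.

```python
"""
Discovery of unsanctioned cloud services from web proxy logs.

Added example (not from the ISF report or any CASB). It compares the cloud
services that users reach, as seen by an outbound web proxy, against the
organisation's sanctioned list. Log format, log lines, the domain catalogue
and the sanctioned list are all constructed.
"""
import re
from collections import defaultdict

# Constructed catalogue: domain suffix -> (service name, category).
# A CASB ships a much larger one; this is only illustrative.
CLOUD_CATALOGUE = {
    "sanctioned-storage.example": ("SanctionedStorage", "file storage"),
    "approved-crm.example":       ("ApprovedCRM", "SaaS/CRM"),
    "free-drop.example":          ("FreeDrop", "file sharing"),
    "pdfconvert.example":         ("PDFConvert", "document conversion"),
    "personal-mail.example":      ("PersonalMail", "personal email"),
}

# Services approved in the cloud security policy / register of cloud services.
SANCTIONED = {"SanctionedStorage", "ApprovedCRM"}

# Constructed proxy log lines: time  user  method  host  bytes_sent
PROXY_LOG = """\
2019-10-01T09:02:11Z alice GET  docs.sanctioned-storage.example 512
2019-10-01T09:05:43Z bob   POST upload.free-drop.example 48213000
2019-10-01T09:06:02Z carol POST api.pdfconvert.example 2310000
2019-10-01T09:07:19Z bob   POST upload.free-drop.example 9100000
2019-10-01T09:09:55Z dave  GET  mail.personal-mail.example 1024
2019-10-01T09:11:30Z alice GET  app.approved-crm.example 2048
2019-10-01T09:12:01Z erin  GET  www.news-site.example 7000
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")


def classify_host(host):
    """Return (service, category) when a suffix of host is in the catalogue, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in CLOUD_CATALOGUE:
            return CLOUD_CATALOGUE[suffix]
    return None


def discover_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Aggregate unsanctioned cloud use: service -> {category, users, uploads, bytes_sent}."""
    usage = defaultdict(lambda: {"category": "", "users": set(), "uploads": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # malformed line: skip rather than guess
        _, user, method, host, nbytes = m.groups()
        hit = classify_host(host)
        if hit is None:
            continue                      # not a known cloud service
        service, category = hit
        if service in sanctioned:
            continue
        entry = usage[service]
        entry["category"] = category
        entry["users"].add(user)
        entry["bytes_sent"] += int(nbytes)
        if method in ("POST", "PUT"):     # data leaving the organisation
            entry["uploads"] += 1
    return dict(usage)


def report(usage):
    """One line per service, largest outbound volume first."""
    lines = []
    for service, e in sorted(usage.items(), key=lambda kv: -kv[1]["bytes_sent"]):
        lines.append(f"{service:<14}{e['category']:<22}users={len(e['users'])} "
                     f"uploads={e['uploads']} bytes_sent={e['bytes_sent']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(discover_unsanctioned(PROXY_LOG))))
```

Sorting by bytes sent puts the file-sharing service that received tens of megabytes of uploads above the personal webmail that was only read, which is the order in which the cloud security steering group would want to decide between sanctioning, blocking or accepting each service.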


Register of cloud services


The use of cloud services should be identified and recorded in a register (or equivalent). There are three
main sources of information that can be used to help maintain a comprehensive, up-to-date register of
cloud services:
‒ A supplier register, which is held by the procurement team and should specify the details of all CSPs that the
organisation regularly interacts with, as well as a copy of all cloud service contracts.
‒ One or more Configuration Management Databases (CMDB), which are typically maintained by the IT
department and should contain detailed information related to cloud services and their relevant CSPs.
‒ Cloud access security brokers (CASBs), which are used to identify all cloud services adopted by the
organisation.

Maintaining a CMDB for the cloud environment


The CMDB should document the relevant configuration items (CIs) such as the name and type of cloud devices
(including virtual servers), together with the version of operating systems and databases in use. A well-designed CMDB
should be populated automatically through built-in discovery capabilities to identify and record CIs using the most
current information. The CMDB should also specify the relationship between the relevant CIs, cloud services and the
overall CSPs. Most importantly, the CMDB should keep a record of who owns, manages and supports the relevant CIs.

Informed by these sources of information, the register of cloud services should ideally be maintained as a
stand-alone register and include the following details:
‒ Name of the CSP.
‒ Brief description of the individual cloud service, including the criticality of the business processes it supports.
‒ Main cloud features used (e.g. private or public cloud; IaaS, PaaS or SaaS; and type of cloud
management console).
‒ Scale of usage of the cloud service (e.g. average daily usage in terms of number of users accessing the service
and volume of data processed).
‒ Sensitivity of the data that can be handled within the cloud service as determined by the business owner
(e.g. confidential, internal or public).
‒ Roles and contact details of individuals responsible for supporting the cloud service within the:
• Organisation (e.g. business owners and individuals responsible for administering and securing the
cloud service)
• CSP (e.g. commercial and technical advisors).

Once created, the register of cloud services should be leveraged to ensure that all cloud services used by the
organisation are adequately protected. The register can also be referenced to help determine the appropriate
core cloud security controls and review their implementation status.

Information risk assessments

Given the high number of cloud services, the critical business processes they support, and
the sensitive information handled within the cloud environment, it is essential that thorough
information risk assessments of cloud services are performed on a regular basis.
Prior to any risk assessment of cloud services, risk assessors need to understand where the
balance lies in terms of the division of responsibility for security between cloud customer
and CSP. For instance, if the scope of an information risk assessment is a SaaS application, the
coverage of backend services and physical hosting offered by the CSP should be evaluated,
typically with reference to the CSP's certifications and accreditation or by conducting a detailed
vendor security evaluation (e.g. through the ISF Supplier Security Evaluation (SSE) tool or the
ISF Security Healthcheck). The risk assessment should also evaluate the implementation of the
security controls managed by the cloud customer.

ISF Member Survey: 41% find it highly challenging to perform information risk assessments of
cloud services.


The six phases of Information Risk Assessment Methodology 2 (IRAM2) can be adapted to help perform an
information risk assessment of cloud services (e.g. when assessing the storage of confidential information in a
SaaS application), as shown in the table below.

IRAM2 PHASE | APPLICATION TO CLOUD SERVICES | ILLUSTRATIVE EXAMPLE

A | Scoping
Application to cloud services: Determine which cloud service(s) are in scope and the stakeholders involved. Most
importantly, determine the respective areas of responsibility of the CSP and the cloud customer for securing the
cloud service.
Illustrative example: Confidential information stored in a particular cloud service such as a SaaS. In this instance,
the customer is responsible for managing and securing all confidential data stored in the cloud service.

B | Business impact assessment
Application to cloud services: Assess the potential business impact should the cloud service be compromised
(e.g. data breach, system downtime).
Illustrative example: A potential breach of sensitive information (e.g. personal data or intellectual property) would
have a high business impact.

C | Threat profiling
Application to cloud services: Establish and prioritise cloud threat events relevant to the environment being
assessed (e.g. exploit insecure interfaces and APIs; misuse of cloud services and malfunction of cloud services).
Illustrative example: Adversarial and accidental cloud threat events are identified. See Appendix D for a full list of
cloud-related threat events.

D | Vulnerability assessment
Application to cloud services: Assess the strength of core cloud security controls deployed by the cloud customer.
Review the CSP's control environment (e.g. by leveraging the SSE tool or the Security Healthcheck).
Illustrative example: Control weaknesses detected in administrator access configured by the cloud customer.
Configuration issues in the level of access assigned to users, resulting in excessive access permissions.

E | Risk evaluation
Application to cloud services: Evaluate the risk(s) considering the likelihood of any vulnerabilities being exploited
and the resulting impact.
Illustrative example: Moderate to high risks are identified that need to be mitigated by the organisation. Residual
risks associated with the CSP are deemed to be low.

F | Risk treatment
Application to cloud services: Determine the relevant stakeholders both within the organisation (e.g. business
users, IT operations) and with the CSP for addressing and mitigating the identified risks. Agree on a risk treatment
strategy (e.g. mitigate, avoid, transfer or accept).
Illustrative example: Mitigating controls to be determined by reinforcing the core controls around access
management and data encryption. The organisation is responsible for the risk treatment and the CSP is required to
give the necessary level of support.

The information risk assessment of cloud services should be performed on an annual basis and significant risks
(e.g. those rated as high or moderate) should be added to a risk register that is regularly reviewed by the cloud
security steering group.

Examples of the scope for an information risk assessment related to cloud services include:
‒ a business-critical application running in a SaaS implementation such as a payroll system
‒ an IaaS used by the organisation for developing customer-based applications
‒ sensitive data held in various cloud services and regularly used by the organisation.


Security clauses in cloud contracts

Contractual arrangements with CSPs are pivotal for achieving a good level of security across
the organisation's cloud environment. The usage of each cloud service should be supported
by a contract, which needs to be carefully reviewed by an information security specialist and
a legal practitioner to ensure it accurately specifies the security requirements expected of
both the CSP and the cloud customer. This review should be informed by an analysis of how
the CSP's and organisation's respective controls can interface to secure the use of the given
cloud service.

ISF Member Survey: 42% rated specifying information security requirements in cloud services
contracts as a high level of challenge.

For more information on how to engage effectively with CSPs in terms of contract negotiation, including the
level of security requirements that should be asked of the provider, see the ISF report Supply Chain Assurance
Framework: Contracting in confidence.

The 2018 Standard provides guidance on cloud service contracts in Topic SC2.2, specifying some of the key
requirements that should be embedded within the security clauses. While every cloud service contract will
differ, at a minimum it should require the CSP to:
‒ protect the organisation’s information (e.g. restrict the sharing of information with other organisations using
the same CSP)
‒ disclose any significant security event that may affect the organisation’s reputation or disrupt business
operations (e.g. potential security incident, data breach or system downtime)
‒ adhere to relevant laws and regulations (e.g. process and store data in approved locations, inform the
customer of any cross-border arrangements)
‒ provide advance notification of any major changes (e.g. service upgrade, scheduled downtime or change of
underlying technologies)
‒ allow the organisation to recover information at termination of the contract (e.g. stipulate the format,
mechanism and content of information to be returned when the service is terminated)
‒ evidence safe destruction of the organisation’s information when required (e.g. define how the information
will be removed from the CSP’s hardware)
‒ notify the customer of any significant changes to the cloud service, including the use of sub-contractors (e.g.
use of other vendors to host the data centre)
‒ give the right to audit (e.g. allow the organisation to audit the CSP’s internal policies and controls that relate
to the services within scope of the contract)
‒ support the investigation of, and response to, cloud security incidents (e.g. e-discovery requests or
forensic investigations).

When reviewing cloud contracts to ensure they meet the business and security requirements of the
organisation, focus should be placed on liability clauses that cover the implications of information security
incidents. These clauses represent one of the most important aspects of contracts to be agreed upon when
engaging with a CSP.

ISF Members have expressed some concerns regarding their CSP’s ability to satisfy their security obligations, as
specified within the contract, due to cost, complexity, time and/or technical capability. When there is a clear
deadlock such that the CSP refuses to meet the specified security requirement, the only alternative is to terminate
the contract and move the cloud data and processes to another CSP or back to an on-premises IT solution.


Security assurance
To gain assurance over the secure use of their cloud services, organisations should conduct security assurance
activities to assess the effectiveness of security controls implemented across their cloud environment (see
Section 6 for guidance on core cloud security controls).

Organisations should also perform a supplier evaluation of the CSP’s implementation of backend controls as
part of regular supply chain assurance activities. Testing the effectiveness of the CSP’s controls can sometimes
be achieved through regular audits of the CSP but this is often impractical and may not be authorised by the
CSP. Instead, the effectiveness of controls is often determined with reference to relevant documentation that
CSPs will release on request, including reports on their security posture and certifications (see Appendix B for
some of the more prevalent certifications pertaining to cloud computing).

For practical guidance on performing effective security assurance activities see the ISF report Establishing a
Business‑focused Security Assurance Programme: Confidence in controls.

For good practice around evaluating suppliers' security see the ISF report Securing the Supply Chain: Preventing
your suppliers' vulnerabilities from becoming your own.

As part of security assurance activities over a CSP, it is important to review their provision for internal support
operations. For instance, several ISF Members reported that although the CSPs provide accurate information
about their data centre location, information about their operational staff was not always easy to obtain. For
example, a cloud infrastructure could be located in Europe, whereas system operators of the CSP might be based
in a separate location (e.g. North America or East Asia). Such a scenario would add complexities to the data
processing location requirements and the cloud customer would need to add specific clauses in the contract that
clearly stipulate the required geographical location of the CSP’s support operators.

A key part of security assurance is to demonstrate compliance with legal and regulatory obligations. In the
context of using cloud services, this extends to ensuring relevant requirements can be met by an organisation’s
chosen CSPs. With increased regulation of data protection and privacy, organisations now need to take into
account many different laws and regulations when performing security assurance, ranging from generally
applicable laws, such as the EU General Data Protection Regulation (GDPR), to more industry-specific standards,
such as the Payment Card Industry Data Security Standard (PCI-DSS). It may also be necessary to consider
additional compliance requirements mandated by other sources, such as the US Federal Risk and Authorization
Management Program (FedRAMP), which aims to achieve a consistent approach to cloud security
government-wide.

Roles and responsibilities


While information security teams act as enablers for defining and deploying an effective approach in line with
executive management’s direction for securing cloud services, the implementation of the controls should be
performed by cloud security practitioners (e.g. cloud security architects, cloud development managers, cloud
engineers). Their responsibilities may include the following:
‒ Deploying secure network connectivity when using cloud services.
‒ Performing secure user access management of cloud services in use.
‒ Protecting sensitive data stored in cloud services.
‒ Configuring and administering security in cloud services.
‒ Monitoring security-related events and logs.

These activities will typically be realised using the various cloud management consoles and cloud security
products and services. Relevant individuals will need to be trained how to use each cloud management console
correctly and securely.


Typical competency requirements of a cloud security practitioner include:


‒ cloud security certification: CCSK (Certificate of Cloud Security Knowledge), CCSP (Certified Cloud Security
Professional) and/or CSP vendor-specific certification (e.g. AWS Certified Security – Specialty)
‒ working knowledge at administrator level of one or more of the major CSPs (e.g. AWS, Azure, Google)
‒ understanding the fundamentals of a cloud management console of one or more CSPs
‒ general information security expertise, especially around access management and data encryption
‒ knowledge of cloud security services and products, including vendor products such as CASBs, and security
services offered by the CSPs (e.g. AWS Security Hub and Azure Security Center).

As cloud innovation has progressed, it has become evident that successfully managing security in the cloud
environment requires specialist skills and expertise that span computer programming, database management
and the fundamentals of information security. Individuals are expected to have knowledge about a wide range
of topics, including the multi-cloud environment, virtualisation concepts, serverless architecture and security
assurance.

Those who specialise in cloud security or hold relevant certifications are in high demand, creating an acute
cloud skills gap such that many organisations lack the breadth of expertise desired. Nevertheless, as the
following section on the core cloud security controls demonstrates, good practice for securing the use of
cloud services is derived from, and often akin to, the security arrangements that apply on-premises. Organisations can
therefore take some comfort that existing skills and knowledge are transferable to managing security in the
cloud environment.


6 CORE CLOUD SECURITY CONTROLS

As part of the ISF Approach, a set of 45 core security controls has been
developed to address ISF Member concerns about weak or insufficient
cloud security controls, which in turn can have detrimental implications for
business operations. These controls are based on information security good
practice and are tailored specifically to help organisations operate securely
in a heterogeneous, multi-cloud environment.

This section provides an overview of the 45 security controls, offering practical guidance
on how an organisation – as the cloud customer – can improve its security posture in the
cloud environment. These core controls do not encompass the full spectrum of all security
arrangements relevant to the cloud environment, but by focusing on these controls, an
organisation will create a solid foundation that will stand it in good stead for the long-
term security of its cloud services. The core cloud security controls are grouped into five
overarching control areas, each of which is split into three topics as shown in Figure 8.

ISF Member Survey: 58% have identified creating an effective cloud security control framework
as their top priority.

Figure 8: Core cloud security control areas and corresponding topics

A | NETWORK SECURITY
A.1 CLOUD CONNECTIONS
A.2 NETWORK SEGMENTATION
A.3 FIREWALL CONFIGURATION

B | ACCESS MANAGEMENT
B.1 IDENTITY AND ACCESS MANAGEMENT (IAM)
B.2 SECURE SIGN-ON PROCESS
B.3 ADMINISTRATOR ACCESS

C | DATA PROTECTION
C.1 DATA MANAGEMENT
C.2 DATA ENCRYPTION
C.3 DATA LEAKAGE PREVENTION (DLP)

D | SECURE CONFIGURATION
D.1 BUILD STANDARDISATION
D.2 APPLICATION PROGRAMMING INTERFACE (API)
D.3 VIRTUALISATION AND CONTAINERISATION

E | SECURITY MONITORING
E.1 VULNERABILITY MANAGEMENT
E.2 SECURITY EVENT MANAGEMENT
E.3 SECURITY INCIDENT MANAGEMENT


STRUCTURE OF THE CONTROL TOPICS

Each control topic is comprised of two, three or four core security controls, which are presented according to
the layout in Figure 9.

Figure 9: Example of core security control topic

[Figure 9 reproduces control topic A.1 Cloud Connections (see section A | Network Security) with the following
annotations explaining each part of the layout.]

Control topic
Title of the current control topic and a summary of the security controls within the topic.

Objective
Purpose of applying the security controls within the control topic.

Benefits
Reasons for implementing the security controls.

Cloud customer responsibilities
Level of responsibility incumbent on the cloud customer for securing the use of each cloud service model in
relation to the control topic.

Control implementation
Guidance on the security controls that can be implemented to achieve the objective of the control topic, with
shaded markers indicating the level of applicability of each security control to the cloud service models.
See Appendix C for a complete overview of how each security control applies to the three cloud service models.

Considerations for success
Hints and tips for successfully implementing the security controls.

Related ISF Standard references
Related Topics in the 2018 Standard.

Cloud-related threat events
Threat events related to cloud services that are mitigated by implementing the topic's security controls. For a
full list of cloud-related threat events, see Appendix D. For a mapping of these threat events to each security
control, see Appendix E.


IMPLEMENTATION OF SECURITY CONTROLS


When implementing security controls within the cloud environment, there are a number of items to consider
for a cloud security programme to be successful. Some general hints and tips that are important across all of
the controls are listed below, with further considerations set out in each control topic.

Overarching considerations for success


‒ Understand the business and technical requirements for security within the relevant cloud service.
‒ Consider security in all decisions, starting with how the cloud service affects the existing cloud environment
architecture and infrastructure, and then take account of the various users and how they will connect.
‒ Understand the cloud customer responsibilities relevant to each cloud service considering the cloud service model
and the cloud deployment type used by the cloud customer.
‒ Link cloud policies, procedures and design to existing internal security principles.
‒ Where possible, leverage existing experience, knowledge, skills and tools to implement security controls.
‒ Back up the configurations of cloud devices (to allow for restore or roll back of changes).

By following the ISF Approach, an organisation will be well-positioned to protect its data, applications,
systems and infrastructure hosted within cloud services. As highlighted by the SANS 2019 Cloud Security
Survey (see Figure 10),4 organisations continue to experience a variety of security incidents within their cloud
environments. Implementing the core cloud security controls will help ISF Members to address some of
the vulnerabilities that lead to these security incidents and thereby support the mitigation of risks that are
inherent to using cloud services.

Figure 10: Causes of cloud-related security incidents identified by the SANS 2019 Cloud Security Survey

‒ Account or credential hijacking: 49%
‒ Misconfiguration of cloud services and/or resources: 42%
‒ Privileged user abuse: 38%
‒ Unauthorised (rogue) application components or compute instances: 31%
‒ Insecure API or interface compromise: 29%
‒ Shadow IT: 29%
‒ Sensitive data exfiltration directly from cloud apps: 24%
‒ Exploit against CSP vulnerability or APIs: 20%
‒ Misconfiguration or vulnerability of hypervisors and/or other virtualisation attacks: 18%

“With cloud computing, a lot of the traditional security principles still apply. How you
implement and maintain them changes significantly.” – ISF Member

4 D. Shackleford, “SANS 2019 Cloud Security Survey”, SANS, 30 April 2019, https://www.sans.org/reading-room/whitepapers/analyst/membership/38940


A | NETWORK SECURITY

In order to support the business effectively, many different devices need to securely
connect to a range of cloud services. Network security involves deploying secure network
connections, providing the required level of network segmentation and securely configuring
the right blend of firewalls to secure the cloud environment.
Most network security controls deployed on-premises should be extended to the cloud environment. Secure
connections can be made through a gateway using HTTPS, VPN and/or WAN, depending on requirements. To
enable critical components to be isolated from potential attack, the network should be segmented using virtual
local area networks (VLANs) and/or software-defined networks (SDNs). A variety of different firewalls should
also be deployed, restricting network traffic to and from cloud services.

The core network security controls are presented in the table below with their level of applicability to each of
the cloud service models.

LEVEL OF APPLICABILITY TO SERVICE MODEL

A | NETWORK SECURITY
IaaS PaaS SaaS

A.1 CLOUD CONNECTIONS

A.1.1 Apply HTTPS (SSL/TLS)

A.1.2 Configure a virtual private network (VPN)

A.1.3 Implement a wide area network (WAN) solution

A.2 NETWORK SEGMENTATION

A.2.1 Implement virtual local area networks (VLANs)

A.2.2 Use software-defined networking (SDN)

A.2.3 Configure firewalls to manage networks

A.3 FIREWALL CONFIGURATION

A.3.1 Leverage the inbuilt firewalls supplied by CSP

A.3.2 Implement virtual firewalls

A.3.3 Deploy web application firewalls (WAFs)

High Medium Low None


A.1 CLOUD CONNECTIONS


How organisations connect to their cloud services is an important decision and vital to business continuity.
HTTPS, virtual private networks (VPNs) and wide area networks (WANs) are connectivity approaches that can
be used on their own or together. They are capable of enhancing an organisation’s ability to access the cloud
environment securely by encrypting data in transit and restricting network access.

There are three core security controls to consider:

A.1.1 Apply HTTPS (SSL/TLS)

A.1.2 Configure a virtual private network (VPN)

A.1.3 Implement a wide area network (WAN) solution

Figure 11: Cloud connection options

[Figure 11 shows the three connection options (HTTPS, VPN and WAN) between an organisation and its IaaS, PaaS
and SaaS services.]

OBJECTIVE
To prevent unauthorised connections and protect data in transit.

BENEFITS
‒ Provides appropriate levels of protection over data connections to the cloud environment.
‒ Delivers strong availability approaches for connecting to a cloud environment when using
multiple approaches.
‒ Restricts which IP addresses can connect to the cloud environment and what ports can be used.
‒ Guarantees the bandwidth connection to a cloud environment when utilising WAN.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS and PaaS: the cloud customer should typically deploy HTTPS, VPN and WAN connectivity, but will
need to work closely with the CSP to achieve a successful implementation.

SaaS: the cloud customer needs to enable HTTPS for connections to the cloud. There will often be a need
to liaise with the CSP to implement the SSL certificate. Smaller SaaS providers may not provide the option
for VPN or WAN connections, but these should be considered if they are available.


CONTROL IMPLEMENTATION
HTTPS, VPN and WAN all help to secure communications to an organisation’s cloud services, but provide
differing levels of security. HTTPS is typically used as the default method with WAN connection being
the most secure – albeit more expensive – approach. As part of determining the most suitable approach
to cloud connectivity, the cost of the solution should be weighed against an organisation’s business and
security requirements.

In the ISF Member Survey...
‒ 90% using IaaS have secured their connection to the cloud via VPN or WAN.
‒ 77% using PaaS have secured their connection to the cloud via VPN or WAN.
‒ 66% using SaaS have secured their connection to the cloud via VPN or WAN.

Many ISF Member organisations have chosen to implement more than one control for the same cloud connections
– using only one could create a single point of failure, which could lock an organisation out of their cloud services.

A.1.1 Apply HTTPS (SSL/TLS)


HTTPS creates a secure channel for communications over an insecure network (i.e. the internet) and
provides protection against adversarial threats seeking to compromise cloud services (e.g. by conducting a
man‑in‑the‑middle attack). Providing a satisfactory level of encryption as well as a valid and trusted security
certificate, HTTPS delivers a solid baseline level of protection. This is the simplest connectivity approach to
implement, requiring only a trusted certificate (from a legitimate certificate authority) to be installed on the
relevant cloud devices.

HTTP should never be used to connect to a cloud service as the protocol does not contain any security measures
to protect data connections to the cloud.
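The policy described for control A.1.1 (HTTPS only, with a valid certificate from a trusted certificate authority) can be enforced on the client side of every connection an organisation's own tooling makes to a cloud service. The following is an added example, not code from the ISF report or from any CSP: it rejects any URL that is not HTTPS, checks the hostname against a constructed allow-list of approved cloud endpoints, and builds a TLS client context that requires chain validation, hostname matching and TLS 1.2 or later. The hostnames and the `APPROVED_CLOUD_HOSTS` allow-list are assumptions for the example.

```python
"""Enforce HTTPS-only connections to approved cloud endpoints.

Added example (not from the ISF report). The endpoint allow-list below is
constructed for illustration; an organisation would populate it from its own
cloud service inventory.
"""
import socket
import ssl
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list of cloud service endpoints approved by the organisation.
APPROVED_CLOUD_HOSTS = {"storage.example-csp.com", "api.example-csp.com"}


class ConnectionPolicyError(ValueError):
    """Raised when a connection request violates the cloud connection policy."""


def check_cloud_url(url: str) -> str:
    """Return the hostname of `url` if it satisfies the policy, else raise.

    Policy (control A.1.1): plain HTTP carries no protection for data in
    transit, so only HTTPS is accepted, and only to approved cloud hosts.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ConnectionPolicyError(
            f"scheme {parts.scheme!r} is not permitted for cloud connections; use https")
    host = (parts.hostname or "").lower()
    if host not in APPROVED_CLOUD_HOSTS:
        raise ConnectionPolicyError(f"host {host!r} is not an approved cloud endpoint")
    return host


def build_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Create a client TLS context that insists on a valid, trusted certificate.

    - the server certificate chain must validate against the trust store
      (system store by default, or `cafile` for a private CA)
    - the certificate must match the hostname being connected to
    - legacy protocol versions are disabled (TLS 1.2 is the minimum)
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the settings a reviewer would check on a TLS client context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def open_cloud_connection(url: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a policy-compliant TLS connection to an approved cloud endpoint.

    Network access is required; callers are responsible for closing the socket.
    A certificate that is untrusted, expired or issued for another name makes
    `wrap_socket` raise `ssl.SSLCertVerificationError` instead of connecting.
    """
    host = check_cloud_url(url)
    port = urlsplit(url).port or 443
    ctx = build_tls_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for candidate in ("https://api.example-csp.com/v1/buckets", "http://api.example-csp.com/v1"):
        try:
            print(candidate, "->", check_cloud_url(candidate))
        except ConnectionPolicyError as exc:
            print(candidate, "-> rejected:", exc)
    print(describe_context(build_tls_context()))
```

The policy check and the context builder run offline; only `open_cloud_connection` needs network access. Keeping the checks in a single place means every script or job that talks to a cloud API inherits the same HTTPS-only, certificate-verified behaviour rather than each author deciding individually.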

A.1.2 Configure a virtual private network (VPN)


VPNs primarily use the IPSec protocol to create a secure tunnel for data to traverse an insecure network. A VPN
can be configured as a site-to-site VPN (e.g. office network to cloud environment) or client-to-network VPN
(e.g. host to cloud environment). IPSec operates at the IP layer of communications and protects the data within
a secured tunnel.

VPN is a slightly more complex approach than HTTPS. It requires a greater effort to configure than HTTPS and
relies on the configuration changes being made by the organisation and the CSP in parallel.

A.1.3 Implement a wide area network (WAN) solution


WAN connections allow for a dedicated private connection (e.g. Amazon DirectConnect or Azure ExpressRoute)
between an organisation’s own network and the CSP’s network. This ensures that an organisation’s data is not
transmitted across the public internet and therefore is not visible to an external party.

A WAN solution is potentially the most secure of the three approaches, with a dedicated bandwidth direct to
an organisation’s cloud environment. It is similar to multiprotocol label switching (MPLS) in that it is a virtual
private network not accessible via the internet. However, it is also the most complex to implement since both
the customer and CSP will require additional infrastructure to establish a dedicated network connection.


CONSIDERATIONS FOR SUCCESS


‒ Evaluate the financial implications of connectivity options as they typically increase (often significantly) from
HTTPS through to VPN and WAN.
‒ Include changes to internal infrastructure in change management processes as they may affect connections
to the CSP’s cloud infrastructure.
‒ Require CSPs to provide advance notice of changes they make to their cloud infrastructure as these may
impact the secure connection without warning.

Related ISF Standard references


NC1.4 External Network Connections

Cloud-related threat events


Adversarial
‒ Exfiltrate sensitive data from cloud services
‒ Exploit cloud design or configuration weaknesses
‒ Exploit insecure interfaces and APIs
‒ Session hijacking of cloud services
‒ Unauthorised access to cloud service authentication credentials
‒ Unauthorised monitoring of communications

Accidental
N/A


A.2 NETWORK SEGMENTATION


Organisations should limit and monitor the type and amount of network traffic that traverses their cloud
environment. This flow of traffic should be restricted to only what is necessary, by segmenting the network,
using virtual LANs (VLANs), software-defined networks (SDNs) and/or firewalls.

There are three core security controls to consider:

A.2.1 Implement virtual local area networks (VLANs)

A.2.2 Use software-defined networking (SDN)

A.2.3 Configure firewalls to manage networks

Figure 12: Segmenting the cloud environment

[Figure 12 illustrates network segmentation applied within IaaS and PaaS environments.]

ISF Member Survey
89% ...have implemented some form of network segmentation in their cloud environment.

OBJECTIVE
To isolate types of network traffic (e.g. malicious, non-production, testing and production),
limiting the impact and spread of a potential security incident.

BENEFITS
‒ Enables fast change and deployment of networking and security rules to network devices.
‒ Provides visibility of network traffic flowing through the cloud environment.
‒ Restricts lateral movement of threat events across the cloud environment.
‒ Supports quicker and more focused containment of a cloud security incident.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS: the cloud customer is primarily responsible for network segmentation and can select which security
controls best suit their needs. The CSP manages and controls the underlying infrastructure but the cloud
customer can add their own segmentation above this.

PaaS: the cloud customer will sometimes have access to the virtual networking layer, allowing the cloud
customer to configure a level of network segmentation. VLANs would rarely be used within a PaaS set-up
as this level of access normally remains with the CSP.

SaaS: the cloud customer is never responsible for network segmentation. This is usually managed by
the CSP.


CONTROL IMPLEMENTATION
Network segmentation is reasonably common within on-premises infrastructure even at a basic level, with
non-production, production and DMZ networks. The security controls below allow an organisation to make
their segmentation as simple or as complex as befits their requirements for the cloud environment.

A.2.1 Implement virtual local area networks (VLANs)


VLANs can be used to separate zones within the cloud environment. By separating different network subnets
and restricting traffic between them using access control lists (ACLs), the flow of traffic can be monitored and
managed. Notably, VLANs operate at the virtual switch level which is not available within a SaaS environment
and often does not exist within a PaaS environment either.

VLANs are not as widely used within the cloud environment in comparison to internal networks, and are generally
only implemented for IaaS.

A.2.2 Use software-defined networking (SDN)


SDN is a relatively new method for network management that enables an organisation to create and manage
network configuration programmatically and centrally via an SDN controller leveraging API technology
(see control topic D.2). SDN architecture provides an organisation with the ability to manage the network for
the whole cloud environment in a consistent manner.

SDN reduces the complexity of statically defined networks by separating the network management functions
from the underlying infrastructure. This helps to speed deployment, automate many network functions and
simplify deployment of network resources. This in turn eases the administrative effort usually associated with
setting up and maintaining both the security and quality of service expected of networking. Implementing
SDNs should therefore reduce the number of mistakes that are otherwise made in manual configuration so
that fewer network vulnerabilities are introduced into the cloud environment.

SDN Architecture
SDN architecture is based on a layered approach comprised of:
‒ an application layer, which can host load balancers, firewalls, web application firewalls (WAFs) and
business applications
‒ a control layer, which hosts the SDN controller and network services
‒ an infrastructure layer, which hosts the virtual switches.
Traffic between these layers is controlled by APIs.

A.2.3 Configure firewalls to manage networks


Firewalls (both standard and WAF) have core networking and routing capabilities, which can be leveraged to assist
or perform network segmentation. To segregate the network, firewalls can be configured to use separate network
interfaces (with rules that prohibit specific traffic), or multiple virtual firewall instances can be created for each
network zone.

A standard firewall can manage and monitor all network protocols and offers more granular control than using
a WAF but will take more effort to configure. By comparison, a WAF can only deal with web traffic protocols
although it does bring the added benefit of being able to block web application attacks, such as an SQL injection.

Network configuration should be regularly reviewed as changes (which can be made easily and at any time) can
affect the overall security of the cloud environment. Peer reviews of network configuration are recommended
where possible to ensure that mistakes and vulnerabilities do not start to appear within the network code or
configuration settings.
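Controls A.2.1 and A.2.3 describe separating zones (VLANs or subnets) and restricting traffic between them with ACLs or firewall rules, and recommend regular review of that configuration. The following is an added example, not code from the ISF report: it models a small IaaS environment as zones with constructed CIDRs, evaluates whether a given flow is permitted by a first-match ACL with an implicit deny, and includes a review function that flags any allow rule letting a non-production zone reach a production zone, which is the kind of mistake a peer review is meant to catch. Zone names, address ranges and rules are all constructed for the example.

```python
"""Zone-based segmentation model with ACL evaluation and isolation review.

Added example (not from the ISF report). Zones, CIDRs and rules are constructed
to illustrate VLAN/subnet segmentation enforced by ACLs or firewall rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed zones: one subnet per zone, as they might be laid out in an IaaS VPC.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app-prod": ipaddress.ip_network("10.0.10.0/24"),
    "db-prod": ipaddress.ip_network("10.0.20.0/24"),
    "non-prod": ipaddress.ip_network("10.1.0.0/16"),
}

# Zones that non-production traffic must never be able to reach directly.
PRODUCTION_ZONES: FrozenSet[str] = frozenset({"dmz", "app-prod", "db-prod"})


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# Constructed ACL: evaluated top-down, first match wins, implicit deny at the end.
ACL: List[Rule] = [
    Rule("dmz", "app-prod", "tcp", 443, "allow"),      # web tier reaches app tier over HTTPS
    Rule("app-prod", "db-prod", "tcp", 5432, "allow"),  # app tier reaches database only
    Rule("non-prod", "non-prod", "any", None, "allow"),  # non-prod is free to talk to itself
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone whose subnet contains it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a flow, applying the ACL as first-match.

    Addresses outside every known zone never match an allow rule, so traffic
    from or to unknown address space falls through to the implicit deny.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    for rule in ACL:
        if (rule.src_zone == src and rule.dst_zone == dst
                and rule.proto in ("any", proto)
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"


def verify_isolation(acl: List[Rule],
                     protected: FrozenSet[str] = PRODUCTION_ZONES) -> List[Tuple[str, str]]:
    """Review an ACL and return (src, dst) pairs where a non-protected zone is allowed
    into a protected zone. An empty list means the segmentation boundary holds."""
    violations: List[Tuple[str, str]] = []
    for rule in acl:
        if (rule.action == "allow" and rule.dst_zone in protected
                and rule.src_zone not in protected):
            violations.append((rule.src_zone, rule.dst_zone))
    return violations


if __name__ == "__main__":
    print("dmz -> app-prod 443:", evaluate_flow("10.0.1.5", "10.0.10.7", "tcp", 443))
    print("dmz -> db-prod 5432:", evaluate_flow("10.0.1.5", "10.0.20.7", "tcp", 5432))
    print("non-prod -> db-prod 5432:", evaluate_flow("10.1.2.3", "10.0.20.7", "tcp", 5432))
    print("isolation violations:", verify_isolation(ACL))
```

`evaluate_flow` answers the operational question ("would this packet get through?"), while `verify_isolation` answers the review question ("does any rule, regardless of traffic, breach the production boundary?"). Running the review as part of change management, before a rule change is applied, gives the peer review described above something concrete to check.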


CONSIDERATIONS FOR SUCCESS


‒ Design network segmentation to adhere to the organisation's existing security-related architectural designs
and principles.
‒ Leverage centralised management of the network where possible, so that the same network policy can be
distributed to multiple switches or network devices.
‒ Implement segmentation in a manner that provides a suitable level of protection for the data within the
cloud environment.

Related ISF Standard references


SY1.1 Computer and Network Installations
NC1.1 Network Device Configuration
NC1.4 External Network Connections

Cloud-related threat events


Adversarial
‒ Conduct denial of service attack
‒ Exfiltrate sensitive data from cloud services
‒ Exploit cloud design or configuration weaknesses
‒ Introduce malware to cloud services
‒ Unauthorised network scanning or probing

Accidental
‒ Undesirable effect of change
‒ User error (negligence or accidental)


A.3 FIREWALL CONFIGURATION


Firewalls are still the mainstay for network security, but with a move to cloud services, organisations must
adapt their approach to perimeter security in order to extend it into the cloud environment. Cloud-based
firewalls that are well configured can help protect an organisation’s network as well as its applications, servers
and infrastructure within the cloud environment.

There are three core security controls to consider:

A.3.1 Leverage the inbuilt firewalls supplied by CSP

A.3.2 Implement virtual firewalls

A.3.3 Deploy web application firewalls (WAFs)

Figure 13: Cloud firewall options

[Figure 13 shows firewalls (FW) positioned at the external boundary and internally in front of IaaS, PaaS and
SaaS services, with system administrator access passing through them.]

OBJECTIVE
To prevent unauthorised or malicious traffic from gaining access to or leaving the cloud environment.

BENEFITS
‒ Restricts network traffic flowing in and out of the cloud environment.
‒ Provides visibility of network traffic within the cloud environment.
‒ Prevents anomalous traffic from reaching cloud applications, servers and infrastructure.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS: the cloud customer is usually responsible for the firewall configuration leveraged within the
cloud environment. The CSP will sometimes have a firewall in place around the whole of their
cloud infrastructure which can be left open, allowing the cloud customer to implement their own
firewall options.

PaaS: the cloud customer may be able to enable their own virtual firewalls and control access themselves;
the customer can use a management interface for their firewalling instance with access granted by the
CSP or provide details to the CSP on what access is required.

SaaS: the cloud customer can typically only specify details of network access requirements to the CSP.


CONTROL IMPLEMENTATION
Cloud-based firewall technology works in a similar way to typical on-premises architecture. The main difference
is that cloud-based firewalls are deployed as software appliances and do not run on traditional hardware
devices. Organisations may choose to use the firewalls offered by the CSP or purchase their preferred firewall
from a security vendor.

A.3.1 Leverage the inbuilt firewalls supplied by CSP


Major CSPs have a default firewall option available as part of their cloud service offering.
For a SaaS application, typically only a basic firewall will be offered to enable customers to
allow web traffic (HTTPS). Conversely, as part of PaaS and IaaS, the CSP will usually grant
customers more granular control via the cloud management console with a choice of ports
and IP addresses to allow or deny. This functionality is similar to the traditional firewall policy
management functions that are used on‑premises.

For organisations using only one CSP, leveraging the CSP’s inbuilt firewalls can make it easier
to configure and manage rules across the cloud environment.

ISF Member Survey
92% ...have implemented some form of firewall in their cloud.

A.3.2 Implement virtual firewalls


Virtual firewalls are software-based firewalls that typically replace the standard, appliance-based
hardware firewalls deployed within a data centre or office location. These can be implemented via the
cloud management console or using a vendor product. An organisation can benefit from implementing a
virtual firewall solution as this can be extended across multiple cloud services. This allows an organisation
to standardise their firewall configuration, manage the firewall rules and collect all the logs in one
central location.

CSP firewalls can have limited functionality compared to a full virtual firewall, therefore an organisation should
understand the different firewall offerings and their technical limitations before deciding which approach best
aligns with their cloud security policy and architectural design.

A.3.3 Deploy web application firewalls (WAFs)


A WAF monitors data requests to cloud services, looking for anomalies in the requests that may indicate
suspicious or malicious web traffic. WAFs can be configured to allow, deny or alert for specific requests.

Compared to other firewall approaches, using a WAF in the cloud environment can provide the following
additional advantages:
‒ inspects web traffic and data flows
‒ stops malicious requests (e.g. SQL injection or cross-site scripting) reaching an application
‒ improves security event logging, providing an increased level of detail to assist a security operations centre
(SOC) in detecting potential threats
‒ supports network segmentation if using multiple WAF installations.

Responsibility for determining what network traffic is allowed to flow in and across the cloud environment rests
with the cloud customer, not the CSP.


CONSIDERATIONS FOR SUCCESS


‒ Deploy firewalls that scale quickly and simply to allow for the flexibility that cloud services provide to
an organisation.
‒ Create a default firewall policy to allow all new cloud-based firewalls to start with a base level of security.
‒ Review what type of network access is required for the cloud environment and use this information to select
and configure firewalls.

The more complex the firewall configuration, the harder the management and monitoring of firewalls becomes.
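Two of the considerations above, starting every new cloud firewall from a default policy and reviewing what access is actually required, lend themselves to automation. The following is an added example, not code from the ISF report or any CSP's tooling: it generates a baseline rule set (HTTPS in from anywhere, administrative access only from a constructed corporate VPN/WAN range, explicit default deny in both directions) in a vendor-neutral rule format, and a review function that reports inbound rules exposing administrative ports or all traffic to the internet and rule sets lacking an explicit default deny. The rule dictionary format, the `ADMIN_PORTS` table and the address ranges are assumptions for the example.

```python
"""Baseline firewall policy and rule review for cloud firewalls / security groups.

Added example (not from the ISF report). The rule format is a constructed,
vendor-neutral representation; real CSP security-group rules would be mapped
into it before review.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed table of administrative and database ports that should never be
# reachable from the whole internet.
ADMIN_PORTS: Dict[int, str] = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql"}


def rule(direction: str, proto: str, port: Optional[int], cidr: str, action: str) -> Dict:
    """Build one rule. direction: 'in'/'out'; proto: 'tcp'/'udp'/'any';
    port None means any port; action: 'allow'/'deny'."""
    return {"dir": direction, "proto": proto, "port": port, "cidr": cidr, "action": action}


def default_policy(admin_cidr: str) -> List[Dict]:
    """Baseline every new cloud firewall starts from (consideration: default policy).

    Inbound: HTTPS from anywhere, SSH only from the corporate VPN/WAN range,
    everything else denied. Outbound: HTTPS only, everything else denied.
    """
    return [
        rule("in", "tcp", 443, "0.0.0.0/0", "allow"),
        rule("in", "tcp", 22, admin_cidr, "allow"),
        rule("in", "any", None, "0.0.0.0/0", "deny"),
        rule("out", "tcp", 443, "0.0.0.0/0", "allow"),
        rule("out", "any", None, "0.0.0.0/0", "deny"),
    ]


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def review_rules(rules: List[Dict]) -> List[str]:
    """Return human-readable findings for a rule set; an empty list means no issues.

    Checks performed:
    - an inbound allow from the whole internet on an administrative port
    - an inbound allow from the whole internet on all ports or all protocols
    - absence of an explicit default-deny rule for either direction
    """
    findings: List[str] = []
    default_deny = {"in": False, "out": False}
    for i, r in enumerate(rules):
        world = _is_world(r["cidr"])
        any_proto = r["proto"] == "any"
        any_port = r["port"] is None
        if r["action"] == "deny":
            if world and any_proto and any_port:
                default_deny[r["dir"]] = True
            continue
        if r["dir"] != "in" or not world:
            continue  # outbound and source-restricted allows are not flagged here
        if any_proto:
            findings.append(f"rule {i}: all traffic allowed from the internet")
        elif any_port:
            findings.append(f"rule {i}: all {r['proto']} ports allowed from the internet")
        elif r["port"] in ADMIN_PORTS:
            findings.append(
                f"rule {i}: {ADMIN_PORTS[r['port']]} (port {r['port']}) exposed to the internet")
    for direction, present in default_deny.items():
        if not present:
            findings.append(f"no explicit default deny for {direction}bound traffic")
    return findings


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for the corporate VPN/WAN egress.
    baseline = default_policy("203.0.113.0/24")
    print("baseline findings:", review_rules(baseline))
    # Constructed rule set resembling a hastily created security group.
    hasty = [rule("in", "tcp", 22, "0.0.0.0/0", "allow"),
             rule("in", "tcp", 443, "0.0.0.0/0", "allow")]
    for finding in review_rules(hasty):
        print("finding:", finding)
```

Applying `default_policy` when a firewall or security group is first created, and running `review_rules` over every rule set on a schedule, keeps the configuration simple enough to manage and surfaces the internet-exposed administrative port that the SANS survey figures above show to be a common root of cloud incidents.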

Related ISF Standard references


SY1.1 Computer and Network Installations
NC1.4 External Network Connections
NC1.5 Firewalls

Cloud-related threat events


Adversarial
‒ Exfiltrate sensitive data from cloud services
‒ Exploit cloud design or configuration weaknesses
‒ Introduce malware to cloud services
‒ Unauthorised monitoring of communications
‒ Unauthorised network scanning or probing

Accidental
N/A


B | ACCESS MANAGEMENT

Individuals should be able to access a wide range of cloud services in a fast, reliable and
secure manner, with their differing requirements and roles also taken into account. Access
management involves defining and managing the right level of access and authorisation,
supported by a secure sign-on process and strong controls over system administrators.
Organisations need to deploy effective and consistent user authentication and access control mechanisms
across their cloud environment. This can be achieved using an identity and access management system such
as identity as a service (IDaaS) and augmenting it with secure sign-on processes such as single sign-on (SSO)
and multi-factor authentication (MFA). Given that administrators have powerful privileges allowing them to
configure, create and remove important cloud devices, administrator access should be managed tightly. The
core access management controls are presented in the table below with their level of applicability to each of
the cloud service models.

LEVEL OF APPLICABILITY TO SERVICE MODEL

B | ACCESS MANAGEMENT                                          IaaS    PaaS    SaaS
[applicability ratings per service model are shown as symbols in the original]

B.1 IDENTITY AND ACCESS MANAGEMENT (IAM)
B.1.1 Leverage existing on-premises IAM solution
B.1.2 Deploy an identity as a service (IDaaS) product
B.1.3 Build a hybrid IAM solution

B.2 SECURE SIGN-ON PROCESS
B.2.1 Use single sign-on (SSO)
B.2.2 Deploy multi-factor authentication (MFA)

B.3 ADMINISTRATOR ACCESS
B.3.1 Apply least privilege principle
B.3.2 Maintain an inventory of cloud administrators
B.3.3 Consider deploying a privileged access management tool
B.3.4 Review administrator activities

Key: High / Medium / Low / None

Segregation of duties
An important area within access management is segregation of duties. Although not specifically covered within this
report, organisations should not ignore it. With a move to the cloud, an organisation often faces the challenge of a
dramatic increase in the number of administrative accounts.
Administrators are at a greater risk of ‘toxic combinations’ (e.g. create a development server, install an application
and then promote to a live server without the input of anyone else), so it is vital that the ‘least privilege’ principle
is applied and the effect of the level of access is fully understood. The cloud customer needs to be confident that
they understand what each user (and especially administrators) can do within the cloud environment, ensuring that
there is no conflict that could allow them to perform multiple tasks that could assist in creating vulnerabilities or
causing a breach.


B.1 IDENTITY AND ACCESS MANAGEMENT (IAM)


Organisations should implement identity and access management (IAM) to provide effective and consistent
user provisioning and access management throughout their cloud environment. An organisation’s user
credentials are often considered a primary target for attackers and therefore should be treated as sensitive
information.

There are three core security controls to consider:

B.1.1 Leverage existing on-premises IAM solution

B.1.2 Deploy an identity as a service (IDaaS) product

B.1.3 Build a hybrid IAM solution

Figure 14: User access to the cloud environment [diagram; labels: Internal: business users, system developers; External: business partners, external customers; IAM; IaaS, PaaS, SaaS]
ISF Member Survey: 75% ...are using IAM solutions to connect to cloud services.

OBJECTIVE
To restrict cloud service access to authorised users and protect sensitive information.

BENEFITS
‒ Links user identities from on-premises services to cloud services.
‒ Replicates changes in either access management policies or systems.
‒ Enables management of user access privileges to be performed by relevant business representatives.
‒ Tracks who has access to information and services within cloud services.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS, PaaS and SaaS: the cloud customer is responsible for all areas of user access management, which
includes business users, system developers, system administrators and approved external parties. Even
within a SaaS service, where the access management solution is usually provided by the CSP, it is still the
responsibility of the cloud customer to determine which users should have access and what they have
access to.


CONTROL IMPLEMENTATION
The simplest approach to accessing a cloud service is to rely on the CSP’s own authentication mechanisms,
which means the CSP holds the users’ credentials. While this approach can be practical for an organisation
using a single CSP and with only a small number of users accessing cloud services, it is not recommended
for those organisations with a multi-cloud environment, since it entails a duplication of effort and
account credentials.

IAM solutions use one or more identity stores (e.g. Active Directory) to maintain a central repository of users
that needs to be kept up-to-date and consistent with the organisation’s access control policies (e.g. password
strength, length and re-use). For this reason, organisations should use federated access when implementing
IAM for cloud services.

B.1.1 Leverage existing on-premises IAM solution


IAM can be implemented via an existing on-premises solution, enabling authentication to multiple business
applications as well as cloud services. This can be achieved by connecting the identity store (e.g. Active
Directory) to the cloud environment and establishing a connection through an access management standard
(e.g. SAML, OAuth or OpenID).

This involves creating a trust relationship between the on-premises identity store and the CSP identity store
to enable synchronisation of user identities. This allows existing identities (users, groups and roles) to access
cloud devices when an organisation allocates the relevant permissions to an identity.

The two most common options when creating a trust relationship are:
‒ A one-way trust: identities are shared with the cloud identity service whenever a user attempts to authenticate,
giving the organisation more control in terms of sharing identities. This is a ‘read-only’ view given by the
organisation to the cloud identity service. In some instances, a copy of the identity database is provided to
the cloud identity service and changes to the originating system are pushed to the cloud service copy as they
are made.
‒ A two-way trust: identities are shared between the organisation and the cloud identity service, which means
changes can be made via either system and then synchronised to the other service, giving more flexibility but
less control over identities.

B.1.2 Deploy an identity as a service (IDaaS) product


It is possible to purchase and migrate to a cloud-based identity store, referred to as an IDaaS, where identities
are created and managed. Authentication and authorisation take place within the cloud environment without
any need to involve the on-premises infrastructure. IDaaS creates one identity store that can easily share the
user identities between both on-premises systems and the cloud services. An organisation can run IDaaS in
parallel to or as a replacement for an on-premises IAM solution.

Whenever a user attempts to log in – whether to an on-premises system or to a cloud service – that system will
query the cloud-based identity store. All user access control is managed entirely in the cloud.

With IDaaS, users:


‒ sign onto CSP services or applications using corporate credentials
‒ are authenticated via SAML2, LDAP or password vaulting through a trusted identity provider
‒ are granted access to specified applications or resources.


B.1.3 Build a hybrid IAM solution


ISF Member Survey: 55% ...have implemented cloud-based IAM systems including IDaaS or hybrid IAM.

Both on-premises IAM and cloud-based IDaaS have their own advantages and disadvantages. One way to mitigate
some of the issues is to build a hybrid IAM solution with the users being stored in multiple but linked identity
stores, both on-premises and in an IDaaS.

This enables users to have a common identity across on-premises and cloud-based services. Not all identity
credentials or attributes are shared with the CSP in this model. The hybrid solution has the added benefit that
if one identity store is offline then users can still authenticate to the remaining identity store.

CONSIDERATIONS FOR SUCCESS


‒ Review and plan for a full IDaaS solution as the increasing adoption of a cloud-first policy (with little or no on-
premises services) is likely to make this a requirement in the future. Protect the identity store (which should
include maintaining an off-site backup and incorporating it into business continuity plans) as it is a vital part
of the cloud customer’s infrastructure.
‒ Assess the risk of sharing user identity credentials with CSPs, particularly for external solutions such as the
hybrid or IDaaS approach.

Related ISF Standard references


TS1.4 Identity and Access Management

Cloud-related threat events


Adversarial:
‒ Exfiltrate sensitive data from cloud services
‒ Exploit insecure interfaces and APIs
‒ Exploit vulnerable authorisation mechanisms
‒ Unauthorised access to cloud service authentication credentials

Accidental:
‒ N/A


B.2 SECURE SIGN-ON PROCESS


Logging into each cloud service on an individual basis increases the risk of unauthorised access as it requires
users to manage multiple accounts and passwords. To mitigate this risk, organisations should consider
adopting single sign-on functionality. Access to cloud services can be further secured through multi-factor
authentication, particularly in scenarios where accounts have access to the CSP cloud management console
and other administrative tools.

There are two core security controls to consider:

B.2.1 Use single sign-on (SSO)

B.2.2 Deploy multi-factor authentication (MFA)

Figure 15: Additional solutions for secure access management [diagram; labels: Internal: business users, system developers; External: business partners, external customers; MFA; SSO; IAM; IaaS, PaaS, SaaS]
OBJECTIVE
To provide access to cloud services in a secure, fast and efficient manner.

BENEFITS
‒ Enables authorised users to access multiple cloud services and applications via single sign-on, limiting the
number of passwords required.
‒ Reduces the administrative burden of creating multiple accounts across different systems.
‒ Limits the potential for making errors in the provisioning process.
‒ Helps to prevent an attacker compromising a user account to gain access to corporate information and systems.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS: the cloud customer controls the access management tools and is responsible for deciding how users
access systems. The customer may choose to connect to the cloud environment in the same way as their
own internal systems, which may mean enhancements are not always a requirement (i.e. when using a WAN
connection). The cloud customer will need to liaise with the CSP but usually only with regard to accessing
the cloud management console.

PaaS: the cloud customer is responsible for enhancing the access control systems offered by the CSP,
although there is often a requirement to liaise with the CSP to ensure the customer’s tools integrate
effectively with those of the CSP.

SaaS: the cloud customer is responsible for applying enhancements to secure the access control systems
but will need to work closely with the CSP to implement the CSP tools on offer and integrate them with the
customer’s existing solutions.


CONTROL IMPLEMENTATION
Identity access management solutions used for cloud services provide a good foundation for managing the
sign-on process but have their limitations. To improve the user’s experience and offer a more secure sign-
on process, these basic access control methods can be built on by using single sign-on (SSO) and a strong
authentication method such as multi-factor authentication (MFA). SSO and MFA complement each other as a
paired implementation and should be adopted in tandem.

B.2.1 Use single sign-on (SSO)


ISF Member Survey: 97% ...are using single sign-on in their cloud environment.

The requirement for users to access multiple systems on multiple occasions as part of their daily tasks has
increased with the adoption of cloud services. Logging on multiple times with multiple accounts can lead to an
increase in errors or poor security practices, such as choosing simple passwords.

SSO helps to remove some of those risks and concerns. Once a user has authenticated via SSO, the service shares
the authentication credentials with the various cloud applications, eliminating the need for the user to re-enter
their log-in details to access each application.

Implementation of SSO or extending an existing on-premises SSO solution to cloud services uses protocols and
standards like Kerberos and SAML 2.0. These replace the use of usernames and passwords with a security token.

SAML – Security Assertion Markup Language

SAML 2.0 is the current version of one of the most common standards for enabling single sign-on. It enables exchanges
of both authentication and authorisation data between two entities over the internet.

B.2.2 Deploy multi-factor authentication (MFA)


ISF Member Survey: 95% ...are using multi-factor authentication in their cloud environment.

Standard access management solutions deliver a basic authentication mechanism, typically UserID and password.
MFA provides an additional level of protection during the sign-on process, making it harder for attackers to gain
unauthorised access to an account.

MFA (which often complements a password-based approach) typically works with the logic of:
‒ something you know, such as a secondary password or PIN
‒ something you have, such as a physical token (typically providing a one-time password (OTP)) or a soft token
(e.g. an SMS message with an OTP/PIN or a device-based authenticator tool)
‒ something you are, typically some form of biometrics (e.g. fingerprint or iris recognition).

MFA should be applied whenever possible and always when it relates to privileged access
(e.g. a cloud administrator) or access to confidential data within the cloud environment.
Many CSPs offer a range of sophisticated access control mechanisms, including biometrics
and cryptographic tokens, which can be used as part of MFA to create a resilient and secure
sign-on process.

A geolocation-based factor can also be added as a form of authentication to take into account the physical
location of the user. An organisation may want to restrict certain locations from being able to authenticate or
block an attempted logon from an unrealistic location given where the user last logged off. This should only be
treated as a third or fourth factor authentication.
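The geolocation factor described above, as an added example (not code from the ISF report): it compares a logon attempt with the user's last logoff and rejects travel that is not physically plausible, alongside a restricted-location list. The speed threshold, the placeholder country code XX and the sample coordinates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

# Constructed example: thresholds and locations are illustrative, not ISF figures.
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly the speed of a commercial flight
RESTRICTED_COUNTRIES = {"XX"}     # placeholder code for a location the organisation denies


@dataclass(frozen=True)
class Location:
    country: str   # ISO 3166-1 alpha-2 code, as a geolocation lookup would return it
    lat: float
    lon: float


@dataclass(frozen=True)
class SessionEvent:
    user: str
    when: datetime   # timezone-aware UTC timestamp
    where: Location


def distance_km(a: Location, b: Location) -> float:
    """Great-circle distance between two points using the haversine formula."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def evaluate_geolocation_factor(last_logoff: Optional[SessionEvent],
                                attempt: SessionEvent) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for the geolocation factor only.

    This check is layered on top of the primary factors (password, token,
    biometric); it never replaces them.
    """
    if attempt.where.country in RESTRICTED_COUNTRIES:
        return "deny", "logon from a restricted location: %s" % attempt.where.country
    if last_logoff is None or last_logoff.user != attempt.user:
        return "allow", "no previous session for this user to compare against"
    hours = (attempt.when - last_logoff.when).total_seconds() / 3600.0
    km = distance_km(last_logoff.where, attempt.where)
    if hours <= 0.0:
        # Same instant, or a clock problem: only staying in the same place is plausible.
        return ("allow", "same location") if km < 1.0 else ("deny", "movement with no elapsed time")
    speed = km / hours
    verdict = "allow" if speed <= MAX_PLAUSIBLE_SPEED_KMH else "deny"
    return verdict, "%.0f km in %.1f h (%.0f km/h) since last logoff" % (km, hours, speed)


# Constructed sample sessions for the demonstration below.
LONDON = Location("GB", 51.5074, -0.1278)
PARIS = Location("FR", 48.8566, 2.3522)
SYDNEY = Location("AU", -33.8688, 151.2093)
LAST_LOGOFF = SessionEvent("alice", datetime(2019, 10, 1, 9, 0, tzinfo=timezone.utc), LONDON)
T_ATTEMPT = datetime(2019, 10, 1, 11, 0, tzinfo=timezone.utc)   # two hours after the logoff


if __name__ == "__main__":
    for where in (PARIS, SYDNEY, Location("XX", 0.0, 0.0)):
        decision, reason = evaluate_geolocation_factor(LAST_LOGOFF, SessionEvent("alice", T_ATTEMPT, where))
        print("%-6s %s" % (decision, reason))
```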


CONSIDERATIONS FOR SUCCESS


‒ Understand the benefits and consequences of secure sign-on processes (e.g. SSO and MFA) and where
possible, combine these solutions to enhance security and improve the user experience.
‒ Consult with users to understand their requirements and aid selection of the appropriate solution.
‒ Replace or supplement password-based access control mechanisms with other forms of authentication (e.g.
tokens or biometrics).

Related ISF Standard references


SA1.3 Access control mechanisms
SA1.4 Access control mechanisms – Password
SA1.5 Access control mechanisms – Token
SA1.6 Access control mechanisms – Biometric
SA1.7 Sign-on Process

Cloud-related threat events


Adversarial:
‒ Compromise business partners to gain access to cloud services
‒ Exfiltrate sensitive data from cloud services
‒ Exploit insecure interfaces and APIs
‒ Exploit vulnerable authorisation mechanisms

Accidental:
‒ N/A


B.3 ADMINISTRATOR ACCESS


Organisations need to tightly control and secure the administrator accounts used to support the operation of
cloud services. These accounts can create and manage virtually all aspects of a cloud service, and can even
delete the whole set-up and configuration.

There are four core security controls to consider:

B.3.1 Apply least privilege principle

B.3.2 Maintain an inventory of cloud administrators

B.3.3 Consider deploying a privileged access management tool

B.3.4 Review administrator activities

Figure 16: Managing and monitoring cloud administrators [diagram; labels: Internal: cloud management console, system admin; External: system admin; IaaS, PaaS, SaaS]
OBJECTIVE
To provide authorised cloud service administrators with access privileges that are sufficient to enable them
to perform their duties but do not permit them to exceed their authority.

BENEFITS
‒ Detects unusual or unauthorised activity from an administrative account by monitoring and reviewing usage
of the account via alerts and logs.
‒ Reduces the chances of an attacker being able to use and leverage an administrator’s privileged levels of access.
‒ Makes administrators aware of their responsibilities, the level of access they have and the consequences of
poor security hygiene.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS and PaaS: the cloud customer will likely have many administrator accounts, both to perform routine
administrative tasks traditionally associated with on-premises systems and to manage cloud services
using the cloud management console. The methods and tools to manage access to these accounts will
be the responsibility of the cloud customer but cooperation with the CSP will be necessary to connect
directly to the cloud management console.

SaaS: the cloud customer will need to ensure that any administrative access is tightly controlled as the
administrator can often launch and terminate services, manage user access and perform application
configuration.


CONTROL IMPLEMENTATION
Privileged accounts that administer and manage cloud services are vital for these services to operate
effectively but also have access to many important parts of the cloud environment. It is therefore crucial to
properly protect administrative access, which can be achieved by adopting a stringent process for creating and
overseeing administrator accounts. For instance, before a user can be added as an administrator, a justification
should be submitted and approval granted by designated individuals. A register of cloud service administrator
accounts should also be maintained.

Other recommended practices for securing administrative access include restricting the use of administrator
accounts to narrowly defined circumstances and requiring all administrators to sign onto their accounts using
MFA and an alternative authentication method. The use of administrator accounts for cloud services should be
reviewed regularly (e.g. weekly), as well as when suspicious or malicious security events occur.

With the expanding number of cloud services that organisations are using, each with its own, unique
management console, more administrative functions are needed. Additional attention is therefore required to
control these cloud administrator accounts, since they increase the footprint that an attacker can attempt to
subvert and utilise.

B.3.1 Apply least privilege principle


Each cloud service has an administrator account, which is often referred to as the ‘Administrator’ or ‘Root’
account. It is considered as important as Domain Admin for Windows and Root for Unix systems since it is the
primary entry point for configuring and maintaining cloud services. Each of these administrator accounts needs
to be severely restricted, with the smallest number of users necessary granted highly privileged access to the
cloud management console.

The Root account typically can perform any activity which involves billing, such as the start or termination of a
cloud service, as well as being the primary account for system configuration and user access control. The exact list
of actions that such an account can perform should be documented and approved by the business stakeholders
responsible for each cloud service.

Each cloud administrator should assign several of the lesser administrative responsibilities to different roles
and administrators, applying the ‘least privilege’ principle. They should only be given the access that their job
role requires and nothing more (also referred to as role-based access control).

Segregation of duties cannot always be enforced in a cloud environment. System administrators have different
levels of responsibilities based upon their areas of expertise, such as infrastructure, networking and application
development. In the cloud management console, all activities are grouped within the same entry point and it is not
always possible to find staff with these combined skills especially when dealing with multiple cloud management
consoles.

B.3.2 Maintain an inventory of cloud administrators


An inventory of users with administrative privileges should be maintained, kept up-to-date and reviewed by
senior stakeholders. The inventory should at a minimum include:
‒ the details of individual cloud service administrators, the privileges granted to them and the exact nature of
their role (all accounts need to be attributed to an individual)
‒ verification that the administrative access request was approved, with reference to the level of access
granted, the date it was agreed, last review date (and by whom) and due date for the next review.

It is particularly important that there are regular checks on this inventory, which should be performed at least
monthly. The account approver should check and verify that the access is correct, altering or revoking access as
necessary (e.g. if a staff member assumes an administrator’s role or leaves the organisation).


A standard cloud user may sometimes require administrative privileges to perform a specific task. Temporary access
should be granted on an ‘as required’ basis and removed once the task has been completed. These instances need to
be approved and recorded as a temporary exemption with the same information detailed above.
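An inventory in the form described in B.3.2, together with the monthly review check it calls for, as an added example that is not part of the ISF report; the record fields, the 30-day interval and the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_INTERVAL = timedelta(days=30)   # the report asks for checks at least monthly


@dataclass
class AdminRecord:
    """One line of the cloud administrator inventory (fields follow B.3.2)."""
    account: str
    person: Optional[str]            # every account must be attributed to an individual
    cloud_service: str
    privileges: str
    role: str
    approved_by: Optional[str]
    approved_on: Optional[date]
    last_review: Optional[date]
    last_reviewer: Optional[str]
    temporary_until: Optional[date] = None   # set only for 'as required' exemptions


def next_review_due(rec: AdminRecord) -> Optional[date]:
    """Next review is one interval after the last review, or after approval if never reviewed."""
    base = rec.last_review or rec.approved_on
    return base + REVIEW_INTERVAL if base else None


def review_inventory(records: List[AdminRecord], today: date) -> Dict[str, List[str]]:
    """Group accounts by the action the account approver must take; 'ok' needs none."""
    findings: Dict[str, List[str]] = {"unattributed": [], "unapproved": [], "review_overdue": [],
                                      "temporary_expired": [], "ok": []}
    for rec in records:
        issues = []
        if not rec.person:
            issues.append("unattributed")
        if not (rec.approved_by and rec.approved_on):
            issues.append("unapproved")
        due = next_review_due(rec)
        if due is None or due < today:
            issues.append("review_overdue")
        if rec.temporary_until is not None and rec.temporary_until < today:
            issues.append("temporary_expired")
        for key in issues or ["ok"]:
            findings[key].append(rec.account)
    return findings


# Constructed sample inventory; names, services and dates are illustrative.
TODAY = date(2019, 10, 15)
SAMPLE_INVENTORY = [
    AdminRecord("iaas-admin-01", "A. Example", "IaaS (provider 1)", "full console admin",
                "Cloud platform lead", "CISO", date(2019, 3, 1), date(2019, 10, 1), "CISO"),
    AdminRecord("paas-admin-02", None, "PaaS (provider 1)", "deploy and configure",
                "unknown", "Head of development", date(2019, 6, 1), date(2019, 10, 1), "Head of development"),
    AdminRecord("saas-admin-07", "B. Example", "SaaS (HR system)", "user management",
                "HR systems administrator", "HR director", date(2019, 1, 10), date(2019, 8, 20), "HR director"),
    AdminRecord("iaas-net-new", "C. Example", "IaaS (provider 2)", "network administration",
                "Network engineer", None, None, None, None),
    AdminRecord("iaas-deploy-temp", "D. Example", "IaaS (provider 1)", "create servers",
                "Developer", "Cloud platform lead", date(2019, 10, 1), date(2019, 10, 1),
                "Cloud platform lead", temporary_until=date(2019, 10, 12)),
]

if __name__ == "__main__":
    for finding, accounts in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print("%-18s %s" % (finding, ", ".join(accounts) or "-"))
```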

B.3.3 Consider deploying a privileged access management tool


Some CSPs and specialist security providers offer tools to manage privileged access rights in cloud services,
normally known as privileged access management (PAM) but sometimes also referred to as privileged identity
management (PIM). These tools may also help with password management.

As an example, a PAM tool can grant a user access to administrative privileges without the user having
that access linked to their standard account and without a need to know the password for that access.
Administrative users are assigned roles and when they require use of that privilege, it is assigned to their
account for the duration of the task and then removed (sometimes referred to as ‘just-in-time’ access).

Some privileged access tools can:


‒ provide just-in-time privileged access to specified devices and resources
‒ assign time-bound access to devices and resources using start and end dates
‒ require approval to activate privileged access
‒ enforce multi-factor authentication
‒ provide notifications to specified individuals when privileged roles are activated
‒ record activities performed when an administrator account is used.
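A small model of the just-in-time behaviour listed above, added here as an example and not a real PAM product's API: eligibility, approval, MFA, a time-bound window, notifications and a record of every action are all constructed, as are the scenario's users and roles.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    approved_by: str


@dataclass
class JustInTimeBroker:
    """Constructed model of the PAM behaviours listed above; not a real product's API."""
    max_duration: timedelta
    notify: List[str]                                            # told when a privileged role is activated
    eligible: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles they may request
    active: List[Activation] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)               # record of decisions and actions
    notifications: List[str] = field(default_factory=list)

    def make_eligible(self, user: str, role: str) -> None:
        """Eligibility is the standing entitlement; it carries no privilege by itself."""
        self.eligible.setdefault(user, set()).add(role)

    def request(self, user: str, role: str, approver: str, mfa_verified: bool,
                now: datetime, duration: timedelta) -> bool:
        reason = None
        if role not in self.eligible.get(user, set()):
            reason = "not eligible for role"
        elif not mfa_verified:
            reason = "MFA not completed"
        elif approver == user:
            reason = "self-approval not permitted"
        elif duration > self.max_duration:
            reason = "requested duration exceeds maximum"
        if reason:
            self.audit.append("%s DENY %s role=%s (%s)" % (now.isoformat(), user, role, reason))
            return False
        act = Activation(user, role, now, now + duration, approver)
        self.active.append(act)
        self.audit.append("%s ACTIVATE %s role=%s until %s approved_by=%s"
                          % (now.isoformat(), user, role, act.end.isoformat(), approver))
        for person in self.notify:
            self.notifications.append("to %s: %s activated %s until %s"
                                      % (person, user, role, act.end.isoformat()))
        return True

    def has_privilege(self, user: str, role: str, now: datetime) -> bool:
        return any(a.user == user and a.role == role and a.start <= now < a.end for a in self.active)

    def perform(self, user: str, role: str, action: str, now: datetime) -> bool:
        """Every privileged action is recorded, whether or not it was allowed."""
        allowed = self.has_privilege(user, role, now)
        self.audit.append("%s %s %s role=%s action=%s"
                          % (now.isoformat(), "ALLOW" if allowed else "DENY", user, role, action))
        return allowed

    def expire(self, now: datetime) -> int:
        """Remove activations whose window has ended; returns how many were removed."""
        before = len(self.active)
        self.active = [a for a in self.active if now < a.end]
        return before - len(self.active)


T0 = datetime(2019, 10, 15, 9, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


def run_scenario() -> JustInTimeBroker:
    """Constructed walk-through: one eligible user, four refused requests, one granted window."""
    broker = JustInTimeBroker(max_duration=4 * HOUR, notify=["cloud security team (placeholder)"])
    broker.make_eligible("alice", "vm-admin")
    broker.request("alice", "vm-admin", "bob", False, T0, 2 * HOUR)     # refused: no MFA
    broker.request("alice", "vm-admin", "alice", True, T0, 2 * HOUR)    # refused: self-approval
    broker.request("alice", "vm-admin", "bob", True, T0, 8 * HOUR)      # refused: too long
    broker.request("carol", "vm-admin", "bob", True, T0, 1 * HOUR)      # refused: not eligible
    broker.request("alice", "vm-admin", "bob", True, T0, 2 * HOUR)      # granted for two hours
    broker.perform("alice", "vm-admin", "stop-instance", T0 + 1 * HOUR)  # inside the window
    broker.perform("alice", "vm-admin", "stop-instance", T0 + 3 * HOUR)  # window has ended
    broker.expire(T0 + 3 * HOUR)
    return broker


if __name__ == "__main__":
    print("\n".join(run_scenario().audit))
```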

B.3.4 Review administrator activities


Cloud administrator accounts should be closely monitored as they have powerful access to more data and
systems than a standard user and are therefore at greater risk of being targeted by an attacker. Consequently,
cloud management system logs should be configured to record all administrator activities and be reviewed
regularly or forwarded to a security information event management (SIEM) tool to be reviewed as part of the
activities of a SOC (see control topic E.2). Key administrator actions that must be logged include successful
login, multiple logins and failed attempts.
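Review logic for the key administrator actions named above, added as an example rather than taken from the report: it parses constructed console log lines (an assumed format, using RFC 5737 documentation addresses) and reports successful logins, bursts of failed attempts, a success following such a burst, and accounts with concurrent logins from more than one source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format (constructed for this example; real console logs differ per CSP):
#   <ISO-8601 UTC timestamp> console <login|logout> user=<id> result=<success|failure> src=<ip>
LINE_RE = re.compile(r"^(?P<ts>\S+) console (?P<event>login|logout) user=(?P<user>\S+) "
                     r"result=(?P<result>success|failure) src=(?P<src>\S+)$")
FAILURE_THRESHOLD = 5                 # failures inside the window that count as a burst
FAILURE_WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_admin_logs(lines: List[str]) -> Dict[str, object]:
    """Findings a SOC analyst would want from administrator console logs."""
    events = [r for r in (parse_line(l) for l in lines) if r]
    events.sort(key=lambda r: r["ts"])
    findings: Dict[str, object] = {"successful_logins": [], "failure_bursts": [],
                                   "success_after_burst": [], "concurrent_logins": [],
                                   "skipped_lines": len(lines) - len(events)}
    failures = defaultdict(list)        # user -> failure timestamps seen so far
    sessions = defaultdict(set)         # user -> source addresses with an open session
    burst_users = set()
    for r in events:
        user, src, ts = r["user"], r["src"], r["ts"]
        if r["event"] == "login" and r["result"] == "failure":
            failures[user].append(ts)
            # Events arrive in time order, so count the failures inside the trailing window.
            recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD and user not in burst_users:
                burst_users.add(user)
                findings["failure_bursts"].append((user, len(recent)))
        elif r["event"] == "login":
            findings["successful_logins"].append((user, src))
            if user in burst_users and user not in findings["success_after_burst"]:
                findings["success_after_burst"].append(user)
            sessions[user].add(src)
            if len(sessions[user]) > 1 and user not in findings["concurrent_logins"]:
                findings["concurrent_logins"].append(user)
        else:  # logout closes the session from that source
            sessions[user].discard(src)
    return findings


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2019-10-15T08:01:12Z console login user=alice result=success src=198.51.100.10
2019-10-15T08:05:01Z console login user=root-admin result=failure src=203.0.113.5
2019-10-15T08:05:40Z console login user=root-admin result=failure src=203.0.113.5
2019-10-15T08:06:15Z console login user=root-admin result=failure src=203.0.113.5
2019-10-15T08:07:02Z console login user=root-admin result=failure src=203.0.113.5
2019-10-15T08:08:30Z console login user=root-admin result=failure src=203.0.113.5
2019-10-15T08:09:11Z console login user=root-admin result=success src=203.0.113.5
2019-10-15T09:00:00Z console login user=bob result=success src=198.51.100.20
2019-10-15T09:05:00Z console login user=bob result=success src=203.0.113.7
2019-10-15T09:30:00Z console logout user=alice result=success src=198.51.100.10
this line is not in the expected format and is counted as skipped
""".splitlines()

if __name__ == "__main__":
    for key, value in review_admin_logs(SAMPLE_LOG).items():
        print("%-20s %s" % (key, value))
```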

CONSIDERATIONS FOR SUCCESS


‒ Understand the CSP's operational and security features, capabilities and defined roles.
‒ Adhere to the principle of least privilege as an organisation’s cloud environment can require multiple
different types of cloud administrators.
‒ Minimise the number of cloud administrators.
‒ Provide specialised administrator awareness training.

Related ISF Standard references


SA1.1 Access control

Cloud-related threat events


Adversarial:
‒ Compromise business partners to gain access to cloud services
‒ Exfiltrate sensitive data from cloud services
‒ Exploit vulnerable authorisation mechanisms
‒ Unauthorised access to cloud service authentication credentials
‒ Introduce malware to cloud services

Accidental:
‒ Mishandling of critical or sensitive information by authorised users
‒ User error (negligence or accidental)


C | DATA PROTECTION

Organisations store, process and transmit mission-critical and sensitive data in the cloud
environment. It is therefore essential to identify the types of data traversing the cloud
environment that require protection at each stage of the information lifecycle in accordance
with security requirements.
To protect data within the cloud environment, an organisation should determine what types of data will be
processed, in which geographic location it will be located (during each stage of the information lifecycle) and
what level of protection it will require. Data needs to be encrypted in the cloud, supported by robust key
management services, while sensitive data should be prevented from unauthorised disclosure by enforcing a
data leakage prevention (DLP) programme for cloud services. The core data protection controls are presented
in the table below with their level of applicability to each of the cloud service models.

LEVEL OF APPLICABILITY TO SERVICE MODEL

C | DATA PROTECTION                                            IaaS    PaaS    SaaS
[applicability ratings per service model are shown as symbols in the original]

C.1 DATA MANAGEMENT
C.1.1 Use data location services
C.1.2 Perform data backups regularly
C.1.3 Protect data in line with its classification

C.2 DATA ENCRYPTION
C.2.1 Use the CSP default encryption solution
C.2.2 Configure customer-managed key encryption
C.2.3 Implement customer-supplied key encryption

C.3 DATA LEAKAGE PREVENTION (DLP)
C.3.1 Extend on-premises DLP programme to cloud services
C.3.2 Configure DLP functionality in cloud services
C.3.3 Use DLP functionality of a cloud access security broker (CASB)

Key: High / Medium / Low / None

Data protection considerations


For the cloud customer to effectively protect their data within the cloud environment, it is important to:
‒ assess any legal, regulatory or contractual requirements for data protection and privacy
‒ evaluate data protection requirements at each stage of the information lifecycle (creation, processing, transmission,
storage and deletion)
‒ review the results of information risk assessments to determine whether information should not be stored in cloud
services or encrypted when handled in the cloud environment
‒ leverage the information classification scheme to determine the varying levels of confidentiality of information (e.g.
confidential, internal and public) that will be handled by the cloud services
‒ clearly label information with its classification and handle it accordingly.


C.1 DATA MANAGEMENT


Organisations need to protect their data within the cloud environment against corruption, loss and
unauthorised disclosure. Policies, processes and tools that apply to data management within the on-premises
environment should be extended to, and adapted for, cloud services where possible.

There are three core security controls to consider:

C.1.1 Use data location services

C.1.2 Perform data backups regularly

C.1.3 Protect data in line with its classification

Figure 17: Safeguarding data in the cloud environment [diagram; labels: IaaS, PaaS, SaaS; a document marked SECRET; Backups]
OBJECTIVE
To manage and protect data that is stored, processed and transmitted to, from and within the cloud environment.

BENEFITS
‒ Instils confidence for the business that they have control over their data in the cloud environment.
‒ Aids the understanding of what data types are residing in the cloud environment.
‒ Reduces the risk of fines for storing data in inappropriate locations.
‒ Provides assurance to regulators that data is understood and adequately protected.

In the ISF Member Survey: 90% ...have PII data in their cloud environment; 69% ...handle payment card data;
68% ...store intellectual property; 67% ...hold strategic business plans.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS, PaaS and SaaS: the cloud customer needs to ensure the security of their own data. The cloud
customer therefore is completely responsible for data protection, but will need to liaise with the CSP to
implement some of the security controls within data management.


CONTROL IMPLEMENTATION
Managing data is as important within the cloud environment as it is with on-premises data. While the cloud
environment does offer some additional benefits such as flexibility in terms of data location, standard
approaches such as classifying and restoring data still need to be addressed. All of the following controls should
therefore be considered and implemented where possible.

C.1.1 Use data location services


A consequence of adopting cloud services is that organisations lack full control over their data. CSPs can
move data within the backend infrastructure simply, quickly and seamlessly, often without the customer’s
knowledge. Nevertheless, there are still some choices available to cloud customers in terms of where their data
is stored.

Many CSPs offer the ability to select where to store an organisation’s data (through the cloud contract or in
some cases, via the cloud management console). The data can be stored in multiple locations in different
geographic regions to satisfy an organisation’s business or security requirement. Whether selecting one or
more cloud storage locations, organisations need to take into account relevant data protection laws and
regulations to ensure compliance requirements are met.

C.1.2 Perform data backups regularly


To ensure data and systems can be restored within a critical timescale, backups should be performed of data
stored in the cloud environment. Data backups should be tested periodically to ensure they are effective.

Keeping a duplicate copy of cloud-stored data in a secondary location will help satisfy legal and regulatory
requirements as well as support business continuity plans. If an organisation’s systems fail, connectivity to the
CSP is disrupted or there is an outage with the CSP, the organisation can failover to the secondary location and
continue to operate.

There are several options available for performing backups, including:


‒ offline backup
‒ online backup offered as a service by a CSP or security vendor
‒ backup to public cloud storage.

Some CSPs also offer tiered backup storage, trading lower storage costs for longer retrieval times when
backed-up data is restored. Replicating data between data centres of the same CSP provides a form of online
backup, but organisations gain more assurance if backup arrangements do not rely on a single CSP or a single
account, so that data can still be restored in unforeseen circumstances (e.g. if a CSP goes out of business, or if
a compromised administrator credential is used to delete both the primary data and its replicas). Backups
should therefore be held where the credentials that manage production data cannot delete them.

In many instances, data can be replicated to a secondary location where the cloud servers and applications sit
dormant until required (e.g. powered-down virtual devices), so only the storage costs are paid. As well as saving
money, this reduces the IT footprint, giving an attacker fewer devices to discover and potentially attack.

C.1.3 Protect data in line with its classification


All data handled in the cloud environment should be appropriately protected at each stage of the information
lifecycle. Data should be labelled (e.g. confidential, internal or public) and protected in line with its assigned
level of classification.

Labelling data will help with enforcing an effective data retention policy, which should be applied to control the
amount of data stored in the cloud environment. By requiring the removal of data from cloud services after
a certain period, there is less data available for an attacker to access or exfiltrate. This has the added non-
security benefit of reducing cloud storage costs since data is not stored indefinitely.

50 Using Cloud Services Securely: Harnessing core controls Information Security Forum
C | DATA PROTECTION 1 2 3 4 5 6 7 8

The data retention policy should take account of:


‒ legal, regulatory and contractual obligations (e.g. minimum and maximum statutory length of time that
employment records and financial information must be retained)
‒ technical requirements (e.g. electronically marking information, encrypting sensitive information and restricting
access after a specified date).
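As an added example (not from the ISF report), the following Go program turns the retention policy above into a decision that can be run over an inventory of cloud-stored objects: each classification label carries a minimum period (the object must not be deleted before it) and an optional maximum (it must be deleted at it), a legal hold overrides both, and unlabelled data is reported rather than silently kept. The classifications, periods and objects are constructed for the example and are not legal advice.

```go
package main

import (
	"fmt"
	"time"
)

// Classification labels as used in the report (public, internal, confidential).
type Classification string

const (
	Public       Classification = "public"
	Internal     Classification = "internal"
	Confidential Classification = "confidential"
)

// RetentionRule is the statutory or contractual window for one classification.
// Min: must not be deleted before this age. Max: must be deleted at this age; zero
// means there is no maximum, so deletion after Min is a business-owner decision.
type RetentionRule struct {
	Min, Max time.Duration
}

// StoredObject is one row of an inventory of what the organisation holds in a cloud
// storage service (assumption: the inventory already carries classification labels).
type StoredObject struct {
	Key       string
	Class     Classification
	Created   time.Time
	LegalHold bool // litigation or a regulator requires preservation
}

// Action is the retention decision for one object.
type Action string

const (
	Keep   Action = "keep"   // inside the minimum period
	Review Action = "review" // past minimum, no maximum: owner decides
	Delete Action = "delete" // past maximum: remove from the cloud service
	Hold   Action = "hold"   // legal hold overrides every other rule
)

// Decide returns the action for one object at time now. Unlabelled data is an error
// rather than a default, because it is the data most likely to be over-retained.
func Decide(obj StoredObject, policy map[Classification]RetentionRule, now time.Time) (Action, error) {
	rule, ok := policy[obj.Class]
	if !ok {
		return "", fmt.Errorf("%s: no retention rule for classification %q", obj.Key, obj.Class)
	}
	if obj.LegalHold {
		return Hold, nil // destroying held records is itself a breach, even past Max
	}
	age := now.Sub(obj.Created)
	switch {
	case age < rule.Min:
		return Keep, nil
	case rule.Max > 0 && age >= rule.Max:
		return Delete, nil
	default:
		return Review, nil
	}
}

// Plan runs Decide over an inventory and groups keys by action; unlabelled objects are
// returned separately so they can be classified before anything else happens to them.
func Plan(objs []StoredObject, policy map[Classification]RetentionRule, now time.Time) (map[Action][]string, []string) {
	plan := map[Action][]string{}
	var unlabelled []string
	for _, o := range objs {
		a, err := Decide(o, policy, now)
		if err != nil {
			unlabelled = append(unlabelled, o.Key)
			continue
		}
		plan[a] = append(plan[a], o.Key)
	}
	return plan, unlabelled
}

func main() {
	day := 24 * time.Hour
	// Constructed policy: the periods are illustrative, not legal advice.
	policy := map[Classification]RetentionRule{
		Public:       {},
		Internal:     {Min: 30 * day, Max: 365 * day},
		Confidential: {Min: 2 * 365 * day, Max: 7 * 365 * day},
	}
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	inventory := []StoredObject{ // constructed sample inventory
		{Key: "reports/2023-12.pdf", Class: Internal, Created: now.Add(-12 * day)},
		{Key: "reports/2022-06.pdf", Class: Internal, Created: now.Add(-580 * day)},
		{Key: "hr/contracts-2021.zip", Class: Confidential, Created: now.Add(-3 * 365 * day)},
		{Key: "hr/contracts-2015.zip", Class: Confidential, Created: now.Add(-9 * 365 * day), LegalHold: true},
		{Key: "tmp/export.csv", Class: "secret"},
	}
	plan, unlabelled := Plan(inventory, policy, now)
	fmt.Println(plan, "unlabelled:", unlabelled)
}
```

Only the keys returned under delete are removed, and only once the business owner has cleared the review list; the unlabelled list is the backlog for the classification step that precedes any retention decision.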

CONSIDERATIONS FOR SUCCESS


‒ Identify and understand what data the organisation is storing in cloud services.
‒ Classify data so that the organisation can apply appropriate protections.
‒ Agree with the relevant business owners what data the organisation can store within the cloud environment.
‒ Review contracts in detail (security clauses and statements, data storage, data processing and removal) to
understand what level of control the cloud customer will hold over their data.

Related ISF Standard references


IM1.1 Information Classification and Handling
IM2.1 Document Management
SY2.3 Backup

Cloud-related threat events


Adversarial
‒ Exfiltrate sensitive data from cloud services
‒ Introduce malware to cloud services

Accidental
‒ Mishandling of critical or sensitive information by authorised users
‒ User error (negligence or accidental)


C.2 DATA ENCRYPTION


Encryption is a common method used by organisations to safeguard sensitive data, such as personally
identifiable information and intellectual property. It renders data unreadable to anyone who does not hold the
corresponding decryption key, so the protection is only as strong as the control over that key.

There are three core security controls to consider:

C.2.1 Use the CSP default encryption solution

C.2.2 Configure customer-managed key encryption

C.2.3 Implement customer-supplied key encryption

Figure 18: Data encryption and key management options (diagram: for each of IaaS, PaaS and SaaS it shows
whether the cloud customer or the CSP performs the encryption and holds the keys; not reproduced in text)
OBJECTIVE
To protect the confidentiality of sensitive information handled by cloud services, preserve the integrity of
critical information, and confirm the identity of the originator of transactions or communications.

ISF Member Survey: 59% have mostly or fully implemented encryption of data at rest.

BENEFITS
‒ Ensures encrypted data is not readable without the decryption key.
‒ Supports compliance with the many regulations that require sensitive data to be encrypted.
‒ Provides a scalable and highly available tool (when using a CSP encryption solution).
‒ Enables an organisation to encrypt only the data that needs it, using techniques such as transparent data
encryption (TDE) for databases and hardware security modules (HSMs) for generating and holding keys.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS and PaaS: the cloud customer is responsible for their data and therefore will need to encrypt data
themselves. They will need to liaise with the CSP to ensure the encryption options are appropriate for the
cloud environment before implementation.

SaaS: the cloud customer will seldom have control over what data is encrypted and how encryption is
performed by the CSP, but should still review and understand what encryption options are available and
whether encryption is applied to their data.

An important element of encryption is how the encryption and decryption keys are managed. The CSP can often
assist with key management, but the decision will be influenced by the organisation's circumstances, noting that:
‒ Loss of keys or poor key management will put sensitive data at risk.
‒ Access to the encryption keys should be restricted to a small number of named administrators using MFA
(see control B.2.2), and every use of a key should be logged.


CONTROL IMPLEMENTATION
Approaches to encryption will vary depending on the cloud service model, the type of CSP and cloud devices in
use, but implementation typically covers encryption at rest, encryption in transit and key management. Some
CSPs offer encryption of data by default and offer more detailed implementation approaches which provide an
organisation with greater choice and features.

A typical encryption system comprises three components:

‒ data, which is the information being encrypted
‒ encryption engine, which performs the mathematical process of encryption
‒ key manager, which generates, stores, rotates and destroys the keys used by the engine.

Encryption of data is vital. It can be performed in a variety of ways for both data at rest and data in transit (to
or from cloud services), either:
‒ server-side (in the cloud), where the cloud service encrypts the customer's data before writing it to disk in
the CSP's data centres and decrypts it when the customer reads it, managing the whole process. Server-side
encryption protects against loss or reuse of physical media and against the storage layer being read directly,
but anyone who can call the service with valid credentials still receives plaintext.
‒ client-side (on-premises), where data is encrypted before it is uploaded to the cloud service, so the customer
manages the encryption process, keys and related tools, and the CSP only ever holds ciphertext.

C.2.1 Use the CSP default encryption solution


Most IaaS and PaaS providers can encrypt all data stored in the cloud environment by default. When selected,
encryption happens automatically as data is created or transferred into the cloud. The CSP creates, manages and
stores the keys, and the cloud customer usually needs to do nothing. This is a useful default because it enables
encryption quickly and simply, and it addresses physical media loss and the CSP's own handling of storage, but
it does not protect data from anyone who holds valid credentials for the account, since the service decrypts
transparently on every read. It is also not appropriate for organisations in highly regulated industries, given that
the sensitive cryptographic keys are managed by the CSP rather than the organisation.

C.2.2 Configure customer-managed key encryption


An organisation can use the CSP’s encryption mechanisms but manage their own keys within the cloud
environment. This allows the organisation to choose how they create the keys, how they rotate them and how
the keys are destroyed when no longer required. It gives an organisation a degree of control over the keys and
the convenience of not implementing an end-to-end encryption and key management solution.

In this scenario, an organisation can:


‒ manage the encryption policies that assert what and how data is encrypted
‒ determine how the keys are used
‒ audit the usage of keys.

This approach would be enough to satisfy most regulatory requirements as it is common for regulations to
stipulate that encryption keys must be managed by the organisation that owns the data.

C.2.3 Implement customer-supplied key encryption


Many IaaS and PaaS providers allow the cloud customer to supply their own encryption keys. The customer
generates and stores the keys in its own key management solution and presents the key to the cloud service
with each API request that reads or writes the data; the CSP uses the key in memory for the duration of that
request and does not write it to storage. If the customer loses the key, the CSP cannot recover the data, so key
backup and tested restoration (see the considerations below) are essential.

This is sometimes the only approach available to organisations in heavily regulated industries, where regulatory
requirements oblige organisations to generate, manage and store their own encryption keys.
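As an added example (not from the ISF report or any CSP's own code), the following Go program puts the three components from the control implementation section side by side, in the client-side arrangement that C.2.2 and C.2.3 rely on: a key manager that holds key-encryption keys (an in-memory stand-in for a KMS or HSM, which is an assumption of the example), an encryption engine that seals each object under its own data key and wraps that data key under the current KEK, and the envelope that is all the cloud service ever stores. It also shows why customer-managed keys make key rotation affordable: Rewrap moves an envelope onto a new KEK without re-encrypting the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager stands in for the customer's KMS or HSM (an assumption of this example). It sits apart
// from the encryption engine and the storage service, so the customer, not the CSP, controls the keys.
type KeyManager struct {
	keks    map[string][]byte // key ID -> 256-bit KEK; deleting an entry destroys that key
	current string            // ID used to wrap new DEKs; Rotate replaces it, older KEKs stay usable
	serial  int
}

func NewKeyManager() *KeyManager { return &KeyManager{keks: map[string][]byte{}} }

// random returns n bytes from the OS CSPRNG; failure here is not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func (km *KeyManager) Rotate() string {
	km.serial++
	km.current = fmt.Sprintf("kek-v%d", km.serial)
	km.keks[km.current] = random(32)
	return km.current
}

// Envelope is all the cloud service ever stores: no plaintext key reaches the CSP.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, data)
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a malformed key length gets here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal returns nonce||ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// unwrap fails closed if the KEK was destroyed or the object name (bound as AAD) differs.
func (km *KeyManager) unwrap(name string, env Envelope) ([]byte, error) {
	kek, ok := km.keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %s unavailable: data unrecoverable", env.KEKID)
	}
	return open(kek, env.WrappedDEK, []byte(name))
}

// Encrypt is the engine: fresh data-encryption key (DEK) per object; object under DEK, DEK under current KEK.
func Encrypt(km *KeyManager, name string, plaintext []byte) (Envelope, error) {
	kek, ok := km.keks[km.current]
	if !ok {
		return Envelope{}, fmt.Errorf("no current KEK: call Rotate first")
	}
	dek := random(32)
	return Envelope{km.current, seal(kek, dek, []byte(name)), seal(dek, plaintext, []byte(name))}, nil
}

func Decrypt(km *KeyManager, name string, env Envelope) ([]byte, error) {
	dek, err := km.unwrap(name, env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(name))
}

// Rewrap moves an envelope onto the current KEK without re-encrypting the data: periodic key refresh stays cheap.
func Rewrap(km *KeyManager, name string, env Envelope) (Envelope, error) {
	dek, err := km.unwrap(name, env)
	if err != nil {
		return Envelope{}, err
	}
	env.KEKID, env.WrappedDEK = km.current, seal(km.keks[km.current], dek, []byte(name))
	return env, nil
}
```

Deleting a KEK from the key manager makes every envelope still wrapped under it unrecoverable, which is why the considerations below insist on backing up keys and validating their restoration before any key is retired. Binding the object name as associated data means a stored envelope cannot be copied onto a different object and still decrypt.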


CONSIDERATIONS FOR SUCCESS


‒ Understand what data needs to be encrypted and the minimum standard required.
‒ Store encryption keys separately from the encrypted data (potentially via a vendor).
‒ Back up encryption keys and validate restoration of keys.
‒ Refresh or update keys periodically.
‒ Understand which of the CSP's processes and personnel may have access to the keys.
‒ Design data encryption solutions to be flexible, scalable and easy to implement; there should be no
noticeable reduction in performance.

Many organisations see encryption as a way of meeting certain regulatory requirements. Although encryption
will assist with compliance, it is not a replacement for a comprehensive security portfolio of tools, processes and
procedures designed to satisfy legal and regulatory obligations.

Related ISF Standard references


TS2.1 Cryptographic Solutions
TS2.2 Cryptographic Key Management

Cloud-related threat events


Adversarial
‒ Exfiltrate sensitive data from cloud services
‒ Unauthorised access to cloud service authentication credentials
‒ Unauthorised monitoring of communications

Accidental
‒ Mishandling of critical or sensitive information by authorised users


C.3 DATA LEAKAGE PREVENTION (DLP)


There are multiple channels through which sensitive data can leave an organisation, including via cloud
services. Given that organisations allow a range of different types of data, including sensitive information, to be
handled in the cloud environment, a successful DLP programme should extend to cloud services to help reduce
the risk of disclosing data to unauthorised entities.

There are three core security controls to consider:

C.3.1 Extend on-premises DLP programme to cloud services

C.3.2 Configure DLP functionality in cloud services

C.3.3 Use DLP functionality of a cloud access security broker (CASB)

Figure 19: Data leakage from the cloud environment (diagram showing leakage paths out of IaaS, PaaS and
SaaS; not reproduced in text)
OBJECTIVE
To detect and prevent the unauthorised disclosure of data from an organisation's cloud environment, whether
through theft, intentional misuse, human error or negligent behaviour.

ISF Member Survey: 25% have data classified as highly confidential within their cloud environment; 65% have
experienced a data loss incident linked to their cloud.

BENEFITS
‒ Detects anomalous behaviour by users or systems using data in the cloud environment that may indicate
potential data leaks.
‒ Prevents the unauthorised uploading, sharing or storage of sensitive data in the cloud environment.
‒ Provides visibility of the usage and movement of sensitive data in the cloud environment.

CLOUD CUSTOMER RESPONSIBILITIES

IaaS and PaaS: the cloud customer is responsible for protecting their data and should have the access
necessary to deploy a DLP tool. The CSP will have little involvement with DLP implementation.

SaaS: the cloud customer is responsible for protecting their data but with a SaaS application may have limited
options regarding how they can manage and control that data through a DLP programme. The CSP may have
options for DLP but the cloud customer will need to liaise with them to find the best solution.


CONTROL IMPLEMENTATION
An organisation may already have a DLP programme or at least a DLP tool, in which case, the same technical
DLP policies used to monitor and control the flow of sensitive data can be applied to the cloud environment.
Whether it will be necessary to recreate these policies will depend on the implementation approach selected.
An organisation without a DLP programme will need to first understand the different types of sensitive data
it handles and in collaboration with business stakeholders, prioritise what data requires protection before
implementing DLP for cloud services.

For guidance on how to establish and optimise a DLP deployment, see the ISF briefing paper, Data Leakage
Prevention, which outlines the ten key attributes of a successful DLP programme.

C.3.1 Extend on-premises DLP programme to cloud services


If the organisation already has a DLP programme, existing DLP tools can typically be configured to extend DLP
capabilities to monitor cloud services. This can be achieved by either installing local DLP agents on devices
within the cloud environment or adding cloud devices to the existing DLP configuration.

The most common method of extending an on-premises DLP programme to cloud services is to use the
configuration options available from a Cloud Access Security Broker (CASB) (see Section 7 for more details). The
advantage of using a CASB is that an organisation can create and manage DLP policies across all data leakage
channels, including cloud services, from the same central DLP console already used on-premises.

C.3.2 Configure DLP functionality in cloud services


An organisation can use a cloud-based DLP solution, which can be procured directly from the CSP or from a
DLP security vendor. DLP functionality offered by a CSP is usually restricted to that CSP’s environment, whereas
security vendors may offer a DLP solution that applies across more than one CSP.

By implementing this solution, the initial installation of the tool will be relatively straightforward, but DLP
policies will need to be created within the new tool. This can be labour intensive and lead to errors or
omissions, particularly when recreating existing policies.

C.3.3 Use DLP functionality of a cloud access security broker (CASB)


The cloud customer can use a CASB to implement DLP for cloud services in full. The CASB inspects the traffic
that flows between users, the internet and cloud services. A CASB typically ships with default DLP policies that
give a basic level of protection out of the box, but for optimal protection organisations should tune the
predefined policies or create new DLP policies to meet their specific needs.

The CASB can be deployed at several enforcement points (forward or reverse proxies, the CSPs' own APIs, and
firewall or log feeds) to monitor the different egress routes through which data could leave the cloud
environment. The CASB DLP solution will not cover data leaking through on-premises systems unless it is
connected to an on-premises DLP tool.


CONSIDERATIONS FOR SUCCESS


‒ Align the use of DLP for cloud services with existing tools and processes, integrating them where possible.
‒ Integrate DLP with data classification tools to enhance the value of a DLP programme.
‒ Review and test cloud-based DLP policies regularly to:
• align with changing business requirements and account for new threats
• improve the way the cloud environment is monitored
• move from logging policy violations to notifying users of violations and blocking the unauthorised transfer
or flow of sensitive data.

It is important to understand how the organisation deals with violations of DLP policy, whether it is to log, notify or
block. This requires engagement with the business – if incorrect actions are applied in response to violations, it can
create extra workloads for analysts to review or stop legitimate data transfers from occurring.

Related ISF Standard references


IM1.1 Information Classification and Handling
NC1.4 External Network Connections
TS1.6 Data Leakage Prevention

Cloud-related threat events


Adversarial
‒ Exfiltrate sensitive data from cloud services
‒ Unauthorised monitoring of communications

Accidental
‒ Mishandling of critical and sensitive information by authorised users
‒ User error (negligence or accidental)


D | SECURE CONFIGURATION

Cloud devices are the core of the cloud environment and need to be protected effectively,
especially since they are often targeted by adversarial threats. Organisations can configure
cloud devices securely by using standardisation, Application Programming Interfaces (APIs)
and virtualisation technologies.
When configuring the cloud environment, organisations should implement up-to-date software, patches and
secure code, which can be achieved by using standard builds and adopting an infrastructure as code (IaC)
approach. As organisations adopt APIs, which can be an effective way of extending the functionality of cloud
services, an API management tool or API gateway should also be deployed to manage the security of APIs.
Whilst the underlying cloud infrastructure is virtualised by default, the organisation can add its own layers of
virtualisation, supported by virtual machines (VMs) or containers to isolate critical applications.

The core secure configuration controls are presented in the table below with their level of applicability to each
of the cloud service models.

LEVEL OF APPLICABILITY TO SERVICE MODEL

The original table rates each control as High, Medium, Low or None for IaaS, PaaS and SaaS; the ratings were
shown graphically and are not reproduced here. The controls listed are:

D.1 BUILD STANDARDISATION
‒ D.1.1 Employ a manual build process
‒ D.1.2 Adopt an infrastructure as code (IaC) approach
‒ D.1.3 Apply ‘gold standard’ images

D.2 APPLICATION PROGRAMMING INTERFACE (API)
‒ D.2.1 Configure web APIs securely
‒ D.2.2 Deploy an API management tool
‒ D.2.3 Use an API gateway

D.3 VIRTUALISATION AND CONTAINERISATION
‒ D.3.1 Secure virtual machines (VMs)
‒ D.3.2 Configure containers securely


D.1 BUILD STANDARDISATION


Build standardisation is about creating a methodology that enables an organisation to create all of their cloud
devices in a secure and repeatable manner. An organisation can use device images or automated builds to
enable standardised and quicker deployments.

There are three core security controls to consider:

D.1.1 Employ a manual build process

D.1.2 Adopt an infrastructure as code (IaC) approach

D.1.3 Apply ‘gold standard’ images

Figure 20: Standardised approach to building cloud devices (diagram: a system developer/admin deploys the
same standard build, including firewalls, to IaaS and PaaS; not reproduced in text)

OBJECTIVE
To deploy cloud devices in a consistent manner, including security tools and controls, which in turn will assist in
reducing vulnerabilities.

BENEFITS
‒ Helps developers to consistently build secure environments by providing guidance on the technical
infrastructure that should underpin an application developed in the cloud.
‒ Reduces the number of technical security vulnerabilities introduced into the cloud environment.
‒ Reduces errors that can contribute to vulnerabilities in the cloud environment by simplifying the build process.
‒ Aids quicker deployments that include more stringent security measures.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS: the cloud customer is responsible for building the majority of cloud devices and therefore it is at the
customer’s discretion to choose its preferred standardisation approach. The CSP will rarely be involved at
this level.

PaaS: the cloud customer will in some instances be able to use a standard image to build some devices or
services, but may have to rely on other methods to standardise their build process depending on the type
of PaaS chosen, and the access granted by the CSP.

SaaS: the cloud customer is not responsible for building devices or services when utilising a SaaS
application; this is all within the remit of the CSP.


CONTROL IMPLEMENTATION
Implementing a standard build approach requires an organisation to have in place clearly defined processes,
which provide guidance to ensure the build of cloud devices remains consistent. It is important for an
organisation to adhere to standard builds – deviation can cause unexpected vulnerabilities to be introduced
into the cloud environment that may go undiscovered.

D.1.1 Employ a manual build process


A manual build process involves creating a comprehensive build process for each cloud device that will become
the standard process for new devices created within the cloud environment. For each step of the build, the
exact requirements need to be specified in detail and accurately.

The manual build process is labour-intensive and leaves significant scope for human error if the standard
process, including relevant checks, is not followed. However, the advantage of the manual process is that
it does not replicate errors in the same way as automated builds, where any error in the image or script is
compounded and can affect multiple cloud devices.

Organisations whose policy does not allow automation will favour this approach as the human element is still the
key part of the build process.

D.1.2 Adopt an infrastructure as code (IaC) approach


IaC is a development approach that enables organisations to automate the creation, provisioning and
managing of cloud devices through code. Developing technical infrastructure by writing code enables rapid and
efficient construction, whether it be a single cloud device, a set of servers that support an application, or an
entire operational environment including the SDN, firewalls, security tools and servers.

For cloud devices created by writing code, relevant patches and agents (e.g. malware protection or DLP) should
be installed automatically as part of the scripting process. Testing of each device needs to be undertaken to
ensure it performs as expected and there are no known vulnerabilities that could be exploited. Once the device
is in use, it should be reviewed following any changes in the cloud environment to check that vulnerabilities
have not been introduced.

Sometimes build code will need credentials (e.g. a username and password for a database the device must
register with). These must not be written into the code or committed to version control: the code should
reference a secrets manager or key vault and retrieve the value at deployment time, under an identity that has
access to that secret only, so that a threat actor who obtains the code does not obtain working credentials.
Hashing is not a substitute here. A hash can only verify a password, not present one, so it is the right way to
store the password of any local account the build creates (keep the salted hash, never the password) but not a
way to protect credentials the code itself has to use.

D.1.3 Apply ‘gold standard’ images


Cloud devices can be built from ‘gold standard’ images, which are approved templates that have been created,
secured and tested to remove vulnerabilities. By consistently using ‘gold standard’ images for building cloud
devices, organisations can ensure that all newly built devices are secure from the outset.

To create an approved ‘gold standard’ template, an organisation should perform a manual build of each cloud
device and then configure each device to:
‒ the appropriate security levels (e.g. rename all administrator accounts and change default passwords)
‒ adhere to relevant standards and regulatory requirements.

Internal testing, including user acceptance testing (UAT), should be performed to ensure that the device
operates as required. The resulting ‘gold standard’ image can also be used for virtualisation (see control topic
D.3). Each image should be updated regularly with new patches, firmware and software as these are released
by relevant vendors.

Some ISF Members employ a specialist cloud security company to either create the ‘gold standard’ image or
perform a penetration test of the organisation’s own image to identify any vulnerabilities, controls or settings that
need to be addressed to increase the level of security applied to cloud devices.
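As an added example (not from the ISF report or any vendor), the following Go program is the adherence check the control implementation section calls for: it compares what an inventory or IaC state file reports about a running device against the approved gold image and returns every deviation, covering the points D.1.2 and D.1.3 raise (patch baseline, required agents such as malware protection and DLP, renamed default administrator accounts, hardening settings, and credentials referenced from a key vault rather than written into the build definition). The gold image fields and the "vault://" reference scheme are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GoldImage is the approved template a cloud device is expected to match. The field
// set is an assumption of this example, not a vendor baseline.
type GoldImage struct {
	Name           string
	MinPatchLevel  int               // patch baseline; devices below it are out of date
	RequiredAgents []string          // e.g. malware protection, DLP
	BannedAccounts []string          // default administrator names that must be renamed
	Settings       map[string]string // hardening settings baked into the image
}

// Device is what an inventory, cloud API or IaC state file reports about one
// running device, including the credential values found in its build definition.
type Device struct {
	ID          string
	Image       string
	PatchLevel  int
	Agents      []string
	Accounts    []string
	Settings    map[string]string
	Credentials map[string]string // name -> value as written in the build code
}

// isSecretRef accepts only references into a secrets manager or key vault (an
// assumed "vault://" scheme); any other value is a literal and is flagged.
func isSecretRef(v string) bool { return strings.HasPrefix(v, "vault://") }

// Verify compares a device with its gold image and returns every deviation found.
// An empty result means the device still matches the standard build.
func Verify(img GoldImage, d Device) []string {
	var dev []string
	if d.Image != img.Name {
		dev = append(dev, fmt.Sprintf("built from %q, expected gold image %q", d.Image, img.Name))
	}
	if d.PatchLevel < img.MinPatchLevel {
		dev = append(dev, fmt.Sprintf("patch level %d below baseline %d", d.PatchLevel, img.MinPatchLevel))
	}
	have := map[string]bool{}
	for _, a := range d.Agents {
		have[a] = true
	}
	for _, a := range img.RequiredAgents {
		if !have[a] {
			dev = append(dev, "missing agent: "+a)
		}
	}
	for _, acct := range d.Accounts {
		for _, banned := range img.BannedAccounts {
			if strings.EqualFold(acct, banned) {
				dev = append(dev, "default account still present: "+acct)
			}
		}
	}
	for k, want := range img.Settings {
		if got := d.Settings[k]; got != want {
			dev = append(dev, fmt.Sprintf("setting %s=%q, expected %q", k, got, want))
		}
	}
	for name, v := range d.Credentials {
		if !isSecretRef(v) {
			dev = append(dev, "literal credential in build definition: "+name)
		}
	}
	sort.Strings(dev) // deterministic report regardless of map iteration order
	return dev
}

// Audit runs Verify over a fleet and returns only the devices that deviate.
func Audit(img GoldImage, fleet []Device) map[string][]string {
	out := map[string][]string{}
	for _, d := range fleet {
		if dev := Verify(img, d); len(dev) > 0 {
			out[d.ID] = dev
		}
	}
	return out
}
```

Run as a pipeline gate, a non-empty Verify result fails the deployment; run periodically over the fleet, Audit is the review after changes that D.1.2 asks for, and the literal-credential check is the one that catches secrets committed alongside the IaC.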


CONSIDERATIONS FOR SUCCESS


‒ Conduct regular checks of standardised build methods to keep them up-to-date.
‒ Use an external security expert to validate standardised build methods and provide assurance that the
methods are secure and effective.
‒ Perform peer reviews of code to help remove technical security vulnerabilities.
‒ Apply least privilege principles when granting access to developers, administrators and any service accounts
assigned as part of the build processes (see control topic B.3).

Related ISF Standard references


SD2.4 System Build
SD2.6 Security Testing
SY1.2 Server Configuration

Cloud-related threat events


Adversarial
‒ Exploit cloud design or configuration weaknesses
‒ Exploit insecure interfaces and APIs
‒ Introduce malware to cloud services
‒ Introduce unauthorised code into applications or software

Accidental
‒ Malfunction of cloud services
‒ Misconfiguration of cloud services
‒ Undesirable effect of change
‒ User error (negligence or accidental)


D.2 APPLICATION PROGRAMMING INTERFACE (API)


Organisations often leverage an application programming interface (API) to access external services. When
configured correctly, APIs can enable applications in the cloud environment to interact seamlessly with other
services to enhance the application’s functionality.

There are three core security controls to consider:

D.2.1 Configure web APIs securely

D.2.2 Deploy an API management tool

D.2.3 Use an API gateway

Figure 21: Using APIs with cloud services (diagram: applications in IaaS and PaaS call external services
through an API; not reproduced in text)
OBJECTIVE
To connect applications and software securely within and beyond the cloud environment, leveraging data and
software that reside within separate applications or other software.

ISF Member Survey: 85% have implemented some level of API security.

BENEFITS
‒ Sends encrypted data over HTTPS, provided that web-based APIs are configured to use TLS.
‒ Allows the connecting service to be validated through authentication.
‒ Reduces the risk of technical security vulnerabilities being introduced by enabling applications and other
software to connect simply but securely.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS and PaaS: the cloud customer will be responsible for the majority of APIs, often in conjunction with
the external party whose service is being used. It may sometimes be necessary to engage the CSP to
assist with API configuration.

SaaS: the cloud customer will rarely be responsible for securing APIs but may need to liaise with the
CSP regarding connection to APIs that are external to the customer’s cloud environment to ensure the
configuration is successful.


CONTROL IMPLEMENTATION
APIs allow an organisation to extend functionality of cloud services using a common method that links
applications to other useful services, often in the supporting cloud environment. APIs are very versatile in their
use and cloud adoption has only helped to increase their popularity. For example, an API request can be used
to provide a postal address lookup service when entering a postcode on a webpage form.

Any organisation leveraging API technology in the cloud environment should configure APIs securely, use an API
management tool and deploy an API gateway to help protect their systems and data. These approaches are not
mutually exclusive, and more than one can be used to improve API security.

APIs expose more of an organisation's infrastructure to callers and therefore increase the attack surface. An
attacker who finds an API can attempt to subvert it through:
‒ injection of malicious input through parameters (e.g. SQL injection)
‒ identity attacks (e.g. credential or API key theft, replay of stolen tokens)
‒ man-in-the-middle attacks on connections that are not protected by TLS.

D.2.1 Configure web APIs securely


The most common type of API used in the cloud environment is the web API, which carries requests over the
normal web ports. To secure a web API, an organisation should:
‒ restrict the ports and source IP addresses allowed via firewall or WAF rulesets
‒ use HTTPS (TLS) for all traffic, so that credentials and data are encrypted in transit
‒ enforce a clear separation between administrative API connections and normal functional connections.

Web APIs are usually SOAP (Simple Object Access Protocol) or REST (Representational State Transfer) based.
Neither provides authentication or authorisation on its own, so these must be configured explicitly (e.g.
WS-Security for SOAP; OAuth 2.0 bearer tokens, signed requests or mutual TLS for REST) and every request must
be checked against them.

As a web API effectively opens an organisation’s web servers to the internet, great care needs to be taken in
planning and implementing these services to ensure that security is built in from the start.

D.2.2 Deploy an API management tool


To manage the various aspects of developing and securing APIs, organisations can use an API management
tool, typically a cloud-hosted platform, which can be used to:
‒ create and test APIs for functionality and compatibility
‒ configure APIs securely and consistently
‒ support ongoing operation, security and version control (lifecycle management).

When selecting an API management tool, an organisation should consider the business objectives of using APIs
and the corresponding features and functionality that the prospective tool will need to provide.


D.2.3 Use an API gateway


Many CSPs offer an API gateway, and gateways can also be procured from security vendors. An API gateway
controls and manages all the API requests intended for an organisation's cloud services, and allows organisations
to manage centrally APIs hosted with multiple CSPs as well as those that link to on-premises services.

A correctly configured API gateway reduces vulnerabilities because every API request traverses the gateway and
is therefore processed in the same way. When the gateway receives a request, it will:
‒ check where the request originated and authenticate the caller
‒ determine which service the request is intended for
‒ forward the request only after it has checked that the connection is allowed and within quota.

An API gateway also provides more granular control and visibility of requests, helping analysts in a SOC to
identify and respond to potential threats. An additional benefit is TLS termination: the gateway holds the server
certificate and private key for the HTTPS endpoint, completes the TLS handshake (validating the client's
certificate where mutual TLS is used) and forwards genuine requests to the relevant cloud device, so certificates
are renewed in one place rather than on every backend.

CONSIDERATIONS FOR SUCCESS


‒ Identify where APIs are currently, or will be, used by the organisation in the cloud environment.
‒ Use well-known external APIs that are covered by an approved and signed contract.
‒ Incorporate secure methods into the design lifecycle for APIs.

Additional considerations to secure APIs include:


‒ Password hashing: hashing protects stored passwords, not passwords in transit, so any password the API stores for verification should be hashed with a salted, deliberately slow password hash (e.g. bcrypt, scrypt or Argon2), and passwords should not be embedded in code or passed as parameters in API requests at all.
‒ Least privilege: any accounts that are used within the API should have the minimum level of access required to perform the specific task the API has been designed for.
‒ Restrict information in URLs: URLs used within API calls should not carry sensitive data (e.g. API keys, session tokens, usernames or passwords), since URLs are routinely recorded in proxy, gateway and web server logs and in browser history.
‒ Quotas and rate limiting: limits should be set on the number of requests a caller can make via an API over a given period, to reduce the impact of a denial of service attack and to slow an attacker making numerous calls in an attempt to enumerate or exfiltrate data.
‒ Authentication: the authentication methods accepted by each API should be assessed and approved.
‒ Authorisation: code behind an API should not perform operations outside the remit of the calling identity and the specific endpoint invoked.
‒ API keys: keys need to be secured and never placed directly in application code. Store them in a key vault, restrict which people and processes can read them, rotate them regularly and keep them apart from the source files so that they are not committed to version control.
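The gateway processing steps and several of the considerations above, as an added example that is not code from the ISF report. The route table, the in-memory key store (a stand-in for a key vault, holding only digests of keys) and the client names are constructed for illustration; the check covers where a request originated, which service it is for, secrets leaked in the query string, API-key authentication via a header, least-privilege scopes per route, and per-client rate limiting.

```python
"""Minimal API gateway policy check (added example, not from the ISF report).
Route table, key store and client names are constructed for illustration;
a real deployment would fetch key material from a key vault."""
import hashlib
import hmac
import ipaddress
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# path prefix -> (backend service, source networks allowed, scope required)
ROUTES = {
    "/orders": ("orders-svc", ["10.0.0.0/8", "192.168.1.0/24"], "orders:read"),
    "/admin": ("admin-svc", ["10.0.5.0/24"], "admin"),
}
# Stand-in for a key vault: only SHA-256 digests of keys are held, never the keys.
KEY_STORE = {
    hashlib.sha256(b"k-orders-demo").hexdigest(): {"client": "shop-frontend", "scopes": {"orders:read"}},
    hashlib.sha256(b"k-admin-demo").hexdigest(): {"client": "ops-console", "scopes": {"admin", "orders:read"}},
}
FORBIDDEN_QUERY_PARAMS = {"api_key", "apikey", "token", "session", "password"}
RATE_LIMIT, RATE_WINDOW = 5, 60.0        # requests per client per 60 seconds
_history = defaultdict(deque)            # client -> timestamps of recent requests


def reset_rate_limits():
    _history.clear()


def _lookup_key(presented):
    """Compare the digest of the presented key against stored digests in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored, record in KEY_STORE.items():
        if hmac.compare_digest(stored, digest):
            return record
    return None


def _rate_limited(client, now):
    window = _history[client]
    while window and now - window[0] > RATE_WINDOW:
        window.popleft()                  # forget requests outside the window
    if len(window) >= RATE_LIMIT:
        return True
    window.append(now)
    return False


def gateway_decision(src_ip, url, headers, now=None):
    """Return {'allow', 'reason', 'service'} for one inbound request."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    leaked = FORBIDDEN_QUERY_PARAMS & set(parse_qs(parts.query))
    if leaked:                            # restrict information in URLs
        return {"allow": False, "reason": "secret in URL: " + ",".join(sorted(leaked)), "service": None}
    route = next((r for p, r in ROUTES.items() if parts.path.startswith(p)), None)
    if route is None:                     # determine what service the request is for
        return {"allow": False, "reason": "no route", "service": None}
    service, networks, scope = route
    ip = ipaddress.ip_address(src_ip)     # check where the request initiated
    if not any(ip in ipaddress.ip_network(n) for n in networks):
        return {"allow": False, "reason": "source not allowed for route", "service": service}
    record = _lookup_key(headers.get("X-API-Key", ""))   # authentication via header
    if record is None:
        return {"allow": False, "reason": "unknown API key", "service": service}
    if scope not in record["scopes"]:     # authorisation with least privilege
        return {"allow": False, "reason": "missing scope", "service": service}
    if _rate_limited(record["client"], now):             # quotas and rate limiting
        return {"allow": False, "reason": "rate limited", "service": service}
    return {"allow": True, "reason": "ok", "service": service}
```

The secret-in-URL check runs before routing and authentication on purpose: a request that has already put a key in the query string has leaked it to every log on the path, so the gateway refuses it and the key should be rotated regardless of who sent it.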

Related ISF Standard references


BA1.2 Business Application Protection
TS1.1 Security Architecture

Cloud-related threat events


Adversarial:
‒ Exploit cloud design or configuration weaknesses
‒ Exploit insecure interfaces and APIs
‒ Introduce unauthorised code into applications or software
‒ Session hijacking of cloud services

Accidental:
‒ Misconfiguration of cloud services

64 Using Cloud Services Securely: Harnessing core controls Information Security Forum
D | SECURE CONFIGURATION 1 2 3 4 5 6 7 8

D.3 VIRTUALISATION AND CONTAINERISATION


Virtualisation provides organisations with a platform to create services that can be tailored to meet
organisational requirements. It provides the ability to control system resources (e.g. CPU, memory and disk
space) and allocate them to specific devices.

Within the cloud environment, virtualisation gives an organisation the opportunity to create, manage
and control their own devices, whether to mimic their current set-up or to build and test new ideas
and applications.

There are two core security controls to consider:

D.3.1 Secure virtual machines (VMs)

D.3.2 Configure containers securely

Figure 22: Comparison of virtual machines and containers. Under virtualisation, each VM carries its own application, libraries and operating system on top of a hypervisor; under containerisation, each container carries only the application and its libraries and shares the host kernel through the container daemon. The CSP supplies the CPU, memory and disk; the cloud customer operates the hypervisor or container runtime above it.

OBJECTIVE
To leverage the computing power the cloud offers and enhance current systems while maintaining a secure
working environment.

BENEFITS
‒ Improves patching of systems, as patches can be deployed and tested quickly and efficiently in
duplicated environments.
‒ Reduces the number of accessible devices and vulnerabilities that could be a target for a potential attacker.
‒ Improves availability of systems by helping to increase the speed with which new devices are provisioned to
enhance capacity or replace a failed device.

An advantage of virtualisation is that it provides the ability to control when cloud devices are active. Rather than
these devices being live constantly, they should only be active when required to reduce the attack surface. This
also provides additional cost savings as CSPs normally charge for devices only when they are in use.

CLOUD CUSTOMER RESPONSIBILITIES


Even within an IaaS cloud environment, the core underlying infrastructure, including the hypervisor that isolates
tenants from each other, is managed by the CSP; the cloud customer can, however, run their own virtualisation layer
on top of it (e.g. a container runtime, or a nested hypervisor where the CSP supports one) to obtain greater control
over devices within their cloud environment.
IaaS: in most instances, the cloud customer will be responsible for their own virtualisation, while the CSP
is always responsible for the underlying infrastructure.
PaaS: the cloud customer will sometimes be responsible for virtualisation but this is more common when
using containerisation. Virtualisation is mainly the responsibility of the CSP.
SaaS: virtualisation is outside the cloud customer’s remit of responsibility and lies solely with the CSP.


CONTROL IMPLEMENTATION
Organisations can use virtualisation technologies through virtual machines (VMs) or containers. Plans should
be established to help secure VMs or containers when organisations design (or retrofit) the cloud environment.
If the cloud customer implements their own instances of virtualisation then security can be applied in the
cloud environment by establishing a connection to existing on-premises security tools, either via the cloud
management console or through a specific security vendor solution (e.g. patching or malware protection).

D.3.1 Secure virtual machines (VMs)


The most common usage of virtualisation is server virtualisation, which creates a replica of computer hardware
using a technology called a hypervisor. A hypervisor manages VMs and segregates them from each other,
assigning each VM a portion of the host computing resources (e.g. CPU, memory and disk space).

VMs should be secured in the same way as any standard hardware, for example, by implementing malware
protection software, applying regular patching and disabling unused functionality.

Virtual machines are not static, unlike the physical devices they replace: they are created, moved and destroyed
frequently, so standard security controls that assume a fixed inventory (e.g. scheduled vulnerability scanning and
malware protection installed after deployment) will not work effectively in a cloud environment. For these controls
to provide the most value, they should be built into ‘gold standard’ images or automated build scripts (for further
details, see control topic D.1).

D.3.2 Configure containers securely


Another form of virtualisation works at the operating system level rather than emulating the underlying hardware.
Operating system virtualisation occurs primarily through containers, which are commonly used in the cloud
environment to isolate applications.

Containerisation
Within the software context, a container is a lightweight, isolated runtime environment that packages an application
together with the libraries and other dependencies it needs. Containers share the kernel of the host operating system
rather than each carrying a full guest OS, so no hypervisor or separate OS has to be booted before the application
can load and run. This makes a container very lightweight and means it requires far fewer resources than a VM.
Because the container carries its own dependencies and relies only on the host kernel, a container image is portable
and can be moved to other segments of the cloud environment, or to another CSP, with very little effort or
compatibility issues. With its small footprint and portability advantages, it suits the DevOps and agile methodologies
often used for cloud services.

Containerisation brings with it new security challenges. A running container is not patched or instrumented in
place: there is no full guest OS in which to install agents (e.g. vulnerability scanners, anti-malware or patch
management tools), so vulnerabilities are removed by rebuilding and redeploying the image, images are scanned in the
build pipeline or registry, and the shared kernel is protected by host-level tooling. Application security is
therefore a vital component of securing a container environment. Reviewing the code used to build an application for
vulnerabilities is an important factor and can be achieved with peer reviews, external expert reviews or software tools.

Developers should also be trained in secure coding and understand the OWASP Top 10⁵, in order to avoid
introducing common vulnerabilities into applications and to protect passwords and other secrets. The cloud customer
needs to adopt a secure development lifecycle approach so that security is considered at each step (design,
development, delivery and support).

⁵ "OWASP Top 10 Most Critical Web Application Security Risks", OWASP, 2017, https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
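Because the controls for a container move into the image build, the build definition is where a review pays off. The checker below is an added example, not code from the ISF report: it reads a Dockerfile and flags an unpinned base image, a final stage that runs as root, a secret baked in through ENV or ARG, and software fetched from the network during the build without verification. Both Dockerfiles are constructed for illustration and the sha256 digest in the hardened one is a placeholder, not a real image digest.

```python
"""Static checks on a Dockerfile (added example, not from the ISF report).
The two Dockerfiles are constructed; the digest shown is a placeholder."""
import re

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")

WEAK_DOCKERFILE = """
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.test/tool.tar.gz /opt/
RUN curl -sSL https://example.test/install.sh | sh
COPY app /app
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """
# placeholder digest: pin to the digest your registry reports for the image
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN addgroup --system app && adduser --system --ingroup app app
COPY --chown=app:app app /app
USER app
CMD ["python", "/app/main.py"]
"""


def _instructions(text):
    """Yield (INSTRUCTION, arguments) pairs, joining backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def base_image_pinned(image):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    tag = image.rsplit("/", 1)[-1].partition(":")[2]   # ignore any registry:port prefix
    return bool(tag) and tag.lower() != "latest"


def check_dockerfile(text):
    """Return a list of {'rule', 'instruction'} findings for the image described by text."""
    findings, stages, user = [], set(), None
    for instr, arg in _instructions(text):
        if instr == "FROM":
            user = None                        # every stage starts again as root
            words = arg.split()
            image = words[0]
            if len(words) == 3 and words[1].upper() == "AS":
                stages.add(words[2])           # a later FROM may refer to this stage by name
            if image.lower() != "scratch" and image not in stages and not base_image_pinned(image):
                findings.append({"rule": "unpinned-base-image", "instruction": "FROM " + arg})
        elif instr == "USER":
            user = arg.split(":")[0]
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(arg):
            findings.append({"rule": "secret-in-build-metadata", "instruction": instr + " " + arg})
        elif instr == "RUN" and PIPE_TO_SHELL.search(arg):
            findings.append({"rule": "pipe-to-shell", "instruction": "RUN " + arg})
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append({"rule": "add-from-url", "instruction": "ADD " + arg})
    if user in (None, "root", "0"):            # only the final stage's USER matters at runtime
        findings.append({"rule": "runs-as-root", "instruction": "USER (not set in final stage)"})
    return findings
```

Running the checker on the weak Dockerfile yields all five findings; the hardened one yields none. Pinning the base image by digest is what makes a later rebuild reproducible, which is the step that replaces in-place patching for containers.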


CONSIDERATIONS FOR SUCCESS


‒ Ensure virtualised devices are only accessible externally once they have been tested and signed off as ready.
‒ Use the advantages of virtualisation to test functionality and security before releasing devices
into production.

Organisations should consider the following challenges when mitigating security concerns associated with
virtualisation in the cloud:
‒ Additional tools will often need to be acquired, which can increase the cost of running devices in the cloud.
‒ Monitoring can be difficult, as workloads are moved between backend hosts that the organisation cannot access.

Related ISF Standard references


SY1.3 Virtual Servers

Cloud-related threat events


Adversarial:
‒ Exfiltrate sensitive data from cloud services
‒ Introduce malware to cloud services
‒ Introduce unauthorised code into applications or software

Accidental:
‒ Undesirable effect of change
‒ User error (negligence or accidental)


E | SECURITY MONITORING

Monitoring the security posture of the cloud environment is crucial in addressing potential
security vulnerabilities, identifying threat patterns and reducing the likelihood and impact of
information security incidents.
Security monitoring can be achieved through an ongoing vulnerability management programme that entails
vulnerability scanning, penetration testing and code reviews. Security events should be monitored using a
SIEM, typically managed by a SOC. Any information security incidents detected in the cloud environment
should be addressed through an incident management capability, supported by an incident management plan
agreed with each CSP and tested on a regular basis.

The core security monitoring controls are listed below. The report's table rates each control's level of
applicability to the IaaS, PaaS and SaaS service models as High, Medium, Low or None; those ratings are not
reproduced here.

E | SECURITY MONITORING

E.1 VULNERABILITY MANAGEMENT
E.1.1 Implement vulnerability scanning
E.1.2 Conduct regular penetration tests
E.1.3 Consider crowdsourced penetration testing
E.1.4 Perform code reviews

E.2 SECURITY EVENT MANAGEMENT
E.2.1 Use a cloud-based security information and event management (SIEM)
E.2.2 Connect the cloud environment to an on-premises SIEM
E.2.3 Leverage a managed security service provider’s (MSSP) experience

E.3 SECURITY INCIDENT MANAGEMENT
E.3.1 Create a cloud security incident management capability
E.3.2 Establish a cloud security incident management process
E.3.3 Develop and test cloud security incident management plans


E.1 VULNERABILITY MANAGEMENT


Organisations need to understand the technical risks of operating in the cloud environment to prevent
potential security incidents and optimise the implementation of security controls. A cloud security testing
programme should be developed to discover, assess and remediate technical security vulnerabilities in line
with the organisation’s risk appetite.

There are four core security controls to consider:

E.1.1 Implement vulnerability scanning

E.1.2 Conduct regular penetration tests

E.1.3 Consider crowdsourced penetration testing

E.1.4 Perform code reviews

Figure 23: Vulnerability testing options (1st: testing of the source, whether IaaS, PaaS or SaaS; 2nd: reporting, with a CVSS score and a risk rating for each finding).

OBJECTIVE
To address technical vulnerabilities in the cloud environment quickly and effectively, thereby reducing the
likelihood of these vulnerabilities being exploited.

BENEFITS
‒ Identifies technical vulnerabilities in an organisation’s cloud environment, which enables planning and
budgeting for remediation according to their severity.
‒ Reduces the number and severity of vulnerabilities in the cloud environment.
‒ Provides visibility to a SOC of which cloud devices may be vulnerable to certain attacks, helping analysts to
determine if an observed event is a genuine threat.
‒ Informs the original build process for those cloud devices created using build standardisation (see control
topic D.1), reducing the number of vulnerabilities when new devices are created.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS: the cloud customer is primarily responsible for all aspects of vulnerability management, but the permitted
scope of testing should still be confirmed with the CSP if it is not set out in the cloud contract.

PaaS: the cloud customer should perform all vulnerability management tasks where possible; the agreed
levels of assessment will either be detailed in the cloud contract or can be arranged directly with the CSP.

SaaS: the cloud customer is typically not responsible for vulnerability management with regard to SaaS
applications. Many CSPs do not allow customers to perform scans or reviews of their cloud applications
but will typically provide customers with a copy of their own vulnerability or penetration testing reports.


CONTROL IMPLEMENTATION
Organisations are often already running a vulnerability assessment programme and deploying a range of
associated tools on-premises. With respect to cloud devices, the contract with the CSP should list permissible
scanning and testing. The security controls below are not mutually exclusive and if more than one is used to
form a cloud security testing programme, a greater level of assurance can be gained.

Given many CSPs run multi-tenanted environments (using the same underlying hardware to serve multiple
customers), vulnerability assessments may unintentionally affect other customers. In some instances,
organisations will be required to complete a form to clarify the scope of testing – details requested by the CSP
typically include timeframes, IP addresses and clarification on liabilities.

E.1.1 Implement vulnerability scanning


There are various options available to perform vulnerability scanning in the cloud environment. Using local
vulnerability agents is preferable, since a cloud device may not exist long enough to be picked up by a scheduled
scan: devices often exist only at certain times of the day, or are created and then removed within hours. The
advantages of a vulnerability scanning agent are that it will:
‒ continuously monitor a device for vulnerabilities, raising real-time alerts when a vulnerability is discovered
‒ typically offer the option of web application scanning, which probes deeper into a device and looks for
vulnerabilities (e.g. cross-site scripting, cross-site request forgery and SQL injection) within the application
code as well as the underlying software.

Some organisations, however, are reluctant to install multiple software agents as there can be considerable
resource overheads on the host device running multiple agents. Additionally, when installing multiple agents
there is an increased chance of causing conflicts that negatively impact the host device and in extreme cases,
even stop the host working. Alternative options to using vulnerability agents include:
‒ deploying a virtual scanner within the cloud environment
‒ implementing host scanning as opposed to network scanning
‒ broadening the scope of an existing vulnerability scanner.

A vulnerability agent should be incorporated into the cloud device build configuration, enabling devices to be
checked as soon as they are built and while they remain in use (see control topic D.1).

E.1.2 Conduct regular penetration tests


Organisations can conduct penetration tests on their cloud environment, which are particularly useful for IaaS
applications that are under the organisation’s control.

It is at the organisation’s discretion whether penetration testing is performed by an internal team, an expert
supplier or both, taking into account their respective advantages:
‒ internal testing is useful to gain an understanding of the development process and how it can be improved
‒ external testing can provide a more detailed assessment of the live cloud environment.

ISF Member Survey: 77% are already performing penetration tests on their cloud environment.

E.1.3 Consider crowdsourced penetration testing


Crowdsourced penetration testing can be used to augment or replace traditional testing. It can be achieved by
engaging a specialist security vendor for continuous testing or introducing a bug bounty programme. A review
of the cloud contract must be performed to understand if this method of testing is acceptable.

Some security vendors offer a crowdsourced solution for penetration testing, harnessing the skills of many ethical
hackers to deliver results that a single testing team would usually take much longer to produce, using the full
range of attacker techniques (e.g. brute force password attacks and social engineering). The hackers are paid a
reward by the vendor for each genuine vulnerability they discover and disclose.


Some organisations run an external bug bounty programme, which invites external security researchers to target
the organisation’s cloud environment and rewards them financially for details of any vulnerabilities they discover.
Before embarking on an external bug bounty programme, organisations need to ensure that all legal paperwork has
been completed, regulatory requirements are satisfied, and the scope and rules of engagement are clearly defined
and permitted by the CSP.

An organisation benefits from crowdsourced testing as it mimics the methods a real hacker would use if they
were attempting to breach an organisation. Compared to a normal penetration test, which is limited by time
and the specific scope of testing, a crowdsourced approach brings the added advantage of a global workforce
with a diverse array of skills and testing techniques.

E.1.4 Perform code reviews


For those organisations who use code to build cloud devices (e.g. for IaC), it is important to review the
code that is developed. Given that the code will be used multiple times to repeat the creation of cloud
devices, organisations need to ensure that this code is not creating and replicating any vulnerabilities in the
cloud environment.

Reviewing the code as part of the build process will ensure devices are built accurately and without
vulnerabilities from the start. Periodic reviews should also be carried out once the device has been deployed
(especially after changes to the code). These can take the form of internal peer reviews or more commonly,
be conducted by an expert supplier. There are some software tools (e.g. source code analysers) that can be
procured to perform a code review but at present, these are relatively immature and therefore the results may
not be accurate.

For code reviews to be beneficial, it is essential that:


‒ actions are repeatable
‒ testing/scans are performed on a regular basis
‒ vulnerabilities discovered are remediated based on an agreed priority.
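A review of the code that builds cloud devices is most useful when it is repeatable, so it is worth encoding the checks that keep coming up. The checker below is an added example and not code from the ISF report: it walks a Terraform JSON-syntax template (the `*.tf.json` form, which is plain JSON) and reports an administrative port open to any address, storage created without encryption, and a credential written into the template. Resource and attribute names follow the Terraform AWS provider as the author understands it, and the template is constructed for illustration.

```python
"""Repeatable review checks for infrastructure-as-code (added example, not
from the ISF report). Resource and attribute names are assumed to follow the
Terraform AWS provider; the sample template is constructed."""
import json
import re

ADMIN_PORTS = {22, 3389}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}
ENCRYPTION_FLAGS = {"aws_ebs_volume": "encrypted", "aws_db_instance": "storage_encrypted"}
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CREDENTIAL_ATTRS = {"password", "secret", "secret_key", "access_key"}

SAMPLE_TEMPLATE = json.loads("""
{
  "resource": {
    "aws_security_group": {
      "bastion": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
      "app": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}
    },
    "aws_ebs_volume": {
      "data": {"availability_zone": "eu-west-2a", "size": 100}
    },
    "aws_db_instance": {
      "db": {"storage_encrypted": true, "password": "hunter2-literal"},
      "db_ok": {"storage_encrypted": true, "password": "${var.db_password}"}
    }
  }
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ingress_open_to_world(rule):
    """True if the rule exposes an admin port (or all ports) to any source address."""
    cidrs = set(_as_list(rule.get("cidr_blocks", []))) | set(_as_list(rule.get("ipv6_cidr_blocks", [])))
    if not cidrs & ANY_ADDRESS:
        return False
    if str(rule.get("protocol", "")) == "-1":          # all protocols, all ports
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 65535))
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _credential_literals(name, body, path=""):
    """Yield attribute paths whose literal value looks like a credential."""
    if isinstance(body, dict):
        for key, value in body.items():
            yield from _credential_literals(key, value, f"{path}.{key}" if path else key)
    elif isinstance(body, list):
        for i, value in enumerate(body):
            yield from _credential_literals(name, value, f"{path}[{i}]")
    elif isinstance(body, str):
        # a "${...}" string is a reference to a variable or another resource, not a literal
        if ACCESS_KEY_ID.search(body) or (name.lower() in CREDENTIAL_ATTRS and not body.startswith("${")):
            yield path


def review_template(template):
    """Return findings as (rule, address) tuples for every resource in the template."""
    findings = []
    for rtype, instances in template.get("resource", {}).items():
        for rname, body in instances.items():
            address = f"{rtype}.{rname}"
            if rtype == "aws_security_group":
                if any(_ingress_open_to_world(r) for r in _as_list(body.get("ingress", []))):
                    findings.append(("admin-port-open-to-world", address))
            flag = ENCRYPTION_FLAGS.get(rtype)
            if flag and not body.get(flag, False):       # absent flag means the provider default
                findings.append(("storage-not-encrypted", address))
            for where in _credential_literals(rname, body, address):
                findings.append(("hardcoded-credential", where))
    return findings
```

Run against the sample, the review reports the bastion security group, the unencrypted volume and the literal database password, and leaves the resources that reference a variable or restrict the source network alone. Because the same template will build every device of that type, one finding here stands for every device it would have produced.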

CONSIDERATIONS FOR SUCCESS


‒ Establish a process to review the results of vulnerability assessments performed on the cloud environment
and follow-up on any remediation work required.
‒ Create a robust method for risk acceptance so that an organisation can accept the risk where it cannot or will
not apply a risk treatment option.
‒ Remove newly discovered vulnerabilities promptly from devices deployed within the cloud environment (e.g.
by updating the build methods).

Related ISF Standard references


SD2.4 System Build
SD2.5 System Testing
SD2.6 Security Testing
SC1.1 External Supplier Management Process

Cloud-related threat events


Adversarial:
‒ Exploit cloud design or configuration weaknesses
‒ Exploit insecure interfaces and APIs
‒ Exploit vulnerable authorisation mechanisms
‒ Introduce malware to cloud services
‒ Introduce unauthorised code into applications or software
‒ Session hijacking of cloud services
‒ Unauthorised network scanning or probing

Accidental:
N/A


E.2 SECURITY EVENT MANAGEMENT


An organisation needs to be able to correlate and assess security-related events from logs produced by cloud
services in order to detect anomalous activity and stop an attack before it causes harm. A successful attack could
result in the exploitation of an organisation’s data, adversely affect on-premises or cloud infrastructure,
disrupt business operations and ultimately damage both reputation and brand. A quick response can save an
organisation from going out of business.

There are three core security controls to consider:

E.2.1 Use a cloud-based security information and event management (SIEM)

E.2.2 Connect the cloud environment to an on-premises SIEM

E.2.3 Leverage a managed security service provider’s (MSSP) experience

Figure 24: Security event management process (logs from IaaS, PaaS and SaaS services and from the firewall feed the SIEM, which raises alerts to the SOC).

OBJECTIVE
To monitor the cloud environment, detect potential threats and respond quickly to security incidents to
mitigate their impact.

For practical advice on how to design, establish and evolve an efficient and effective SOC, see the ISF report
Building a successful SOC: Detect earlier, respond faster.

BENEFITS
‒ Provides early visibility of threats in the cloud environment that may affect the cloud customer.
‒ Increases speed of response to potential security incidents.
‒ Provides greater clarity of a potential threat, provided that security event management for cloud services is
integrated with an existing on-premises solution.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS: the cloud customer is responsible for cloud infrastructure, and therefore can access and configure
the requisite logs. They will need to liaise with the CSP to gain insight into what additional logs could
assist them from the underlying cloud infrastructure.

PaaS: the cloud customer is responsible for the applications and some of the infrastructure within the
cloud environment and therefore can gain access to the majority of requisite logs but will need to work
with the CSP to access logs from the core infrastructure elements within the PaaS set-up.

SaaS: the cloud customer has to work closely with the CSP to understand whether they can gain access to
any logs and what alerting options are on offer to assist the cloud customer with monitoring their systems.


Since most SaaS solutions run on multi-tenanted cloud set-ups, it may not be possible to gain access to the relevant
logs as the infrastructure is shared – this could restrict the ability to detect a threat.
This issue also exists within PaaS and IaaS, but with these cloud service models, an organisation has greater control
over more of the systems involved.

CONTROL IMPLEMENTATION
There are several ways an organisation can monitor security-related events in the cloud environment. At a
minimum, a SIEM tool should be used to provide an organisation with increased visibility of anomalous activity.

A SIEM needs to have the correct inputs to be an effective tool. An organisation needs to understand its infrastructure
and critical assets so that it knows what needs to be protected and can identify the relevant cloud service logs and
requisite security events that should be ingested by the SIEM.

E.2.1 Use a cloud-based security information and event management (SIEM)


There are many cloud-based SIEM services available, which can be procured from SIEM vendors or via the
CSP. A SIEM can use a lot of processing power and storage, whereas a cloud-based service involves less
infrastructure outlay and can scale quickly in line with demand. An organisation connects directly to the cloud
SIEM, thus removing the need to connect cloud devices to the on-premises network, which reduces bandwidth
usage and the potential for data to be intercepted.

Running two separate SIEM systems (one for the cloud environment and one on-premises) could mean that a
sophisticated attack is missed, since related events are seen in isolation instead of being correlated.
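The value of correlation across sources, as an added example that is not code from the ISF report. Two constructed feeds are normalised into one event schema: a cloud audit log (JSON lines, one per management-API call) and a firewall log (syslog style, one line per connection decision). A single rule then raises an alert when a successful cloud console login comes from an address the firewall had been dropping shortly before. In either feed alone the activity is unremarkable; joined, it is a credible sign of an attacker who probed the perimeter and then logged in with a stolen credential. Field names, log formats and the syslog year are assumptions for this example.

```python
"""Cross-source event correlation of the kind a SIEM performs (added example,
not from the ISF report). Both feeds are constructed; field names, log
formats and the syslog year are assumptions."""
import json
import re
from datetime import datetime, timedelta, timezone

CLOUD_AUDIT_LINES = [  # constructed: one JSON record per management-API call
    '{"time": "2019-10-02T09:12:04Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77", "user": "svc-deploy", "outcome": "Success"}',
    '{"time": "2019-10-02T09:12:40Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9", "user": "alice", "outcome": "Success"}',
    '{"time": "2019-10-02T09:13:11Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77", "user": "alice", "outcome": "Failure"}',
]
FIREWALL_LINES = [  # constructed: syslog-style records of inbound connection decisions
    "Oct  2 09:07:51 fw01 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Oct  2 09:07:52 fw01 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "Oct  2 09:07:52 fw01 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=445",
    "Oct  2 09:07:53 fw01 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=8080",
    "Oct  2 09:10:30 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=443",
    "Oct  2 09:11:02 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=443",
]
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
FW_DROP = re.compile(r"^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ .*?\bDROP\b.*?\bSRC=(\S+).*?\bDPT=(\d+)")


def parse_cloud_audit(lines):
    """Normalise cloud audit records into the common event schema."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append({
            "ts": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source": "cloud-audit", "src_ip": rec["sourceIPAddress"], "user": rec.get("user"),
            "action": rec["eventName"], "outcome": rec["outcome"].lower(), "port": None,
        })
    return events


def parse_firewall(lines, year=2019):
    """Normalise dropped connections; syslog carries no year, so one is supplied."""
    events = []
    for line in lines:
        m = FW_DROP.match(line)
        if not m:                      # ACCEPT lines and anything unparseable are skipped
            continue
        mon, day, hh, mm, ss, src, dpt = m.groups()
        events.append({
            "ts": datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc),
            "source": "firewall", "src_ip": src, "user": None,
            "action": "connection", "outcome": "dropped", "port": int(dpt),
        })
    return events


def correlate(events, lookback=timedelta(minutes=15), min_ports=3):
    """Alert on a successful cloud login from an address the firewall dropped on
    at least min_ports distinct ports during the preceding lookback window."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not (ev["source"] == "cloud-audit" and ev["action"] == "ConsoleLogin" and ev["outcome"] == "success"):
            continue
        start = ev["ts"] - lookback
        ports = {p["port"] for p in events[:i]
                 if p["source"] == "firewall" and p["src_ip"] == ev["src_ip"] and p["ts"] >= start}
        if len(ports) >= min_ports:
            alerts.append({"rule": "login-after-perimeter-scan", "src_ip": ev["src_ip"],
                           "user": ev["user"], "ports": sorted(ports), "at": ev["ts"].isoformat()})
    return alerts
```

With both feeds loaded the rule fires once, for the svc-deploy login from 203.0.113.77; with the cloud audit log alone it never fires, which is the situation a cloud-only SIEM would be in.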

E.2.2 Connect the cloud environment to an on-premises SIEM


An on-premises SIEM tool can be configured to ingest security events from cloud service logs, sending
the logs via the same route used by the organisation to connect to cloud devices. This approach is most
attractive for an organisation with an existing SIEM, maximising the considerable investment of money and
time already expended in deploying the tool. It also has the advantage of consolidating logs from different
cloud services into one tool, which then serves as a single point of visibility, spanning local infrastructure and
the cloud environment.

E.2.3 Leverage a managed security service provider’s (MSSP) experience


Configuring and monitoring a SIEM tool can be difficult, costly and labour-intensive, so an organisation
will often find that outsourcing the work to an MSSP can be advantageous. Organisations can utilise the
MSSP's experience, knowledge and resources to help implement the SIEM and monitor for anomalies in the
cloud environment.

Many MSSPs are also experienced in investigating and responding to security events, so an organisation
may wish to take advantage of this expertise, particularly if they do not have their own security incident
management function.


CONSIDERATIONS FOR SUCCESS


‒ Build on prior experience and knowledge garnered from deploying or running a SIEM.
‒ Define how internal teams can effectively respond to suspicious or malicious activity.
‒ Review what cloud devices should be monitored and what level of logging is required for effective
event management.
‒ Harness the existing tools, resources and capabilities of a SOC, in particular for security investigation, to gain
context and greater clarity as to whether security events in the cloud environment indicate suspicious or
malicious behaviour.

Related ISF Standard references


TM1.2 Security Event Logging
TM1.3 Security Event Management

Cloud-related threat events


Adversarial:
‒ Conduct denial of service attack
‒ Exploit cloud design or configuration weaknesses
‒ Exploit insecure interfaces and APIs
‒ Exploit vulnerable authorisation mechanisms
‒ Introduce unauthorised code into applications or software
‒ Session hijacking of cloud services
‒ Unauthorised access to cloud service authentication credentials
‒ Unauthorised network scanning or probing

Accidental:
‒ Misconfiguration of cloud services
‒ Mishandling of critical or sensitive information by authorised users
‒ User error (negligence or accidental)


E.3 SECURITY INCIDENT MANAGEMENT


Many organisations have suffered from cloud-related information security incidents, such as loss of service,
corruption of data, malware infection or data breach. As these types of incident become more commonplace, it
is vital to manage and respond to any threat event or loss of service quickly and effectively.

There are three core security controls to consider:

E.3.1 Create a cloud security incident management capability

E.3.2 Establish a cloud security incident management process

E.3.3 Develop and test cloud security incident management plans

Figure 25: Security incident management flow (an incident such as a data breach is reported with its type, date and affected systems; alerts go to system developers, business users, system administrators and the CSP; and the problem is repaired).

OBJECTIVE
To identify and resolve security incidents affecting the cloud environment, minimise their business impact and
apply lessons learned to minimise future risk.

BENEFITS
‒ Assists in reducing the impact of cloud-related security incidents.
‒ Identifies lessons learned and performs root cause analysis on previous incidents so to improve systems and
processes and reduce the frequency of incidents.

The ISF Member Survey revealed that Members experienced at least one cloud-related incident over the past
12 months, including: 46% suffered from service loss or degradation, 28% experienced a malware infection,
23% suffered from data loss or corruption and 20% suffered a data breach.

CLOUD CUSTOMER RESPONSIBILITIES


IaaS: the cloud customer is responsible for a significant portion of incident response, but collaboration with
the CSP is still paramount.

PaaS: the cloud customer is responsible for incident management but will need support from the CSP,
particularly to access logs from the underlying infrastructure.

SaaS: the cloud customer is responsible for initiating and managing most security incidents but the CSP is
responsible for reporting any incident to the cloud customer and conducting much of the investigative work.
It is rare for the cloud customer to have access to the relevant systems and logs that would be involved.


CONTROL IMPLEMENTATION
Managing and responding to security incidents that occur in, or affect, the cloud environment does not differ
significantly from any other type of information security incident. The cloud environment should therefore be
incorporated into an organisation’s existing security incident management processes and relevant corporate
response plans, ensuring that the nuances of using cloud services are taken into account.

When dealing with cloud-related security incidents, organisations should focus on contractual
arrangements, collaboration, data breach notification, gaining access to security event logs and performing
forensic investigations.

Cloud incident detection and response can seem challenging because of:
‒ a lack of visibility into the underlying cloud infrastructure
‒ insufficient detail and/or the difficulty of accessing event data or evidence
‒ skills shortages in technical areas, such as cloud configuration and cloud incident response.

E.3.1 Create a cloud security incident management capability


Organisations should establish a security incident management capability for the cloud environment comprised
of skilled individuals as well as relevant tooling. The capability should be developed taking into account the
CSP’s offering as well as existing on-premises arrangements. Key points of contact should be agreed with all
parties, and communication plans should be used and tested regularly.

E.3.2 Establish a cloud security incident management process


There should be a method for managing cloud-related security incidents that links to the organisation's existing
incident management process. This process should cover:
‒ identifying a security incident (e.g. receiving security incident reports, assessing the business impact,
categorising and classifying the incident, identifying the CSP involved and recording information about
the incident)
‒ responding to a security incident (e.g. escalation to the incident management team for investigation,
escalation to the CSP where appropriate, containment and eradication of the cause of the incident)
‒ recovering from a security incident (e.g. rebuild of cloud devices and restoring data)
‒ following up a security incident (e.g. post-incident activities such as root cause analysis, forensic
investigation, improvement of discussions with the CSP, report to the business and notification to the
authorities and customers of a data breach if necessary).

Security orchestration, automation and response (SOAR) tools can assist the cloud customer by automating parts
of the incident management process. Automation can take on the more repetitive, simpler tasks involved in incident
response, improving efficiency and response time.
Some CSPs offer a range of incident management tools, including SOAR, that the cloud customer can leverage.

E.3.3 Develop and test cloud security incident management plans


Security incident management plans should be agreed with each significant CSP and embedded in service level
agreements (SLAs) as part of the contract. The SLA should require CSPs to meet the organisation's security
requirements by:
‒ protecting the confidentiality and integrity of the organisation’s data during a security incident
‒ providing dedicated support (e.g. identified support specialists and a method of contacting them directly) in
the event of a security incident
‒ supporting the organisation in the event of legal action that involves the organisation's data stored or
transmitted via the cloud (e.g. e-discovery requests or forensic investigations).

76 Using Cloud Services Securely: Harnessing core controls Information Security Forum
E | SECURITY MONITORING 1 2 3 4 5 6 7 8

Security incident response simulations should be conducted regularly, typically in conjunction with one or
more significant CSPs, to test the incident response plan. By simulating security incidents that might occur in or
affect cloud services, an organisation can validate that the plan and process perform as expected and assess
whether it will be able to respond and recover effectively when a real incident occurs.

CONSIDERATIONS FOR SUCCESS


‒ Understand the content and format of the data (e.g. logs, snapshots) that the CSP will supply for analysis, and evaluate
whether the available forensic data satisfies legal chain of custody requirements.
‒ Procure incident response services from the CSP and from external cloud security experts in advance, on retainer.
‒ Set expectations clearly in the SLA about the cloud customer’s role in incident response versus that of the CSP.

Related ISF Standard references


TM1.3 Security Event Management
TM2.1 Security Incident Management Framework
TM2.2 Security Incident Management Process
TM2.4 Forensic investigations

Cloud-related threat events

Adversarial
‒ Exfiltrate sensitive data from cloud services
‒ Introduce malware to cloud services
‒ Misuse of cloud services

Accidental
‒ Undesirable effect of change
‒ User error (negligence or accidental)


7 CLOUD SECURITY PRODUCTS AND SERVICES
Cloud security products and services underpin the ISF Approach, supporting governance
activities and the deployment of core cloud security controls. With a vast array of vendors
to choose from, organisations will need to carefully select the right combination of security
products that will enable them to derive the best value from their security investments.
Administration, configuration and management of security in the cloud environment rely on an effective toolkit
that accounts for the nuances of using cloud services. This section helps organisations to navigate the different
types of cloud security products and services, which can be grouped into three broad categories as presented
in Figure 26:
‒ CSP security services offered by the CSP to enable their cloud customers to apply the required security
configurations to the CSP’s proprietary range of cloud services.
‒ Specialised cloud vendor products designed specifically for managing security in the cloud environment.
‒ Generic vendor products traditionally developed as on-premises security solutions, adapted to provide
additional functionality so they can extend to the cloud environment.

Figure 26: The main categories of cloud security products and services: CSP security services; specialised cloud vendor products; generic vendor products.


CSP SECURITY SERVICES


Most CSPs provide their own cloud security services as part of their standard offering (e.g. AWS Security Hub or
Azure Security Center). Generally, there is no additional cost to use CSP security services, with the exception of
advanced security capabilities, such as DLP and WAF.

CSP security services serve as a fundamental mechanism for the cloud customer to fulfil their security obligations.
When using the different tools and features offered by the CSP, organisations should be cognisant that CSP
security services:
‒ are designed to support individual security topics such as firewall configuration, access management, encryption or DLP
‒ are only accessible through the cloud management console (or APIs) of the given CSP
‒ do not always integrate with other generic security solutions that an organisation has deployed on-premises.

ISF Member Survey: Has your organisation adopted (fully or partially) CSP security services? Responses were split 87% to 13% between the two answers.

CSP security services have some inherent limitations, which include:


‒ incompatible features: some functions may not be compatible with the organisation’s
advanced security requirements. For instance, the organisation may require strict rules for
password management or implementation of granular role-based access management,
which may not work with the CSP's default security offering.
‒ CSP lock-in: CSP security services only apply to those cloud services offered by that CSP,
so security services will have to be replicated across each individual CSP used by the cloud
customer. For instance, access management can be tailored specifically for a category
of users within an AWS implementation, whereas users of Google Cloud will need to be
registered with another access management system.
‒ limited offerings: not all CSPs offer a large portfolio of security services, in which case the
missing services will need to be acquired elsewhere.

While organisations should not depend solely on CSP security services, their low cost,
simple management and wide coverage provide enough attraction to rely on them as
a starting point. To supplement CSP security services, there is an increasing array of
products that are being developed with the multi-cloud environment in mind.


SPECIALISED CLOUD VENDOR PRODUCTS


There are several specialist vendors that have devised products and services solely for use in the cloud environment,
which the cloud customer can deploy to secure the cloud services of multiple CSPs. Some of these products relate to
one specific security control topic; for instance, in the case of IAM, organisations may choose to procure an IDaaS.
Other products, such as a CASB, can facilitate implementation of more than one security control (e.g. DLP,
encryption and security event management).

ISF Member Survey: Has your organisation adopted (fully or partially) a CASB? Responses were split 54% to 46% between the two answers.

CASB (Cloud Access Security Broker)

A CASB is positioned between an organisation’s on‑premises infrastructure and that of the CSP. A CASB improves
visibility of user activity in the cloud environment by providing information about the usage levels of cloud
services (e.g. volumes of data downloads and uploads) as well as the number of individuals accessing each
cloud service.
In addition to supporting security activities, CASB capabilities enable elements of cloud security
governance, including information risk assessments of cloud services. Some CASBs offer a
risk rating for each CSP, calculated according to pre-set criteria that account for attributes,
such as the legal jurisdiction within which the CSP operates; recent incidents that may have
affected the CSP and the approach taken to protect customers’ data. Although these risk ratings
provide an initial view of the CSP’s risk profile, they are no substitute for a detailed information
risk assessment.
There are several benefits to a well-configured CASB, but its expense can be a considerable
inhibitor, especially since CASB capabilities do not cover the full spectrum of core cloud security
controls. Indeed, there is an ongoing debate about the true value of using CASBs to achieve
security in the cloud environment, since many aspects of CASB functionality can be realised
through existing, less costly methods.

“CASBs have taken centre stage as a set of critical controls for securing
an organisation’s use of cloud services.” – Oracle [6]

GENERIC VENDOR PRODUCTS


There is a wide range of generic security products available from external suppliers (sometimes referred to as
third-party products) that can and should be used to extend coverage of security arrangements to cloud services.
These products are typically associated with security controls for an on-premises IT environment but are increasingly
tailored to apply equally to multi-cloud environments.

ISF Member Survey: Has your organisation adopted (fully or partially) generic vendor products? Responses were split 67% to 33% between the two answers.

Some of the popular vendor products used by ISF Members include:
‒ web application firewalls (WAFs) to protect against web application attacks (see security control A.3.3)
‒ SIEM tools to monitor in real time for threats in the cloud environment (see security control E.2.1)
‒ vulnerability scanners to discover technical vulnerabilities in the cloud environment (see security control E.1.1).

[6] “Cloud Threat Report 2019”, Oracle and KPMG, https://www.oracle.com/a/ocom/docs/dc/final-oracle-and-kpmg-cloud-threat-report-2019.pdf


PRODUCTS AND SERVICES APPLIED TO THE CORE CLOUD SECURITY CONTROLS


Cloud security products and services can be leveraged to implement most of the core cloud security controls
presented in Section 6. To support ISF Members in deciding which type of security product is best suited to
their security requirements, the table below maps the security controls to the three categories of products
and services. Some of the security controls do not require deployment of a specific product or service, but rely
more on people and processes for successful implementation, although organisations may perform some of
the tasks within the process through supporting tools and technology.

For each control, the table gives the number of the three product categories (CSP security services, specialised cloud vendor products, generic vendor products) that can support it; controls marked 0 rely on people and process.

A | NETWORK SECURITY
A.1.1 Apply HTTPS (SSL/TLS): 2
A.1.2 Configure a virtual private network (VPN): 2
A.1.3 Implement a wide area network (WAN) solution: 2
A.2.1 Implement virtual local area networks (VLANs): 1
A.2.2 Use software-defined networking (SDN): 2
A.2.3 Configure firewalls to manage networks: 2
A.3.1 Leverage the inbuilt firewalls supplied by the CSP: 1
A.3.2 Implement virtual firewalls: 2
A.3.3 Deploy web application firewalls (WAFs): 2

B | ACCESS MANAGEMENT
B.1.1 Leverage existing on-premises IAM solution: 1
B.1.2 Deploy an identity as a service (IDaaS) product: 1
B.1.3 Build a hybrid IAM solution: 3
B.2.1 Use single sign-on (SSO): 3
B.2.2 Deploy multi-factor authentication (MFA): 3
B.3.1 Apply least privilege principle: 0
B.3.2 Maintain an inventory of cloud administrators: 0
B.3.3 Consider deploying a privileged access management tool: 2
B.3.4 Review administrator activities: 0


(Continued) Number of the three product categories (CSP security services, specialised cloud vendor products, generic vendor products) that can support each control; 0 denotes people and process.

C | DATA PROTECTION
C.1.1 Use data location services: 2
C.1.2 Perform data backups regularly: 3
C.1.3 Protect data in line with its classification: 0
C.2.1 Use the CSP default encryption solution: 1
C.2.2 Configure customer-managed key encryption: 2
C.2.3 Implement customer-supplied key encryption: 3
C.3.1 Extend on-premises DLP programme to cloud services: 1
C.3.2 Configure DLP functionality in cloud services: 2
C.3.3 Use DLP functionality of a cloud access security broker (CASB): 1

D | SECURE CONFIGURATION
D.1.1 Employ a manual build process: 0
D.1.2 Adopt an infrastructure as code (IaC) approach: 1
D.1.3 Apply 'gold standard' images: 3
D.2.1 Configure web APIs securely: 3
D.2.2 Deploy API management tool: 1
D.2.3 Use an API gateway: 2
D.3.1 Secure virtual machines (VMs): 3
D.3.2 Configure containers securely: 2

E | SECURITY MONITORING
E.1.1 Implement vulnerability scanning: 3
E.1.2 Conduct regular penetration tests: 0
E.1.3 Consider crowdsourced penetration testing: 0
E.1.4 Perform code reviews: 1
E.2.1 Use a cloud-based security information and event management (SIEM): 2
E.2.2 Connect the cloud environment to an on-premises SIEM: 1
E.2.3 Leverage a managed security service provider's (MSSP) experience: 0
E.3.1 Create a cloud security incident management capability: 0
E.3.2 Establish a cloud security incident management process: 0
E.3.3 Develop and test cloud security incident management plans: 0


EVOLUTION OF CLOUD SECURITY PRODUCTS AND SERVICES


As cloud security products and services mature, new types of products will emerge. There are two major trends
that are already evident. Firstly, vendors are responding to the demand for a centralised mechanism that
offers increased visibility of an organisation’s entire cloud environment and the ability to manage security for
different cloud services from a single location. Secondly, there are new technologies that vendors are starting
to incorporate into their products, but these remain at an early stage of development.

There are several examples of new products that exemplify these trends such as:
‒ cloud management platforms: combine the functionalities of multiple cloud management consoles into a
single portal
‒ cloud security posture management tools: continuously assess an organisation’s cloud configuration against good
practice baselines, report deviations and perform (or guide) the steps required to remediate them
‒ container security products: conduct in-depth analysis of container images and block the use of images with
specific vulnerabilities
‒ artificial intelligence (AI) systems: enhance certain security products and services, particularly those used for
advanced threat protection and behavioural network traffic analysis.
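The following Python example, added here and not taken from the ISF report or any CSPM product, shows the core of what a cloud security posture management tool does: it evaluates a provider-neutral resource inventory against a small set of good-practice rules (public storage without an approved exception, unencrypted storage, missing access logging, management ports open to the internet, console users without MFA), reports findings with their remediation, and applies automatic fixes in dry-run or live mode, leaving rules that need a human (MFA enrolment) as manual actions. The inventory, the rule identifiers, the tag convention for approved exceptions and the fix actions are constructed for illustration; a real tool would read the CSP's configuration APIs.

```python
"""CSPM-style posture assessment and remediation.

Added example for this report: not ISF code and not a vendor product. The
inventory schema, rule identifiers, the 'public-content: approved' tag
convention and the fix actions are assumptions for illustration; a real
tool would read the CSP's configuration APIs instead of this list."""
import copy
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed, provider-neutral inventory of a few cloud resources.
INVENTORY: List[dict] = [
    {"id": "bucket/finance-reports", "type": "object_storage", "public_access": True,
     "encryption_at_rest": False, "logging": False},
    {"id": "bucket/static-web-assets", "type": "object_storage", "public_access": True,
     "encryption_at_rest": True, "logging": True, "tags": {"public-content": "approved"}},
    {"id": "sg/web-tier", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg/db-tier", "type": "security_group", "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
    {"id": "user/break-glass-admin", "type": "iam_user", "console_access": True, "mfa_enabled": False},
    {"id": "user/ci-deployer", "type": "iam_user", "console_access": False, "mfa_enabled": False},
]

MANAGEMENT_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource_type: str
    severity: str
    description: str
    compliant: Callable[[dict], bool]
    remediation: str
    fix: Optional[Callable[[dict], None]] = None   # present only where a safe automatic fix exists


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule_id: str
    severity: str
    remediation: str
    auto_remediable: bool


def _world_open_mgmt(entry: dict) -> bool:
    """True for an ingress entry exposing SSH or RDP to any source address."""
    return entry["port"] in MANAGEMENT_PORTS and entry["cidr"] in ANYWHERE


def _close_mgmt_ports(sg: dict) -> None:
    sg["ingress"] = [e for e in sg["ingress"] if not _world_open_mgmt(e)]


RULES: List[Rule] = [
    Rule("STO-1", "object_storage", "high", "No public access without a recorded exception",
         lambda b: not b.get("public_access") or b.get("tags", {}).get("public-content") == "approved",
         "Block public access, or tag the bucket public-content=approved after review",
         lambda b: b.update(public_access=False)),
    Rule("STO-2", "object_storage", "medium", "Encryption at rest enabled",
         lambda b: bool(b.get("encryption_at_rest")),
         "Enable default encryption (CSP-managed or customer-managed key)",
         lambda b: b.update(encryption_at_rest=True)),
    Rule("STO-3", "object_storage", "low", "Access logging enabled",
         lambda b: bool(b.get("logging")), "Send access logs to the central log store",
         lambda b: b.update(logging=True)),
    Rule("NET-1", "security_group", "high", "SSH/RDP not reachable from the internet",
         lambda sg: not any(_world_open_mgmt(e) for e in sg.get("ingress", [])),
         "Restrict management ports to the bastion or VPN range", _close_mgmt_ports),
    Rule("IAM-1", "iam_user", "high", "Console users have MFA",
         lambda u: not u.get("console_access") or bool(u.get("mfa_enabled")),
         "Enrol the user for MFA; no automatic fix because the user must register a device"),
]


def assess(inventory: List[dict]) -> List[Finding]:
    """Evaluate every resource against the rules for its type."""
    return [Finding(res["id"], rule.rule_id, rule.severity, rule.remediation, rule.fix is not None)
            for res in inventory for rule in RULES
            if rule.resource_type == res["type"] and not rule.compliant(res)]


def remediate(inventory: List[dict], findings: List[Finding],
              dry_run: bool = True) -> Tuple[List[dict], List[str]]:
    """Apply automatic fixes on a copy of the inventory; with dry_run only the log is produced."""
    rules = {r.rule_id: r for r in RULES}
    fixed = copy.deepcopy(inventory)
    by_id = {r["id"]: r for r in fixed}
    log: List[str] = []
    for f in findings:
        rule = rules[f.rule_id]
        if rule.fix is None:
            log.append(f"{f.resource_id} {f.rule_id}: manual action needed ({f.remediation})")
            continue
        log.append(f"{f.resource_id} {f.rule_id}: {'would apply' if dry_run else 'applied'} fix")
        if not dry_run:
            rule.fix(by_id[f.resource_id])
    return fixed, log


if __name__ == "__main__":
    findings = assess(INVENTORY)
    for f in findings:
        print(f.severity.upper(), f.resource_id, f.rule_id, f.remediation)
    _, log = remediate(INVENTORY, findings, dry_run=True)
    print(*log, sep="\n")
```

On the constructed inventory the assessment reports five findings: three on the finance bucket, the world-open SSH rule on the web tier, and the break-glass administrator without MFA; the public static-assets bucket is accepted because the exception is recorded as a tag. A live remediation run clears everything except the MFA finding, which stays open until the user has enrolled. Keeping the approved-exception path explicit matters in practice: posture tools that cannot record exceptions are quickly ignored because of noise.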

An example of an AI enhanced product is a network monitoring tool that observes the network traffic coming
in and out of an organisation. Such a tool can build up knowledge of a complex multi-cloud environment by
analysing the typical patterns of network traffic so that any unusual activity can be detected at an early stage,
helping to respond to cloud-related threat events before they escalate into major security incidents.
For advice on using defensive AI see the ISF briefing paper Demystifying Artificial Intelligence in
Information Security.
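As an added example (not the ISF's or any vendor's code) of the behavioural baselining described above, the Python below learns an hourly outbound-traffic baseline per host from a day of constructed flow summaries and scores the next hour against that host's own history using the median and the median absolute deviation (MAD). It handles two cases a single global threshold gets wrong: a host with too little history is reported as such rather than as an anomaly, and a host with perfectly constant traffic (MAD of zero) is given a minimum scale so that a trivial fluctuation is not flagged. The flow records, the 12-hour history requirement and the factor of four are assumptions for the example.

```python
"""Per-host behavioural baseline for outbound traffic.

Added example for this report: not ISF code and not a vendor's product. The
flow-summary format, the 12-hour history requirement and the factor of four
over the median absolute deviation (MAD) are assumptions for illustration."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Flow = Tuple[str, int, int]            # (host, hour index, bytes sent outbound in that hour)
MIN_HISTORY_HOURS = 12
K = 4.0                                # deviation multiple that counts as anomalous
MIN_SCALE_FRACTION = 0.05              # floor on the scale so constant traffic is not over-sensitive


def constructed_flows() -> List[Flow]:
    """Constructed sample data: hours 0-23 are history, hour 24 is under evaluation."""
    flows: List[Flow] = []
    for h in range(24):
        flows.append(("app-01", h, 50_000_000 + (h * 768_143) % 5_000_000))   # busy, varies
        flows.append(("db-01", h, 2_000_000 + (h * 104_729) % 500_000))       # quiet, varies
        flows.append(("vpn-gw", h, 10_000_000))                               # perfectly constant
    for h in range(21, 24):
        flows.append(("batch-01", h, 20_000_000))                             # only 3 hours known
    flows += [("app-01", 24, 55_000_000),        # slightly above its usual volume
              ("db-01", 24, 400_000_000),        # about 200x its usual volume: exfiltration-like
              ("vpn-gw", 24, 10_500_000),        # small wobble on constant traffic
              ("batch-01", 24, 900_000_000)]     # huge, but there is no baseline to judge it against
    return flows


def build_baselines(flows: List[Flow], eval_hour: int) -> Dict[str, Tuple[float, float, int]]:
    """Per host: (median, MAD, hours of history) from flows before eval_hour."""
    history: Dict[str, List[int]] = defaultdict(list)
    for host, hour, bytes_out in flows:
        if hour < eval_hour:
            history[host].append(bytes_out)
    baselines: Dict[str, Tuple[float, float, int]] = {}
    for host, values in history.items():
        med = median(values)
        mad = median([abs(v - med) for v in values])
        baselines[host] = (med, mad, len(values))
    return baselines


def score(host: str, bytes_out: int,
          baselines: Dict[str, Tuple[float, float, int]]) -> Tuple[str, float]:
    """Return (verdict, deviation); verdict is normal, anomalous or insufficient_history."""
    if host not in baselines or baselines[host][2] < MIN_HISTORY_HOURS:
        return "insufficient_history", 0.0
    med, mad, _ = baselines[host]
    scale = max(mad, MIN_SCALE_FRACTION * med, 1.0)   # MAD is 0 for constant traffic; keep a floor
    deviation = (bytes_out - med) / scale
    return ("anomalous" if deviation > K else "normal"), round(deviation, 2)


def evaluate(flows: List[Flow], eval_hour: int) -> Dict[str, Tuple[str, float]]:
    """Score every host that has traffic in eval_hour against its own baseline."""
    baselines = build_baselines(flows, eval_hour)
    return {host: score(host, bytes_out, baselines)
            for host, hour, bytes_out in flows if hour == eval_hour}


if __name__ == "__main__":
    for host, (verdict, dev) in evaluate(constructed_flows(), 24).items():
        print(f"{host:9} {verdict:22} deviation={dev}")
```

On the constructed data only db-01 is reported as anomalous: its 400 MB hour is hundreds of deviations above a 2 MB baseline, while app-01 at 55 MB sits within its normal spread and the VPN gateway's half-megabyte wobble is absorbed by the scale floor. batch-01 is flagged as having insufficient history even though its 900 MB hour is the largest in the set, which is the correct behaviour: a tool that has not yet learnt a host should say so rather than guess, and such hosts are a good candidate for manual review until the baseline matures.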


8 MAXIMISE POTENTIAL,
TAKE RESPONSIBILITY
Modern organisations must operate at a fast pace, delivering new products and services to
stay ahead of the competition. Many are therefore choosing to move ever further towards
cloud computing, as the elasticity and scalability offered by cloud services provide the
desired flexibility needed to compete. For an organisation to have confidence that it can
move to the cloud whilst ensuring that vital technological infrastructure is secure, a robust
strategy is required.
The cloud environment has become an attractive target for cyber attackers, highlighting the pressing need for
organisations to enhance their existing security practices. Yet consistently implementing the fundamentals of
cloud security can be a complicated task due to the diverse and expanding nature of the cloud environment.

This is but one of many challenges that organisations need to overcome to use cloud services securely.
Organisations cannot rely purely on CSPs to secure their critical information assets but must accept their own
share of responsibility. This responsibility calls for a combination of good governance, deployment of core
controls and adoption of effective security products and services. Controls that cover network security, access
management, data protection, secure configuration and security monitoring are not new to information
security practitioners, but they are critical to using cloud services securely.

Going forward, organisations can select from a variety of trends and technologies that will enable them to use
cloud services securely – from the adoption of new products to the embedding of improved processes, such as
a focus on secure containers, where security is given greater emphasis during development.

Assuring that services are used securely will provide business leaders with the confidence they need to fully
embrace the cloud, maximising its potential and driving the organisation forward into the future.

APPENDIX A: Glossary
This appendix provides a description of the main cloud-related terms used in this report.
Cloud computing: distributed, on-demand computing services delivered across networks, typically using the
internet.

Cloud customer: an organisation that is using cloud services.

Cloud environment: the combination of multiple cloud services that an organisation typically makes use of.

Cloud deployment types: the type of cloud infrastructure that an organisation is looking to operate or acquire
(i.e. Private, Public or Hybrid).

Cloud devices: different types of virtual appliances configured and used by cloud customers, including virtual
servers, virtual networking devices (e.g. virtual firewall) and relevant application containers.

Cloud infrastructure: the physical hosting and related devices such as servers, network equipment and an
underlying OS for virtualisation.

Cloud management console: a single entry-point portal, specific to the CSP, used to configure cloud services.

Cloud security vendor: a vendor of security products and services related to the cloud environment.

Cloud services: computing services offered by an external provider, including business applications, document
storage solutions, databases and virtual servers.

Cloud service model: the type of cloud service that is offered by CSPs. There are three main types of cloud
service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Cloud service provider (CSP): a vendor that provides cloud services, which can be purchased on demand by a
cloud customer.

DevOps: a set of practices that integrates software development and IT operations, applying agile principles (i.e.
iterative and incremental change) and automation to the ongoing development, deployment and operation of applications.

Hypervisor: software (usually relying on hardware virtualisation support in the processor) that creates and runs multiple
virtual machines on the same physical machine.

Multi-tenancy: an architectural model where CSPs store data from different customers on virtual servers using
the same physical servers, which are logically segregated via the hypervisor (i.e. the technology that enables
multi-tenancy).

On-premises computing: represents the traditional IT equipment and facilities that an organisation possesses
and is logically separated from the cloud environment by a network boundary or gateway.

Serverless: a technology used to develop scalable applications, whilst avoiding the administrative functions
to maintain virtual and physical servers. Fundamentally, the server still exists, but is ‘hidden’ to individuals
working on application development.

APPENDIX B: CSP cloud
security certifications
This appendix provides examples of the main certifications and standards that CSPs typically
seek to obtain. Some are specific to a cloud environment whereas others are generic to
information security certifications and accreditations.

TYPE | NAME | FULL NAME AND BRIEF OVERVIEW

Cloud specific | CSA STAR | CSA STAR program (Security, Trust, Assurance and Risk)
There are three levels of certification:
‒ Level 1: Self-assessment
‒ Level 2: Third-party certification
‒ Level 3: Continuous auditing
Most of the major CSPs (e.g. Microsoft, Google) have obtained a STAR certification. The CSA publishes the list of CSPs
with their level of certification and its validity on its website.

Cloud specific | BSI C5 | Cloud Computing Compliance Controls Catalogue (C5)
While primarily targeted at CSPs working with German government agencies, C5 is quickly becoming a well‑regarded and
sought-after attestation when evaluating CSPs. It covers the traditional information security controls described in
ISO/IEC 27002:2013 and adds the data protection requirements needed for the cloud.
Some of the major CSPs have obtained a C5 attestation (e.g. Box, AWS, SAP), primarily to conduct business with German
agencies, but also to demonstrate compliance with a well-regarded standard irrespective of country-specific requirements.

Cloud specific | FedRAMP | Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP’s security baselines are derived from NIST SP 800-53 (Security and Privacy Controls for Federal Information
Systems and Organizations, required for FISMA compliance) with a set of control enhancements that address the security
requirements specific to cloud computing.
There are three levels of baseline controls: High, Moderate and Low.
Any cloud service that holds US federal data must be FedRAMP authorised at the baseline level matching the FIPS 199
impact level (Low, Moderate or High) of the data it will hold, as categorised by the agency.

Cloud specific | ISO/IEC 27017:2015 | Code of practice for information security controls based on ISO/IEC 27002 for cloud services
The standard gives guidelines for information security controls based upon ISO/IEC 27002:2013, applicable to the
provision and use of cloud services. It can lead to certification (e.g. Google, Salesforce).

Cloud specific | ISO/IEC 27018:2014 | Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
The standard covers the protection of PII in public clouds and can lead to certification (e.g. Microsoft, AWS).

Generic | ISO/IEC 27001:2013 | Information security management systems: Requirements
This well-known standard is used by many CSPs to certify their cloud services against the implementation and
maintenance of an information security management system (ISMS).

Generic: supply chain | AICPA SOC | SOC 2 (Service Organization Control 2)
An assurance report that focuses on organisational controls related to five principles: Security, Availability,
Processing integrity, Confidentiality and Privacy. The criteria for these five areas are defined in the AICPA Trust
Services Principles and Criteria. SOC 2 provides a formal attestation at the end of the assessment.
SOC 3 (Service Organization Control 3)
A report that focuses on the same five principles as a SOC 2 report but is intended for a general audience: shorter,
less detailed and suitable for posting on a company website to demonstrate compliance.

APPENDIX C: Cloud security
controls applicability
This appendix presents the applicability ratings of the 45 core cloud security controls to the
three cloud service models.
LEVEL OF APPLICABILITY TO SERVICE MODEL (IaaS | PaaS | SaaS)
Rating legend: High, Medium, Low, None (the per-model ratings appear as coloured markers in the original table and are not reproduced in this text)

A | NETWORK SECURITY
A.1 CLOUD CONNECTIONS
A.1.1 Apply HTTPS (SSL/TLS)
A.1.2 Configure a virtual private network (VPN)
A.1.3 Implement a wide area network (WAN) solution
A.2 NETWORK SEGMENTATION
A.2.1 Implement virtual local area networks (VLANs)
A.2.2 Use software-defined networking (SDN)
A.2.3 Configure firewalls to manage networks
A.3 FIREWALL CONFIGURATION
A.3.1 Leverage the inbuilt firewalls supplied by CSP
A.3.2 Implement virtual firewalls
A.3.3 Deploy web application firewalls (WAFs)

B | ACCESS MANAGEMENT
B.1 IDENTITY AND ACCESS MANAGEMENT (IAM)
B.1.1 Leverage existing on-premises IAM solution
B.1.2 Deploy an identity as a service (IDaaS) product
B.1.3 Build a hybrid IAM solution
B.2 SECURE SIGN-ON PROCESS
B.2.1 Use single sign-on (SSO)
B.2.2 Deploy multi-factor authentication (MFA)
B.3 ADMINISTRATOR ACCESS
B.3.1 Apply least privilege principle
B.3.2 Maintain an inventory of cloud administrators
B.3.3 Consider deploying a privileged access management tool
B.3.4 Review administrator activities



C | DATA PROTECTION
C.1 DATA MANAGEMENT
C.1.1 Use data location services
C.1.2 Perform data backups regularly
C.1.3 Protect data in line with its classification
C.2 DATA ENCRYPTION
C.2.1 Use the CSP default encryption solution
C.2.2 Configure customer-managed key encryption
C.2.3 Implement customer-supplied key encryption
C.3 DATA LEAKAGE PREVENTION (DLP)
C.3.1 Extend on-premises DLP programme to cloud services
C.3.2 Configure DLP functionality in cloud services
C.3.3 Use DLP functionality of a cloud access security broker (CASB)

D | SECURE CONFIGURATION
D.1 BUILD STANDARDISATION
D.1.1 Employ a manual build process
D.1.2 Adopt an infrastructure as code (IaC) approach
D.1.3 Apply ‘gold standard’ images
D.2 APPLICATION PROGRAMMING INTERFACE (API)
D.2.1 Configure web APIs securely
D.2.2 Deploy an API management tool
D.2.3 Use an API gateway
D.3 VIRTUALISATION AND CONTAINERISATION
D.3.1 Secure virtual machines (VMs)
D.3.2 Configure containers securely

E | SECURITY MONITORING
E.1 VULNERABILITY MANAGEMENT
E.1.1 Implement vulnerability scanning
E.1.2 Conduct regular penetration tests
E.1.3 Consider crowdsourced penetration testing
E.1.4 Perform code reviews
E.2 SECURITY EVENT MANAGEMENT
E.2.1 Use a cloud-based security information and event management (SIEM)
E.2.2 Connect the cloud environment to an on-premises SIEM
E.2.3 Leverage a managed security service provider’s (MSSP) experience
E.3 SECURITY INCIDENT MANAGEMENT
E.3.1 Create a cloud security incident management capability
E.3.2 Establish a cloud security incident management process
E.3.3 Develop and test cloud security incident management plans

APPENDIX D: Cloud-related
threat events
This appendix provides a list of the most common cloud-related threat events.
Adversarial threat events:
‒ Compromise business partners to gain access to cloud services (ADV024)
‒ Conduct denial of service attack (ADV005)
‒ Exfiltrate sensitive data from cloud services (No mapping)
‒ Exploit cloud design or configuration weaknesses (ADV008)
‒ Exploit insecure interfaces and APIs (No mapping)
‒ Exploit vulnerable authorisation mechanisms (ADV003)
‒ Introduce malware to cloud services (ADV007)
‒ Introduce unauthorised code into applications or software (ADV0023)
‒ Misuse of cloud services (ADV011)
‒ Session hijacking of cloud services (ADV001)
‒ Unauthorised access to cloud service authentication credentials (ADV002)
‒ Unauthorised monitoring of communications (ADV004)
‒ Unauthorised network scanning or probing (ADV0016)

Accidental threat events:


‒ Malfunction of cloud services (No mapping)
‒ Misconfiguration of cloud services (ACC007)
‒ Mishandling of critical or sensitive information by authorised users (ACC002)
‒ Undesirable effect of change (ACC005)
‒ User error (negligence or accidental) (ACC003, ACC001)

Additional notes
‒ The ISF cloud-related threat event list focuses on adversarial and accidental threat events as environmental threat
events are outside the control of the cloud customer.
‒ To support an information risk assessment of a cloud environment using IRAM2, the reference code of the most
closely aligned IRAM2 threat event is provided in brackets after each cloud-related threat event.
‒ This list has been cross-checked with publicly available references, such as the CSA threat list [7].

[7] “Top Threats to Cloud Computing: Egregious Eleven”, CSA, 8 June 2019, https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven/

APPENDIX E: Cloud controls mapping
to the cloud-related threat events
The ability of the 45 core cloud security controls to protect against one or more cloud-related threat events
has been analysed based upon industry-wide surveys and ISF Members' input throughout the workshops. The
relevant mapping has been provided at a control topic level within Section 6 and is summarised in the following
table:
The columns of the table are the 15 control topics: A.1 Cloud connections; A.2 Network segmentation; A.3 Firewall configuration; B.1 Identity and access management (IAM); B.2 Secure sign-on process; B.3 Administrator access; C.1 Data management; C.2 Data encryption; C.3 Data leakage prevention (DLP); D.1 Build standardisation; D.2 Application programming interface (API); D.3 Virtualisation and containerisation; E.1 Vulnerability management; E.2 Security event management; E.3 Security incident management. The number of control topics mapped to each threat event is given below (the per-topic markers of the original table do not survive in this text).

ADVERSARIAL
‒ Compromise business partners to gain access to cloud services: 2
‒ Conduct denial of service attack: 2
‒ Exfiltrate sensitive data from cloud services: 11
‒ Exploit cloud design or configuration weaknesses: 7
‒ Exploit insecure interfaces and APIs: 7
‒ Exploit vulnerable authorisation mechanisms: 5
‒ Introduce malware to cloud services: 8
‒ Introduce unauthorised code into applications or software: 5
‒ Misuse of cloud services: 1
‒ Session hijacking of cloud services: 4
‒ Unauthorised access to cloud service authentication credentials: 5
‒ Unauthorised monitoring of communications: 4
‒ Unauthorised network scanning or probing: 4

ACCIDENTAL
‒ Malfunction of cloud services: 1
‒ Misconfiguration of cloud services: 3
‒ Mishandling of critical or sensitive information by authorised users: 5
‒ Undesirable effect of change: 4
‒ User error (negligence or accidental): 8

ACKNOWLEDGEMENTS
The ISF would like to thank all ISF Members and external experts who contributed to
this report by being interviewed, posting comments on ISF Live and attending solution
development workshops.
As always, because ISF Members are providing information that may be about their own organisation, their
contributions are anonymous. These acknowledgements show the individuals and the organisations they
represented at the time they contributed to this project. Some workshop participants preferred not to have
their attendance acknowledged here.

ISF MEMBERS
Suyi Guo, ABN AMRO
Dragan Stevanovic, Allianz Technology SE
Lawrie Lee, A. P. Moller-Maersk Group
Abdelberi Chaabane, AXA
Mathieu Cousin, AXA
Manoj Mathai, AXA
Sarah Schuckert, Capgemini Invent
Thierry de Brabandere, Coca Cola European Partners
Venkatesh Ravindran, Colt Technologies Services
Juergen Diehl*, Commerzbank
Hugh Gilmour, Compass Group PLC
Tim Wilson, Córas Iompair Éireann
Geir Berglind, DNB Bank ASA
Robert Frandsen, DSV A/S
Jacques Sibué, Engie
Jean-Christophe Vidon, Essity
Wes Sheppard, Exact Software B.V.
Julia Hermann, Giesecke+Devrient
Michael Koepferl, Giesecke+Devrient
Didier Mas, GSK ltd.
Marcus Schmid, IBM Germany
Thierry Matusiak, IBM Security (France)
Dr. Werner Gutau, Infineon Technologies AG
Tunç Bilgin, Ingenico ePayments
Clive Payne*, JP Morgan Chase
Kieran Mongan, KM Security Consulting Ltd
Hans Blankestijn, Legian
Ruud Jongejan, Legian
Andre Poeltuyn, Liberty Global
Aline Barthelemy, Louis Dreyfus Company
Michael Nebauer, Munich Re
Cédric Eiffling, National Bank of Belgium
Eugene Gryazin, Nordea
Aleksi Luhtamäki, OP Financial Group
Sami Hölsömäki, Outokumpu Oyj
Johan Bom, Robeco
Jelle Elzinga, Royal FrieslandCampina
Ove Liljeqvist, Samlink
Fabian Fuhrmann, SAP Deutschland SE & Co. KG
Bert Kloor, Sociale Verzekeringsbank (SVB)
Dinesh Shah, Swiss Re
Andrew Donaldson, Swivel Secure
Clive Blake, Symantec Corporation (UK)
Thomas Hemker, Symantec Corporation (Germany)
Jari Pirhonen, Tieto Corporation

*Contributors marked with an asterisk reviewed part of this document. Additional thanks for their time and feedback.

ABOUT ISF
Founded in 1989, the Information Security Forum (ISF)
is an independent, not-for-profit association of leading
organisations from around the world. It is dedicated
to investigating, clarifying and resolving key issues in
cyber, information security and risk management and
developing best practice methodologies, processes and
solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing


in-depth knowledge and practical experience drawn
from within their organisations and developed through
an extensive research and work programme. The ISF
provides a confidential forum and framework, which
ensures that Members adopt leading-edge information
security strategies and solutions. And by working
together, Members avoid the major expenditure
required to reach the same goals on their own.

FOR FURTHER
INFORMATION CONTACT:
Information Security Forum
+44 (0)20 3875 6868
[email protected]
securityforum.org

REFERENCE: ISF 19 10 01
©2019 Information Security Forum Limited. All rights reserved.
