Sector 13 – Cloud Security

Cloud security focuses on securing data, applications, and services that are hosted in the cloud. As businesses increasingly migrate to cloud environments, it is essential to ensure that cloud resources are protected from data breaches, unauthorised access, and other cyber threats. This sector includes securing cloud infrastructure, APIs, identity management, encrypting sensitive data, and ensuring cloud service providers comply with security standards. By adopting cloud security best practices, organisations can ensure the integrity, availability, and confidentiality of their cloud-hosted assets, while maintaining compliance with relevant regulations.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 13.1: Use Reputable Cloud Providers

Does your enterprise use reputable and trusted cloud service providers who have established security measures in place?
Example: Select cloud providers like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud that comply with industry-standard security certifications, for example ISO 27001.

Measure 13.2: Implement Basic Identity and Access Management (IAM)

Does your enterprise manage user access to cloud services using basic identity and access management (IAM) practices?
Example: Set up simple IAM controls to ensure that only authorised personnel have access to your cloud resources. Implement role-based access control (RBAC) to limit access based on user roles.

Measure 13.3: Enable Data Encryption

Does your enterprise ensure that sensitive data stored or transmitted in the cloud is encrypted?
Example: Enable built-in encryption features offered by cloud providers for both data at rest and data in transit. Ensure sensitive information like customer data and financial records is encrypted before being uploaded to the cloud.

Measure 13.4: Regularly Backup Cloud Data

Does your enterprise implement regular data backups for all critical cloud-hosted data to prevent data loss?
Example: Schedule regular cloud data backups to a secure, separate location, ensuring that data can be restored in the event of a breach or system failure.

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 13.5: Implement Multi-Factor Authentication (MFA)

Does your enterprise require multi-factor authentication (MFA) for accessing cloud services and applications?
Example: Enable MFA for all employees using cloud services to provide an extra layer of security, especially for critical systems and applications.

Measure 13.6: Use Secure APIs

Does your enterprise use secure APIs when integrating cloud services with other applications or systems?
Example: Ensure that APIs used to connect to cloud applications are secured using authentication methods such as OAuth, API keys, or mutual TLS, and regularly test APIs for vulnerabilities.

Measure 13.7: Perform Regular Security Audits of Cloud Configurations

Does your enterprise conduct regular security audits of your cloud environments to ensure that configurations are secure and up to date?
Example: Regularly review cloud settings for potential security misconfigurations, such as open storage buckets or unused open ports, and use tools like AWS Config or Azure Security Center to assess the security posture of your cloud services.
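An added illustration of the two misconfigurations named above (not part of the certification text): a small Python check that reads an S3-style bucket policy and EC2-style security-group rules and reports public grants and world-open ports. The sample policy, group and the `EXPECTED_PUBLIC_PORTS` allowlist are constructed assumptions; in practice the input would come from your provider's configuration export.

```python
import json

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}
EXPECTED_PUBLIC_PORTS = {443}  # assumption: only HTTPS is meant to face the internet

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    # "Principal": "*" and {"AWS": "*"} both mean "anyone"
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_statements(policy_json):
    """Allow statements that grant access to everyone with no Condition attached."""
    statements = as_list(json.loads(policy_json).get("Statement", []))
    return [s for s in statements if s.get("Effect") == "Allow"
            and is_wildcard(s.get("Principal")) and not s.get("Condition")]

def world_open_ports(group):
    """Port ranges reachable from any address, excluding the expected public ports."""
    found = []
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # protocol "-1" omits ports
        if cidrs & ANY_ADDRESS and not (lo == hi and lo in EXPECTED_PUBLIC_PORTS):
            found.append((lo, hi))
    return found

# Constructed sample data, not taken from any real account
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/finance"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/reports/*"}]})
SAMPLE_GROUP = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}

if __name__ == "__main__":
    print([s["Sid"] for s in public_statements(SAMPLE_POLICY)])
    print(world_open_ports(SAMPLE_GROUP))
```

Statements that carry a Condition are deliberately left out of the findings; they can still be broad and need manual review.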

Measure 13.8: Establish Clear Cloud Security Policies

Does your enterprise have clear cloud security policies that outline how data should be handled, accessed, and protected in the cloud?
Example: Develop cloud security guidelines and best practices for employees, including acceptable use policies, data protection requirements, and rules for secure cloud application development.

Measure 13.9: Monitor Cloud Activity for Suspicious Behaviour

Does your enterprise monitor cloud environments for unusual or suspicious activity?
Example: Implement tools like AWS CloudTrail or Microsoft Sentinel to monitor for unauthorised access attempts or other suspicious activities in your cloud infrastructure.
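An added illustration of the monitoring described above (not part of the certification text): detection logic over CloudTrail-style records that flags repeated failed console logins from one address and repeated denied API calls by one identity. The records, account ID, addresses and the threshold of 3 are constructed assumptions.

```python
from collections import Counter

DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}
ACCOUNT = "arn:aws:iam::111122223333:user/"  # constructed account ID

def _rec(name, ip, user, **extra):
    # Helper that builds a minimal CloudTrail-shaped record for the sample data
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": ACCOUNT + user}, **extra}

# Constructed sample records, not taken from any real trail
SAMPLE_RECORDS = (
    [_rec("ConsoleLogin", "203.0.113.50", "alice",
          responseElements={"ConsoleLogin": "Failure"})] * 4
    + [_rec("ConsoleLogin", "198.51.100.7", "bob",
            responseElements={"ConsoleLogin": "Success"})]
    + [_rec("GetObject", "198.51.100.7", "bob", errorCode="AccessDenied")] * 3
    + [_rec("DescribeInstances", "198.51.100.7", "carol",
            errorCode="Client.UnauthorizedOperation")]
)

def suspicious_activity(records, threshold=3):
    """Return sorted (alert_type, subject, count) tuples at or above the threshold."""
    failed_logins, denied = Counter(), Counter()
    for rec in records:
        ip = rec.get("sourceIPAddress", "unknown")
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        login_result = (rec.get("responseElements") or {}).get("ConsoleLogin")
        if rec.get("eventName") == "ConsoleLogin" and login_result == "Failure":
            failed_logins[ip] += 1      # group failed logins by source address
        elif rec.get("errorCode") in DENIED_CODES:
            denied[who] += 1            # group denied API calls by identity
    alerts = [("failed_console_logins", ip, n)
              for ip, n in failed_logins.items() if n >= threshold]
    alerts += [("denied_api_calls", who, n)
               for who, n in denied.items() if n >= threshold]
    return sorted(alerts)

if __name__ == "__main__":
    for alert in suspicious_activity(SAMPLE_RECORDS):
        print(alert)
```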

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 13.10: Conduct Advanced Cloud Security Audits and Penetration Testing

Does your enterprise conduct advanced security audits, including penetration testing, to assess the security of cloud infrastructure and applications?
Example: Regularly conduct penetration testing to identify vulnerabilities in cloud configurations, applications, or networks. Work with third-party security experts to test the effectiveness of your cloud security measures.

Measure 13.11: Enforce Data Loss Prevention (DLP) in the Cloud

Does your enterprise enforce data loss prevention (DLP) strategies for sensitive data in the cloud to prevent data leaks or unauthorised sharing?
Example: Use cloud DLP tools to monitor, detect, and block sensitive data from being shared or downloaded from cloud services without proper authorisation, such as customer information or intellectual property.

Measure 13.12: Implement Cloud Security Posture Management (CSPM)

Does your enterprise use Cloud Security Posture Management (CSPM) tools to automate security configurations and compliance monitoring in cloud environments?
Example: Leverage CSPM solutions, such as Prisma Cloud or Check Point CloudGuard, to continuously monitor your cloud environments for misconfigurations, vulnerabilities, and compliance violations.

Measure 13.13: Ensure Cloud Providers Meet Security Standards

Does your enterprise ensure that your cloud service providers comply with relevant security certifications and standards, such as ISO 27001?
Example: Regularly review your cloud provider’s security certifications and ask for their most recent audit reports to ensure they comply with industry standards and best practices for cloud security.

Measure 13.14: Establish Incident Response Plans for Cloud Incidents

Does your enterprise have an incident response plan specific to cloud environments that addresses potential security breaches or data loss incidents?
Example: Develop a cloud-specific incident response plan that includes processes for detecting, containing, and recovering from cloud security incidents, including identifying impacted resources and notifying customers.

———————————————————————————————————