BACKGROUND AND KEY RISKS:
What you need to know about enterprise cloud security
Cloud security is the set of practices, policies, and controls an organization uses to protect its assets in the cloud: the cloud environments themselves, the data stored there, the applications running there, and the users and identities that interact with them. In almost every cloud environment, security is a shared responsibility. The provider secures the underlying infrastructure (physical facilities, hardware, hypervisor, and the managed services it operates), while the customer is responsible for what it deploys and configures on top: data, identities and access, application code, and network and storage settings. The boundary moves with the service model (the customer owns more of it under IaaS and less under SaaS), so the first step in any cloud security program is to establish exactly which controls the provider operates and which remain the customer's.
WHAT MANAGEMENT CAN DO:
Several widely used standards and frameworks give organizations a structure for building and assessing a cloud security management program. Adhering to them helps an organization build a comprehensive program that protects its cloud resources and sensitive data, and an independent audit or certification against them gives customers, regulators, and other stakeholders evidence of that security posture rather than a self-declaration.
These standards include:
ISO 27001: An international standard specifying the requirements for an information security management system (ISMS): a risk-based, continually improved set of policies and controls for managing sensitive information. It is not specific to the cloud (the companion code of practice ISO/IEC 27017 adds cloud-specific control guidance), but an ISMS whose scope includes cloud assets gives a structured way to identify cloud risks, select controls, and verify them through internal and certification audits.
SOC 2: An attestation framework from the American Institute of CPAs (AICPA) in which an independent auditor reports on a service organization's controls against the Trust Services Criteria: security (always required), plus availability, processing integrity, confidentiality, and privacy as selected. A Type I report assesses control design at a point in time; a Type II report also tests operating effectiveness over a period. SOC 2 produces a report rather than a certification, and the criteria describe what controls must achieve rather than how, so a customer reading a provider's report should check the scope, the period covered, and any exceptions the auditor noted.
NIST Cybersecurity Framework: A voluntary, risk-based framework from the National Institute of Standards and Technology (NIST) that organizes cybersecurity activities into core functions (Govern, Identify, Protect, Detect, Respond, and Recover in version 2.0) and maps them to existing standards, guidelines, and practices. It does not prescribe specific cloud controls, but it gives organizations a common structure for assessing their current posture, setting a target profile, and tracking progress across their cloud environments.
CSA Security, Trust, and Assurance Registry (STAR): A public registry run by the Cloud Security Alliance (CSA) in which cloud service providers (CSPs) publish assessments of their security controls against the CSA Cloud Controls Matrix (CCM). Level 1 is a self-assessment using the Consensus Assessments Initiative Questionnaire (CAIQ); Level 2 is a third-party audit or certification against the CCM. Because the CCM is cloud-specific and maps to other standards, STAR entries give customers a consistent way to compare providers' policies, procedures, and controls during vendor evaluation.
PCI DSS: A standard maintained by the Payment Card Industry Security Standards Council (PCI SSC) that applies to any organization that stores, processes, or transmits cardholder data. It specifies concrete technical and operational requirements, such as network segmentation, protection of stored cardholder data, strong access control, logging and monitoring, and regular security testing. In the cloud, compliance remains the customer's obligation: a provider's own PCI DSS attestation covers only the services and controls it operates, so the customer must define the in-scope environment, document which requirements the provider meets, and implement and evidence the rest.