Cloud security standards include clear steps that organizations can take to secure their cloud environments and mitigate the risk of cyberattacks.
Wiz Experts Team
8 min read
What are cloud security standards?
Cloud security standards are specialized technical regulations and guidelines for securing cloud platforms. Although organizations take different paths to cloud adoption, like infrastructure as a service (IaaS), software as a service (SaaS), or platform as a service (PaaS), all paths pose pressing security challenges. The diversity of approaches to cloud adoption also makes it difficult for organizations to know what to secure, how to assess their security postures, and if they’re meeting industry-wide standards.
These challenges, coupled with common issues such as flawed software configurations, inadequate authentication and authorization, and poor access controls, can make cloud platforms a prime target for threat actors. Cloud security standards were developed to combat these vulnerabilities, providing benchmarks for cloud service providers (CSPs) and organizations aiming to safeguard their cloud environments.
The importance of cloud security standards
Cloud security standards include clear steps that organizations can take to secure their cloud environments and mitigate the risk of cyberattacks. The standards facilitate cloud resource interoperability and help organizations assess their cloud security posture. Most standards target specific areas of cloud security—let’s take a look at the top four:
1. Data encryption
To safeguard cloud-hosted data and protect customer identity in industries that deal with sensitive information (such as healthcare and finance), cloud security standards mandate the encryption of data in transit and at rest. Encryption helps prevent data breaches, exfiltration, and unauthorized modification. That’s why many standard-bearers, like the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the National Institute of Standards and Technology (NIST) provide guidelines for data storage.
For example, ISO/IEC 27040, in accordance with ISO/IEC 27001, provides security frameworks for cloud databases and prohibits organizations from storing unencrypted data. NIST SP 800-57 mandates organizations must protect encryption and decryption keys from unauthorized access.
2. Identity and access Management (IAM)
Cloud standards provide roadmaps for managing user identities, granting access privileges, and authorizing and authenticating staff access and actions. IAM measures include the implementation of role-based access control (RBAC) and zero-trust network access (ZTNA) to reduce the risk of credential theft, account compromise, privilege escalation, and data breaches. Both ISO/IEC 27001:2022 Annex A 5.16 and NIST SP 800-207 fall under this category.
3. Compliance audits
Cloud compliance audits help you review your adherence to security frameworks. After completing audits, compliant organizations earn certifications that demonstrate their commitment to cloud security, which boosts customer trust. Compliance audits may occur regularly or at scheduled intervals and can be automated.
Let’s take a look at some important standards in more detail.
ISO/IEC standards for cloud security
ISO/IEC standards for cloud security are guidelines jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and they provide robust frameworks for information security management systems (ISMSs). The end goal of these standards is to help organizations safeguard cloud infrastructure, separate information on virtual servers based on sensitivity, and protect customer data and privacy.
Organizations that handle personally identifiable information (PII) and protected health information (PHI)—regardless of size or type—require ISO/IEC certifications to operate in certain regions, as well as to protect themselves from associated financial, legal, and regulatory risks.
The 27000 series standards relate to cloud security and include key provisions like ISO/IEC 27001, 27002, 27017, and 27018. ISO/IEC 27001:2013 outlines best practices and principles for protecting sensitive data, but it’s not specifically about cloud storage. ISO/IEC 27002:2013 is also relevant because it focuses on access control and data privacy. ISO/IEC 27001:2013 and ISO/IEC 27002:2013 were adapted and improved in ISO 27017 and 27018 to address contemporary cloud security challenges. Let’s take a closer look at ISO/IEC 27017 and 27108.
The ISO/IEC 27017:2015 standard builds on many of the guidelines provided by ISO/IEC 27001 and 27002 and covers the seven areas explained in the table below.
CLD.6.3.1 stipulates that ownership of and responsibilities for securing cloud infrastructure must be clearly defined in a service level agreement (SLA) between a customer and a service provider. In short, each party must be aware of their roles.
Cloud service customer assets
CLD.8.1.5 stipulates that cloud service providers must return and remove assets belonging to customers once the contract between both parties is terminated or when the service provider can no longer ensure that sensitive data is safe from unauthorized parties.
Cloud data segregation
CLD.9.5.1 stipulates that service providers must separate data stored in virtual environments to ensure that customers do not have access to each other's assets.
Virtual machine hardening
CLD.9.5.2 mandates that both customers and providers must configure and harden virtual machines (VM) based on their security needs. Hardening lessens the potential weaknesses of standard containers and VM images and safeguards VM-hosted deployments against unauthorized modifications through the container image.
Administrator’s operational security
CLD.12.1.5 stipulates that customers should define and document administrative operations related to the security of their cloud environments, while CSPs should share documented proof (certifications, for example) to demonstrate their compliance with security standards.
Monitoring of cloud services
CLD.12.4.5 requires cloud service providers to enable customers to monitor specific aspects of operations within the cloud architecture to facilitate the swift identification and remediation of security threats.
Alignment of virtual and physical network security management
CLD.13.1.4 requires cloud service providers to implement network security policy configurations that are consistent across physical and virtual networks. Policy alignment improves an organization’s security posture.
These controls highlight the roles of each party in ISO 27017 standards and also emphasize the role of cloud service providers (CSPs) in industry-wide cloud security.
ISO 27018 describes principles for safeguarding PII (such as a client’s name, date of birth, credit card details, social security number, and medical records) in a public cloud environment. It introduces multiple controls (in addition to those related to PII in 27001 and 27002) that outline guidelines for selecting public clouds, assessing their associated risks, and implementing appropriate security controls. The controls include the following:
Public CSPs and customers must encrypt PII in transit and at rest.
Public CSPs must ensure their operations are audited routinely—or when significant procedural changes are made—by a third party. However, if third-party assessment poses a security risk to sensitive PII, self-auditing may be allowed with the CSP detailing the entire process with evidence.
Public CSPs must delete or remove PII within a specified timeframe once it is no longer needed.
Public CSPs must only process PII for prestated reasons and using pre-agreed processors. If sub-processors are used, this must also be stated in SLAs.
Public CSPs must help customers to provide PII principals with the opportunity to inspect how and where their PII is stored, as well as make changes to their PII as required.
Public CSPs and customers must protect PII in their care from undue access, grant role-based access to necessary employees only, and train the employees on privacy/security regulations for handling PII.
NIST cybersecurity framework
Developed by the National Institute of Standards and Technology, the NIST cybersecurity framework is a set of guidelines for U.S. federal agencies and the organizations that conduct business with them. NIST aims to foster secure cloud and technology adoption and encourage compliance with regulations and standards like the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Federal Information Security Management Act (FISMA). Let’s take a look at a few key standards.
The NIST Cloud Computing Reference Architecture is a special publication (NIST SP 500-292) that delineates a cloud security architecture consisting of key actors; their services, roles, and activities; the relationships between them; and how they can work together to facilitate cloud security. These actors are the cloud consumer, provider, auditor, broker, and carrier. While all actors are charged with the responsibility of data security, there are also actor-specific responsibilities as explained in the table below.
IaaS, PaaS, and SaaS consumers who use cloud services for storage, content delivery, application building and deployment, database management, accounting, and banking
Implement data encryption, integrity, and confidentiality, and PII privacy. Conduct security and privacy audits to prevent unauthorized access, modification, and exfiltration.
IaaS, PaaS, and SaaS providers who offer the services listed above and more
Ensure availability, interoperability, portability, rapid provisioning, monitoring (user access and behavior), auditing, and customer management (including opening and closing customer accounts, providing customers with clear contractual agreements on responsibilities of each party, ensuring PII privacy, allowing for customer access and relations, and resolving customer issues).
Independent or integrated assessors
Conduct security and privacy audits of companies’ cloud infrastructure and security practices to ascertain regulatory compliance.
Service intermediation, aggregation, and arbitrage
Manage, facilitate, and improve the security, performance of, and access to CSPs’ services. Aggregate one or more CSP services into a comprehensive and unified suite.
Intermediaries who facilitate consumer-provider data transmissions by offering cloud connectivity and transport services
Provide secure connections to prevent packet hijacking, MITM, and DDoS attacks.
NIST Special Publication (SP) 800-144
NIST SP 800-144 outlines the security and privacy challenges of using public services. It offers frameworks to consider when outsourcing data or using third-party app components, especially in regards to accountability and service/deployment models. It’s targeted at technical decision makers in U.S. federal agencies and private organizations who are cloud service customers. Some important guidelines from the publication are discussed below:
Cloud customers must carefully plan the security and privacy components of cloud solutions before adopting/deploying them. This planning should be based on data sensitivity and organizations’ security objectives.
Customers must have comprehensive knowledge of their public service provider’s cloud computing environment. This includes understanding the shared responsibility model and independently verifying providers’ security and privacy assurances. Customers must also identify the technologies that make up the services and their security implications.
Customers must verify that public cloud solutions meet industry and organizational security and privacy requirements on both the client and server sides. While most public CSPs offer non-negotiable service agreements, organizations with sensitive data should consider those who offer negotiable agreements on issues relating to data encryption, ownership, management and deletion (after contract termination), data and app segregation in the cloud, and regulatory compliance (e.g., standards that require notification of end users in the event of data breach).
Customers must be accountable to users and regulatory bodies for steps taken to ensure app and data privacy and security. This involves implementing and compiling records of regular NIST penetration testing, risk assessment, and service monitoring.
NIST Special Publication 800-53
NIST 800-53 establishes a framework of security controls that can be adopted by organizations and is mandatory for federal agencies who deal with all forms of PII. It provides a set of security control families, including base controls and control enhancements. These may be necessary in organizations where sensitive data is often handled that base controls cannot fully cover.
The basic controls are divided into 20 categories:
Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Assessment, Authorization, and Monitoring (AAM)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Individual Participation (IP)
Incident Response (IR)
Media Protection (MP)
Privacy Authorization (PA)
Physical and Environmental protection (PE)
Program Management (PM)
Personnel Security (PS)
Risk Assessment (RA)
System and Communications Protection (SC)
The main takeaway? While compliance with all the cloud security standards from NIST that we’ve discussed is not compulsory for non-federal information systems-related organizations, organizations that handle PII should implement them to safeguard against cybersecurity incidents and earn the trust of their clientele.
The Cloud Controls Matrix (CCM)
The Cloud Security Alliance (CSA) developed the CCM as a framework of cybersecurity principles for risk-based assessment. Cloud Security Alliance standards explain security regulations that are CSA-aligned (such as ISO/IEC and NIST) to promote transparent security assessment and easy and secure adoption of cloud infrastructure. The CCM is particularly helpful because it classifies control guidelines by cloud model, service provider, and consumer, making it easy for organizations to implement controls that are relevant to their specific use case.
The CCM covers areas including cryptography and cryptographic key management; app, data and service security; supply chain management, penetration testing, and vulnerability assessment; identity access management; and audit compliance. CSA offers STAR certifications for vendors who pass a comprehensive audit.
The CIS Cloud Benchmarks
The Center for Internet Security (CIS) Benchmarks are a set of consensus-based, vendor-agnostic cybersecurity standards for implementing cloud technologies and services. They include two profile-level benchmarks classified based on ease of implementation and security/sensitivity impact, with the first level being less sensitive than the second. The benchmarks also cover areas such as OS, CSP, server, and network security configurations.
Implementing the CIS Benchmarks helps organizations improve network, device, and server performance because they include guidelines for controlling administrative access and granting privileges, authenticating users, limiting app permissions, and securing container and VM images.
Standards from CSPs
Besides the standards we’ve already discussed, individual CSPs also provide architectural frameworks, best practices, and standards for their customers to follow. Most CSPs’ frameworks (like the AWS Well-Architected Framework, Google Cloud Architecture Framework, and the Azure Well-Architected Framework) are based on five key pillars: security, reliability, cost optimization, operational excellence, and performance efficiency. Let’s take a closer look.
Security (privacy and compliance)
CSPs offer best practices for implementing data privacy and security controls and achieving regulatory compliance. Guidelines include identity management, role assignment and RBAC, data and app segregation based on sensitivity, and network firewalls.
CSP frameworks offer suggestions for developing and deploying highly available apps and services. Advice includes designing apps with the possibility of failure (and recovery) in mind, designing for self-healing, designing based on business requirements, and implementing automation.
The frameworks provide guidelines for selecting cost-effective components, tools, and services during app development. Developers must estimate initial and peak throughput costs and consider long-term optimization and monitoring costs when choosing service providers.
The frameworks specify principles to consider (including incidence response, pre-deployment experimentation and testing, software health monitoring, patching, and maintenance) for operational excellence.
CSPs guide developers towards building resilient systems that remain optimally functional regardless of changes in traffic and memory load. The frameworks advise building apps with scalability and performance patterns at peak/non-peak periods in mind.
Implementing cloud security standards with Wiz
As we’ve seen, compliance can be challenging. There are countless regulations, and the landscape is always changing. Wiz can help. We offer automated compliance assessments that provide organizations with accurate security posture scores for 100+ cloud security standards. Take advantage of our compliance assessments to streamline internal audits and swiftly resolve non-compliance before it becomes a real problem. And if you have custom frameworks specific to your organizations, you can also conduct tailored compliance assessments with Wiz. To see what Wiz can do for you, try out our demo today.
100+ Built-In Compliance Frameworks
See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.