Cloud Critical Controls

January 31, 2018

It’s no secret – organizations are moving to the cloud faster than their security teams can secure those environments. The daunting task of catching up to the security needs of the cloud can overwhelm and frustrate security professionals and business transformation leaders. A thorough cloud security strategy is an essential part of cloud adoption, but it can take more than a year to implement. During this period, cloud adoption will continue without any validated security program. While many cloud architects and developers will follow established “best practices,” there is little to no validation or verification that can be applied to the security work done. What’s needed is a set of baseline cloud security controls and capabilities that can be applied to any cloud environment to establish a minimum level of security competency. More than a simple control matrix, the cloud critical controls lay out provider-specific capabilities that can be implemented without slowing down the DevOps process.

Optiv has established a comprehensive, cross-platform set of cloud critical controls based on a combination of the Cloud Security Alliance’s Cloud Controls Matrix (CCM), the Center for Internet Security (CIS) consensus-based benchmarks and our own experience. Implementing critical security controls for the 10 cloud domains listed below will help your organization answer the following questions:

  • Architecture 

    • Is your architecture designed for cloud consumption?
    • Do you fully understand the “shared responsibility model”?
  • Identity and Access Management 

    • Are you giving too much access privilege to users?
    • How are you maintaining user access?
  • Data 

    • Is your data protected at all times? 
    • What is your level of visibility into how, and with whom, different types of data are being shared?
  • Visibility 

    • How are you monitoring the usage of cloud applications and the transfer of data for malicious activity?
  • Threat Protection 

    • Do you have processes in place to address the full lifecycle, from identification through analysis, treatment, risk management and resolution?
  • Application Security 

    • Do you follow a software development lifecycle (SDLC) and stage-gate process during development?
    • What security architecture principles define your development of applications?
  • Governance, Risk and Compliance 

    • Have you built baseline security requirements for your cloud implementation?
    • How do you deal with deviations from them?
  • Incident Response

    • How do you respond to incident-level alerts, from verification to event closure, as a holistic enterprise incident management function?
  • Business Resilience (Business Continuity and Disaster Recovery) 

    • Do you have a consistent unified framework for addressing business resiliency, including disaster recovery, continuity and reliability as it relates to cloud workloads (and security)?
  • Legal and Privacy 

    • How do you address legal and privacy considerations such as the EU General Data Protection Regulation (GDPR), data sovereignty, and other local and regional applicable regulations in the cloud?

Many of these controls can be verified through the cloud providers’ APIs, which allows continuous validation. Others will help establish baseline policies and awareness that can be applied with minimal effort.

These critical controls, covering cloud service providers such as AWS, Azure and Office 365, are maintained on a regular basis and updated to reflect new security feature releases from the cloud providers.

While not a complete cloud security program, implementing security controls in each of these cloud domains is a strong start to a comprehensive cloud security program.

By: John Turner

Senior Director, Cloud Security
