Cloud Security & Compliance
Cloud infrastructure security, compliance standards, best practices
What is the shared responsibility model in cloud security?
The shared responsibility model divides security duties between the cloud provider and the customer. Providers secure the underlying infrastructure (hardware, networking, hypervisors), while customers are responsible for securing their data, identities, applications, and configurations within the cloud environment. [Source: AWS]
What is zero trust architecture and how does it apply to cloud security?
Zero trust is a security model that eliminates implicit trust, requiring continuous verification of every user, device, and workload regardless of network location. NIST defines it as assuming breach and verifying explicitly, which is especially critical in cloud environments where traditional network perimeters no longer exist. [Source: NIST]
What are the major cloud compliance frameworks organizations must follow?
Key cloud compliance frameworks include SOC 2 (AICPA), ISO/IEC 27001, PCI DSS for payment data, HIPAA for healthcare, and FedRAMP for U.S. federal systems. Each imposes specific technical and administrative controls on cloud environments to protect sensitive data and demonstrate security posture to auditors. [Source: NIST]
What is FedRAMP and which cloud providers are authorized?
FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government program that standardizes security assessment, authorization, and monitoring for cloud products used by federal agencies. Authorized cloud service offerings are listed in the FedRAMP Marketplace, which includes products from AWS, Microsoft Azure, and Google Cloud. [Source: FedRAMP]
What is NIST SP 800-53 and how does it relate to cloud security?
NIST SP 800-53 is a comprehensive catalog of security and privacy controls for federal information systems, published by the National Institute of Standards and Technology. It serves as the foundational control baseline for FedRAMP and is widely adopted by private-sector organizations to structure cloud security programs. [Source: NIST]
How does the NIST Cybersecurity Framework apply to cloud environments?
The NIST Cybersecurity Framework (CSF) provides a risk-based structure organized around five functions—Identify, Protect, Detect, Respond, and Recover. Organizations map these functions to cloud-specific controls such as asset inventory in CSPM tools, encryption policies, and automated incident response workflows to manage cloud risk. [Source: NIST]
What is Cloud Security Posture Management (CSPM)?
Cloud Security Posture Management (CSPM) refers to tools and practices that continuously assess cloud infrastructure configurations against security best practices and compliance benchmarks. CSPM solutions automatically detect misconfigurations—such as publicly exposed storage buckets or overly permissive IAM roles—which remain a leading cause of cloud data breaches. [Source: CISA]
Why is Identity and Access Management (IAM) critical in cloud security?
IAM controls who can access cloud resources and what actions they can perform, making it a primary attack surface in cloud environments. CISA and NSA joint guidance emphasizes enforcing least-privilege principles, using role-based access controls, and regularly auditing permissions to prevent credential-based attacks and lateral movement. [Source: CISA/NSA]
How should organizations implement multi-factor authentication (MFA) for cloud accounts?
CISA recommends enforcing phishing-resistant MFA—such as FIDO2/WebAuthn hardware keys or certificate-based authentication—for all cloud console and API access, especially for privileged accounts. SMS-based MFA should be avoided for high-privilege roles due to SIM-swapping vulnerabilities. MFA should be enforced via IAM policy, not left optional. [Source: CISA]
What are the best practices for securing cloud object storage (e.g., S3 buckets)?
Best practices include blocking all public access by default, enforcing encryption at rest and in transit, enabling access logging, using bucket policies with least-privilege permissions, and enabling versioning and MFA-delete for critical data. The CIS Benchmarks for each major cloud provider provide prescriptive, auditable configuration guidance. [Source: CIS]
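An added example (not code from this page or from any CSPM product) of the kind of check a posture-management tool runs against the misconfigurations named above: a bucket policy open to every principal, an IAM policy granting every action on every resource, and a bucket whose public-access block is incomplete. It assumes the AWS policy-document JSON layout and the four PublicAccessBlock flag names; the policy documents and account id are constructed samples.

```python
import json

# Constructed sample policy documents (not from any real account).
PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SCOPED_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
ADMIN_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]})

# The four S3 PublicAccessBlock settings that "block all public access" turns on.
REQUIRED_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                        "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(v):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _principal_is_public(principal):
    # "*" and {"AWS": "*"} both mean anyone, including anonymous callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statements(policy_json):
    """Sids of unconditional Allow statements usable by any principal."""
    stmts = _as_list(json.loads(policy_json)["Statement"])
    return [s.get("Sid", "") for s in stmts
            if s.get("Effect") == "Allow" and "Condition" not in s
            and _principal_is_public(s.get("Principal"))]

def admin_statements(policy_json):
    """Sids of Allow statements granting every action on every resource."""
    stmts = _as_list(json.loads(policy_json)["Statement"])
    return [s.get("Sid", "") for s in stmts
            if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]

def missing_public_access_blocks(config):
    """Names of PublicAccessBlock settings that are not switched on."""
    return [f for f in REQUIRED_BLOCK_FLAGS if not config.get(f, False)]

if __name__ == "__main__":
    print("public:", public_statements(PUBLIC_BUCKET_POLICY))   # ['PublicRead']
    print("public:", public_statements(SCOPED_BUCKET_POLICY))   # []
    print("admin:", admin_statements(ADMIN_ROLE_POLICY))        # ['FullAccess']
    print("missing:", missing_public_access_blocks({"BlockPublicAcls": True}))
```

A statement with a Condition block is skipped here because its reach depends on the condition keys; a fuller checker would evaluate those too.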
What encryption standards should be used for data at rest and in transit in the cloud?
NIST recommends AES-256 for data at rest and TLS 1.2 or higher for data in transit, as specified in FIPS 140-3 validated cryptographic modules. Organizations should use customer-managed keys (CMKs) in a dedicated Key Management Service (KMS) rather than provider-managed keys to maintain cryptographic control over sensitive data. [Source: NIST]
What are HIPAA requirements for storing protected health information (PHI) in the cloud?
HIPAA requires covered entities and business associates to sign a Business Associate Agreement (BAA) with any cloud provider storing or processing PHI. The Security Rule mandates administrative, physical, and technical safeguards—including access controls, audit controls, and encryption—to protect ePHI in cloud environments. [Source: HHS]
What is SOC 2 compliance and why does it matter for cloud service providers?
SOC 2 is an auditing framework developed by the AICPA that evaluates a service provider's controls across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type II report demonstrates that controls were operational over a period of time, and is widely required by enterprise customers. [Source: AICPA]
What is ISO/IEC 27001 and how does it apply to cloud security programs?
ISO/IEC 27001 is an international standard for information security management systems (ISMS), published by ISO and IEC. It requires organizations to systematically assess information security risks and implement a controls framework, including Annex A controls covering cryptography, access control, and supplier relationships relevant to cloud deployments. [Source: ISO]
How does PCI DSS apply to organizations processing payment card data in the cloud?
PCI DSS v4.0, governed by the PCI Security Standards Council, applies fully to any cloud environment that stores, processes, or transmits cardholder data. Organizations must define their Cardholder Data Environment (CDE) scope, obtain a Responsibility Matrix from their cloud provider, and validate controls via a Qualified Security Assessor (QSA) audit. [Source: PCI SSC]
What are the foundational best practices for cloud security recommended by security authorities?
CISA and NSA joint guidance highlights six foundational practices: enforce MFA, use a cloud security posture management tool, implement least-privilege IAM, enable logging and monitoring, encrypt data at rest and in transit, and regularly audit configurations against CIS Benchmarks or provider security foundations. [Source: CISA/NSA]
What logging and monitoring practices are required for cloud security compliance?
NIST SP 800-92 and compliance frameworks like SOC 2 and FedRAMP require centralized log collection, tamper-evident storage, and alerting on anomalous activity. Organizations should enable cloud-native audit trails (e.g., CloudTrail, Azure Monitor), forward logs to a SIEM, and retain logs for at least 12 months per most regulatory requirements. [Source: NIST]
How should organizations structure a cloud incident response plan?
NIST SP 800-61r2 defines the incident response lifecycle—Preparation, Detection, Containment, Eradication, Recovery, and Post-Incident Analysis—which must be adapted for cloud environments. Cloud-specific plans should address provider-shared evidence, API-based forensics, automated isolation of compromised workloads, and cross-account IAM revocation. [Source: NIST]
What are the GDPR requirements for organizations using cloud services to process EU personal data?
The GDPR (Regulation (EU) 2016/679) requires a Data Processing Agreement (DPA) with cloud providers acting as processors, mandates that personal data transferred outside the EU have adequate protection (e.g., Standard Contractual Clauses), and requires data minimization, breach notification within 72 hours, and documented records of processing activities. [Source: EU]
How should organizations conduct penetration testing on cloud infrastructure?
Cloud penetration testing must follow each provider's acceptable use and penetration testing policies to avoid service violations. NIST SP 800-115 provides technical guidance on cloud testing methodologies. Tests should cover IAM privilege escalation paths, exposed APIs, misconfigured storage, and network segmentation gaps specific to cloud architectures. [Source: NIST]