What is Cloud Security?

Speak to a cyber security expert

To find out more on how our Cloud security products and services can help you protect your organisation, or to get free guidance and advice, speak to one of our experts today.


Cloud security definition: what is Cloud security?

Cloud security is a subset of cyber security concerned with securing data, applications and infrastructure in the Cloud. The Cloud itself is a virtualisation of networks, servers, applications and data storage that is accessible via the Internet.

Cloud services include IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). These give users on-demand access from wherever they are, without requiring them to manage the underlying infrastructure directly.

Free PDF download: Cloud Security – Who is responsible?


Download this free paper to find out more about the security challenges of using the Cloud, how the Cloud provider–customer relationship works and where your respective responsibilities lie, and relevant legal and contractual requirements. The paper also lays out a practical approach to meeting your obligations.


Why is Cloud security important?

With hybrid working now the norm, many organisations are increasingly reliant on the Cloud to ensure their staff can access the data and services they need wherever they are.

However, there are security risks associated with Cloud services.

These are especially concerning as the nature of Cloud computing means organisations will inevitably rely on third parties for some element of their information security.

If you use Cloud services, you need to satisfy yourself of the security and resilience of your Cloud service providers at the trust boundary – the point at which the responsibility passes from your organisation to your supplier.

This is particularly important when it comes to observing your legal and regulatory compliance obligations.

For instance, the DPA (Data Protection Act) 2018 and GDPR (General Data Protection Regulation) apply to the processing of personal data regardless of where that processing takes place.

If you are a data controller, the Cloud service providers you use need to be able to demonstrate that their technical and organisational security measures comply with the data protection law(s) to which you are subject.


Looking to improve your Cloud security?

We are the leading provider of information, books, products and services that help boards develop, implement and maintain a Cloud governance framework.

If you’re looking for guidance, practical advice or consultation, we can help.

Our team of experts are on hand to help you at any stage of your Cloud security journey.


Top Cloud security challenges

According to the (ISC)2 2021 Cloud Security Report, 96% of organisations are moderately to extremely concerned about Cloud security. Their biggest concerns are:

  • Data loss/leakage (64% of respondents)
  • Data privacy/confidentiality (62%)
  • Accidental exposure of credentials (46%)

For Cloud service providers, addressing these concerns by following Cloud security best practices is of paramount importance.

Cloud security best practices

There are many established approaches to Cloud security, including:

The EU Data Protection Code of Conduct for Cloud Service Providers or EU Cloud CoC (Code of Conduct)

The EU approved the Cloud CoC in 2021 to help Cloud providers demonstrate that they meet their obligations under Article 40 of the GDPR.

Covering SaaS, PaaS and IaaS, the Code sets out requirements for business-to-business Cloud service providers that act as processors.

It is supported by a Controls Catalogue that maps these requirements to the GDPR, ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2, C5:2016 (Cloud Computing Compliance Controls Catalog), NIST SP 800-53 and the NIST Cybersecurity Framework.

Declarations of adherence to the Code are overseen by an independent monitoring body, SCOPE Europe.

The EDPB (European Data Protection Board) published its positive opinion of the Belgian Data Protection Authority’s approval of the Code in May 2021.

The 14 CSPs (Cloud Security Principles)

The 14 CSPs are defined by the NCSC (National Cyber Security Centre) and provide a comprehensive set of security controls for operation within the Cloud:

  1. Data in transit protection
  2. Asset protection and resilience
  3. Separation between users
  4. Governance framework
  5. Operational security
  6. Personnel security
  7. Secure development
  8. Supply chain security
  9. Secure user management
  10. Identity and authentication
  11. External interface protection
  12. Secure service administration
  13. Audit information for users
  14. Secure use of the service

CSA CCM (Cloud Security Alliance Cloud Controls Matrix)

The CSA developed and maintains the CCM, a set of additional information security controls designed specifically for Cloud service providers, and against which customers can carry out a security audit.

BSI and the CSA have collaborated to offer a certification scheme (designed as an extension to ISO 27001) against which Cloud service providers can achieve independent certification.

The CSA CCM provides a framework that gives a detailed understanding of security concepts and principles that are aligned with the CSA guidance in 16 domains:

  1. Application & Interface Security
  2. Audit Assurance & Compliance
  3. Business Continuity Management & Operational Resilience
  4. Change Control & Configuration Management
  5. Data Security & Information Lifecycle Management
  6. Datacenter Security
  7. Encryption & Key Management
  8. Governance and Risk Management
  9. Human Resources
  10. Identity & Access Management
  11. Infrastructure & Virtualization Security
  12. Interoperability & Portability
  13. Mobile Security
  14. Security Incident Management, E-Discovery & Cloud Forensics
  15. Supply Chain Management, Transparency and Accountability
  16. Threat and Vulnerability Management

CSA STAR (Security, Trust and Assurance Registry)

The CSA STAR provides a comprehensive framework for Cloud governance and security controls. It complements other standards, such as ISO 27001, by providing a risk-based assessment of Cloud security risks and remediation strategies.

STAR consists of three levels of assurance, which cover four unique offerings based on the Cloud-centric control objectives in the CSA CCM.

Cloud service providers can achieve certification to STAR.

The STAR programme includes a registry that documents the security controls provided by popular Cloud computing offerings.

There are two levels:

Level 1 – self-assessment

  • Free and open to all Cloud service providers, this level allows them to submit self-assessment reports that document their compliance with CSA-published best practices, using either:
    • i. the Consensus Assessments Initiative Questionnaire (CAIQ); or
    • ii. the CSA CCM.

Level 2 – third-party assessment

  • CSA STAR attestation
    • STAR attestation is an independent third-party assessment of the security of a Cloud service provider, based on Type I or Type II SOC attestations supplemented by the criteria in the CCM.
  • CSA STAR certification
    • STAR certification is an independent third-party assessment of the security of a Cloud service provider. The technology-neutral certification is based on the requirements of the ISO 27001 standard and the CSA CCM.
  • CSA C-STAR assessment
    • C-STAR assessment is an independent third-party assessment of the security of a Cloud service provider for the Greater China market, which harmonises CSA best practices with Chinese national standards.

ISO 27017 and ISO 27018

The international standard ISO 27017 was designed to provide guidance on applying 37 of ISO 27001’s Annex A information security controls to Cloud environments. It also provides seven additional controls that relate specifically to Cloud services.

ISO 27018 provides guidance for Cloud service providers on selecting and implementing security controls from Annex A of ISO 27001.

Both standards’ controls can be adopted as part of an ISO 27001-compliant ISMS (information security management system).

Cloud Security Toolkit – ISO 27017 & ISO 27018

Accelerate your compliance with ISO 27017 and ISO 27018 with customisable templates, documents, policies and records. This toolkit was designed to integrate with our ISO 27001 Toolkit to give you complete control over the security of your Cloud services.


ISO 27017/ISO 27018 FastTrack™ 20

Our ISO 27017/ISO 27018 FastTrack™ 20 consultancy service is a bolt-on service to our ISO 27001 FastTrack™ 20.

It extends your ISO 27001-compliant ISMS following the ISO 27017 and ISO 27018 standards.


Cloud Configuration Penetration Test

Review the security of your Cloud services with our Cloud Configuration Penetration test.

Our advanced manual testing techniques, configuration benchmarking and automated scans will be used to perform an in-depth health check looking for misconfigurations and vulnerabilities.
