Cloud Security Best Practices

{{ firstError }}
We care about security of your data. Privacy Policy

Cloud security best practices cover a range of processes that include control over people, applications and infrastructure. Which best practices are important for your security strategy depends in part on the cloud service model you use. 

Cloud Service Models

Cloud computing services are grouped into three types, listed here with some examples:

  • Infrastructure as a service (IaaS) — Azure, AWS, virtual data centers
  • Platform as a service (PaaS) — Redhat Openshift, Apprenda
  • Software as a service (SaaS) — Microsoft 365, Salesforce

Each model addresses a different set of business requirements and demands different security measures.


In IaaS, the consumer is the system administrator. As a sysadmin, you have authority to provision network-accessible storage, control processing, and deploy and run applications and operating systems. You may have limited control over the selection of network components, like the host firewall. However, you cannot manage or control the underlying cloud infrastructure. 

For IaaS, your security responsibilities include, but not limited to:

  • Data governance
  • Client and endpoint protection
  • Identity and access management
  • Application-level controls
  • Network controls
  • Security testing


With PaaS, you control the cloud vendor’s platform and execution resources to develop, test, deploy and administer applications. Unlike the IaaS model, you cannot manage or control the underlying cloud infrastructure, including the network, servers, operating systems or storage. But you can deploy your cloud applications to the PaaS infrastructure using programming languages and tools supported by the PaaS provider. 

For PaaS, your security responsibilities include, but not limited to:

  • Data governance
  • Client and endpoint protection
  • Identity and access management
  • Application-level controls
  • Security testing


SaaS applications are accessible from client devices using an interface like a web browser. You are authorized to use specific software applications on demand and perform data management tasks such as configuring backups and data sharing between users. You have control over limited user-specific application configuration settings. You do not have the right to manage or control the underlying cloud-based infrastructure, including the network, servers, operating systems, storage services and individual applications. 

For SaaS, your security responsibilities include, but not limited to:

  • Data governance
  • Client and endpoint protection
  • Identity and access management

Cloud Deployment Models

The deployment model describes the relationship between the cloud provider and a consumer. The way you access different cloud computing service types depends on your business's characteristics and the type of data you have.

Cloud deployment models include:

  • Private cloud — Provisioned for exclusive use by a single organization, which might comprise multiple consumers, such as business units. A private cloud may be owned, managed or operated by the organization, a third party or a combination of both. It may exist on or off the premises of the organization.
  • Public cloud — Provisioned for use by the general public, where you share the same hardware, storage and network resources with other organizations (tenants). With a public cloud, all hardware, software and supporting infrastructure is owned and managed by the cloud provider.
  • Hybrid cloud — A combination of two or more distinct private or public clouds. Each entity remains unique, but they are bound together by a standard or proprietary technology that enables data and application portability between them.

Risk Management in the Cloud

Prior to acquiring a cloud service, a cloud consumer needs to analyze the risks associated with the adoption of a cloud-based solution for a particular information system, and develop a plan for managing those risks. Your risk assessment should determine:

  • The components you should implement to secure your cloud
  • The controls you are responsible for implementing in-house
  • The controls that are the responsibility of the cloud provider

Cloud Security Best Practices at the Infrastructure Level

The entire hardware infrastructure should be controlled, secured and hardened.

Configuration Auditing

Configuration auditing is about ensuring that cloud environment is configured according to your organization’s policies or relevant compliance standards. Implement regular audits to check for signs of misconfiguration. Improper configuration settings can put you at serious risk of data loss. You can avoid this by regularly auditing the configuration of your: 

  • Network and network components, such as firewalls
  • Permissions

To ensure configuration checks are performed regularly, automate them with a monitoring solution, and promptly investigate and remediate any suspicious changes in your cloud environment.

Incident Prevention, Detection and Response

  • Defend against external attacks —Apply advanced malware protection to IaaS. Review the perimeter for exposure to distributed denial-of-service (DDoS) attacks against public-facing cloud interfaces.
  • Install intrusion detection and prevention systems — In IaaS environments, implement intrusion detection at the user, network and database layers. In Paas and SaaS environments, intrusion detection is the responsibility of the provider.
  • Enable traffic monitoring — Unusually high volumes of traffic might be signs of security incidents.

Cloud Security Best Practices at the Application Level

At the application level, operational security is paramount. Reduce internal and external security risks, and ensure the safety of employee devices and credentials.

Permissions Management

  • Adhere to the least-privilege principle — Give each user only the permissions they need to do their job.
  • Conduct regular entitlement reviews and revoke excessive rights — Regularly review your current permissions and revoke permissions that users no longer require.
  • Monitor for unauthorized changes — Monitor your cloud applications for changes to group membership, especially changes to any group that grants administrator-level privileges. Also watch for any permissions that are assigned directly instead of through group membership.


  • Make multi-factor authentication (MFA) mandatory — MFA reduces the risk of account hijacking.
  • Monitor login activities — If you see a spike in failed logins, investigate all user accounts involved, since their accounts may have been compromised. Set up alerts on the following:
    • Attempts to log in from multiple endpoints
    • Multiple failed logins by any account in a short period
    • A  high number of login failures during a specified period

Activity Monitoring

Leverage user behavioral analytics (UBA) to detect anomalous actions. Significant changes in a user’s behavior or access patterns might be indicators of a security threat. In particular:

  • Regularly monitor and record user activity to develop baselines.
  • Identify users whose behavior deviates from their baseline or their group’s baseline.
  • Monitor for unauthorized or external file sharing

Cloud Security Best Practices at the Data Level

Data Discovery and Classification

  • Identify and classify you data Data discovery and classification examines your data and classifies it according to its value and sensitivity. Automate your data classification to ensure accurate, reliable results. Use this information to prioritize your data security efforts and set up appropriate security controls and policies.
  • Plan which data will be in the cloud and how it will be governed — Make sure that you can properly protect any sensitive data you store in the cloud. Some data may need to stay on premises to meet security standards or compliance requirements.

Data Access Standards

  • Establish data access management — Regularly review access rights, especially permissions to your most sensitive data, and revoke any excessive rights. Implement the proper access controls for each type of data you store.
  • Set limitations on how data can be shared — This will help prevent accidental public data sharing, or unauthorized sharing beyond your organization.
  • Monitor and control file downloads —Pay special attention to excessive downloads. Block downloads to unmanaged devices. Set up requirements for device security verification before downloading. Automate activity monitoring across the entire IT environment to identify all personnel who are downloading, modifying or sharing data in the cloud.

Data Protection

  • Set up automated data remediation workflows—Invest in a solution that can automatically move vulnerable data to a safe quarantine area.
  • Set up secure data erasure practices —Erase unnecessary duplicates or expired data. NIST and ISO guidelines recommend using cryptographic erasure, an industry standard technique that renders data unreadable by discarding its encryption keys. Deletions must be auditable.
  • Use encryption for all data, both in motion and at rest —Encrypting your data before uploading it to the cloud adds another layer of protection. Protect the encryption keys with robust key management.
  • Implement a data recovery plan — Take regular data backups and ensure you have a well-tested plan for recovering from accidental or deliberate data loss.

Best Practices for Secure Cloud Service Management 

The goal of managing business relationships is to enable effective interactions between the cloud provider and a consumer. Your primary focus is how security requirements and concerns will be addressed. 

Investigate Contracts and SLAs

The contract is the only guarantee you have of service and remediation. Review the terms and conditions of the agreement, and ensure it meets all your internal security requirements.

Make sure the provider gives you clear answers to the following questions:

  • Where are the servers located?
  • Does the client have permission to monitor the provider's compliance?

Among the most important conditions is the differentiation between who is responsible for the data stored in the cloud and who has ownership of the data. Only 37.9% of providers specify the data owner, making ownership legally unclear. 

Before signing a contract, negotiate any objectionable terms. If terms are not negotiable, decide whether the risk of agreeing to those terms is acceptable. If it is, develop alternatives for managing the risk through processes such as encryption or monitoring. If not, find another provider that can offer the terms you require.

Define Shared Responsibilities

Define shared responsibilities for cybersecurity between you and the provider by clarifying the following:

  • What is the provider’s liability?
  • What policies for data storage and deletion does the cloud provider have?
  • Which security tools are used to safeguard your data?
  • Which audit and control processes are applied on the provider’s side, and which should you apply?
  • How is the maintenance of data confidentiality organized?

Determine Compliance Standards

When subscribing to a cloud service provider, your organization is still responsible for regulatory compliance. It is solely your responsibility to develop compliant applications and services in the cloud and maintain compliance on an ongoing basis. 

Cloud providers should commit to transparency, accountability and meeting established standards. Those that do will display certifications such as SAS 70 Type II or ISO 27001.

The provider should give you access to all documentation and reports with details relevant to the assessment process: 

  • Audit results should be independently conducted and based on existing standards.
  • The provider is responsible for maintaining certifications. It should notify consumers of any status changes.

Develop an Incident Response and Disaster Recovery Plan

Create an incident response and disaster response (IRDR) plan in collaboration with your cloud provider. Include pathways of communication, along with roles and responsibilities for responding to each incident. Then practice the response and hand-off ahead of time.

Your SLA should include such details as:

  • The data cloud service provides in the event of an incident.
  • How data availability will be maintained.
  • A guarantee of the support necessary to effectively execute each stage of the enterprise's IRDR plan

For early detection, perform continuous monitoring. Perform full-scale testing annually and use additional testing whenever there is a significant architecture change. 

Related best practices