Cloud Security Policy Template

Creating a cloud security policy is a best practice. An essential part of your cloud security strategy, this policy helps your organization properly store and protect your critical data assets. It shows who is responsible for each aspect of cyber security, details your approach to cloud services and provides written evidence of your commitment to protecting enterprise data. Moreover, a documented cloud security policy document is a requirement of some compliance regulations. 

A cloud security policy is not a stand-alone document. You must link it to other security policies developed within your organization, such as your data security and privacy policies.

The cloud security policy template below provides a road map of recommended key sections, with descriptions and examples. Adapt it to meet your organization’s unique legal and regulatory requirements.

1. Purpose

The purpose section contains the reasons for developing and maintaining the policy. 

Example:

This policy ensures the confidentiality, integrity and availability of data stored, accessed and manipulated using cloud computing services. It establishes a framework of responsibility and actions required to meet regulatory requirements and security guidelines for cloud computing.

2. Scope

This section explains where the policy applies. It can include sections that call out specific groups, services or locations.

Example:

This policy covers systems handling data within the “3.1. Information Types” section of this document. All services within the cloud environment that fall into this category will be subject to the requirements specified within this policy. Therefore, it applies to every server, database and other IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. The requirements apply to new and existing installations. Every user who interacts with company IT services is also subject to this policy. The security control requirements are product agnostic and applicable for all approved cloud systems.

2.1. Information Types

Provide a list of information types covered by this policy. Use data classification best practices to label the data your organization stores and processes.

Example:

This policy applies to all customer data, personal data and other company data defined as sensitive by the company’s data classification policy. The sensitive data types covered by this policy include:

Identity and authentication data:

• Passwords
• Cryptographic private keys
• Hash tables

Financial data:

• Invoices 
• Payroll data
• Revenue data
• Accounts receivable data

Proprietary data:

• Software test and analysis
• Research and development

Employee personal data:

• Names and addresses 
• Social Security numbers
• State-issued driver’s license number
• State-issued identification card number
• Financial account numbers, including security code, access code or password admitting access to the account
• Medical and/or health insurance information

3. Ownership and Responsibilities

In this section, list all roles related to cloud security actions, controls and procedures. Examples can include cloud security administrators, data owners, users and cloud providers. Describe each role and the associated responsibilities for safe cloud usage and security maintenance. 

To compile this list, consider the following questions:

• Who is using the cloud?
• Who is responsible for maintaining the cloud service on the organizational end and the provider end?
• Who is responsible for maintaining cloud security?
• Who is responsible for selecting new cloud solutions?
• Who is responsible for making significant decisions?

Example:

Cloud Security Administrator

The person ultimately responsible for implementation, configuration and maintenance of cloud services security. This person shall address the following:

• Implementing security for new services
• Customizing the configuration of the cloud service security settings
• Maintaining access control and permissions management for each cloud service provided
• Retiring terminated services

Service Level Manager

The person ultimately responsible for managing service-level agreements and acting as liaison with the cloud provider to negotiate SLA contracts and ensure the provider meets all the terms of those contracts.

4. Secure Usage of Cloud Computing Services

This section defines the requirements for acceptable use of cloud services. 

Example:

All cloud-based services must be approved prior to acquisition and deployment. To ensure secure adoption and usage of cloud services, the following steps must be taken:

• Define organizational needs and priorities.
• Define service users, both internal and external.
• Determine the type of cloud service to be adopted, including the physical and operational characteristics for SaaS, PaaS and IaaS solutions.
• Define the data types to be stored.
• Determine the security solutions and configurations required for encryption, monitoring, backups, etc.
• Generate a list of past security incidents involving this cloud provider.
• Request available security certifications.
• Obtain copies of agreements with the provider, including SLAs.

4.1 Inventory

Describe how your organization will track what cloud services it is using and keep that inventory current.

Example:

The cloud security administrator and IT security manager must perform an inventory of cloud services in use at least quarterly.

4.2. Approved Services

Provide a synopsis of your cloud-based infrastructure with a list of approved services. 

Example:

The organization has a central headquarters and several offices located across the U.S. Some employees access services remotely from mobile devices. Each department — such as human resources, sales and project management — uses one or more cloud services. All departments must maintain a list of authorized cloud vendors and services that align with the overall cloud security policy.

The list of approved services includes: 

Hardware layer: <Indicate data centers>

Infrastructure layer: <Example: Amazon EC2>

Platform layer: <Example: Microsoft Azure, Google App Engine, Amazon SimpleDB/S3>

Application layer: <Example: business applications, web services, multimedia>

4.3 Unauthorized Services

In this section, explain what cloud-based services are not permitted.

Example:

Only the cloud-based solutions on the list of approved services specified in Section 2 of this document may be used. The installation of unauthorized software on organizationally owned or managed user end-point devices (e.g., workstations, laptops and mobile devices) and IT infrastructure network and systems components is restricted. The cloud security administrator must provide authorization for any third-party cloud service before it is placed into use. The introduction of any unauthorized cloud service will immediately generate a notification for IT security and block the service from use.

5. Risk Assessment

Use this section to integrate your cloud security policy with the organization’s risk assessment policy. Define the scope and schedule for risk assessments.

Example:

Data from the “Sensitive” tier of the Data Classification Policy shall be available at all times, per regulations, for discovery and audit. Cloud providers shall conform to these compliance requirements.

The Cloud Security Administrator and the IT Security team shall conduct a risk assessment at the following times:

• Upon the implementation of a new cloud service
• After major upgrades or updates to an existing cloud service
• After any changes to the configuration of a cloud service
• When following up on a security event or incident
• Quarterly for all existing cloud services

The cloud security risk assessment shall include the following:

• Audit results, both internal and external (cloud provider system security audit results)
• Threat and vulnerability analysis
• Regulatory compliance

6. Security Controls

The cloud security policy specifies the various security components available and in use by the organization. It should include both internal controls and the security controls of the cloud service provider, breaking out specific groups of requirements, including technical and control requirements, mobile security requirements, physical security requirements and security controls assurance practices.

Example:

At the time of cloud service implementation and quarterly after that, the Cloud Security Administrator shall review each service-level agreement, as well as request and analyze the cloud provider’s security audits.

6.1. Technical Security Controls Requirements

This section specifies all requirements for technical controls for access management.

For example:

The organization shall put into place tools for centralized visibility of the cloud service infrastructure, such as cloud workload protection (CWP) tools. The tools shall offer traffic analysis, configuration monitoring and assessment, and alerts for configuration issues.

Access control methods to be used shall include:

• Auditing of attempts to log on to any device on the company network
• Windows NTFS permissions to files and folders
• Role-based access model
• Server access rights
• Firewall permissions
• Network zone and VLAN ACLs
• Web authentication rights
• Database access rights and ACLs
• Encryption at rest and in flight
• Network segregation

Access controls apply to all networks, servers, workstations, laptops, mobile devices, cloud applications and websites, cloud storages, and services.

Identity and access controls include authentication, data access standards, credential lifecycle management and access segmentation.

Auditing includes configuration and change auditing. 

Data protection includes encryption, data remediation, data erasure, and data recovery.

Other technical controls include network security and wireless security (such as VPNs and firewalls).

6.2. Mobile Security Requirements

This section should include controls for configuring mobile access, generating a robust identity, device monitoring, employing anti-malware solutions and mobile device management.

Example:

Cloud security shall include mobile security controls to prevent malware infection on company mobile devices and privately owned devices used to access the organization’s cloud services. Any device found without anti-malware protection shall be quarantined.

6.3. Physical Security Requirements

Include in the policy the reasons for designing and applying countermeasures against damage to physical access and equipment. Highlight protection of power, temperature, water and other utilities at the data center location. Physical security also covers issues from natural and human-made disasters, such as the process for disaster recovery.

Example:

The company shall monitor the interior temperature of the data center. Ensure that the owner of physical security receives an immediate notification if the temperature varies more than 5 degrees from the baseline.

6.4. Security Controls Assurance

This section defines how often security controls should have a regular IT health check. 

Example:

Monthly, the Cloud Security Administrator shall perform an assessment of security control configurations and all failed attempts of unauthorized access. 

7. Security Incident Recovery

This section contains rules for determining the areas for assessment in the event of a security incident and sets priorities for cloud service and data recovery. 

Example:

In the event of a data breach, both the cloud provider and the cloud security administrator shall perform an assessment of the systems and users that are directly or indirectly involved in the incident to determine the method of access, such as physical, via software/malware or through human error. 

Reporting requirements:

• Daily incident reports shall be produced and handled by the IT Security Department or the Incident Response Team.
• Weekly reports detailing all incidents shall be produced by the IT Security Department and sent to the IT Manager or Director.
• High-priority incidents discovered by the IT Security Department shall be immediately escalated; the IT Manager should be contacted as soon as possible.
• The IT Security Department shall also produce a monthly report showing the number of IT security incidents and the percentage that were resolved.

Priorities for data recovery:

• All non-archived data classified as Sensitive is considered to have a priority of High. 
• All archived data classified as Sensitive is considered to have a priority of Moderate.
• All data classified as Internal is considered to have a priority of Moderate.
• All data classified as Public is considered to have a priority of Low.

8. Awareness-Raising

This section spells out how often the organization should perform security training, who must pass the training and who is responsible for conducting the training.

Example:

The IT Security Management office shall provide quarterly security training to all users of cloud services. All users of cloud services must pass security training to maintain permissions and access to the service.

9. Enforcement

This part details the penalties for policy violations and how they will be enforced.

Example:

Employees who attempt to use unauthorized services shall have their permissions revoked until they pass security training.

10. Related Documents

This section lists all documents related to the cloud security policy and procedures. 

Example: 

• Data Protection Policy
• Data Classification Policy
• Password Policy
• Risk Assessment Policy
• Encryption Policy
• Workstation Security Policy
• Incident Response Policy
• Data Processing Agreement 

11. Revision History

Maintain a history of the policy document, with entries for the original implementation and each time it is changed. 

Example:

Conclusion

Using this cloud computing security policy example, you can develop a solid cloud security policy for your organization that enables you to protect sensitive data. Make the policy robust and feasible, and ensure it is accessible, concise and easy to understand at every level of the company.