
Cloud Readiness Assessment Guide

Is your company doing everything it should to protect its cloud assets?
As cloud service adoption expands, every organization should pay particular attention to its cloud security program. In its 2022 Cost of a Data Breach Report, IBM Security found that 45% of all breaches over the previous year occurred in the cloud. Concerningly, the report also found that 43% of organizations had either not started or were in the early stages of implementing cloud security capabilities.

Cloud services operate under a shared responsibility model in which the cloud provider assumes some, but never all, of the responsibility for security. It is critical to understand exactly how the responsibilities are allocated and what your organization must do itself for each cloud service it uses.

What does a sound cloud security program look like? While no single correct answer exists, we created this cloud security readiness guide to help you formulate a plan aligned with the NIST Cybersecurity Framework (CSF). The guide can help you gauge your organization’s readiness across the five CSF functions: Identify, Protect, Detect, Respond, and Recover from cloud security incidents. Continue reading if you’re ready to assess your security gaps and gain insights for bolstering your cloud security posture.

Cloud Readiness Assessment Guide 2


Identify



My organization manages its hardware, software, and data assets.

Asset management is the process of identifying all of your organization’s critical assets: where they are located, who owns them, who maintains them, and who has access to them. People often make the mistake of accepting accounting’s definition of assets and counting only things like laptops, desktops, and servers. Security teams must always treat the company’s data as an asset; laptops, desktops, and servers matter mainly as the locations where data lives.

Regardless of the cloud service you use, you need to know what data is placed into it. It is essential that you control who has access to specific data and under what conditions, because you are trusting an external organization to provide only some level of protection. You need to understand where the provider’s responsibility for data security ends and yours begins, and ensure that your part of the shared responsibility model is well executed.

The organization needs to manage cloud data so that it always controls who has access and what kind of access. You also need to retain data only for a defined period. Keeping data that is not actively used, in case it may be useful one day, is a common corporate habit that increases exposure to data theft: data you no longer hold cannot be stolen from you. Data needs to be classified so that access can be governed by class; the company also benefits from ensuring the integrity and availability of its data. Remember that an organization only needs to protect the confidentiality of some of its data, according to its classification.

The modern economy is data driven. The analysis of data has real and tangible value to an organization’s ability to grow and enter new markets. Controls that ensure the utility and authenticity of data bring the organization real value.


My organization centrally enforces policy in all environments.

Enforcing policy in the cloud is a particular challenge. The organization wants the performance and functionality benefits of using a specialty provider without any negative surprises. Organizations can use tools such as a cloud access security broker (CASB) to ensure that access is consistently regulated across all cloud service providers and that data is not shared beyond what policy permits.

The success of governance tools depends on the organization controlling its purchasing. Governance tools are readily bypassed if business leaders can simply buy cloud services with a corporate credit card: a service acquired that way never passes through the broker, so nothing is enforced on it.

Policy enforcement tools manage certain risks, such as a policy not being followed, but they can also introduce other risks. Because they monitor employee activity, they can create an impression of mistrust between the organization and its employees. In organizations with European employees, they may also violate the employees’ right to privacy. All controls are a balance between the risks they manage and the risks they introduce.
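The checks described on this page and the previous one (knowing what data sits in each service, who owns it and how it is classified, keeping it only for a defined period, and enforcing sharing rules uniformly across providers, as a CASB would) can be expressed as policy-as-code. The following is an added example written for this page, not code from the guide; the approved-provider list, classification scheme, retention limits and inventory records are all assumptions chosen for illustration:

```python
"""Added example (not from the guide): a policy-as-code check over a multi-cloud
data inventory. Every record below is constructed; no real cloud API is called."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Assumed policy parameters (hypothetical, set by your own governance process).
APPROVED_PROVIDERS = {"aws", "azure", "gcp"}           # what procurement has approved
CLASSES = ("public", "internal", "confidential", "restricted")
MAX_IDLE_DAYS = {"restricted": 365, "confidential": 730, "internal": 1095, "public": None}


@dataclass
class DataStore:
    """One inventory record: a bucket, share, or site, wherever it is hosted."""
    name: str
    provider: str
    owner: str | None
    classification: str | None
    last_modified: date
    public: bool = False
    shared_with: set[str] = field(default_factory=set)   # external domains given access


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def evaluate(stores, today, allowed_external=frozenset()):
    """Apply the same rules to every store regardless of provider (central enforcement)."""
    findings = []
    for s in stores:
        # Identify: a store bought outside procurement never passes through the broker.
        if s.provider not in APPROVED_PROVIDERS:
            findings.append(Finding(s.name, "shadow-it", f"provider {s.provider!r} not approved"))
        if not s.owner:
            findings.append(Finding(s.name, "no-owner", "no accountable owner recorded"))
        if s.classification not in CLASSES:
            findings.append(Finding(s.name, "unclassified", f"class {s.classification!r} unknown"))
            continue  # the remaining rules are defined per class
        # Protect: sharing rules keyed on classification, as a CASB would enforce them.
        if s.public and s.classification in ("confidential", "restricted"):
            findings.append(Finding(s.name, "public-exposure", f"{s.classification} data is world-readable"))
        unapproved = s.shared_with - set(allowed_external)
        if unapproved and s.classification != "public":
            findings.append(Finding(s.name, "external-share", f"shared with {sorted(unapproved)}"))
        # Retention: data that is no longer used is exposure without benefit.
        limit = MAX_IDLE_DAYS[s.classification]
        idle = (today - s.last_modified).days
        if limit is not None and idle > limit:
            findings.append(Finding(s.name, "retention-expired", f"idle {idle} days, limit {limit}"))
    return findings


def summarize(findings):
    """Map each resource name to the sorted list of rules it violated."""
    out = {}
    for f in findings:
        out.setdefault(f.resource, []).append(f.rule)
    return {k: sorted(v) for k, v in out.items()}


# Constructed inventory (hypothetical names and dates).
TODAY = date(2024, 6, 1)
INVENTORY = [
    DataStore("s3://payroll-exports", "aws", "finance-it", "restricted", date(2023, 1, 15)),
    DataStore("gs://marketing-site", "gcp", "web-team", "public", date(2024, 5, 20), public=True),
    DataStore("sharepoint://hr-benefits", "azure", "hr-ops", "confidential", date(2024, 5, 1),
              shared_with={"broker.example"}),
    DataStore("dropbox://sales-deck", "dropbox", None, None, date(2024, 5, 30), public=True),
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY, TODAY):
        print(f"{f.resource:28} {f.rule:18} {f.detail}")
```

The unclassified store short-circuits the per-class rules on purpose: until someone assigns a class and an owner, no sharing or retention decision about it is meaningful, and the finding itself is the action item.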


My organization manages risk.

Risk management is a corporate function in which information security participates. Risks include loss of customers and failure to grow at a projected rate, as well as the various loss events against which information security controls offer some protection. In a well-run organization those protections allow it to take on more risk, though that may frustrate security leaders who see their role purely as risk reduction.

Classic security texts speak of transferring risk to another organization, but this strategy never works as well in practice as it does in theory. In practice the main means of transfer is insurance, and cyber insurers will gladly deny coverage of an event if there is evidence that controls were not effectively maintained. For example, the insurer may decide (whether you agree or not) that a failure to patch quickly enough is grounds to deny coverage of a data breach or ransomware incident.

The other strategies, accept, mitigate, and avoid, are more manageable within an organization. Most organizations are willing to accept more risk than most security leaders would like, because they need to focus on growing the business rather than on avoiding consequences that fall below their risk tolerance. Security leadership should ensure that the organization understands when a decision pushes the impact or probability of an event above the stated tolerance, and then work to ensure that those risks are properly managed.

This is harder when components of your application or infrastructure are outsourced to cloud providers, where part of the responsibility for securing the organization’s assets resides with the service provider and the controls you rely on are not yours to inspect directly.


My organization manages supply chain risk.

Supply chain risk management covers the selection and management of the partners that provide functionality and data security to your organization. The Cloud Security Alliance urges you to select providers that are at least registered at STAR Level 1 (a published self-assessment); a provider mature enough to reach Level 2 gives you the added assurance that its controls have been audited by a trusted third party.

Selecting a good third-party provider is essential, because if they have a data breach, you have a data breach and you will face the consequences.

Because every third party provides only some level of data protection, it is important to understand each one’s shared responsibility model and to plan how you will manage the security aspects that remain your responsibility. With a SaaS provider this may amount to little more than identity and access management and the service’s security configuration, but mistakes there still lead to unauthorized access to your data.


Protect



My organization manages the entire identity lifecycle.

An identity is a form of data, one that defines the relationship between a person and an organization. Within many organizations an individual has many identities, each providing a means to control access to a different kind of data: your record in the payroll system, the human resources system, the email system, and the electronic badge system, for example. Each is assigned to the person and holds a different amount of data about them.

Because organizations use certain forms of identity to regulate access to data, identity has become a very valuable corporate asset. The form of identity used for access, called a credential, has multiple attributes, often referred to as factors.

One of the most common ways that security events become incidents is compromised credentials. A compromised credential allows unauthorized access to your organization’s most important asset: its information. Strengthening both the credentials and the systems that use them will go a long way toward preventing a data breach.

Cloud security depends heavily on good identity and access management, because a single compromised credential can be all that is needed for full access to your data and to the services the cloud provider runs on your behalf. Securing identity and access management is always your organization’s responsibility; even when the identity provider is itself a cloud service, accountability for who can access what cannot be outsourced.


Authentication systems verify that the party attempting to use an identity actually controls it. The more independent factors the authentication system checks (something the person knows, has, or is), the stronger the authentication. Authorization systems pick up where authentication ends: they decide whether the authenticated identity is permitted to access specific data on the system in use, from the location it is being used. The more conditions used to validate that the identity may access and manipulate the data, the stronger the authorization system.

Because identity defines a relationship between a person and a process within an organization, identities have a life cycle. They are created when the relationship is established and must be renewed throughout the relationship through the rotation of factors such as a password, an encryption key, or the seed of a one-time-password generator.

Identities must also be disabled as required by policy, often with their factors removed or irrevocably altered so they cannot be used, and may be destroyed, like any other form of data, once they are no longer of use.
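The authentication/authorization split and the life-cycle transitions described above, as an added example that is not part of the guide. The role table, trusted-network list, factor names and the user `alice` are hypothetical; the one-time-password routine follows RFC 4226 (HOTP) and PBKDF2 is used for the password verifier:

```python
"""Added example (not from the guide): an identity life-cycle model in which
authentication (proof of control of the identity) and authorization (permission to
act on data, given the context) are separate decisions. Roles, factor names, the
network check and the user below are hypothetical."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical RBAC table: role -> {classification: allowed actions}
ROLE_PERMISSIONS = {
    "analyst": {"internal": {"read"}, "confidential": {"read"}},
    "payroll-admin": {"internal": {"read"}, "confidential": {"read", "write"},
                      "restricted": {"read", "write"}},
}
TRUSTED_NETWORKS = {"corp-vpn", "office"}   # where restricted data may be touched


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation; a TOTP client uses the time step as counter."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Identity:
    def __init__(self, user: str, roles):
        self.user = user
        self.roles = set(roles)
        self.state = "active"      # active -> disabled -> deleted
        self.factors = {}          # factor name -> verifier material

    # Factor enrolment and rotation: renewing the relationship over its life.
    def set_password(self, password: str):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.factors["password"] = (salt, digest)

    def enrol_otp(self, seed: bytes):
        self.factors["otp"] = seed

    # Life-cycle transitions: factors are destroyed, not merely flagged.
    def disable(self):
        self.state = "disabled"
        self.factors.clear()

    def delete(self):
        self.disable()
        self.roles.clear()
        self.state = "deleted"

    def check_password(self, password: str) -> bool:
        if "password" not in self.factors:
            return False
        salt, digest = self.factors["password"]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(probe, digest)

    def check_otp(self, code: str, counter: int) -> bool:
        seed = self.factors.get("otp")
        return seed is not None and hmac.compare_digest(hotp(seed, counter), code)


@dataclass
class Session:
    identity: Identity
    mfa: bool
    network: str


def authenticate(identity: Identity, password: str, otp: str | None, counter: int, network: str):
    """Return a Session only if the identity is active and every presented factor verifies."""
    if identity.state != "active" or not identity.check_password(password):
        return None
    mfa = otp is not None and identity.check_otp(otp, counter)
    if otp is not None and not mfa:
        return None                       # a wrong second factor is a failure, not a downgrade
    return Session(identity, mfa, network)


def authorize(session: Session, action: str, classification: str) -> bool:
    """Decide per request, so a disabled identity loses access even with a live session."""
    ident = session.identity
    if ident.state != "active":
        return False
    if classification == "restricted" and not (session.mfa and session.network in TRUSTED_NETWORKS):
        return False
    return any(action in ROLE_PERMISSIONS.get(r, {}).get(classification, set()) for r in ident.roles)


# Constructed walk-through (hypothetical user and seed).
alice = Identity("alice", ["payroll-admin"])
alice.set_password("correct horse battery staple")
alice.enrol_otp(b"\x01" * 20)
```

Two design points carry the page’s argument: `disable()` clears the factors rather than setting a flag, so a mistaken re-enable does not silently restore access, and `authorize()` re-reads the identity’s state on every request instead of trusting the session that was issued while it was active.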


My organization performs security awareness training.

Information security professionals recognize most attempts to circumvent the controls an organization maintains, but that awareness came only after a significant amount of training. Most people don’t have the time to learn as much about security as a security professional; after all, they need to master their own jobs.

The goal of awareness and training is to give employees enough information to make an informed decision about which emails to interact with, which phone calls to engage with, and which are attempts to defraud them and their organization.

Your employees need to be educated on selecting good cloud service providers and on using the procurement department to acquire those services. They will also need to be educated, with the cloud service provider’s help, on how to implement your organization’s part of the shared responsibility model and how to engage with the provider in the event of a security incident.

Some kinds of training use simulations to teach. These simulations behave like real attacks but are sponsored by the organization. Done well, they inform; done poorly, they can destroy the trust between an organization and its employees without teaching anything. Better programs reward correct responses instead of penalizing mistakes. A particular form of simulation, often called a breach simulation or cyber range, is used to educate executives and corporate boards on what an attack looks like.


My organization controls access to all its data and the entire data life cycle.

Data is one of your organization’s most important assets; even money is stored as data in its financial and banking systems. Ensuring the authorized access and use of data is among the most important things an information security professional must do, especially once that data is enriched with context and becomes information. Data in context is information; data about data is metadata. Metadata, data, and information all have tremendous value to an organization.

Some data is owned by the organization and some data is held in custody for others who own that data. Regardless, it all needs to be protected, which is the charter of the information security department.

Data security in the cloud starts with ensuring that the cloud provider encrypts data at rest and across all of its back-end networks. Then ask who holds the keys: if the provider can decrypt the data, it has full access to your data, which is exactly the concern addressed by the Cryptography, Encryption and Key Management (CEK) domain of the Cloud Security Alliance’s Cloud Controls Matrix. Ideally you will be able to encrypt the data with your own keys, though that is most readily achieved with an IaaS provider.


You should have access to logs that show who has had access to your data, when, and under what conditions. SaaS providers who claim to have problems providing those logs should be avoided where sensitive data or high-value assets are involved. Ensure this before you sign the contract, so that you always remain in control of your data.

The data life cycle must be fully managed even when data resides in the cloud. It is often harder to be sure that data has been destroyed when you rely on the cloud service provider to destroy it. Cloud service providers should also provide a means to recover your data in a standard format when the contract is terminated.


Detect



My organization centrally monitors all logs for security events and generates alerts.

The technology often used for this is a SIEM, or Security Information and Event Management system. When configured properly, all software should create an electronic ledger of the actions taken in its interactions with users and other systems. This ledger is called a log, and it tracks who did what, when, and with what result. Each log event should be explicit enough that a clear record can be played back, by a human or by software, to recreate exactly what was done.

Centralized log management (CLM) is the combination of process and technology that collects logs from all the software an organization runs and places them in a single location so that events across multiple systems can be tracked together. Log management software provides the means to query the logs for specific and related events and to follow them forward and backward in time. Logs are another kind of data and, as such, need to be managed as data; both the archiving and the deletion of logs are essential parts of a good log management program.

Getting logs from your cloud service providers is a particular challenge: the logs contain very sensitive data at tremendous volume and must be sent across the public network over encrypted transports. Not every SIEM can handle data at those volumes, and the logs are often in formats the SIEM does not support natively, which means you need the ability to customize parsing as well as the analysis and anomaly detection built on top of it.


Security continuous monitoring looks at events across multiple platforms, in logs and in network flows, for evidence that an event is malicious and therefore evidence of a security incident. Alerts can then be sent to the appropriate staff so that a response can be coordinated.

As the volume of logs and network flows is too large for humans to analyze every event, both machine learning and user behavior analytics are often used to screen events for anomalous behavior.

Centralized log management systems are also used to provide evidence of a crime, so their integrity and retention matter. They are commonly integrated with other defensive technologies such as ticketing systems, intrusion prevention systems, data leakage prevention systems, and security orchestration, automation, and response (SOAR) platforms to ensure effective incident management.


My organization uses threat intelligence.

While most information security controls look inward at the organization, threat intelligence looks outward at the entirety of the internet. There are places on the internet that cannot be found with normal search engines; some require authentication, others are simply hidden. This part of the internet is called the dark web. Threat intelligence aims to provide a view into what is happening there, revealing where stolen data is offered for sale, or where stolen credentials are made available, along with tools to exploit them, to customers who will attack organizations.

Threat intelligence is exchanged using specialized standards such as STIX (the data format) and TAXII (the transport). Contributors mark what they share using the Traffic Light Protocol (TLP) to indicate exactly how far the data may be redistributed across threat intelligence platforms. Threat intelligence may provide malware signatures, the IP addresses and email addresses of known malicious actors, and other indicators of compromise (IOCs). Threat intelligence makes other tools more effective.

Most good cloud service providers use threat intelligence to enrich their part of security event analysis, ensuring that they can respond quickly and effectively to attacks designed to compromise their ability to execute their responsibilities for your organization’s security.
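The points on the two previous pages (cloud logs arrive in formats the SIEM does not understand natively and must be normalized before they can be correlated) and on this page (indicators of compromise carry TLP markings that govern how far a finding may be shared), as one added example that is not code from the guide. The two log formats, the log lines, the per-user baseline and the indicator feed are constructed for illustration; the detection rule (a burst of failed logins followed by a success from the same address) is a common one but is only a sample:

```python
"""Added example (not from the guide): normalising two hypothetical cloud log formats
into one event schema, correlating them for a credential attack, and enriching the
alert with threat-intelligence indicators carried with TLP markings. All log lines,
indicators, users and addresses are constructed."""
from __future__ import annotations
import json
import re
from datetime import datetime, timedelta


# --- parsers: one per source format, each yielding the same normalised dict ----------
def parse_provider_a(line: str) -> dict:
    """Hypothetical provider A emits one JSON object per event."""
    raw = json.loads(line)
    return {"ts": datetime.strptime(raw["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": raw["actor"], "src_ip": raw["sourceIp"],
            "action": raw["event"], "ok": raw["result"] == "Success"}

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_provider_b(line: str) -> dict:
    """Hypothetical provider B emits a syslog-style key=value line."""
    ts_text, _host, _app, rest = line.split(" ", 3)
    kv = dict(KV_RE.findall(rest))
    return {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"], "src_ip": kv["ip"],
            "action": kv["action"], "ok": kv["status"] == "ok"}

def normalise(lines) -> list[dict]:
    events = [parse_provider_a(ln) if ln.startswith("{") else parse_provider_b(ln) for ln in lines]
    return sorted(events, key=lambda e: e["ts"])


# --- detection: a burst of failures followed by a success from the same address ------
def detect(events, baseline, window=timedelta(minutes=5), min_failures=3):
    alerts = []
    failures = {}     # (user, src_ip) -> timestamps of failed logins seen so far
    for e in events:
        if e["action"] != "login":
            continue
        key = (e["user"], e["src_ip"])
        if not e["ok"]:
            failures.setdefault(key, []).append(e["ts"])
            continue
        recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"rule": "failures-then-success", "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
        if e["src_ip"] not in baseline.get(e["user"], set()):
            alerts.append({"rule": "new-source-ip", "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
    return alerts


# --- threat-intelligence enrichment with Traffic Light Protocol (v2.0) markings ------
TLP_LEVEL = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "AMBER+STRICT": 3, "RED": 4}
AUDIENCE_LEVEL = {"public": 0, "sector-isac": 1, "clients": 2, "internal": 3}

def enrich(alerts, indicators):
    for a in alerts:
        ioc = indicators.get(a["src_ip"])
        if ioc:
            a["intel"] = ioc
    return alerts

def shareable(alert, audience: str) -> bool:
    """An alert may travel only as far as the marking on the intelligence it carries."""
    tlp = alert.get("intel", {}).get("tlp", "CLEAR")
    if tlp == "RED":                      # RED: named recipients only, never re-shared
        return False
    return AUDIENCE_LEVEL[audience] >= TLP_LEVEL[tlp]


# Constructed input: three failures then a success for alice from one address,
# and a routine login for bob from his usual address, in two different formats.
LOG_LINES = [
    '{"time":"2024-06-01T10:00:01Z","actor":"alice@example.com","sourceIp":"203.0.113.9","event":"login","result":"Failure"}',
    '{"time":"2024-06-01T10:00:07Z","actor":"alice@example.com","sourceIp":"203.0.113.9","event":"login","result":"Failure"}',
    '{"time":"2024-06-01T10:00:12Z","actor":"alice@example.com","sourceIp":"203.0.113.9","event":"login","result":"Failure"}',
    '{"time":"2024-06-01T10:00:30Z","actor":"alice@example.com","sourceIp":"203.0.113.9","event":"login","result":"Success"}',
    "2024-06-01T10:05:00Z saas-b auth user=bob@example.com ip=198.51.100.7 action=login status=ok",
]
BASELINE = {"alice@example.com": {"192.0.2.10"}, "bob@example.com": {"198.51.100.7"}}
INDICATORS = {"203.0.113.9": {"source": "sector feed", "tlp": "AMBER", "note": "credential-stuffing infrastructure"}}

def run():
    return enrich(detect(normalise(LOG_LINES), BASELINE), INDICATORS)
```

The parsers are deliberately the only provider-specific code: everything after `normalise()` works on one schema, which is what lets a single rule cover events from several clouds. The TLP check sits on the outbound path, so an analyst can see the AMBER-marked context internally while the same alert is withheld from a public or sector-wide report.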


My organization uses EDR/XDR/MDR.

The acronyms stand for endpoint detection and response, extended detection and response, and managed detection and response. Essentially this technology is the modern replacement for anti-malware, using machine learning or user behavior analytics to detect when malware downloads, installs, or activates.

In addition to alerting about an incident in progress, EDR/XDR/MDR software will sometimes initiate an automated response. This works to shut down the malware, isolate it so that it cannot execute again, roll back whatever it changed, and eliminate it from other machines where it may or may not have begun to activate.

MDR services have the added benefit of human analysts who monitor for malware that the automated response misses partially or fully, so that a person can step in and complete the response. These analysts can also roll back the actions of the system when machine learning or user behavior analytics mistakenly categorized unusual but benign activity as malicious.

Many EDR/XDR/MDR products are themselves cloud services whose management interface is an application hosted in the cloud. Such a service has two points of attack: the agents that run on your systems and the accounts your organization uses to manage the service. The EDR/XDR/MDR provider is responsible for the security of the agents and the platform, but the security of those management accounts remains with your organization.

EDR/XDR/MDR systems should write the logs of their actions and interactions into a centralized logging and alerting system such as a CLM or SIEM. This way an independent record of the system’s activities is maintained and retained according to the organization’s data retention policy.


Respond



My organization has a security incident response plan.

Regardless of how good an organization’s controls and tools may be, there will always be something that requires a human response. Having a prewritten plan for how to respond, drilled by the response team, allows your organization to respond effectively to any event that becomes an incident.

A good incident response plan will have guidance on how to triage an event to determine whether it is an incident; how to analyze an event to determine what happened, when, and how; a mechanism for fast response to a variety of event types; and prewritten communication templates to ensure fast and effective communication. The plan should also have a framework for post-event analysis of the response, so that lessons learned are captured and improvements made.

A security incident response plan is essential if your organization gets a call from its cloud service provider saying that it suffered a data breach or a ransomware infection and your data was involved.

Security incident response in the cloud requires negotiated handoffs between your organization and the service provider. These can be as simple as a data breach notification and as complex as a shared investigation. Better cloud providers will allow full access to the logs they use, so that an event can be managed and coordinated by both response teams.


My organization’s security incident response plan has predeveloped communications templates.

Regardless of the nature of the incident or disaster, few people can communicate complex issues effectively under the stress of an investigation. Predeveloped communication templates ensure that individuals know what to communicate, and to whom. As part of the incident response plan, they provide a means to inform senior management, customers, and staff about the events your organization is managing and how you are coordinating the response. You should also have a prewritten communication for the press, in case you need to respond to public disclosure of a data breach or ransomware attack.

The cloud service provider should know whom in your organization to contact in the event of a security incident, and should make you aware of any predeveloped communication mechanisms of its own, such as a portal for managing incidents and outages.


My organization’s security incident response plan mandates human-driven analysis of incidents.

While speed of response is a common success metric for an incident response capability, the ability to analyze an event effectively is crucial. Both machine learning and user behavior analytics can automate parts of the analysis of an incident, but neither has the capacity to collect and review all relevant details of every kind of event. Recognizing that the denial-of-service attack seen from one set of IP addresses was a smokescreen to hide data exfiltration to a different set of IP addresses is the kind of analysis that, for now, only humans can accomplish.

Analyzing events that transpired at the cloud provider requires access to its logs, as well as an understanding of the log format, the events that should be monitored, and the relationships between events that could be an indicator of compromise.


My organization automates an orchestrated response across disparate systems.

Security Orchestration, Automation, and Response (SOAR) is a technology that coordinates activities across disparate systems, so that a single event can drive changes on servers, networks, firewalls, applications, and web application firewalls together.

SOAR systems usually run complex workflows that automate parts of the incident response plan using inputs from both the EDR/XDR/MDR and the CLM/SIEM. The technology is unique in its ability to coordinate workflow-driven actions across all of an organization’s cloud service providers in response to an incident.
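One way to implement such a playbook, as an added example that is not part of the guide. The EDR, firewall, identity-provider and ticketing connectors are in-memory stand-ins for whatever APIs your own systems expose, the incident record is constructed, and the approval gate for privileged accounts is an assumed policy. What it shows is the part that matters when a real connector fails or a step needs a human decision: every other action still runs, the run is safe to repeat, and the ticket records what is left for a person to do.

```python
"""Added example (not from the guide): a SOAR-style playbook that turns one incident
into coordinated actions on an EDR, a firewall, an identity provider and a ticketing
system. The connectors are in-memory stand-ins, not any vendor's API."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable


class EDR:
    def __init__(self): self.isolated = set()
    def isolate(self, host): self.isolated.add(host)

class Firewall:
    def __init__(self, fail=False): self.blocked = set(); self.fail = fail
    def block(self, ip):
        if self.fail:
            raise ConnectionError("firewall API unreachable")   # simulated outage
        self.blocked.add(ip)

class IdP:
    def __init__(self): self.disabled = set()
    def disable(self, user): self.disabled.add(user)

class Ticketing:
    def __init__(self): self.tickets = []
    def open(self, title, body): self.tickets.append({"title": title, "body": body})


@dataclass
class Step:
    name: str
    run: Callable[[], None]
    needs_approval: bool = False


@dataclass
class Playbook:
    edr: EDR
    firewall: Firewall
    idp: IdP
    tickets: Ticketing
    privileged_users: set[str] = field(default_factory=set)  # disabling these needs a human decision
    done: set[str] = field(default_factory=set)               # idempotency: steps already applied

    def steps_for(self, incident) -> list[Step]:
        """Translate one alert into the action each system must take."""
        steps = [Step(f"isolate:{incident['host']}", lambda: self.edr.isolate(incident["host"]))]
        for ip in incident["attacker_ips"]:
            steps.append(Step(f"block:{ip}", lambda ip=ip: self.firewall.block(ip)))
        u = incident["user"]
        steps.append(Step(f"disable:{u}", lambda: self.idp.disable(u),
                          needs_approval=u in self.privileged_users))
        return steps

    def run(self, incident, approved: set[str] = frozenset()) -> dict[str, str]:
        """Execute every step and record the outcome; one failing system must not stop the rest."""
        results = {}
        for step in self.steps_for(incident):
            if step.name in self.done:
                results[step.name] = "already-done"
                continue
            if step.needs_approval and step.name not in approved:
                results[step.name] = "pending-approval"
                continue
            try:
                step.run()
                self.done.add(step.name)
                results[step.name] = "done"
            except Exception as exc:          # deliberately broad: keep orchestrating
                results[step.name] = f"failed: {exc}"
        needs_human = [k for k, v in results.items() if v.startswith("failed") or v == "pending-approval"]
        self.tickets.open(f"Incident {incident['id']}", {"results": results, "needs-human": needs_human})
        return results


# Constructed incident (hypothetical identifiers and addresses).
INCIDENT = {"id": "INC-1042", "host": "host-17", "user": "alice",
            "attacker_ips": ["203.0.113.9", "203.0.113.10"]}

def demo(firewall_down=False, approved=frozenset()):
    pb = Playbook(EDR(), Firewall(fail=firewall_down), IdP(), Ticketing(), privileged_users={"alice"})
    return pb, pb.run(INCIDENT, approved)
```

Re-running the playbook after an analyst approves the account disable only performs the outstanding step; the completed isolation and blocks are reported as already done rather than repeated, which is what makes it safe to trigger the same workflow from both the EDR and the SIEM.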


Recover



My organization leverages cloud-hosted data storage.

Cloud-hosted data storage is essentially an external storage device, hosted by a third party, to which data can be written and read with much the same speed and flexibility as a local drive. These systems are enormously capable, offering voluminous storage and the ability to share data across organizational boundaries. A key feature of cloud-hosted data storage is the ability to roll back changes by keeping earlier versions of each file.

Cloud-hosted data storage can detect the pattern of sudden bulk changes to files being encrypted by ransomware, alert you to the problem, and facilitate a roll back to a known good state. Be aware, however, that cloud-hosted storage can also be the mechanism through which ransomware spreads from system to system and from organization to organization: a synced folder carries the encrypted files, and anything malicious dropped alongside them, to every endpoint that shares it.

Cloud-hosted storage can be both the means to recover swiftly from ransomware and the root cause of the infection. As a data repository, it needs proper management.
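The detection and rollback described above, as an added example that is not part of the guide. The versioned store is a stand-in for a cloud bucket or drive with object versioning turned on, the file names and timestamps are constructed, and the entropy threshold and burst size are assumptions to be tuned against your own data:

```python
"""Added example (not from the guide): a versioned object store stand-in that detects
the burst of high-entropy overwrites typical of ransomware and rolls the affected
objects back to their last good version. Files and timestamps are constructed."""
from __future__ import annotations
import hashlib
import math
from collections import Counter, defaultdict


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class VersionedStore:
    """Each put keeps the previous version, which is what makes rollback possible."""
    def __init__(self):
        self.versions = defaultdict(list)     # path -> [(ts, data), ...] oldest first

    def put(self, path: str, data: bytes, ts: int):
        self.versions[path].append((ts, data))

    def get(self, path: str) -> bytes:
        return self.versions[path][-1][1]

    def suspicious_writes(self, threshold: float = 7.0):
        """Writes that replaced low-entropy content with high-entropy content, as (ts, path)."""
        out = []
        for path, vs in self.versions.items():
            for (_t0, old), (t1, new) in zip(vs, vs[1:]):
                if entropy(old) < threshold <= entropy(new):
                    out.append((t1, path))
        return sorted(out)

    def detect_mass_encryption(self, window: int = 60, min_files: int = 10):
        """Return (start_ts, paths) for the first burst of suspicious writes, else None."""
        writes = self.suspicious_writes()
        for i, (t, _) in enumerate(writes):
            burst = [p for (u, p) in writes[i:] if u - t <= window]
            if len(burst) >= min_files:
                return t, sorted(set(burst))
        return None

    def rollback(self, paths, before_ts: int) -> list[str]:
        """Re-publish the newest version older than before_ts as a new version (history kept)."""
        restored = []
        for path in paths:
            good = [v for v in self.versions[path] if v[0] < before_ts]
            if good:
                self.put(path, good[-1][1], self.versions[path][-1][0] + 1)
                restored.append(path)
        return restored


def ciphertext_like(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy filler standing in for ransomware output."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(size // 32))


def build_scenario() -> VersionedStore:
    """Constructed history: a normal working day, then 15 files overwritten in 15 seconds."""
    store = VersionedStore()
    for i in range(20):
        store.put(f"finance/report-{i:02}.txt", f"Quarterly report {i}\n".encode() * 100, ts=1_000 + i * 300)
    for i in range(15):
        store.put(f"finance/report-{i:02}.txt", ciphertext_like(b"ransom" + bytes([i])), ts=20_000 + i)
    return store


if __name__ == "__main__":
    store = build_scenario()
    hit = store.detect_mass_encryption()
    if hit:
        start, paths = hit
        print(f"burst at t={start}: {len(paths)} files; restored {len(store.rollback(paths, start))}")
```

Rollback writes the good content as a new version rather than deleting the encrypted one, so the evidence of the attack survives for the investigation and the restore is itself auditable. The five untouched reports are left alone, which is why the detector returns the affected paths rather than a single flag.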


My organization has service level agreements with its third parties.

Organizations outsource to third parties, such as cloud service providers, because those providers have expertise in a particular function that would be too expensive to develop and maintain internally. The expectation is that both utility and availability will be of the highest quality. To ensure this, your organization should negotiate a service level agreement (SLA) that includes a mechanism for monitoring the provider’s adherence to it. Most contracts specify a penalty for violating the agreement.

Not formally part of the SLA, but standing behind it, is the service provider’s comprehensive ability to recover quickly and effectively from even the worst disasters. It is common to bind the provider’s disaster recovery and business continuity plans into the contract as the ultimate expression of the service level agreement.


My organization uses IaaS failover zones and regions.

Organizations that provide Infrastructure as a Service specialize in keeping their services up regardless of failures at any location across the globe. If clients use the services properly, whatever they run on that infrastructure should also survive a disaster. One of the primary reasons organizations have been abandoning their own infrastructure and migrating to the cloud is the ability to manage the risk of their business plans being interrupted by a disaster.

Cloud service providers offer their customers a variety of techniques to keep running in the event of a disaster. In the end, the services run in data centers, and any data center can have an outage. Most IaaS providers group data centers near each other within a region, as availability zones, to allow fast failover from one center to another with minimal change to how the application works. Because a whole region may be affected by a storm, IaaS providers also offer other regions with similar clusters of data centers. These regions are far enough apart to survive large storms and other regional disasters, so more preparation is needed on the customer’s part to ensure that the application will run in another region. The failover technologies used are often similar to those used between traditional data centers: data is replicated to a database in the remote region, where servers with the application preloaded stand ready to be spun up. As with legacy data centers, the databases send data changes to each other, with application systems writing into this geographically dispersed cluster from across the globe.
