<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description></description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Sat, 13 Jun 2026 17:32:50 GMT</lastBuildDate>
        <link>https://searchcloudsecurity.techtarget.com</link>
        <managingEditor>editor@techtarget.com</managingEditor>
        <item>
            <body>&lt;p&gt;Cloud containers are a hot topic, especially in security. Technology giants Microsoft, Google and Facebook all use them. Google uses containers for everything it runs, totaling several billion each week.&lt;/p&gt; 
&lt;p&gt;The past decade has seen containers anchoring a growing number of production environments. This shift reflects the modularization of &lt;a href="https://www.techtarget.com/searchitoperations/definition/DevOps"&gt;DevOps&lt;/a&gt;, enabling developers to adjust separate features without affecting the entire application. Containers promise a streamlined, easy-to-deploy and secure method to implement specific infrastructure requirements and are a lightweight alternative to VMs.&lt;/p&gt; 
&lt;p&gt;Let's examine the evolution of containers and discuss why cloud container security can't be overlooked.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How do cloud containers work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How do cloud containers work?&lt;/h2&gt;
 &lt;p&gt;Container technology's roots were based on partitioning and chroot process isolation developed as part of Linux. Modern containers are expressed in &lt;a href="https://www.techtarget.com/searchitoperations/definition/application-containerization-app-containerization"&gt;application containerization&lt;/a&gt;, such as &lt;a href="https://www.techtarget.com/searchitoperations/definition/Docker"&gt;Docker&lt;/a&gt;, and in system containerization, such as Linux containers (LXC). Both enable IT teams to abstract application code from the underlying infrastructure as they work to simplify version management and enable portability across various deployment environments.&lt;/p&gt;
 &lt;p&gt;Containers rely on virtual isolation to deploy and run applications that access a shared OS kernel without the need for VMs. Because they hold all the necessary components -- files, libraries and environment variables -- containers run desired software without worrying about platform compatibility. The host OS constrains the container's access to physical resources, so a single container cannot consume all of a host's physical resources.&lt;/p&gt;
 &lt;p&gt;The key thing to recognize with cloud containers is they are designed to virtualize a single application. Consider a MySQL container. It provides a virtual instance of that application and that is all it does. Containers create an isolation boundary at the application level rather than at the server level. If anything goes wrong in that single container -- for example, excessive resource consumption by a process -- it only affects that individual container, not the whole VM or whole server. It also eliminates compatibility problems between containerized applications that reside on the same OS.&lt;/p&gt;
 &lt;p&gt;Major cloud vendors offer &lt;a href="https://www.techtarget.com/searchitoperations/definition/Containers-as-a-Service-CaaS"&gt;containers as a service&lt;/a&gt;, such as Amazon Elastic Container Service, AWS Fargate, Google Kubernetes Engine, Microsoft Azure Container Instances, Azure Kubernetes Service and Oracle Cloud Infrastructure Kubernetes Engine. Containers can also be deployed on public or private cloud infrastructure without the use of dedicated products from a cloud vendor.&lt;/p&gt;
 &lt;p&gt;Containers are deployed in two ways: by creating an image to run in a container, or by downloading a pre-created image, such as those available on Docker Hub. Docker -- originally built on LXC -- is by far the largest and most popular container platform. Although alternatives exist, Docker has become synonymous with containerization.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Cloud container use cases"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud container use cases&lt;/h2&gt;
 &lt;p&gt;Enterprises use containers in a variety of ways to reduce costs and improve the reliability of software. Among the most common and beneficial are the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Microservices architecture.&lt;/b&gt; Containers are ideal for microservices-based application development, where apps are broken into smaller, independently deployable services. This improves scalability and simplifies development cycles. Kubernetes &lt;a href="https://www.techtarget.com/searchitoperations/tip/Kubernetes-automation-Use-cases-and-tools-to-know"&gt;orchestrates the deployment, scaling, and management&lt;/a&gt; of these services, enabling enterprises to deploy updates with minimal downtime.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Hybrid and multi-cloud deployments.&lt;/b&gt; Containers enable cloud-agnostic portability, letting enterprises run the same workloads across AWS, Azure, Google Cloud Platform or on-premises without changes to the application. This supports disaster recovery, cost optimization and vendor neutrality strategies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;DevOps and continuous integration/continuous delivery automation.&lt;/b&gt; Enterprises use containers in CI/CD pipelines to ensure consistency from development to production. Containers enable developers to test in isolated environments that mirror production, reducing bugs and streamlining integration and deployment workflows.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Legacy application modernization.&lt;/b&gt; Many enterprises use containers to refactor legacy monolithic applications into more agile and maintainable services. By containerizing older apps, organizations can incrementally modernize their infrastructure without full rewrites.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Edge and IoT deployments.&lt;/b&gt; Containers can be deployed at the edge for use cases such as IoT, manufacturing and retail. Container runtimes such as K3s (lightweight Kubernetes) help IT staff support orchestration at the edge with limited resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security and policy enforcement.&lt;/b&gt; By containerizing applications, enterprises can enforce &lt;a href="https://www.techtarget.com/searchitoperations/tip/Apply-policy-as-code-best-practices-to-reap-benefits"&gt;policy as code&lt;/a&gt; using services like Open Policy Agent and manage runtime security through integrations with cloud workload protection platforms (&lt;a href="https://www.techtarget.com/searchsecurity/definition/cloud-workload-protection-platform-CWPP"&gt;CWPPs&lt;/a&gt;) and cloud-native application protection platform (CNAPP) tools.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Cloud containers vs. VMs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud containers vs. VMs&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/Why-should-I-use-Docker-containers-vs-VMs-for-my-cloud-apps"&gt;Compared with VMs&lt;/a&gt;, container deployments consume only a minimal amount of resources. Unlike VMs, they don't need a full OS to be installed within the container, and they don't need a virtual copy of the host server's hardware.&lt;/p&gt;
 &lt;p&gt;Containers need only minimal resources to perform the task they were designed for -- a few pieces of software, libraries and the basics of an OS. As a result, enterprises can deploy two to three times as many containers on a server as VMs, and they can be spun up much faster than VMs.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/windows_server-virtual_machines_vs_containers.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/windows_server-virtual_machines_vs_containers_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/windows_server-virtual_machines_vs_containers_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/windows_server-virtual_machines_vs_containers.png 1280w" alt="Graphic explaining the differences between cloud containers and VMs" height="380" width="560"&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Benefits of containers"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of containers&lt;/h2&gt;
 &lt;p&gt;Cloud containers are portable. Once a container has been created, it can easily be deployed to different servers. From a software lifecycle perspective, this enables enterprises to quickly copy containers to create environments for development, testing, integration and production. From a software and security testing perspective, this ensures the underlying OS is not causing a difference in the test results.&lt;/p&gt;
 &lt;p&gt;Containers also offer a more dynamic environment. IT can scale up and down more quickly based on demand, keeping resources in check.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Challenges of containers"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges of containers&lt;/h2&gt;
 &lt;p&gt;One downside of containers is the issue of splitting the virtualization into a lot of smaller chunks. When there are just a few containers involved, it's an advantage because the team knows exactly what configuration it is deploying and where. If, however, the organization fully invests in containers, it's quite possible to have so many containers that they become difficult to manage. Imagine &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Use-this-10-step-patch-management-process-to-ensure-success"&gt;deploying patches&lt;/a&gt; to hundreds of different containers. Without an easy process, updating a specific library or package inside a container image due to a security vulnerability can be difficult.&lt;/p&gt;
 &lt;p&gt;Container management is often a constant headache, even using systems such as Docker that aim to provide IT with easier orchestration.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Cloud container security risks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud container security risks&lt;/h2&gt;
 &lt;p&gt;While containers offer many advantages, they also introduce unique security risks that enterprises must address. The ephemeral and dynamic nature of containers demands a modern security approach that is proactive, automated and integrated into DevOps workflows. The following are some of the key risks that organizations should prioritize with cloud containers:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Vulnerable images.&lt;/b&gt; Containers are built from images, which often include system libraries, runtime dependencies and custom code. Many enterprises use public base images from registries such as Docker Hub, which could contain unpatched vulnerabilities or malware. Organizations should scan images continuously, use signed and verified sources, and establish image allowlists to ensure all builds are secure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Container escape.&lt;/b&gt; Containers are isolated, but not impenetrable. A container breakout occurs when a malicious actor escapes the container runtime to access the host OS. This risk is elevated if containers run with &lt;a href="https://www.techtarget.com/searchsecurity/tip/6-ways-to-prevent-privilege-escalation-attacks"&gt;privileged access&lt;/a&gt; or root permissions. Mitigations include running containers as non-root users, using kernel security modules, such as AppArmor and SELinux, and deploying sandboxed runtimes, such as gVisor or Kata Containers. In cloud environments, some of these mitigations might be difficult or impossible to apply because the customer does not control the host's configuration.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Secrets exposure.&lt;/b&gt; Storing credentials, API keys or tokens inside containers or environment variables poses significant risk. If compromised, attackers could gain access to databases, cloud resources or internal assets and services. Best practices include using secret management tools, such as HashiCorp Vault or AWS Secrets Manager, and avoiding hardcoded secrets in images or Git repositories.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Supply chain attacks.&lt;/b&gt; Containers are part of a broader software supply chain that includes code, images, pipelines, registries and CI/CD tooling. Attackers can exploit vulnerabilities in this chain to inject malicious code or compromise deployments. Mitigation requires enforcing code signing and image integrity, using software bills of materials where possible to track dependencies, and monitoring for anomalies in build pipelines.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Runtime threats.&lt;/b&gt; Once deployed, containers remain vulnerable to attacks, including reverse shells, cryptomining malware and lateral movement in Kubernetes clusters. Security teams should deploy runtime protection tools -- most CNAPP and CWPP platforms prioritize this functionality -- that monitor system calls, container behavior and network activity to detect and stop threats in real time.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Misconfigured orchestration.&lt;/b&gt; Misconfigurations in Kubernetes or other orchestrators are among the top container security risks. Common mistakes include exposing Kubernetes dashboards and APIs to the internet, running default or weak authentication settings and granting broad cluster roles to service accounts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Insufficient network segmentation.&lt;/b&gt; Containers often communicate across virtual networks in a cluster. Without proper network policies, any compromised container could potentially facilitate attackers moving laterally. Enforce least privilege using Kubernetes network policies, Calico or service meshes, such as Istio, to limit connectivity.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Cloud container security best practices"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud container security best practices&lt;/h2&gt;
 &lt;p&gt;Once cloud containers became popular, the focus turned to how to keep them secure. Consider the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Set access privileges.&lt;/b&gt; Docker containers once had to run as a privileged user on the underlying OS. If key parts of the container were compromised, root or administrator access could potentially be obtained on the underlying OS, or vice versa. Today, Docker supports user namespaces, which enable containers to run as specific users.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Deploy rootless containers.&lt;/b&gt; These containers add an &lt;a href="https://www.techtarget.com/searchitoperations/tip/Dockers-rootless-mode-a-welcome-security-update"&gt;additional security layer&lt;/a&gt; because they do not require root privileges. Therefore, if a rootless container is compromised, the attacker will not gain root access. Another benefit of rootless containers is that different users can run containers on the same endpoint. Docker currently supports rootless containers, but Kubernetes does not.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Consider image security.&lt;/b&gt; Pay attention to the security of images downloaded from public repositories, such as Docker Hub. By downloading a community-developed image, the security of a container cannot necessarily be guaranteed. Images can be scanned for vulnerabilities. This step can provide some assurance, but its verification processes might not be thorough enough if you are using containers for particularly sensitive applications. In this case, it would be sensible to create the image yourself to ensure your security policies have been enforced and updates are made regularly. Note, however, that company-made images are only as secure as employees make them. Proper training for those creating images is critical.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Monitor containers.&lt;/b&gt; Treat containers for sensitive production applications in the same way as any other deployment when it comes to security. If a container starts acting oddly or consuming more resources than necessary, it's easy enough to shut it down and restart it. It's not quite a &lt;a href="https://www.techtarget.com/searchnetworking/tip/The-role-of-network-sandboxing-and-testing"&gt;sandbox&lt;/a&gt;, but containers provide a way to keep untrusted applications separate and unaware of other applications on the endpoint.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Prioritize security threats and vulnerabilities.&lt;/b&gt; Follow container and cloud container security best practices and be aware of container security vulnerabilities and attacks. Proper deployment and management are key. Regularly scan containers to ensure images and active containers remain updated and secure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Do not forget the security of the server hosting the containers.&lt;/b&gt; If your organization is using a cloud container provider, that company is responsible for operating, patching and hardening the service.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;One final point: Although containers are a newer technology, this doesn't mean &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-cybersecurity-best-practices-and-tips-for-businesses"&gt;traditional security policies and procedures&lt;/a&gt; shouldn't be applied.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Rob Shapland, Ben Cole and Kyle Johnson previously contributed to this article.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Containers are an integral part of a growing number of production environments. But they can become security risks if not managed correctly.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchCloudSecurity/architecture/cloudsecurity_article_003.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/What-are-cloud-containers-and-how-do-they-work</link>
            <pubDate>Fri, 12 Dec 2025 09:00:00 GMT</pubDate>
            <title>Guide to cloud container security risks and best practices</title>
        </item>
        <item>
            <body>&lt;p&gt;A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises &lt;a href="https://www.techtarget.com/searchdatacenter/definition/infrastructure"&gt;infrastructure&lt;/a&gt; and a &lt;a href="https://www.techtarget.com/searchitchannel/definition/cloud-service-provider-cloud-provider"&gt;cloud provider's&lt;/a&gt; infrastructure. A CASB tool provides a unified and consistent method of delivering cloud security for an organization to access cloud resources.&lt;/p&gt; 
&lt;p&gt;CASBs are designed to combine and enforce an organization's &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-policy"&gt;security policies&lt;/a&gt; when accessing cloud-based resources. They help prevent potential threats that can occur when an organization adds cloud-based networking to its IT infrastructure. CASBs are particularly important for maintaining data security, compliance and threat protection.&lt;/p&gt; 
&lt;p&gt;CASBs combine security policies, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/authentication"&gt;authentication&lt;/a&gt;, authorization, role-based access control, credential mapping, &lt;a href="https://www.techtarget.com/searchsecurity/definition/encryption"&gt;encryption&lt;/a&gt;, logging and &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; detection. A CASB tool sits between on-premises infrastructure and the cloud, ensuring that all traffic sent to the cloud complies with security policies before being sent, minimizing the security risk.&lt;/p&gt; 
&lt;p&gt;CASBs are available as on-premises and cloud-based software, as well as software as a service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service"&gt;SaaS&lt;/a&gt;).&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How does a CASB work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does a CASB work?&lt;/h2&gt;
 &lt;p&gt;CASBs ensure network traffic between on-premises devices and the cloud provider complies with an organization's security policies, such as controlling access and identifying suspicious activity.&lt;/p&gt;
  &lt;p&gt;The value of cloud security brokers stems from their ability to deliver &lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/Ways-to-use-AI-for-cloud-infrastructure-management"&gt;insight into cloud application use&lt;/a&gt; across cloud platforms and identify unsanctioned use. This is especially important in regulated industries.&lt;/p&gt;
  &lt;p&gt;CASBs work through a three-step process: discovery, classification and remediation. The discovery step identifies in-use cloud applications, the classification step assesses each application and assigns it a risk factor, and the remediation step identifies and resolves detected threats based on the organization's security policy.&lt;/p&gt;
 &lt;p&gt;CASBs use auto-discovery to identify cloud applications in use, high-risk applications, high-risk user devices and other key risk factors. Cloud access security brokers enforce several different security access controls, including encryption and device profiling. They can also provide other services, such as credential mapping when single sign-on (&lt;a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on"&gt;SSO&lt;/a&gt;) isn't available and &lt;a href="https://www.techtarget.com/whatis/definition/threat-intelligence-cyber-threat-intelligence"&gt;threat intelligence&lt;/a&gt;.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/cloud_security-casb_cloud_access_security_broker.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/cloud_security-casb_cloud_access_security_broker_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/cloud_security-casb_cloud_access_security_broker_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/cloud_security-casb_cloud_access_security_broker.jpg 1280w" alt="Diagram of a Cloud Access Security Broker." height="297" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;CASBs sit between an organization's on-premises software and a cloud service infrastructure.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="4 pillars of CASB"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4 pillars of CASB&lt;/h2&gt;
 &lt;p&gt;A CASB acts as a gatekeeper, enabling organizations to extend the reach of their security policies beyond their own infrastructure.&lt;/p&gt;
 &lt;p&gt;The core components of a CASB are the following:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Visibility.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/feature/Security-observability-vs-visibility-and-monitoring"&gt;Visibility&lt;/a&gt; is an important aspect of creating a secure environment. In a cloud environment, organizations typically have limited visibility and insight into the cloud provider's underlying infrastructure. CASBs improve visibility for cloud usage with access logs that provide insights on corporate cloud infrastructure and attempted attacks. CASBs can also help detect instances of &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/shadow-IT-shadow-information-technology"&gt;shadow IT&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compliance.&lt;/b&gt; Different regional regulations, such as the Health Insurance Portability and Accountability Act (&lt;a href="https://www.techtarget.com/searchhealthit/definition/HIPAA"&gt;HIPAA&lt;/a&gt;) or the General Data Protection Regulation (&lt;a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR"&gt;GDPR&lt;/a&gt;), mean organizations must make sure their cloud provider complies with any regulations that might apply to the organization and its customers. CASBs define strict access controls to help comply with data regulations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Threat protection.&lt;/b&gt; Employees might unintentionally introduce malware-based threats to cloud-based services. A CASB tool can detect and prevent potential threats. Any file upload, for example, can be inspected before it's sent to the cloud.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Data security.&lt;/b&gt; CASBs provide &lt;a href="https://www.techtarget.com/searchsecurity/Data-security-guide-Everything-you-need-to-know"&gt;data security&lt;/a&gt; through access management and data loss prevention (&lt;a href="https://www.techtarget.com/whatis/definition/data-loss-prevention-DLP"&gt;DLP&lt;/a&gt;) processes that help secure an organization's cloud-based data.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/cloud_computing-casb_core_features.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/cloud_computing-casb_core_features_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/cloud_computing-casb_core_features_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/cloud_computing-casb_core_features.png 1280w" alt="Chart outlining the four core features of cloud access security brokers." height="314" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A CASB tool provides four core security features to users.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Key benefits of a CASB"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Key benefits of a CASB&lt;/h2&gt;
 &lt;p&gt;The principal benefit of a CASB is that it facilitates secure connections between users and cloud services. To achieve a secure environment, CASBs offer the following features:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Authentication to check users' credentials and ensure they only access appropriate company resources -- this is meant to complement identity and access management (&lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt;) tools.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/Web-application-firewall-WAF"&gt;Web application firewalls&lt;/a&gt; to thwart malware designed to breach security at the application level rather than at the network level.&lt;/li&gt; 
  &lt;li&gt;DLP to ensure users cannot transmit sensitive information outside the organization.&lt;/li&gt; 
  &lt;li&gt;Shadow IT discovery to identify all unauthorized cloud applications in use and to evaluate the risks associated with each.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;Access control&lt;/a&gt; to set restrictions on what users can see and do within company applications, helping users gain access to the resources they need.&lt;/li&gt; 
  &lt;li&gt;Visibility features to identify all the cloud services being used within an organization and offer user and data activity monitoring.&lt;/li&gt; 
  &lt;li&gt;Threat protection features, which include &lt;a href="https://www.darkreading.com/cyberattacks-data-breaches/behavioral-analytics-cybersecurity-who-benefits-most"&gt;behavioral analytics&lt;/a&gt; and malware detection to help restrict access by &lt;a href="https://www.techtarget.com/whatis/definition/threat-actor"&gt;threat actors&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Challenges of using a CASB"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges of using a CASB&lt;/h2&gt;
 &lt;p&gt;Despite the many important benefits of a CASB, a few challenges need to be considered.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Difficulty identifying devices not in a corporate infrastructure.&lt;/li&gt; 
  &lt;li&gt;Integration issues with other tools such as Zero Trust Network Access (ZTNA) or software-defined WAN (&lt;a href="https://www.techtarget.com/searchnetworking/definition/SD-WAN-software-defined-WAN"&gt;SD-WAN&lt;/a&gt;).&lt;/li&gt; 
  &lt;li&gt;Potential difficulty integrating CASB into an existing infrastructure.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Use cases for CASBs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Use cases for CASBs&lt;/h2&gt;
 &lt;p&gt;CASB tools have evolved to include, or work alongside, other IT security services -- although some vendors still offer standalone tools. CASBs are particularly useful in organizations with &lt;a href="https://www.techtarget.com/searchcio/tip/What-are-the-pros-and-cons-of-shadow-IT"&gt;shadow IT operations&lt;/a&gt; or liberal security policies that allow operating units to procure and manage their own cloud resources.&lt;/p&gt;
 &lt;p&gt;Potential uses for CASB tools include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Data security.&lt;/b&gt; CASBs collect and configure granular access to data. DLP features also enable users to protect &lt;a href="https://www.techtarget.com/whatis/definition/sensitive-information"&gt;sensitive data&lt;/a&gt; that is transferred to or from a cloud service.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Protection against malware.&lt;/b&gt; CASBs can protect against cloud-based malware threats that users might accidentally introduce to the environment.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Monitoring.&lt;/b&gt; CASBs can continuously monitor users by activity, application, cloud service usage and identity. CASBs can also be used for budgeting purposes.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compliance.&lt;/b&gt; Organizations can use CASBs to assess &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/compliance"&gt;compliance&lt;/a&gt; with security, regulatory and legal standards.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud application usage tracking.&lt;/b&gt; CASBs can provide a way to view cloud application usage, making it easier to identify abuse and usage patterns.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User behavior analytics (UBA).&lt;/b&gt; Usage tracking serves as a foundation for more sophisticated behavior tracking, as the same data is subjected to more detailed analysis.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Integrations.&lt;/b&gt; CASBs can integrate with other tools, such as firewalls, IAM and &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-endpoint-security-How-does-it-work"&gt;endpoint security&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Inline vs. API-based CASBs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Inline vs. API-based CASBs&lt;/h2&gt;
 &lt;p&gt;CASBs can be based on an inline proxy or an application programming interface (&lt;a href="https://www.techtarget.com/searchapparchitecture/definition/application-program-interface-API"&gt;API&lt;/a&gt;). Each provides the necessary security to protect the data heading to a cloud service.&lt;/p&gt;
 &lt;p&gt;Before data traffic reaches a cloud vendor, an inline proxy-based CASB captures the transaction and provides the required security protection. The proxy helps facilitate the CASB connection. It is also the way early CASBs handled data traffic.&lt;/p&gt;
 &lt;p&gt;API-based CASBs, by contrast, deliver security activities on data heading to the cloud through APIs already in place in SaaS cloud services. This way, a separate arrangement for handling proxies can be eliminated.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Cloud access security broker vendors and resources"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud access security broker vendors and resources&lt;/h2&gt;
 &lt;p&gt;There are numerous vendors that provide CASBs. The following is just a sample of vendors and tools in the cloud access security space:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Broadcom Symantec CloudSOC CASB.&lt;/b&gt; The system provides tools for ensuring compliance, DLP and a variety of &lt;a href="https://www.techtarget.com/searchbusinessanalytics/definition/business-analytics-BA"&gt;analytics&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cisco Cloudlock.&lt;/b&gt; An API-based CASB that uses &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML"&gt;machine learning&lt;/a&gt; for threat identification.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Forcepoint CASB.&lt;/b&gt; Provides services including behavior analysis and enforcement of security policies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Fortinet FortiCASB.&lt;/b&gt; Cloud-native service that delivers security, threat detection, visibility and compliance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Lookout CASB (now Fortra CASB).&lt;/b&gt; Secure access controls and extensive threat protection.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Microsoft Defender for Cloud Apps.&lt;/b&gt; Integrates with Microsoft 365 and Azure, providing a wide range of security features.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Netskope One CASB.&lt;/b&gt; Delivers visibility into cloud environments, DLP and protection from cyberthreats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Palo Alto Networks Prisma Cloud.&lt;/b&gt; Driven by &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-Artificial-Intelligence"&gt;AI&lt;/a&gt;, delivers consistent security across cloud activities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Proofpoint CASB.&lt;/b&gt; Integrates with email security elements and detects potential breaches.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Skyhigh CASB.&lt;/b&gt; Provides support for compliance and delivers advanced threat protection and access management.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Zscaler CASB.&lt;/b&gt; Delivers inline and API-based CASB support using a &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero-trust security framework&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/STv9iiJXZdo?si=k33SgdF1rZE_YnoV?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://searchcloudsecurity.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
 &lt;p&gt;To meet the needs of infrastructure-as-a-service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Infrastructure-as-a-Service-IaaS"&gt;IaaS&lt;/a&gt;) and platform-as-a-service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Platform-as-a-Service-PaaS"&gt;PaaS&lt;/a&gt;) users, CASB vendors have added or expanded functionality for security tasks, such as the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Single sign-on.&lt;/b&gt; Enables employees to enter their credentials one time and access several applications.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Encryption.&lt;/b&gt; Encrypts information from the moment it's created until it's &lt;a href="https://www.techtarget.com/searchstorage/definition/data-at-rest"&gt;at rest&lt;/a&gt; in the cloud.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compliance reporting tools.&lt;/b&gt; Ensures the company's security systems &lt;a href="https://www.techtarget.com/searchcio/tip/Top-cloud-compliance-standards-and-how-to-use-them"&gt;comply with corporate policies and government regulations&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User behavior analytics.&lt;/b&gt; Identifies aberrant behavior that could indicate an attack or data breach.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Future of CASB in SASE"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Future of CASB in SASE&lt;/h2&gt;
 &lt;p&gt;CASBs will continue to be adopted in secure access service edge (&lt;a href="https://www.techtarget.com/searchnetworking/definition/Secure-Access-Service-Edge-SASE"&gt;SASE&lt;/a&gt;) architectures. SASE is a cloud architecture model that bundles network and cloud-native security technologies to deliver them as a single cloud service. A SASE solution helps an organization unify its network and security tools in one management console. These tools typically bundle SD-WANs with network security measures, such as &lt;a href="https://www.techtarget.com/searchnetworking/definition/firewall-as-a-service-FWaaS"&gt;firewall as a service&lt;/a&gt;, secure web gateways, zero-trust network access and CASBs.&lt;/p&gt;
 &lt;p&gt;CASBs are commonly included in SASE tools, as they provide the access control, policy enforcement, threat prevention and visibility features that are essential to protecting cloud-based resources. Alongside other security and cybersecurity services, CASB solutions will likely become a core component of SASE architectures.&lt;/p&gt;
 &lt;p&gt;The future of CASBs also depends on the growth and severity of &lt;a href="https://www.techtarget.com/whatis/34-Cybersecurity-Statistics-to-Lose-Sleep-Over-in-2020"&gt;cyberthreats&lt;/a&gt;, such as ransomware; their ability to comply with key regulations, such as the GDPR, HIPAA and CCPA; and their ways of managing deployment costs.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Learn more about &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchnetworking/The-complete-Secure-Access-Service-Edge-SASE-guide"&gt;&lt;i&gt;SASE and its use cases, as well as benefits and issues&lt;/i&gt;&lt;/a&gt;&lt;i&gt; it presents for organizations.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchcloudcomputing/definition/cloud-access-security-broker-CASB</link>
            <pubDate>Wed, 15 Oct 2025 09:00:00 GMT</pubDate>
            <title>What is a cloud access security broker (CASB)?</title>
        </item>
        <item>
            <body>&lt;p&gt;Moving an application to the cloud presents special challenges. There's no guarantee it will perform as it did on-premises and all its functions will work the same. Also, the cloud has its own scalability, integration and security characteristics that must be accounted for. As a result, application testing is a critical part of any cloud migration.&lt;/p&gt; 
&lt;p&gt;A formalized framework can help IT teams build out a &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-migration"&gt;cloud migration&lt;/a&gt; testing strategy and ensure that an app is working as it should in the cloud. Let's go through some of the main areas to focus on, best practices to follow and problems to anticipate and resolve.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why is cloud migration testing important?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is cloud migration testing important?&lt;/h2&gt;
 &lt;p&gt;Cloud migration testing helps IT teams ensure the application continues to perform as it should after moving to the cloud and also ensure that the &lt;a href="https://www.techtarget.com/searchcio/definition/UX-user-experience"&gt;user experience&lt;/a&gt; is better. To do this, they must gauge the app's performance on both sides of the equation: how it ran on-premises and how it works in the cloud.&lt;/p&gt;
 &lt;p&gt;Metrics from cloud migration tests help identify and quantify any issues rather than relying on guesswork. Key metrics include application start times and response times, performance during peak demand and off-hours, and usability on various platforms, such as desktops, remote connections and mobile devices.&lt;/p&gt;
 &lt;p&gt;Also, cloud vendors issue updates that can cause performance issues in an application. Use your testing metrics to validate the issues, and work with your cloud provider to find out what happened and what adjustments you have to make to correct the issues.&lt;/p&gt;
 &lt;p&gt;Finally, cloud migration testing can tell IT teams where to adjust performance or UX to justify keeping the application in the cloud.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Business benefits of cloud migration testing"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Business benefits of cloud migration testing&lt;/h2&gt;
 &lt;p&gt;Besides providing users with a well-performing, modern application, a solid testing program can deliver other advantages to the business, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Reduced chance of service disruptions.&lt;/li&gt; 
  &lt;li&gt;Higher customer satisfaction from smooth transitions.&lt;/li&gt; 
  &lt;li&gt;Less stress and wear on staff.&lt;/li&gt; 
  &lt;li&gt;Net cost savings after the upfront expense of the testing itself.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;While a reduction in issues is a real benefit of testing, it is often hard to quantify because issues can occur with or without additional testing. The odds are better with testing, however.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="How cloud migration testing differs from traditional app testing"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How cloud migration testing differs from traditional app testing&lt;/h2&gt;
 &lt;p&gt;The main difference between testing applications on-premises versus apps that have moved to the cloud is that you have to accommodate the cloud's scalability and additional integrations and dependencies. Some of the integrations might be difficult to identify and understand. Your cloud testing framework might differ from an on-premises framework, and some tools might be different or not allowed, such as for load testing or &lt;a href="https://www.techtarget.com/searchsecurity/definition/penetration-testing"&gt;penetration testing&lt;/a&gt;. It's important to check with your cloud vendor about what testing tools are permitted.&lt;/p&gt;
 &lt;p&gt;Keep in mind, though, that the goals of testing should not change between on-premises and the cloud. Having different goals means you're no longer testing apples to apples, so you should use many of the same steps and tools to get a clear picture of your efforts to migrate your application to the cloud. Changes to the testing framework or methodologies can skew results.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Types of testing for a cloud migration"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of testing for a cloud migration&lt;/h2&gt;
 &lt;p&gt;The goal with cloud migration testing isn't to test every possible feature and function, but you do need a solid cross section of tests and metrics to ensure your application performs as expected. Several types of tests are especially important for a cloud migration:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Functional validation.&lt;/b&gt; This test confirms that the build meets requirements for component and service functionality on both sides of the cloud migration effort. Anything missing tends to jump out quickly.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Performance.&lt;/b&gt; This test spans several metrics to measure how an application performs in real-world conditions, e.g., ability to handle data volumes, capacity loads, and CPU and memory usage. It also includes the &lt;a href="https://www.techtarget.com/searchcustomerexperience/definition/customer-experience-CX"&gt;customer experience&lt;/a&gt; to ensure better or at least consistent performance for users.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Integration.&lt;/b&gt; Your application likely ties into other services and apps to share data in the cloud and on-premises -- and possibly both. IT teams must verify these connections still work in the cloud. This can be tricky if dependent services are in a different cloud or remain on-premises. You also need to understand and document what happens when a service goes down at each location to understand the impact it will have on customers.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Other aspects to test"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Other aspects to test&lt;/h2&gt;
 &lt;p&gt;If the application has a dedicated portal or requires interface tweaks to run on mobile devices, test it on both Android and Apple platforms. Testing every possible device type might not be feasible, so work with your user base to determine which mobile platforms best meet their needs.&lt;/p&gt;
 &lt;p&gt;Also, test on both cellular and Wi-Fi networks because different data speeds impact an app's behavior. Do this outside of your company's Wi-Fi network. The internal side of your network might access services differently than an external Wi-Fi network, which could cause the application to work differently or not at all.&lt;/p&gt;
 &lt;p&gt;Finally, test for printability. People do still print, and for some, it's a critical job function. Don't underestimate this potentially challenging technical problem. Printing from a cloud-based application to a local printer can bring security and network challenges that you typically don't have on-premises.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Security considerations for cloud migration testing"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Security considerations for cloud migration testing&lt;/h2&gt;
 &lt;p&gt;You should perform a proper application security audit and make adjustments to user privileges before you begin to move an application from on-premises to the cloud. The last thing you want is to introduce additional changes that muddle or complicate your understanding of how an app works and its dependencies.&lt;/p&gt;
 &lt;p&gt;The cloud migration testing should include a security validation that confirms the following three key factors:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Who has access to the app?&lt;/b&gt; Start with the accounts, features and functions that users access. Adding more variables doesn't help or speed up the testing. Users' access should mirror what they had with the app on-premises, no more and no less.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;How have you ensured the principle of least privilege?&lt;/b&gt; As your data moves between different services in the cloud, what steps ensure the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt;? Cloud vendors offer services and reports to help with this; take the time to learn, document and use them.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Do security changes impact the app?&lt;/b&gt; Always rerun application testing after you make a security change, as such changes can potentially affect performance. For example, does data encryption in flight and at rest change application response time or add overhead to CPU cycles? This can be a subset of full testing, but you must revalidate that the application still works as baselined and that the security change doesn't take the application offline.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="7 common challenges in cloud migration testing -- and best practices to address them"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;7 common challenges in cloud migration testing -- and best practices to address them&lt;/h2&gt;
 &lt;p&gt;Application testing is always a challenge, and despite all the planning and testing, you will encounter issues. Nevertheless, most problems are solvable. Here's what you're likely to face and ways to address them.&lt;/p&gt;
 &lt;h3&gt;Challenge 1: Prioritizing app testing metrics&lt;/h3&gt;
 &lt;p&gt;An application's UX and security are important to the overall application, but ultimately, the application must work as intended. An application that lacks core functionality, even if it's absolutely secure or wonderfully streamlined for users, does no one any good.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Best practice: Balance design and security with critical functionality&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;Take the time to address all the factors -- functionality, UX and security -- early in the cloud migration process. They are not separate aspects you can work on at different stages. They're interconnected, and you have to treat them as such.&lt;/p&gt;
 &lt;h3&gt;Challenge 2: Cutting corners just to make the app run&lt;/h3&gt;
 &lt;p&gt;It's critical to make sure the application works properly in the cloud, but don't adopt bad habits to achieve short-term goals. IT teams might reduce or remove security controls to get an app functional in a new environment and forget to restore those safeguards afterward. That may save time initially, but it creates more work later and makes testing more difficult overall.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Best practice: Plan security from the start&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;Security permission issues often arise and can impede an app's functionality, but resist the knee-jerk reaction to make large-scale changes to get things running right away. Build time into your cloud migration plan to address these problems.&lt;/p&gt;
 &lt;h3&gt;Challenge 3: Leaving the testing entirely up to IT&lt;/h3&gt;
 &lt;p&gt;Cloud migrations are complex efforts that require many disciplines to ensure a migrated app works securely and at scale. IT has a major responsibility and can help lead these efforts, but you can't simply forklift the app into the cloud and focus only on the technical side without a development team's expertise.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Best practice: Form a diverse testing team&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;Set up a cross-functional team to provide app support and identify possible issues. The team must be nimble, and you need subject matter experts to ensure all aspects are being looked at. Set aside certain items in meetings so you don't overburden everyone with too much information. Some attendees might get bored and tune out technobabble that's outside their expertise.&lt;/p&gt;
 &lt;h3&gt;Challenge 4: Resisting easy updates and scope creep&lt;/h3&gt;
 &lt;p&gt;Enabling encryption for an app that's migrating to the cloud might seem ideal and deceptively simple. But beware: Any change can unknowingly impact many other aspects of the app's operation and increase technical concerns and costs. This kind of scope or feature creep in migration testing can quickly grow to unsustainable levels.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Best practice: Test and vet additional functions&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;First, try to stick to the original plan for the application's core functionality; the testing phase isn't the time or place for feature expansion. If you must add any minor new features or functions, get everyone's buy-in, and test and vet the changes to understand their broader impacts. Be able to say no to items. It might seem easy in concept but can be quite difficult to say to some people, especially managers.&lt;/p&gt;
 &lt;h3&gt;Challenge 5: Balancing testing cadence against competing priorities&lt;/h3&gt;
 &lt;p&gt;Ideally, you should perform continual security testing and at least weekly testing to validate data and handle error logs. Unfortunately, money, time and shifting priorities of IT and management can overrule those plans. The cloud costs money for every second it's in use. Staff require time and money, and after an app's release, most ops and dev teams move on to other projects.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Best practice: Plan around major updates and push for more&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;IT always finds ways to fit what is required into what's available. Break down cloud migration testing into what management wants, needs and expects. Set up a testing framework for daily and weekly checks around major changes to the base application or platform. Push for more regularity if more resources are available.&lt;/p&gt;
 &lt;h3&gt;Challenge 6: Narrowing UX testing&lt;/h3&gt;
 &lt;p&gt;Some IT teams rely on a regular pool of users for on-premises testing or a few who are experts in the specific software. However, when you move an application to the cloud, you need a more comprehensive picture of it. That means gathering data about overall UX from multiple perspectives and not just technical ones.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Best practice: Expand user test teams&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;Coordinate user testing with a wide pool of testers with different experience levels and roles. Include people who are cloud-savvy but also novices. Most users don't know or care about the cloud's inner machinery, but they see the application and have certain performance expectations. And, sometimes, they might know it a little better than you do.&lt;/p&gt;
 &lt;h3&gt;Challenge 7: Testing metrics that overlook cloud cost concerns&lt;/h3&gt;
 &lt;p&gt;In an on-premises migration, typically, you own all the pieces the application touches. In a cloud migration, you incur costs for every process step, every service called and every data transfer to a cache or back on-premises. There are integrations and dependencies to other cloud services -- some of which might not be obvious. You might be using cloud-based testing tools. When the bill comes due, it might come as a shock and force you to adjust the app or even reevaluate the cloud migration.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Best practice: Regularly test to reveal cost trends&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;Cost management isn't a central concern of cloud migration testing, but testing reveals exactly what an app does when it runs in the cloud. Thus, frequent cloud migration testing can help an organization get a better feel for data transfers, usage patterns and key dependencies. That means no surprises when the bill arrives.&lt;/p&gt;
&lt;/section&gt;                              
&lt;section class="section main-article-chapter" data-menu-title="Creating a cloud migration testing strategy"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Creating a cloud migration testing strategy&lt;/h2&gt;
 &lt;p&gt;When it comes to checklists and step-by-step procedures, people often focus on the things they want and skip over the things they don't like, or they assume following the steps is easy. This approach never ends well, so it's important to understand the impact and challenges of the following steps:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Assess.&lt;/b&gt; This is an easy one to gloss over by saying it's as simple as taking the infrastructure an application is running on and plopping it in the cloud. Local resources, such as big hard drives and massive CPUs, are fairly cheap in a local data center. That math changes in the cloud because you pay per month for everything, so you have to be clear about what you need -- not what you already have.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Map.&lt;/b&gt; It takes one simple firewall rule to disable an entire application stack or a single data share that's not configured correctly. It's crucial to remember that everything talks to each other and to know where you need additional resources to ensure the map is accurate.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Select.&lt;/b&gt; Remember that not everything is meant for the cloud. Be honest about whether an application is not the right fit or is too expensive to migrate. And, when it comes to choosing the right cloud, everything should be on the table. Don't assume you have the right answer going in.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Develop.&lt;/b&gt; Make a plan, and follow it. It helps keep the team focused and prevents project creep. Celebrate milestones when you reach them, and make sure users and managers are aware of the progress. Keep things transparent.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Create.&lt;/b&gt; This is the step people often want to skip to, but nothing should be spun up until the first steps are completed. That's because, when you skip to the fun part, you often end up redoing it because you discover you missed something that would have been identified in the planning.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Replicate.&lt;/b&gt; Don't break what is already working, and don't introduce unplanned changes to the application just because you have a chance since it hasn't gone live yet.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Stage.&lt;/b&gt; Make sure a wide range of users and devices are involved in testing the application. It's often the casual user who finds a common issue, not the power user who simply works around the issue or doesn't even notice that there's a problem.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Check.&lt;/b&gt; Technically, this is the easiest step because you have been doing security all along and can say it is already done. If you wait until the end to tighten security, you must reverify that the application still works.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/cloud_computing-cloud_migration_checklist-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/cloud_computing-cloud_migration_checklist-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/cloud_computing-cloud_migration_checklist-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/cloud_computing-cloud_migration_checklist-f.png 1280w" alt="a cloud migration checklist" height="271" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Review this checklist to coordinate cloud migration efforts, from mapping an app's integrations and dependencies to identifying security gaps and testing functionality and UX.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Key risks of cloud migration without testing"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Key risks of cloud migration without testing&lt;/h2&gt;
 &lt;p&gt;Testing is a difficult thing in the best scenario, and in the high-priced world of IT, it often loses out to luck or hopeful ambition. This tends to happen when management sees IT as a cost center and not an asset. From management's standpoint, the cloud is a big box they can't see into or understand, and it's just supposed to work as well as it does delivering music and entertainment to their smartphones.&lt;/p&gt;
 &lt;p&gt;This lack of understanding is what IT project managers must counteract by communicating to stakeholders the gravity of what could happen without good cloud migration testing.&lt;/p&gt;
 &lt;p&gt;The benefits and risks can be summarized like this. Successful testing results in the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Confident staff.&lt;/b&gt; Seeing a successful test engenders confidence in the tools, training and time frames -- all key elements of a successful migration.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cost savings.&lt;/b&gt; Investing upfront in testing can save untold dollars on the back end.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Minimized outages.&lt;/b&gt; Planned outages are things users understand, can plan for and work with. It's the unplanned ones that get people upset.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;In contrast, poor or no cloud migration testing can lead to the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Outages.&lt;/b&gt; Feeling the rage of users complaining to management doesn't fix the issue faster and is a particular risk with unplanned outages.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Need to call in consultants.&lt;/b&gt; When you run into issues you can't immediately solve, management demands fixes ASAP. Hiring consultants becomes the only choice. The consultants know this and raise their prices accordingly.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Staff burnout.&lt;/b&gt; You need people to be at the top of their game for a migration because it isn't over in a day. Minor issues inevitably come up, and getting off on the wrong foot makes it next to impossible to right the ship.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Cloud migration testing is optional, and there is a cost to doing it. The question becomes how much risk the organization is willing to take on by skipping it and whether it can handle the impact if a major outage is the result.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Brian Kirsch, an IT architect and Milwaukee Area Technical College instructor, has been in IT for 30 years and holds multiple certifications.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Follow these guidelines to craft a strategy for cloud migration testing, from key tests to common challenges and best practices -- and understand why everything involves security.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/cloud_g1251263502.jpg</image>
            <link>https://www.techtarget.com/searchcloudcomputing/tip/Guide-to-creating-a-cloud-migration-testing-strategy</link>
            <pubDate>Fri, 27 Dec 2024 09:00:00 GMT</pubDate>
            <title>Guide to creating a cloud migration testing strategy</title>
        </item>
        <item>
            <body>&lt;p&gt;Many professionals seeking a career in cloud security turn to certifications to advance their learning and prove their knowledge to potential employers. The number of cloud security certifications has increased in recent years, however, making it difficult for students and practitioners to decide which ones to pursue.&lt;/p&gt; 
&lt;p&gt;Are you trying to parse the differences and figure out which certifications will most advance your knowledge and career? Get the lowdown on the best cloud security certifications here.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="The importance of certifications"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The importance of certifications&lt;/h2&gt;
 &lt;p&gt;Although the debate over the &lt;a href="https://www.techtarget.com/searchcio/feature/Tech-pros-favor-cybersecurity-AI-certifications"&gt;value of security certification programs&lt;/a&gt; is hotly contested, they are still one of the top ways employers screen job candidates and assess an interviewee's baseline knowledge. And the fact is that most certifications deliver more significant benefits to professionals than traditional self-study options.&lt;/p&gt;
 &lt;p&gt;A certification, for instance, covers broader topics than those of interest to the student, which requires learning more than just the minimum around a specific topic. Skipping a few dull but important chapters isn't a wise decision if an expensive exam is coming up.&lt;/p&gt;
 &lt;p&gt;Certification exams also force students to study the material, not just skim it. Exam dates provide a deadline to finish the material. Certificates also show employers that future employees have put significant time and money into obtaining the certificates and their associated skills.&lt;/p&gt;
 &lt;p&gt;The infosec industry has been around for decades and has some of the best-known certifications. ISC2's CISSP, for instance, was released in 1994, and ISACA's Certified Information Systems Auditor (CISA) certification dates to 1978.&lt;/p&gt;
 &lt;p&gt;These older, well-established certification providers have added cloud components to their material, but the depth of those add-ons can be limited -- sometimes, just a few pages in a book. Considering the importance of cloud technologies and the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-11-cloud-security-challenges-and-how-to-combat-them"&gt;persistent threat of cloud-specific attacks&lt;/a&gt;, more focus is required.&lt;/p&gt;
 &lt;p&gt;Let's look at some certification providers that have introduced dedicated, in-depth cloud security certifications, as well as what cloud security pros can expect when pursuing them.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="1. ISC2 Certified Cloud Security Professional (CCSP)"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;1. ISC2 Certified Cloud Security Professional (CCSP)&lt;/h2&gt;
 &lt;p&gt;The most well-known and established cloud security certification is ISC2's CCSP. Although ISC2's CISSP now contains more cloud material than in years past, the nonprofit's specialized CCSP &lt;a target="_blank" href="https://www.isc2.org/Certifications/CCSP" rel="noopener"&gt;program&lt;/a&gt; takes it to the next level and covers a broad range of cloud-related topics, from cloud application security to cloud platform security.&lt;/p&gt;
 &lt;p&gt;Students should expect to invest quite a bit of time to pass this exam; self-led or instructor-led training should be used to prepare for this certification.&lt;/p&gt;
 &lt;p&gt;Candidates must have a minimum of five years of paid work experience in IT before becoming certified. Three years must be in infosec, and one year must be in one or more of the six domains included in the CCSP Common Body of Knowledge (CBK):&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Cloud Concepts, Architecture and Design (17% of exam).&lt;/li&gt; 
  &lt;li&gt;Cloud Data Security (20%).&lt;/li&gt; 
  &lt;li&gt;Cloud Platform &amp;amp; Infrastructure Security (17%).&lt;/li&gt; 
  &lt;li&gt;Cloud Application Security (17%).&lt;/li&gt; 
  &lt;li&gt;Cloud Security Operations (16%).&lt;/li&gt; 
  &lt;li&gt;Legal, Risk and Compliance (13%).&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;The Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK) can be substituted for one year of experience in one or more of the CCSP domains. Obtaining CISSP covers all prerequisites.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="2. CSA Certificate of Cloud Security Knowledge (CCSK)"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;2. CSA Certificate of Cloud Security Knowledge (CCSK)&lt;/h2&gt;
 &lt;p&gt;CSA's CCSK is a lighter alternative to CCSP certification. Launched in 2010, this &lt;a target="_blank" href="https://cloudsecurityalliance.org/education/ccsk/" rel="noopener"&gt;certificate&lt;/a&gt; is dedicated to cloud security. Like CCSP, CCSK goes into technical details.&lt;/p&gt;
 &lt;p&gt;CCSK is a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud data security.&lt;/p&gt;
 &lt;p&gt;Those studying for their CCSK can use the CSA's free Prep Kit to study and prepare for the exam. The kit includes an overview of the certificate, study and knowledge guides, a course outline, sample questions and additional resources.&lt;/p&gt;
 &lt;p&gt;CCSK v5 covers 12 domains, including Cloud Computing Concepts and Architecture, Infrastructure and Networking, Data Security and Security as a Service.&lt;/p&gt;
 &lt;p&gt;The CCSK v5 exam bundle can be purchased online. Training options include online self-paced, online instructor-led and in-person instruction.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="3. ISACA and CSA Certificate of Cloud Auditing Knowledge (CCAK)"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;3. ISACA and CSA Certificate of Cloud Auditing Knowledge (CCAK)&lt;/h2&gt;
 &lt;p&gt;In March 2021, ISACA and CSA jointly released CCAK, which &lt;a target="_blank" href="https://cloudsecurityalliance.org/education/ccak/" rel="noopener"&gt;builds on&lt;/a&gt; and complements CCSK content. It also complements ISACA's CISA and Certified Information Security Manager certifications. Applicants are advised to achieve their CCSK prior to taking CCAK, though it is not a prerequisite.&lt;/p&gt;
 &lt;p&gt;Assessors and auditors, compliance managers, vendor and partner program managers, security and privacy consultants, security analysts and architects could benefit from the training, which covers the following domains:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Cloud Governance.&lt;/li&gt; 
  &lt;li&gt;Cloud Compliance Program.&lt;/li&gt; 
  &lt;li&gt;CCM and CAIQ: Goals, Objectives and Structure.&lt;/li&gt; 
  &lt;li&gt;A Threat Analysis Methodology for Cloud Using CCM.&lt;/li&gt; 
  &lt;li&gt;Evaluating a Cloud Compliance Program.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-audit"&gt;Cloud Auditing&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;CCM: Auditing Controls.&lt;/li&gt; 
  &lt;li&gt;Continuous Assurance and Compliance.&lt;/li&gt; 
  &lt;li&gt;STAR Program.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;Candidates can choose online self-paced, online instructor-led and in-person training.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="4. GIAC Cloud Security Automation (GCSA)"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4. GIAC Cloud Security Automation (GCSA)&lt;/h2&gt;
 &lt;p&gt;Launched in April 2020, GIAC's GCSA certification is specifically &lt;a target="_blank" href="https://www.giac.org/certification/cloud-security-automation-gcsa" rel="noopener"&gt;designed&lt;/a&gt; for developers, analysts and engineers working to secure cloud and DevOps environments. It encompasses topics such as DevOps and DevSecOps fundamentals; securing cloud architecture; data and secrets protection and compliance; and security and automation related to deployment, runtime and content delivery.&lt;/p&gt;
 &lt;p&gt;The GIAC certification is affiliated with SANS Institute's in-person or online "SEC540: Cloud Security and DevSecOps Automation" course. The SEC540 five-day &lt;a target="_blank" href="https://www.sans.org/cyber-security-courses/cloud-security-devsecops-automation/" rel="noopener"&gt;course&lt;/a&gt;, which includes hands-on labs, covers topics in the following five sections:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;DevOps Security Automation.&lt;/li&gt; 
  &lt;li&gt;Cloud Infrastructure Security.&lt;/li&gt; 
  &lt;li&gt;Cloud Native Security Operations.&lt;/li&gt; 
  &lt;li&gt;Microservice and Serverless Security.&lt;/li&gt; 
  &lt;li&gt;Continuous Compliance and Protection.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;The GIAC certification exam can be purchased by itself or at a discounted rate when bought in conjunction with the SANS training. Purchasing a certification attempt comes with practice tests, which are in the same format as the exam.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="5. GIAC Cloud Security Essentials (GCLD)"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5. GIAC Cloud Security Essentials (GCLD)&lt;/h2&gt;
 &lt;p&gt;Released in April 2021, GIAC's GCLD covers how to evaluate cloud service providers and how to plan, deploy and secure single and multi-cloud environments, as well as topics such as cloud auditing, security assessments and incident response.&lt;/p&gt;
 &lt;p&gt;Specialized for security engineers, analysts, managers and auditors, GCLD &lt;a target="_blank" href="https://www.giac.org/certifications/cloud-security-essentials-gcld/" rel="noopener"&gt;aims to help&lt;/a&gt; candidates prove their knowledge about how to prevent, detect and react to cloud workload security events.&lt;/p&gt;
 &lt;p&gt;GCLD certification is affiliated with "SEC488: Cloud Security Essentials," a &lt;a target="_blank" href="https://www.sans.org/cyber-security-courses/cloud-security-essentials/" rel="noopener"&gt;six-day course&lt;/a&gt; with hands-on training that teaches the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Identity and Access Management (IAM).&lt;/li&gt; 
  &lt;li&gt;Compute and Configuration Management.&lt;/li&gt; 
  &lt;li&gt;Data Protection.&lt;/li&gt; 
  &lt;li&gt;Networking and Detection.&lt;/li&gt; 
  &lt;li&gt;Compliance, Incident Response and Penetration Testing.&lt;/li&gt; 
  &lt;li&gt;CloudWars.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The SANS training, offered online and in person, has no prerequisites, but a basic understanding of networking, security, Linux and the cloud is beneficial.&lt;/p&gt;
 &lt;p&gt;GIAC also offers specialized certifications that could apply depending on the candidate's career path. These include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.giac.org/certifications/certified-web-application-defender-gweb/" rel="noopener"&gt;GIAC Certified Web Application Defender&lt;/a&gt;, affiliated with "&lt;a target="_blank" href="https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/" rel="noopener"&gt;SEC522&lt;/a&gt;: Application Security: Securing Web Apps, APIs and Microservices."&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.giac.org/certifications/public-cloud-security-gpcs/" rel="noopener"&gt;GIAC Public Cloud Security&lt;/a&gt;, affiliated with "&lt;a target="_blank" href="https://www.sans.org/cyber-security-courses/public-cloud-security-aws-azure-gcp/" rel="noopener"&gt;SEC510&lt;/a&gt;: Cloud Security Controls and Mitigations."&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.giac.org/certifications/cloud-penetration-tester-gcpn/" rel="noopener"&gt;GIAC Cloud Penetration Tester&lt;/a&gt;, affiliated with "&lt;a target="_blank" href="https://www.sans.org/cyber-security-courses/cloud-penetration-testing/" rel="noopener"&gt;SEC588&lt;/a&gt;: Cloud Penetration Testing."&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="6. Mile2 Certified Cloud Security Officer (C)CSO)"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;6. Mile2 Certified Cloud Security Officer (C)CSO)&lt;/h2&gt;
 &lt;p&gt;The C)CSO certification from Mile2 consists of a five-day program that includes instructor-led sessions, self-study time and live virtual trainings. It is &lt;a target="_blank" href="https://www.mile2.com/ccso_outline/" rel="noopener"&gt;composed&lt;/a&gt; of 15 modules:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Introduction to Cloud Computing and Architecture.&lt;/li&gt; 
  &lt;li&gt;Cloud Security Risks.&lt;/li&gt; 
  &lt;li&gt;ERM and Governance.&lt;/li&gt; 
  &lt;li&gt;Legal Issues.&lt;/li&gt; 
  &lt;li&gt;Virtualization.&lt;/li&gt; 
  &lt;li&gt;Data Security.&lt;/li&gt; 
  &lt;li&gt;Data Center Operations.&lt;/li&gt; 
  &lt;li&gt;Interoperability and Portability.&lt;/li&gt; 
  &lt;li&gt;Traditional Security.&lt;/li&gt; 
  &lt;li&gt;BCM and DR.&lt;/li&gt; 
  &lt;li&gt;Incident Response.&lt;/li&gt; 
  &lt;li&gt;Application Security.&lt;/li&gt; 
  &lt;li&gt;Encryption and Key Management.&lt;/li&gt; 
  &lt;li&gt;Identity, Entitlement and Access Management.&lt;/li&gt; 
  &lt;li&gt;Auditing and Compliance.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;It also consists of 23 labs, including PaaS in Azure and Encryption/Key Management in SaaS.&lt;/p&gt;
 &lt;p&gt;Part of Mile2's Cloud Security and Virtualization career path, this advanced certification is ideal for professionals seeking careers in virtualization, cloud administration, auditing and compliance.&lt;/p&gt;
 &lt;p&gt;General knowledge of cloud architectures and one year of experience in both virtualization and infosec are recommended.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="7. Arcitura Certified Cloud Security Specialist"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;7. Arcitura Certified Cloud Security Specialist&lt;/h2&gt;
 &lt;p&gt;Arcitura's Certified Cloud Security Specialist certification &lt;a target="_blank" href="https://www.arcitura.com/cert/cloud-security-specialist-certification-exam.html" rel="noopener"&gt;focuses&lt;/a&gt; on the security threats associated with cloud platforms, cloud services and other cloud technologies, including virtualization. Geared toward IT and security professionals, as well as cloud architects, the Certified Cloud Security Specialist certification is composed of the following five modules:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Fundamental Cloud Computing covers basic cloud technology topics such as cloud computing platforms, cost metrics and service-level agreement characteristics.&lt;/li&gt; 
  &lt;li&gt;Cloud Technology Concepts covers topics such as cloud service architecture and containerization.&lt;/li&gt; 
  &lt;li&gt;Fundamental Cloud Security contains training on cloud security mechanisms and threats, cloud auditing and cloud IAM.&lt;/li&gt; 
  &lt;li&gt;Advanced Cloud Security offers training on attack lifecycles, threat modeling and VM protection.&lt;/li&gt; 
  &lt;li&gt;Cloud Security Lab includes exercises on IAM in the cloud, public key infrastructure in the cloud, and cloud encryption and key management.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;The approximately 50-hour training course culminates with the Cloud Security Specialist exam and certification. A general background in IT is recommended.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/best_cloud_security_certifications-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/best_cloud_security_certifications-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/best_cloud_security_certifications-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/best_cloud_security_certifications-f.png 1280w" alt="Chart comparing cloud security certifications and exams." height="770" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Use this chart to compare the top cloud security certifications.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="8. and 9. CompTIA Cloud Essentials+ and Cloud+"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;8. and 9. CompTIA Cloud Essentials+ and Cloud+&lt;/h2&gt;
 &lt;p&gt;CompTIA offers two certifications that, while not security-specific, cover cloud security topics. &lt;a target="_blank" href="https://www.comptia.org/certifications/cloud-essentials" rel="noopener"&gt;Cloud Essentials+&lt;/a&gt; is geared toward cloud business decision-making, while &lt;a target="_blank" href="https://www.comptia.org/certifications/cloud" rel="noopener"&gt;Cloud+&lt;/a&gt; is more about technical cloud implementation.&lt;/p&gt;
 &lt;p&gt;The entry-level Cloud Essentials+ certification covers cloud security concerns and measures, as well as risk assessment, cloud security policies and compliance. Six months to one year of IT business analyst experience, along with some cloud technology experience, is recommended. The more in-depth Cloud+ certification covers security configurations, access control, key and certificate management, and segmentation and microsegmentation. Two to three years of system administration or networking experience are recommended, in addition to CompTIA Network+ and Server+ certifications.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="10. Vendor-specific cloud security certifications"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;10. Vendor-specific cloud security certifications&lt;/h2&gt;
 &lt;p&gt;Because many enterprises work with specific vendors and technologies, it could be fruitful for their security team members to hold certifications in those areas. Some cloud platform providers offer practical product training, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://aws.amazon.com/certification/certified-security-specialty/" rel="noopener"&gt;AWS Certified Security - Specialty&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://cloud.google.com/certification/cloud-security-engineer" rel="noopener"&gt;Google Professional Cloud Security Engineer&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.ibm.com/training/certification/ibm-cloud-security-engineer-v1-specialty-S0011100" rel="noopener"&gt;IBM Cloud Security Engineer Specialty&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/" rel="noopener"&gt;Certified Kubernetes Security Specialist&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://learn.microsoft.com/en-us/credentials/certifications/azure-security-engineer/?practice-assessment-type=certification" target="_blank" rel="noopener"&gt;Microsoft Certified: Azure Security Engineer Associate.&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.vmware.com/learning/certification/vcta-security.html" rel="noopener"&gt;VMware Certified Technical Associate - Security&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.vmware.com/learning/certification/vcp-ews.html" rel="noopener"&gt;VMware Certified Professional - Endpoint and Workload Security&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;This article was revised in December 2024 to update certification information and to improve the reader experience.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Sharon Shea is executive editor of TechTarget Security.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Certifications can help security pros prove their baseline knowledge of infosec topics. Consider adding these top cloud security certifications to your arsenal.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/certification_g483411626.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/The-best-cloud-security-certifications-for-IT-professionals</link>
            <pubDate>Tue, 17 Dec 2024 00:00:00 GMT</pubDate>
            <title>The 10 best cloud security certifications for IT pros in 2025</title>
        </item>
        <item>
            <body>&lt;section class="section main-article-chapter" data-menu-title="What is a click-wrap agreement (click-through agreement)?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a click-wrap agreement (click-through agreement)?&lt;/h2&gt;
 &lt;p&gt;A click-wrap agreement (click-through agreement) is an online agreement in which the user signifies their acceptance by clicking a button or checking a box that states, "I agree." The purpose of a click-wrap agreement is to digitally capture acceptance of a contract.&lt;/p&gt;
 &lt;p&gt;Click-wrap agreements permit companies to enter into a contract with customers without negotiating with each user individually. To be considered legitimate, the contract must:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Be reasonably and prominently visible to all users.&lt;/li&gt; 
  &lt;li&gt;Require active, affirmative consent.&lt;/li&gt; 
  &lt;li&gt;Be easily understood by the average user.&lt;/li&gt; 
  &lt;li&gt;Be enforceable.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Click-wrap agreements are a digital offshoot of shrink-wrap licenses. In the last century, when most software was installed locally, shrink-wrap licenses were commonly used by software vendors to protect their intellectual property. When the customer removed the plastic shrink-wrap that protected a new software floppy disk or compact disk, they were contractually indicating they agreed with the software vendor's terms of service.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Use cases for click-wrap agreements"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Use cases for click-wrap agreements&lt;/h2&gt;
 &lt;p&gt;Today, online users encounter click-wrap agreements regularly. Some examples are the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Asking website visitors to acknowledge that the website they are visiting uses cookies.&lt;/li&gt; 
  &lt;li&gt;Completing an online registration form.&lt;/li&gt; 
  &lt;li&gt;Installing a mobile app.&lt;/li&gt; 
  &lt;li&gt;Purchasing a cloud service.&lt;/li&gt; 
  &lt;li&gt;Connecting to a wireless network.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Click-wrap agreements and the law"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Click-wrap agreements and the law&lt;/h2&gt;
 &lt;p&gt;Click-wrap contracts are often used in situations where the same boilerplate contract needs to be offered or signed hundreds, thousands or millions of times. Common uses include contracts that support online &lt;a href="https://www.techtarget.com/whatis/definition/privacy-policy"&gt;privacy policies&lt;/a&gt; or terms and conditions for accessing member-protected website content.&lt;/p&gt;
 &lt;p&gt;It is a best practice to call out the existence of the contract through a pop-up window that has a checkbox and contains language such as, "I agree to the terms and conditions." There should also be a hyperlink to a webpage that documents the full agreement the user is accepting.&lt;/p&gt;
 &lt;p&gt;Most of the time, click-wrap and shrink-wrap agreements are made and never mentioned or thought of again. If the terms of the contract are violated, however, there can be serious legal and financial consequences.&lt;/p&gt;
 &lt;p&gt;Should there be a need to defend a click-wrap agreement in court, the entity that issued the contract needs to have sufficient documentation to prove when and where the agreement was signed. This includes an indisputable record of what version of the contract was being displayed at the time the agreement was accepted and how the website looked to the user.&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A click-wrap agreement (click-through agreement) is an online agreement in which the user signifies their acceptance by clicking a button or checking a box that states, 'I agree.'</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchcloudcomputing/definition/clickwrap-agreement-clickthrough-agreement</link>
            <pubDate>Mon, 01 Jul 2024 09:00:00 GMT</pubDate>
            <title>click-wrap agreement (click-through agreement)</title>
        </item>
        <item>
            <body>&lt;section class="section main-article-chapter" data-menu-title="What is a virtual firewall?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a virtual firewall?&lt;/h2&gt;
 &lt;p&gt;A virtual firewall is a firewall device or service that provides network traffic filtering and monitoring for virtual machines (&lt;a href="https://www.techtarget.com/searchitoperations/definition/virtual-machine-VM"&gt;VMs&lt;/a&gt;) in a virtualized environment. Like a traditional network &lt;a href="https://www.techtarget.com/searchsecurity/definition/firewall"&gt;firewall&lt;/a&gt;, a virtual firewall inspects &lt;a href="https://www.techtarget.com/searchnetworking/definition/packet"&gt;packets&lt;/a&gt; and uses &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-policy"&gt;security policy&lt;/a&gt; rules to block unapproved communication between VMs. A virtual firewall is often deployed as software or a virtual appliance.&lt;/p&gt;
 &lt;p&gt;Virtual firewalls are commonly used to protect virtualized environments because they're the least expensive and the most portable, due to the ease of moving a virtual firewall from cloud to cloud. A virtual firewall is also simple to upgrade and maintain.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/5geL5yHpa2Q?si=2AQNxczGutonPVrZ?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://searchcloudsecurity.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="How a virtual firewall works"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How a virtual firewall works&lt;/h2&gt;
 &lt;p&gt;A virtual firewall, also known as a cloud firewall or a &lt;a href="https://www.techtarget.com/searchnetworking/definition/firewall-as-a-service-FWaaS"&gt;firewall as a service&lt;/a&gt;, operates like a physical firewall but does so in a virtualized environment.&lt;/p&gt;
 &lt;p&gt;A virtual firewall works in two modes -- bridge mode and &lt;a href="https://www.techtarget.com/searchitoperations/definition/hypervisor"&gt;hypervisor&lt;/a&gt; mode. Similar to a traditional firewall system, bridge mode works by diagnosing and monitoring all of a VM's incoming and outgoing traffic. In hypervisor mode, the virtual firewall operates in isolation from the physical network, residing in the core hypervisor kernel and managing the incoming and outgoing traffic of the VM. The following is an overview of the functions of a virtual firewall:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Packet inspection.&lt;/b&gt; A virtual firewall is an application or cloud network firewall service that provides &lt;a href="https://www.techtarget.com/searchnetworking/definition/packet-filtering"&gt;packet filtering&lt;/a&gt; within a virtualized environment. When data packets traverse the virtualized network, the virtual firewall intercepts them and examines their headers for various attributes, such as &lt;a href="https://www.techtarget.com/searchnetworking/tip/Introduction-to-IP-addressing-and-subnetting"&gt;source and destination IP addresses&lt;/a&gt;, ports, protocols and &lt;a href="https://www.techtarget.com/searchsecurity/definition/payload"&gt;payload&lt;/a&gt; content. This interception enables the firewall to either block the packets or let them pass through the network. Many complex virtual firewalls also come with &lt;a href="https://www.techtarget.com/searchnetworking/definition/deep-packet-inspection-DPI"&gt;deep packet inspection&lt;/a&gt; features that are used to analyze packet contents and detect &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; agents.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Traffic management.&lt;/b&gt; A virtual firewall manages and controls incoming and outgoing traffic. It works in conjunction with switches, routers and servers similar to a physical firewall. Virtual firewalls can identify anomalies and potential security threats by &lt;a href="https://www.techtarget.com/searchnetworking/feature/Network-traffic-analysis-best-practices-Assess-and-repeat"&gt;analyzing network traffic patterns and behaviors&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Prevention of unauthorized access.&lt;/b&gt; A virtual firewall prevents an unauthorized user from accessing and transmitting data and files and stops an organization's employees from transferring any sensitive data or documents.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Logging and reporting.&lt;/b&gt; Virtual firewalls log information about enabled and blocked traffic, as well as any security incidents or detected anomalies. These logs are beneficial for troubleshooting, security analysis and compliance reporting.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Network segmentation.&lt;/b&gt; By &lt;a href="https://www.techtarget.com/searchnetworking/tip/How-to-implement-network-segmentation-for-better-security"&gt;dividing the network into separate segments&lt;/a&gt; or zones, virtual firewalls create barriers that &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-and-detect-lateral-movement-attacks"&gt;restrict the lateral movement of threats&lt;/a&gt;. This containment strategy helps mitigate security incidents and limit their effects on the overall network.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_firewall_as_a_service_works-f.png"&gt;
  &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_firewall_as_a_service_works-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_firewall_as_a_service_works-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_firewall_as_a_service_works-f.png 1280w" alt="A diagram showing how a virtual firewall works." height="324" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A firewall-as-a-service configuration houses virtual firewalls in either a cloud service provider's or a managed service provider's facility.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Benefits of virtual firewalls"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of virtual firewalls&lt;/h2&gt;
 &lt;p&gt;A virtual firewall serves many different purposes, especially in modern network security and &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-computing"&gt;cloud computing&lt;/a&gt;. The benefits of virtual firewalls include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Enable optimization for specific network requirements.&lt;/b&gt; Virtual firewalls can be customized to meet specific network requirements. For example, administrators can define rules inside these firewalls to govern how traffic is inspected, filtered and controlled. They can also undergo performance tuning and seamlessly integrate with the existing security infrastructure and security services.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Provide flexibility and scalability.&lt;/b&gt; Virtual firewalls scale and adapt to changing network requirements as they can dynamically allocate resources based on network demand. This scalability ensures that virtual firewalls remain effective in meeting the evolving needs of the network.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Permit north-south traffic inspection.&lt;/b&gt; Cloud-based resources extend beyond the conventional corporate network perimeter, making them directly reachable from the public internet. To safeguard these cloud-based resources from compromise and possible data leaks, a virtual firewall appliance should sit in the path of traffic entering and leaving the cloud environment to analyze and filter it.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Allow east-west traffic inspection.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchnetworking/definition/east-west-traffic"&gt;East-west data flow&lt;/a&gt; refers to the movement of data between servers, devices or services within the same network or data center. When cybercriminals breach an organization's network, they often move laterally to access sensitive resources and accomplish their goals. As more sensitive data and functionalities are hosted in the cloud, it's crucial to inspect content and enforce security policies on east-west traffic flows to safeguard cloud-based resources. This highlights the necessity of a virtual firewall.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Provide full visibility.&lt;/b&gt; Virtual firewalls provide full visibility into network traffic by inspecting packets, generating logs, analyzing traffic patterns, integrating with security tools, offering centralized management and providing customizable dashboards and reports. Also, advanced virtual firewalls seamlessly integrate with public clouds, incorporating &lt;a href="https://www.techtarget.com/whatis/definition/metadata"&gt;metadata&lt;/a&gt; for enhanced context. They achieve this by employing a tag-based policy model, which is a method of applying security policies and rules to resources in a cloud environment based on metadata tags assigned to those resources. Virtual firewalls also provide other capabilities such as tight integration with major cloud service providers and offering a flexible policy framework that can adapt to dynamic environments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Offer ease of deployment.&lt;/b&gt; Deploying virtual firewalls is easy due to their software-based design and compatibility with popular virtualization platforms, including &lt;a href="https://www.techtarget.com/searchitoperations/answer/Hyper-V-vs-VMware-comparison-What-are-the-differences"&gt;VMware and Microsoft Hyper-V&lt;/a&gt;. They can be quickly deployed as virtual appliances onto existing infrastructure without specialized hardware and with preconfigured templates or virtual machine images. Integration with automation tools further enhances deployment efficiency, minimizing manual intervention and the risk of errors.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Provide cost-effectiveness.&lt;/b&gt; Virtual firewalls are less expensive to upgrade and maintain compared to traditional hardware firewalls, making them a cost-effective option for protecting virtualized environments and cloud resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Offer compatibility with any cloud infrastructure.&lt;/b&gt; Virtual firewalls aren't tied to a specific cloud provider; most vendors publish images for the major public clouds, including Amazon Web Services (&lt;a href="https://www.techtarget.com/searchaws/definition/Amazon-Web-Services"&gt;AWS&lt;/a&gt;), Microsoft Azure, &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Google-Cloud-Platform"&gt;Google Cloud&lt;/a&gt;, Oracle Cloud and Alibaba Cloud. This flexibility enables organizations to deploy the same firewall and policy set consistently regardless of their chosen cloud infrastructure, promoting interoperability and ease of management across diverse cloud environments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enable private cloud deployments.&lt;/b&gt; Virtual firewalls are helpful tools for private cloud environments. They offer features including scalability, automated deployment and dynamic object and policy administration that facilitate private cloud deployment and security.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Virtual firewalls vs. physical firewalls"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Virtual firewalls vs. physical firewalls&lt;/h2&gt;
 &lt;p&gt;Both virtual and physical firewalls serve the same fundamental purpose of protecting networks from unauthorized access and security threats. However, they differ in their characteristics and how they are deployed.&lt;/p&gt;
 &lt;p&gt;The following are some pros and cons as well as differences between physical and virtual firewalls:&lt;/p&gt;
 &lt;h3&gt;Physical firewalls&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;A physical firewall -- sometimes known as a hardware firewall -- is a network firewall deployed in a real-world security appliance or as part of a routing device that's situated at the edge of the network or between environments.&lt;/li&gt; 
  &lt;li&gt;A physical firewall connects to the protected internal network and the public internet -- or some other unprotected or external network -- over dedicated network interfaces. It is a purpose-built appliance running its own hardened operating system rather than software installed on a general-purpose host. Internal servers connect to designated switches, and traffic from those switches is routed through the firewall before it leaves the network.&lt;/li&gt; 
  &lt;li&gt;One of the benefits of using a hardware or physical firewall is that it's situated between the server and the internet, and it's the only way for network traffic to pass to and from the protected network. Without passing traffic through the network interfaces, the hosts, servers and other devices on the internal protected network won't be able to communicate or exchange data with any hosts, servers or other devices on the public internet. Threats are reduced because all data exchanges go through the firewall before they can be completed.&lt;/li&gt; 
  &lt;li&gt;Another advantage of using physical firewalls is that hardware security appliances are designed to handle heavier traffic loads and have faster response times. &lt;a target="_blank" href="https://media.techtarget.com/searchSecurity/downloads/Life_at_the_edge.pdf?track=L2A" rel="noopener"&gt;Network perimeters &lt;/a&gt;can also be strengthened using a physical firewall, improving network security.&lt;/li&gt; 
  &lt;li&gt;A physical firewall is easier to manage because it's an isolated network component and doesn't compete for CPU, memory or network resources with other applications, as a virtual firewall might on a shared hypervisor. A hardware firewall can also be moved or reconfigured without affecting workloads on a shared host, although, because it sits inline, taking it offline interrupts traffic unless it is deployed in a high-availability pair.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_traditional_firewall_works-f.png"&gt;
  &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_traditional_firewall_works-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_traditional_firewall_works-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/how_a_traditional_firewall_works-f.png 1280w" alt="A diagram showing the setup of a traditional firewall." height="324" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;This configuration shows a firewall in a traditional physical network.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Virtual firewalls&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;In contrast to physical firewalls, virtual firewalls are deployed as software appliances running within virtualized environments. A virtual firewall monitors and protects network traffic transiting &lt;a href="https://searchservervirtualization.techtarget.com/definition/virtual-switch"&gt;virtual switches&lt;/a&gt; between virtual machines.&lt;/li&gt; 
  &lt;li&gt;Virtual switches link systems and applications across logical partitions and a hypervisor manages the virtualized environment. When virtual firewalls are installed on individual servers, they can be configured and set up more easily.&lt;/li&gt; 
  &lt;li&gt;Virtual firewalls can also be less expensive than physical firewalls, but the cost of purchasing and deploying a large number of virtual firewalls can still be significant. However, virtual firewalls reduce operational costs, since they eliminate the necessity for physical upgrades or maintenance.&lt;/li&gt; 
  &lt;li&gt;On the other hand, virtual firewalls typically deliver a fraction of the network &lt;a href="https://www.techtarget.com/searchnetworking/definition/throughput"&gt;throughput&lt;/a&gt; dedicated physical firewalls can provide, which can create bottlenecks throughout the network and reduce business agility and performance.&lt;/li&gt; 
  &lt;li&gt;Another advantage of virtual firewalls over hardware-based firewalls is that they can be centrally administered, while hardware firewalls often need IT and network support staff to install, administer and support them on-site.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Security and virtual firewall"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Security and virtual firewall&lt;/h2&gt;
  &lt;p&gt;Using a virtual firewall in the cloud can help protect an organization's cloud infrastructure and services. The firewall runs as a virtual appliance inside the organization's tenancy in an &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Infrastructure-as-a-Service-IaaS"&gt;infrastructure as a service&lt;/a&gt; or &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Platform-as-a-Service-PaaS"&gt;platform as a service&lt;/a&gt; model, where it protects traffic going to, from and between applications in the cloud.&lt;/p&gt;
 &lt;p&gt;A cloud-based virtual firewall can meet several network and cybersecurity requirements in the cloud, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Policy-based filtering.&lt;/b&gt; A virtual firewall secures the virtual data center using policy-based filtering and managing traffic flowing to or from the internet, between virtual networks or between tenants.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Securing connectivity between cloud and physical infrastructure.&lt;/b&gt; Virtual firewalls extend the physical data center's security controls to the cloud. This is especially applicable to organizations migrating applications to the cloud that need secure connectivity between the cloud and their local infrastructures.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Securing remote access.&lt;/b&gt; Virtual firewalls &lt;a href="https://www.techtarget.com/searchsecurity/Ultimate-guide-to-secure-remote-access"&gt;secure remote access&lt;/a&gt; by offering the advanced access policy, filtering and connection management needed to provide clients with access to the cloud.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Consistent data protection.&lt;/b&gt; Virtual firewalls ensure that all data is subject to the same protective measures as on-premises, hardware-based firewalls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Integration with service providers.&lt;/b&gt; Virtual firewalls maintain the integrity and confidentiality of applications and data by integrating with access control providers and offering a wide variety of granular, policy-based filtering tools.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Rapid response to changing security requirements.&lt;/b&gt; Virtual firewalls protect applications and assets in their virtualized environments, as well as respond rapidly when network security requirements change in &lt;a href="https://www.techtarget.com/whatis/definition/remote-office-branch-office-ROBO"&gt;remote or branch offices&lt;/a&gt;, as well as accommodate temporary staff deployments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;IoT security features.&lt;/b&gt; Many high-end, &lt;a href="https://www.techtarget.com/searchsecurity/definition/next-generation-firewall-NGFW"&gt;next-generation firewalls&lt;/a&gt; also offer internet of things (&lt;a href="https://www.techtarget.com/iotagenda/definition/Internet-of-Things-IoT"&gt;IoT&lt;/a&gt;) security features specifically designed for IoT environments. These features provide visibility into unmanaged devices, detect behavioral anomalies and offer risk-based policy recommendations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Additional networking functions.&lt;/b&gt; Some virtual network firewalls integrate additional networking functions, such as site-to-site and remote access &lt;a href="https://www.techtarget.com/searchnetworking/definition/virtual-private-network"&gt;virtual private networks&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchunifiedcommunications/definition/QoS-Quality-of-Service"&gt;quality of service&lt;/a&gt; and URL filtering.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Content-based decision-making.&lt;/b&gt; Virtual firewalls can examine the content of application traffic and decide which requests, regardless of port number, should be permitted. This functionality helps organizations mitigate a range of attacks, including &lt;a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack"&gt;distributed denial-of-service&lt;/a&gt; attacks, HTTP floods and &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection"&gt;SQL injections&lt;/a&gt;, although application-layer filtering complements rather than replaces secure coding in the application itself.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Malware protection.&lt;/b&gt; By using different methods of analysis, such as machine learning (&lt;a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML"&gt;ML&lt;/a&gt;) and dynamic analysis, virtual firewalls can detect and mitigate certain file-based threats. This can also involve signature-based detection methods to defend against emerging threats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Domain name system (DNS) security.&lt;/b&gt; Virtual firewalls can employ &lt;a href="https://www.techtarget.com/searchbusinessanalytics/definition/predictive-analytics"&gt;predictive analytics&lt;/a&gt; and ML to prevent attacks that exploit &lt;a href="https://www.techtarget.com/searchnetworking/definition/domain-name-system"&gt;DNS&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
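  &lt;p&gt;The tag-based policy model and north-south versus east-west inspection described under the benefits above, and the policy-based filtering between tenants listed here, can be made concrete with a small first-match policy engine. The Python below is an added illustration written for this page, not code from any firewall vendor or from the original article: the workload inventory, tag names, IP addresses, rules and sample flows are all constructed assumptions.&lt;/p&gt;

```python
"""Tag-based virtual firewall policy evaluation (added illustration, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed workload inventory: cloud metadata tags keyed by private IP (assumption).
INVENTORY = {
    "10.0.1.10": {"role": "web", "env": "prod", "tenant": "a"},
    "10.0.2.20": {"role": "db", "env": "prod", "tenant": "a"},
    "10.0.3.30": {"role": "web", "env": "dev", "tenant": "a"},
    "10.0.4.40": {"role": "web", "env": "prod", "tenant": "b"},
}

PRIVATE_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    src_tags: dict = field(default_factory=dict)   # tags the source must carry; empty = any
    dst_tags: dict = field(default_factory=dict)   # tags the destination must carry
    dports: frozenset = frozenset()                # empty = any port
    src_cidr: str = "0.0.0.0/0"                    # for sources that carry no tags (the internet)
    same_tags: tuple = ()                          # tags that must hold the same value on both ends


def is_private(ip):
    return any(ip_address(ip) in net for net in PRIVATE_RANGES)


def direction(flow):
    """north-south if either end is outside private address space, otherwise east-west."""
    both_private = is_private(flow.src) and is_private(flow.dst)
    return "east-west" if both_private else "north-south"


def tags_match(required, actual):
    return all(actual.get(key) == value for key, value in required.items())


def evaluate(flow, rules, inventory):
    """First-match evaluation with an implicit default deny, as most firewalls do."""
    src_tags = inventory.get(flow.src, {})
    dst_tags = inventory.get(flow.dst, {})
    for rule in rules:
        if ip_address(flow.src) not in ip_network(rule.src_cidr):
            continue
        if not tags_match(rule.src_tags, src_tags):
            continue
        if not tags_match(rule.dst_tags, dst_tags):
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        if any(src_tags.get(t) != dst_tags.get(t) for t in rule.same_tags):
            continue
        return rule.action, rule.name
    return "deny", "default-deny"


# Constructed policy: the internet may reach only prod web on 443, and only the prod
# web tier may reach the prod database on 5432, and only within the same tenant.
RULES = [
    Rule("internet-to-web", "allow",
         dst_tags={"role": "web", "env": "prod"}, dports=frozenset({443})),
    Rule("web-to-db", "allow",
         src_tags={"role": "web", "env": "prod"}, dst_tags={"role": "db", "env": "prod"},
         dports=frozenset({5432}), same_tags=("tenant",)),
]


def run(flows, rules, inventory):
    """Return one log line per flow, recording both allowed and blocked traffic."""
    lines = []
    for flow in flows:
        verdict, matched = evaluate(flow, rules, inventory)
        lines.append(f"{verdict} rule={matched} dir={direction(flow)} "
                     f"{flow.src} to {flow.dst}:{flow.dport}/{flow.proto}")
    return lines


SAMPLE_FLOWS = [                                   # constructed traffic, not captured data
    Flow("203.0.113.5", "10.0.1.10", 443),         # internet to prod web: allowed north-south
    Flow("203.0.113.5", "10.0.2.20", 5432),        # internet straight to the db: blocked
    Flow("10.0.1.10", "10.0.2.20", 5432),          # prod web to prod db: allowed east-west
    Flow("10.0.3.30", "10.0.2.20", 5432),          # dev web to prod db: blocked by the env tag
    Flow("10.0.4.40", "10.0.2.20", 5432),          # tenant b web to tenant a db: blocked
]

if __name__ == "__main__":
    for line in run(SAMPLE_FLOWS, RULES, INVENTORY):
        print(line)
```

  &lt;p&gt;Two design points carry over to real deployments: the policy refers to workloads by tag, so an instance that is re-created with a new address inherits the right rules as long as it carries the right metadata, and the implicit default deny means a flow that matches nothing, including a second tenant's web tier reaching into the first tenant's database, is dropped and logged rather than silently allowed.&lt;/p&gt;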
  &lt;p&gt;&lt;i&gt;Learn about evolving cloud-based attacks as more and more businesses store critical data on the cloud. Use &lt;a href="https://www.techtarget.com/searchsecurity/tip/Use-cloud-threat-intelligence-to-protect-critical-data-and-assets"&gt;cloud threat intelligence to stay aware of potential attacks&lt;/a&gt; and protect assets from attackers who are always changing their attack tactics.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A virtual firewall is a firewall device or service that provides network traffic filtering and monitoring for virtual machines (VMs) in a virtualized environment.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/virtual-firewall</link>
            <pubDate>Thu, 23 May 2024 09:00:00 GMT</pubDate>
            <title>virtual firewall</title>
        </item>
        <item>
            <body>&lt;section class="section main-article-chapter" data-menu-title="What is the Cloud Security Alliance?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the Cloud Security Alliance?&lt;/h2&gt;
 &lt;p&gt;The Cloud Security Alliance (CSA) is a nonprofit organization that promotes research into best practices for securing cloud computing and the use of cloud technologies to secure other forms of computing. CSA uses the expertise of industry practitioners, associations and governments, as well as its corporate and individual members, to offer research, education, certification, events and products specific to cloud security.&lt;/p&gt;
 &lt;p&gt;The organization's activities, knowledge and extensive network benefit the entire cloud community, including cloud service providers (CSPs), customers, entrepreneurs and governments. CSA also &lt;a href="https://cloudsecurityalliance.org/circle/" target="_blank" rel="noopener"&gt;offers a forum&lt;/a&gt; through which all parties can work together to create and maintain a trusted cloud ecosystem.&lt;/p&gt;
 &lt;p&gt;The industry group provides security education and guidance to companies in different stages of cloud adoption and helps CSPs address security in their software delivery models. CSA membership is available to any interested parties with the expertise to contribute to the security of cloud computing.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Cloud Security Alliance research areas"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud Security Alliance research areas&lt;/h2&gt;
 &lt;p&gt;CSA leads a number of ongoing research initiatives through which it provides white papers, tools and reports to help companies and vendors secure cloud computing services.&lt;/p&gt;
 &lt;p&gt;CSA working groups target 32 cloud security domains and address almost every aspect of cloud security. These include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;The CSA IoT Working Group develops relevant use cases for internet of things (&lt;a href="https://www.techtarget.com/iotagenda/definition/Internet-of-Things-IoT"&gt;IoT&lt;/a&gt;) implementations and establishes actionable guidance to enable security practitioners to secure their deployments.&lt;/li&gt; 
  &lt;li&gt;The CSA Application Containers and Microservices Working Group conducts research on application &lt;a href="https://www.techtarget.com/searchitoperations/definition/container-containerization-or-container-based-virtualization"&gt;containers&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchapparchitecture/definition/microservices"&gt;microservices&lt;/a&gt; security. It is charged with publishing guidance and best practices for the secure use of application containers and microservices.&lt;/li&gt; 
  &lt;li&gt;The CSA SaaS Governance Working Group encourages and defines mechanisms to promote cooperation and helps vendors and customers work closely together to manage &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service"&gt;software-as-a-service&lt;/a&gt; risks and guarantee the security of customer data and the resilience of the SaaS cloud infrastructure.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="CSA programs and partnerships"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;CSA programs and partnerships&lt;/h2&gt;
 &lt;p&gt;CSA offers numerous programs and partnerships, such as CSA Security, Trust &amp;amp; Assurance Registry (STAR), which is a program for security assurance in the cloud. STAR incorporates the principles of transparency, rigorous auditing and the harmonization of standards. The STAR program offers several benefits, including "indications of best practices and validation of security posture of cloud offerings," according to the CSA website.&lt;/p&gt;
 &lt;p&gt;CSA Code of Conduct for GDPR Compliance offers a consistent and comprehensive framework to help companies comply with the European Union's General Data Protection Regulation. CSA Code of Conduct offers a &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/compliance"&gt;compliance&lt;/a&gt; tool to achieve GDPR compliance, as well as transparency guidelines regarding the level of data protection offered by a cloud service provider.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="CSA membership"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;CSA membership&lt;/h2&gt;
 &lt;p&gt;Cloud Security Alliance offers three membership options:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Corporate Membership for Solution Providers offers a venue for members to learn about the latest developments in the cloud, showcase their expertise to a global audience and connect with users.&lt;/li&gt; 
  &lt;li&gt;Corporate Membership for Enterprises provides information, tools and guidance to help members realize the benefits of their cloud investments.&lt;/li&gt; 
  &lt;li&gt;Individual Membership offers any individual with an interest in cloud computing and the expertise to help make it more secure a complimentary individual membership based on a minimum level of participation.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;CSA currently has 90,000 individual members, 80 global chapters and 400 corporate members.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Cloud Security Alliance certifications"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud Security Alliance certifications&lt;/h2&gt;
 &lt;p&gt;Cloud Security Alliance also offers professional cloud security certifications, such as the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;CSA STAR Certification is a rigorous, third-party, independent assessment of the security of a CSP. STAR Certification is based on achieving ISO/IEC 27001, as well as the specified set of criteria detailed in the Cloud Controls Matrix. Achieving the STAR Certification means that cloud providers will be able to offer prospective customers a greater understanding of their level of security control.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://cloudsecurityalliance.org/education/ccsk/" target="_blank" rel="noopener"&gt;CSA CCSK&lt;/a&gt; (Certificate of Cloud Security Knowledge) is a web-based examination of a person's competency in the primary cloud security issues. The CCSK aims to provide an understanding of security issues and best practices over a range of cloud computing domains. Recommended for IT auditors, the CCSK is required for portions of the CSA STAR program.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;This article was written by Linda Rosencrance in 2018. TechTarget editors revised it in 2024 to improve the reader experience.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The Cloud Security Alliance (CSA) is a nonprofit organization that promotes research into best practices for securing cloud computing and the use of cloud technologies to secure other forms of computing.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/Cloud-Security-Alliance-CSA</link>
            <pubDate>Tue, 30 Apr 2024 13:31:00 GMT</pubDate>
            <title>Cloud Security Alliance (CSA)</title>
        </item>
        <item>
            <body>&lt;p&gt;More data than ever before is being put into cloud-based storage repositories. Leading cloud providers offer an array of storage options, yet databases remain the most common choice in today's enterprises. Because databases are updated so frequently, it's important to review their security controls regularly.&lt;/p&gt; 
&lt;p&gt;When it comes to &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-database"&gt;cloud databases&lt;/a&gt;, organizations have two options: run their own in the cloud or use a cloud provider's managed database services.&lt;/p&gt; 
&lt;p&gt;For organizations running their own database servers in the cloud, all standard security recommendations apply: patch, limit database permissions, restrict database access, use limited privilege service accounts, and enable database-specific and OS &lt;a href="https://www.techtarget.com/searchsecurity/feature/Types-of-cybersecurity-controls-and-how-to-place-them"&gt;security controls to protect data&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;For those companies that don't want to run their own cloud database, there are numerous cloud database services to choose from, offered both by cloud platform providers and other database vendors that run their software on a provider's infrastructure. Many of these database as a service (&lt;a href="https://www.techtarget.com/searchdatamanagement/definition/database-as-a-service-DBaaS"&gt;DBaaS&lt;/a&gt;) offerings have strong security capabilities and controls built in by default. They might also include limited user security responsibilities, compliance and audit attestation features, and service-level agreements for uptime and performance that could exceed a company's own.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why is effective cloud database security important?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is effective cloud database security important?&lt;/h2&gt;
 &lt;p&gt;As more database implementations move to the cloud, keeping security configuration and access controls in mind is critical for a number of reasons. These include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Data privacy.&lt;/b&gt; Given that cloud databases can reside in a wide variety of geographic locations, it's likely that any personal or sensitive data might fall under the purview of &lt;a href="https://www.techtarget.com/searchsecurity/tip/State-of-data-privacy-laws"&gt;local or country-specific data privacy laws&lt;/a&gt;. Depending on the types of data involved, security and privacy teams should take deployment location into account, as well as monitoring and oversight capabilities in the provider environment that accommodate privacy reporting.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Data classification and protection.&lt;/b&gt; Many data types might require encryption or other security controls to meet compliance or internal requirements. While encryption is generally standard in most leading cloud databases, it's important to ensure that encryption standards are met, as well as key rotation and other accompanying controls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;APIs and integration.&lt;/b&gt; As with many other cloud services, cloud databases of all types are often interconnected to a wide range of other services in use within the provider ecosystem -- monitoring, application components and workloads, for example. They also offer a number of APIs that can be used to import and export data, synchronize data sets and make configuration changes. All of these connectivity areas can be potentially abused or exposed, so they need to be carefully configured.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Role-based access.&lt;/b&gt; Along with the APIs and integration just mentioned, cloud databases often have a number of identity policies assigned, allowing access from both human and cloud accounts. It's very easy to assign excessive privileges to cloud resources quickly, and cloud databases are no exception.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud velocity.&lt;/b&gt; Cloud databases aren't exempt from the rapid pace of updates that occur in cloud deployments. Both development and infrastructure operations tend to experience more dynamic, fast-paced updates than traditional environments, which can often lead to mistakes or misconfiguration.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;While these certainly aren't the only drivers to develop a sound, maintainable cloud database configuration and security standard, they're some of the most prevalent and broad in scope.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Common threats to cloud databases"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Common threats to cloud databases&lt;/h2&gt;
  &lt;p&gt;Cloud databases are targets for attackers if they aren't properly secured. For example, in May 2021, security analytics software vendor Cognyte exposed 5 billion data records -- ironically, containing information on &lt;a href="https://www.techtarget.com/searchsecurity/feature/10-biggest-data-breaches-in-history-and-how-to-prevent-them"&gt;previous data breaches&lt;/a&gt; at other organizations -- due to a cloud database with weak authentication controls &lt;a target="_blank" href="https://www.comparitech.com/blog/information-security/breach-database-leak/" rel="noopener"&gt;discovered&lt;/a&gt; by a security researcher. In late 2023, Microsoft AI researchers accidentally exposed 38 TB of personal data and other sensitive information through a cloud storage account shared with an overly permissive access token. Cloud service hosting provider Zenlayer exposed more than 380 million records in early 2024, primarily customer contact details and some technical attributes related to customer accounts.&lt;/p&gt;
 &lt;p&gt;There are numerous threats to cloud databases, with the most common types including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Data exposure.&lt;/b&gt; If cloud databases are poorly secured, it's likely the data in them could be exposed to the internet or other cloud resources. Attackers actively looking for exposed databases can take advantage of this and exfiltrate data for financial gain or other purposes.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Exposed APIs.&lt;/b&gt; Many cloud databases offer a wide variety of APIs for administration, integration and synchronization with other data stores. If these APIs are exposed publicly, or poorly secured and left unmonitored, attackers could access and manipulate database content and configurations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud workload hijacking.&lt;/b&gt; Cloud database workloads can run in containers or virtual servers. As a result, databases that aren't properly secured could be exploited by attackers who then compromise the underlying container or OS runtime. This could lead to lateral movement by the attackers and other cloud services also being disrupted, exposed or compromised.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Application exploits.&lt;/b&gt; Cloud databases are potentially susceptible to common attacks, such as &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection"&gt;SQL injection&lt;/a&gt;, which can lead to application compromises, escalation of access privileges for user and service accounts and exposure of database details. In that way, attackers might be able to expand compromises of cloud environments through traditional application-centric attacks.&lt;/li&gt; 
 &lt;/ul&gt;
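 &lt;p&gt;The application-exploit threat above in concrete form, as an added example written for this article rather than code from the original: a Python script that uses the standard library's sqlite3 module as a stand-in for a cloud-hosted relational database. The accounts table and its three rows are constructed for the example. The vulnerable lookup concatenates user input into the SQL text, so one payload dumps every row and another reads the table definitions out of sqlite_master; the hardened lookup passes the same payloads as bound parameters and returns nothing.&lt;/p&gt;

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for a cloud-hosted relational
    # database; the usernames and roles are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "readonly")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # value ends the literal and the rest of the payload is parsed as SQL.
    sql = "SELECT username, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened: the query text is fixed and the value travels separately as a
    # bound parameter, so it can only ever be compared as a string.
    sql = "SELECT username, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: the first rewrites the WHERE clause so every row
# matches, the second appends a UNION that reads table definitions from the
# SQLite catalog (the equivalent of information_schema on other engines).
DUMP_ALL = "x' OR '1'='1"
READ_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("intended:", lookup_vulnerable(conn, "bob"))
    print("dump all:", lookup_vulnerable(conn, DUMP_ALL))
    print("schema:  ", lookup_vulnerable(conn, READ_SCHEMA))
    print("safe:    ", lookup_safe(conn, DUMP_ALL))
```

 &lt;p&gt;The parameterized form is the fix on every engine the cloud providers host; the only engine-specific detail is the placeholder token (? here, %s or $1 elsewhere). Pair it with a database account that holds only the privileges the application needs, so an injection that does slip through cannot read other schemas or escalate.&lt;/p&gt;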
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Challenges for organizations on cloud database security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges for organizations on cloud database security&lt;/h2&gt;
 &lt;p&gt;Organizations planning to implement cloud databases, as well as those with cloud databases already deployed, will commonly face a number of challenges in configuring and monitoring them. Some of the most common include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Configuring and maintaining access controls.&lt;/b&gt; Unless explicitly set up to be public-facing, no cloud database should be visible directly to the internet. Security teams need to maintain vigilance to ensure no existing or new database services or instances are configured to allow public access, and threat modeling should be performed regularly to ensure all data and network access to all databases is as restricted as possible. In large environments, this can be a constant challenge.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Managing encryption.&lt;/b&gt; While encryption at rest is usually enabled automatically, cloud tenants should select customer-managed encryption keys wherever possible to control key policy, rotation and revocation. Encryption in transit also needs managing: for example, Azure SQL Database lets tenants set a minimum &lt;a href="https://www.techtarget.com/searchsecurity/definition/Transport-Layer-Security-TLS"&gt;TLS&lt;/a&gt;&amp;nbsp;version, and such settings need to be chosen, enforced and kept current as older protocol versions are retired.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Managing logging and database events.&lt;/b&gt; Cloud databases should have logging enabled, but this comes at a cost -- most generate staggering numbers of events that need to be managed. Security operations teams often find the volume of cloud database logs to be somewhat overwhelming, so they'll need to spend time familiarizing themselves with the types of events that are important and building detection and response workflows from these.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Classifying and tracking data.&lt;/b&gt; Particularly as it relates to privacy requirements, classifying data in cloud databases and tracking it across different cloud regions and availability zones can be a major headache, and this is only compounded with multiple cloud services in use.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enforcing privileges and permissions.&lt;/b&gt; Fortunately, many leading cloud databases start with a minimal set of privileges associated with them, but this quickly changes as application architectures are deployed and connect to them.&lt;/li&gt; 
 &lt;/ul&gt;
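 &lt;p&gt;The first challenge above -- making sure no database instance is reachable from the internet -- as an added example written for this article, not code from the original or from AWS: a Python audit that walks records shaped like the AWS describe_db_instances and describe_security_groups responses and reports instances that are publicly accessible with an ingress rule that reaches the database port from outside RFC 1918 space, plus any instance whose storage is not encrypted at rest. The instance identifiers, security group IDs and CIDR blocks are constructed for the example, and the check is IPv4 only; it deliberately treats an allow-listed office range as internet-reachable so that such exceptions still surface for review.&lt;/p&gt;

```python
import ipaddress

# Constructed sample data shaped like the AWS describe_db_instances and
# describe_security_groups responses. Identifiers and CIDRs are invented.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "PubliclyAccessible": False, "StorageEncrypted": True,
     "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-private"}]},
    {"DBInstanceIdentifier": "analytics-dev", "Engine": "mysql",
     "PubliclyAccessible": True, "StorageEncrypted": False,
     "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "reports-stage", "Engine": "postgres",
     "PubliclyAccessible": True, "StorageEncrypted": True,
     "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-office"}]},
]

# Ingress rules per security group, in the IpPermissions format
SECURITY_GROUPS = {
    "sg-private": [{"FromPort": 5432, "ToPort": 5432,
                    "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}],
    "sg-open": [{"FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-office": [{"FromPort": 5432, "ToPort": 5432,
                   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule_reaches_port(rule, port):
    # FromPort -1 is how EC2 expresses "all ports" for a rule
    if rule.get("FromPort", -1) == -1:
        return True
    return port in range(rule["FromPort"], rule["ToPort"] + 1)


def cidr_is_internet(cidr):
    # Anything outside RFC 1918 is treated as internet-reachable, so an
    # allow-listed office egress range is still reported for review.
    net = ipaddress.ip_network(cidr)
    return not any(net.subnet_of(private) for private in RFC1918)


def audit_instance(db, groups):
    findings = []
    port = db["Endpoint"]["Port"]
    if not db.get("StorageEncrypted", False):
        findings.append("storage not encrypted at rest")
    if not db.get("PubliclyAccessible", False):
        # No public endpoint: security group rules cannot expose it to the internet
        return findings
    for sg in db["VpcSecurityGroups"]:
        sg_id = sg["VpcSecurityGroupId"]
        for rule in groups.get(sg_id, []):
            if not rule_reaches_port(rule, port):
                continue
            for rng in rule.get("IpRanges", []):
                if cidr_is_internet(rng["CidrIp"]):
                    findings.append(f"port {port} reachable from {rng['CidrIp']} via {sg_id}")
    return findings


def audit(instances, groups):
    # Return only the instances that have at least one finding
    report = {}
    for db in instances:
        findings = audit_instance(db, groups)
        if findings:
            report[db["DBInstanceIdentifier"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(DB_INSTANCES, SECURITY_GROUPS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

 &lt;p&gt;In a live account the same functions would be fed the paginated output of the two AWS API calls instead of the inline lists; keeping the data in the file is what lets the check run offline and be unit tested. Running it on a schedule, rather than once, is what turns the "constant challenge" above into a routine control.&lt;/p&gt;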
 &lt;p&gt;Admittedly, many of the most common challenges related to cloud database security align with the top overall challenges in cloud security, such as security visibility for logging and monitoring, controlling user access and permissions, and protecting data anywhere in the cloud environment.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Cloud database security best practices"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud database security best practices&lt;/h2&gt;
 &lt;p&gt;Regardless of which cloud database service is employed, be sure to follow these best practices:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Change any default logins or credentials to the cloud databases.&lt;/b&gt; This prevents common &lt;a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking"&gt;brute-force attacks&lt;/a&gt; that use these default credentials to expose databases. Such attacks are simple to execute, even by unskilled adversaries.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Employ customer-managed keys versus cloud provider keys where possible.&lt;/b&gt; A customer-managed key gives you control over the key policy, rotation schedule and audit trail, and disabling or deleting the key revokes access to every copy of the data it protects, including snapshots and backups. Keep in mind that with a standard cloud key management service the provider still operates the key store; only external key manager options hold key material outside the provider's systems. Even so, customer-managed keys sharply limit the risk of third-party access to cloud database resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use cloud identity and access management to the utmost for privilege minimization.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-cloud-IAM-best-practices-to-implement"&gt;Cloud IAM is highly capable today&lt;/a&gt;, and granular least-privilege policies can be created and applied in all areas of cloud deployments. By prioritizing strong IAM, the threat surface of cloud databases can be significantly reduced.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enable full logging capabilities for all databases.&lt;/b&gt; Logs can be sent to a central security event management system for monitoring and incident response related to suspicious or malicious access attempts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enable encrypted database access wherever possible.&lt;/b&gt; Encryption can help protect sensitive data and other cloud data assets from accidental exposure and illicit access by attackers who don't have the needed decryption keys.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/best_practices_for_managing_cloud_database_security-f.png"&gt;
  &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/best_practices_for_managing_cloud_database_security-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/best_practices_for_managing_cloud_database_security-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/best_practices_for_managing_cloud_database_security-f.png 1280w" alt="Cloud database security best practices" height="275" width="560"&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;Now let's take a look at some of the &lt;a href="https://www.techtarget.com/searchdatamanagement/tip/Cloud-database-comparison-AWS-Microsoft-Google-and-Oracle"&gt;cloud database services&lt;/a&gt; from the top three cloud platform providers and their built-in security controls.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Amazon DynamoDB"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Amazon DynamoDB&lt;/h2&gt;
 &lt;p&gt;DynamoDB is a managed &lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/Compare-NoSQL-database-types-in-the-cloud"&gt;NoSQL database service&lt;/a&gt; within the AWS cloud. It offers a number of security features, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
   &lt;li&gt;&lt;b&gt;Backups and point-in-time recovery.&lt;/b&gt; DynamoDB supports on-demand backups and, when point-in-time recovery is enabled, continuous backups that let a table be restored to any second within the preceding 35 days. Both are native to the service and integrate with AWS Backup; the older approach of exporting tables with an AWS Data Pipeline template is no longer the recommended method.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Encryption at rest by default.&lt;/b&gt; All DynamoDB tables are encrypted at rest with 256-bit AES, using an AWS-owned key unless the tenant selects an AWS-managed or customer-managed AWS KMS key.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;AWS IAM permissions.&lt;/b&gt; IAM policies control who can call the DynamoDB API and on which tables. Condition keys such as dynamodb:LeadingKeys and dynamodb:Attributes restrict a principal to specific items (rows) and attributes (columns), which enables fine-grained access control without relying on application-side filtering.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Cryptographically signed requests.&lt;/b&gt; Every DynamoDB API call must carry an AWS Signature Version 4 (SigV4) signature: a &lt;a href="https://www.techtarget.com/searchsecurity/definition/Hash-based-Message-Authentication-Code-HMAC"&gt;Hash-based Message Authentication Code&lt;/a&gt; computed with SHA-256 over the canonical request, using a key derived from the caller's secret access key. Requests with a missing, expired or mismatched signature are rejected.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SSL/TLS-encrypted endpoints. &lt;/b&gt;DynamoDB is accessible via SSL/TLS-encrypted endpoints.&lt;/li&gt; 
 &lt;/ul&gt;
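 &lt;p&gt;The request signing described in the list above, as an added example written for this article rather than AWS SDK code: it derives the scoped SigV4 signing key, builds the canonical request and Authorization header for a DynamoDB GetItem call, and shows the service-side check that rejects any request whose body, headers or timestamp were altered. The access key pair is the inert placeholder AWS uses in its own documentation, the table name and request body are constructed, and the example uses only the Python standard library so the HMAC chain is visible rather than hidden inside a client library.&lt;/p&gt;

```python
import datetime
import hashlib
import hmac
import json

# Placeholder credentials: the inert example key pair used throughout AWS
# documentation, not a real identity.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "dynamodb"
HOST = f"dynamodb.{REGION}.amazonaws.com"

# Constructed GetItem request for a hypothetical table
TARGET = "DynamoDB_20120810.GetItem"
BODY = json.dumps({"TableName": "Accounts", "Key": {"user_id": {"S": "alice"}}}).encode("utf-8")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret, date_stamp, region, service):
    # SigV4 derives a per-day, per-region, per-service key so the long-term
    # secret never signs traffic directly.
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(secret, body, target, amz_date):
    # amz_date is the x-amz-date header value, e.g. 20240410T090000Z
    date_stamp = amz_date[:8]
    headers = {
        "content-type": "application/x-amz-json-1.0",
        "host": HOST,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # DynamoDB calls are POSTs to "/" with no query string
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, sha256_hex(body)]
    )
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canonical_request.encode("utf-8"))]
    )
    key = signing_key(secret, date_stamp, REGION, SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"signature": signature, "scope": scope,
            "signed_headers": signed_headers, "authorization": authorization}


def verify_request(secret, body, target, amz_date, presented_signature):
    # The service-side check: recompute the signature from the secret held for
    # the access key and compare in constant time. Any change to the body,
    # headers or timestamp produces a different value, so the call is rejected.
    expected = sign_request(secret, body, target, amz_date)["signature"]
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    signed = sign_request(SECRET_KEY, BODY, TARGET, now)
    print("Authorization:", signed["authorization"])
    print("valid:", verify_request(SECRET_KEY, BODY, TARGET, now, signed["signature"]))
    print("tampered body valid:", verify_request(SECRET_KEY, BODY + b"x", TARGET, now, signed["signature"]))
```

 &lt;p&gt;Two properties matter for security reviews. The timestamp is part of the signed material, and the service also rejects requests whose x-amz-date is more than a few minutes old, which limits replay. And because the derived key is scoped to one date, region and service, a leaked signing key is far less useful than a leaked secret access key; the secret itself still has to be protected, which is why the SDKs prefer short-lived credentials from IAM roles over static keys.&lt;/p&gt;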
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Amazon RDS"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Amazon RDS&lt;/h2&gt;
 &lt;p&gt;Amazon Relational Database Service (RDS) is a more traditional service that offers a choice of different relational database engines. It includes MySQL, Oracle, SQL Server, Amazon Aurora, MariaDB or PostgreSQL as options. Its security features include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
   &lt;li&gt;&lt;b&gt;VPC security groups.&lt;/b&gt; RDS instances live in a VPC and are protected by security groups: stateful network ingress controls that admit traffic only from authorized IP ranges or from other security groups, ideally restricted to the database port alone. Rules can be changed without restarting running database instances. (The older DB security groups applied only to EC2-Classic, which AWS has retired.)&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;IAM permissions.&lt;/b&gt; These are used to control which RDS operations users can call.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Encryption.&lt;/b&gt; RDS can encrypt storage, snapshots, backups and read replicas at rest with AWS KMS keys for every supported engine; the option must be chosen when the instance is created, because an existing unencrypted instance can only be encrypted by copying a snapshot and restoring from it. SQL Server and Oracle additionally support Transparent Data Encryption at the engine level.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;SSL/TLS connections.&lt;/b&gt; Instances present certificates issued by the RDS certificate authority, so clients can verify the server as well as encrypt the session. Encrypted connections can be made mandatory with engine parameters such as rds.force_ssl for PostgreSQL or require_secure_transport for MySQL.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Automated backups and patching.&lt;/b&gt; Amazon RDS takes automated daily backups with a configurable retention period and applies OS and engine patches during a maintenance window the tenant defines; automatic minor version upgrades are an optional setting worth enabling.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Other options from AWS, Azure and Google Cloud"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Other options from AWS, Azure and Google Cloud&lt;/h2&gt;
 &lt;p&gt;Amazon Redshift, a petabyte-scale SQL &lt;a href="https://www.techtarget.com/searchdatamanagement/tip/On-premises-vs-cloud-data-warehouses-Pros-and-cons"&gt;cloud data warehouse&lt;/a&gt;, offers logging, automatic patching, encryption with strong multi-tiered key management and encrypted network connectivity.&lt;/p&gt;
 &lt;p&gt;Microsoft's Azure cloud also has a variety of database services, including Azure Table storage, a NoSQL key-value store. Azure Cosmos DB exposes a compatible Table API for applications that want to move to Cosmos DB's global distribution and throughput guarantees without rewriting their data access code. Both encrypt data at rest by default and support Azure role-based access control.&lt;/p&gt;
 &lt;p&gt;Microsoft also offers SQL Server PaaS capabilities as part of its Azure SQL Database service, which offers numerous data protection options. Column and cell encryption can be enabled with &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/T-SQL"&gt;Transact-SQL&lt;/a&gt;, which supports built-in functions to encrypt data with symmetric or asymmetric keys, or the public key of a certificate. Azure SQL Database also offers Always Encrypted &lt;a target="_blank" href="https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver16" rel="noopener"&gt;mode&lt;/a&gt;, in which entire columns of data can be automatically encrypted in applications before they are stored in the databases.&lt;/p&gt;
 &lt;p&gt;Google Cloud offers several databases, including Cloud SQL, which is a managed SQL database service for PostgreSQL, MySQL and SQL Server that has automated encryption and secure connectivity. Google's Spanner is a fully managed SQL database offering customer-managed encryption keys, logging, identity permissions and data-layer encryption. Bigtable is a NoSQL database that has customer-managed encryption, logging and strong access controls.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;Editor's note:&lt;/strong&gt; &lt;em&gt;This article was updated to include information on cloud database security challenges.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>If your company is using a cloud database, it's critical to stay on top of security. Review the security features offered by top cloud providers, plus some best practices.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/cloud_g512105921.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Evaluate-cloud-database-security-controls-best-practices</link>
            <pubDate>Wed, 10 Apr 2024 09:00:00 GMT</pubDate>
            <title>Cloud database security: Best practices, challenges and threats</title>
        </item>
        <item>
            <body>&lt;section class="section main-article-chapter" data-menu-title="What is a cloud audit?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a cloud audit?&lt;/h2&gt;
 &lt;p&gt;A cloud audit is an assessment of a &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-computing"&gt;cloud computing&lt;/a&gt; environment and its services, based on a specific set of controls and &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/best-practice"&gt;best practices&lt;/a&gt;. The audit is typically conducted by an independent third-party auditor on behalf of an organization that uses the cloud services. In some cases, a cloud audit might be carried out by the organization's own IT professionals.&lt;/p&gt;
 &lt;p&gt;When conducting a cloud audit, the auditor assesses the environment for issues such as performance, security, &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/compliance"&gt;compliance&lt;/a&gt; or other concerns. The auditor then documents the results of that assessment and provides this information to the organization, along with recommendations for addressing any issues.&lt;/p&gt;
 &lt;p&gt;The goal of such an audit is to determine how well the service provider is adhering to the specified controls and best practices. To help with this process, the Cloud Security Alliance (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Cloud-Security-Alliance-CSA"&gt;CSA&lt;/a&gt;) provides auditing documents, guidelines and controls that auditors can use when examining cloud environments. Auditors commonly rely on CSA resources for their auditing tools when performing their audits.&lt;/p&gt;
 &lt;p&gt;Discussions around cloud auditing often focus only on &lt;a href="https://www.techtarget.com/searchcio/definition/security-audit"&gt;security audits&lt;/a&gt;. This is because security audits can be extremely valuable in helping an organization ensure that its data is fully protected from unauthorized access and cyberthreats. However, there are numerous other types of cloud audits as well, such as performance, compliance or infrastructure audits. In some cases, an auditor will perform multiple types of audits at the same time.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/hpNGxrPtBGU?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://searchcloudsecurity.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How to conduct a cloud audit"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to conduct a cloud audit&lt;/h2&gt;
 &lt;p&gt;Auditing a cloud environment is similar to an &lt;a href="https://www.techtarget.com/searchcio/definition/IT-audit-information-technology-audit"&gt;IT audit&lt;/a&gt; in many ways. Both examine a variety of operational, administrative, security and performance controls. However, a cloud audit must also take into account the unique &lt;a href="https://www.techtarget.com/searchcloudcomputing/feature/7-key-characteristics-of-cloud-computing"&gt;characteristics of a cloud environment&lt;/a&gt;. For example, cloud platforms rely heavily on &lt;a href="https://www.techtarget.com/searchitoperations/definition/virtualization"&gt;virtualization&lt;/a&gt;, &lt;a href="https://www.techtarget.com/whatis/definition/multi-tenancy"&gt;multi-tenancy&lt;/a&gt; and &lt;a href="https://www.techtarget.com/whatis/definition/distributed-computing"&gt;distributed computing&lt;/a&gt; resources, including data &lt;a href="https://www.techtarget.com/searchstorage/definition/storage"&gt;storage&lt;/a&gt;. In addition, resources and infrastructure continuously evolve, with new elements constantly added or removed.&lt;/p&gt;
 &lt;p&gt;Cloud vendors also vary in terms of the type and number of services they offer, with services generally falling into one of three categories: infrastructure as a service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Infrastructure-as-a-Service-IaaS"&gt;IaaS&lt;/a&gt;), platform as a service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Platform-as-a-Service-PaaS"&gt;PaaS&lt;/a&gt;) or software as a service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service"&gt;SaaS&lt;/a&gt;). A provider might offer any mix of these, and an organization might take advantage of any or all of them. At the same time, auditors might not be able to access certain information or resources because of the types of &lt;a href="https://www.techtarget.com/searchcio/definition/IT-controls"&gt;controls&lt;/a&gt; that providers put on their cloud environments.&lt;/p&gt;
 &lt;p&gt;Despite these challenges, a carefully conducted cloud audit can still help assure that services are delivered with the appropriate attention to specific controls, especially those involving &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-policy"&gt;security policies&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management&lt;/a&gt;. Cloud audits look for evidence that the service provider is using best practices, complies with appropriate standards and meets certain &lt;a href="https://www.techtarget.com/searchcio/definition/benchmark"&gt;benchmarks&lt;/a&gt; in delivering its services.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/7_key_steps_for_a_cloud_audit-f.png"&gt;
  &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/7_key_steps_for_a_cloud_audit-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/7_key_steps_for_a_cloud_audit-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/7_key_steps_for_a_cloud_audit-f.png 1280w" alt="7 key steps in a cloud audit diagram" height="330" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Find out the seven steps involved in an effective cloud audit.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;The exact approach that an auditor or IT professional takes when auditing a cloud environment depends in part on the type of audit being performed. Other factors might also come into play, such as the type of services being consumed or the organization's specific requirements. However, most cloud audits generally follow the same basic steps:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Gather evidence.&lt;/b&gt; Collect relevant documents and other information to help understand the environment and delivered services. The evidence might include data, reports, screenshots, observations, test results or any other information useful to the investigation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Interview provider.&lt;/b&gt; Interview cloud vendor personnel about how the provider operates and delivers its services. The CSA offers cloud &lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/What-should-be-on-your-cloud-audit-checklist"&gt;auditing questions and checklists&lt;/a&gt; that can be useful to both external and internal auditors. The CSA has partnered with &lt;a href="https://www.techtarget.com/searchcio/definition/ISACA"&gt;ISACA&lt;/a&gt; to define what constitutes relevant cloud audit knowledge and to provide accreditation resources for auditors and IT professionals.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Analyze collected data.&lt;/b&gt; Carefully review and assess all the collected information and interviews. Evaluate how well the cloud environment aligns with CSA and ISACA controls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compile results.&lt;/b&gt; Combine the results of the analysis with the collected information (documentation and interviews) into a working structure that can be used to prepare a final report and recommendations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Prepare final report.&lt;/b&gt; Create the final report based on the compiled information and make recommendations based on those results.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Submit final report.&lt;/b&gt; Submit the final report to the organization's management or other representatives. This is often done at the same time the auditor conducts a formal briefing about the audit's findings.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Take action.&lt;/b&gt; Management develops an initial plan and timeframe for responding to the audit report and then assigns a team to respond to the report's recommended actions.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Cloud auditing tools from the CSA"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud auditing tools from the CSA&lt;/h2&gt;
 &lt;p&gt;The CSA provides multiple tools and guidelines for auditors and IT professionals who plan to perform cloud audits. The table below describes many of these resources and where to find them.&lt;/p&gt;
 &lt;table style="width: 100%;" class="main-article-table"&gt; 
  &lt;thead&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;&lt;strong&gt;Resource&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;&lt;strong&gt;Link&lt;/strong&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/thead&gt; 
  &lt;tbody&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;Cloud Controls Matrix (CCM) v4&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Cybersecurity control framework for cloud computing aligned with CSA best practices&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;CCM and Consensus Assessment Initiative Questionnaire (CAIQ) v4 (&lt;a href="https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4" target="_blank" rel="noopener"&gt;downloadable document&lt;/a&gt;)&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;Security, Trust, Assurance and Risk (STAR) security questionnaire&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Checklist tool to ask cloud vendors about security controls&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;STAR Level 1 Security Questionnaire (&lt;a target="_blank" href="https://cloudsecurityalliance.org/artifacts/star-level-1-security-questionnaire-caiq-v4" rel="noopener"&gt;downloadable document&lt;/a&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;STAR Registry&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;List of cloud vendors' security and regulatory compliance postures&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;STAR Registry (&lt;a target="_blank" href="https://cloudsecurityalliance.org/star/registry" rel="noopener"&gt;web listing&lt;/a&gt;)&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;CSA best practices&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Guidance on cloud security, performance and auditing&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;CSA Security Guidance (&lt;a target="_blank" href="https://cloudsecurityalliance.org/research/guidance" rel="noopener"&gt;downloadable document&lt;/a&gt;)&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;Mapping to other standards&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Mapping CCM v4 to other industry standards, such as the International Organization for Standardization 27000 series and Payment Card Industry Data Security Standard&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;Included in CCM and CAIQ v4&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;Controls Applicability Matrix&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Help for auditors to decide the most appropriate controls to use for a specific vendor&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;Included in CCM and CAIQ v4&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;CCM Metrics&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Compendium of security metrics for clouds to support governance, risk and compliance activities&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;Included in CCM and CAIQ v4&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;CCM v4 Implementation Guidelines&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Guidelines for using the CCM v4 audit standards&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;Included in CCM and CAIQ&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;Continuous Audit Metrics Catalog&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Guidance to plan and implement continuous cloud audit activities&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;Continuous Audit Metrics (&lt;a target="_blank" href="https://cloudsecurityalliance.org/artifacts/the-continuous-audit-metrics-catalog" rel="noopener"&gt;downloadable document&lt;/a&gt;)&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 23.3634%;"&gt;CCM v4 Auditing Guidelines&lt;/td&gt; 
    &lt;td style="width: 46.8397%;"&gt;Guidance for planning, organizing and conducting a cloud audit engagement using CCM v4&lt;/td&gt; 
    &lt;td style="width: 29.5711%;"&gt;CCM Auditing Guidelines (&lt;a target="_blank" href="https://cloudsecurityalliance.org/artifacts/ccm-v4-0-auditing-guidelines" rel="noopener"&gt;downloadable document&lt;/a&gt;)&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/tbody&gt; 
 &lt;/table&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Cloud audit professional credentials"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cloud audit professional credentials&lt;/h2&gt;
 &lt;p&gt;In 2021, the CSA and ISACA jointly launched the Certificate of Cloud Auditing Knowledge (CCAK), a vendor-neutral technical credential for auditing cloud environments. The CCAK builds on the CSA's Certificate of Cloud Security Knowledge (CCSK). The CCSK provides a widely recognized standard for expertise in cloud security, while promoting an understanding of how to secure cloud data. A CCSK certificate is often the first step an auditor takes in preparing for cloud auditing.&lt;/p&gt;
 &lt;p&gt;The CCAK expands on the CCSK by providing a set of essential principles for auditing cloud computing systems. The CCAK helps to prepare IT and security professionals for conducting audits so they can better ensure that internal requirements are fulfilled and appropriate controls are in place. To this end, the CCAK trains these professionals in how to objectively evaluate critical cloud assurance issues.&lt;/p&gt;
 &lt;p&gt;The CCAK complements ISACA's &lt;a href="https://www.techtarget.com/searchdatacenter/definition/ANSI"&gt;ANSI-&lt;/a&gt;accredited certifications, which include the Certified Information Systems Auditor (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Auditor-CISA"&gt;CISA&lt;/a&gt;). Together with the CCSK, the CCAK provides evidence of an auditor's knowledge of cloud infrastructure and systems, including security and vulnerabilities. It also demonstrates that the auditor knows how to conduct a cloud audit.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Explore &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/10-cybersecurity-certifications-to-boost-your-career-in-2021"&gt;&lt;i&gt;10 cloud security certifications (including CCAK and CCSK)&lt;/i&gt; &lt;/a&gt;&lt;i&gt;to boost your career. See how to &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/How-to-approach-cloud-compliance-monitoring"&gt;&lt;i&gt;approach cloud compliance monitoring&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A cloud audit is an assessment of a cloud computing environment and its services, based on a specific set of controls and best practices.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchcloudcomputing/definition/cloud-audit</link>
            <pubDate>Mon, 04 Mar 2024 09:00:00 GMT</pubDate>
            <title>cloud audit</title>
        </item>
        <item>
            <body>&lt;section class="section main-article-chapter" data-menu-title="What is SOC 2 (System and Organization Controls 2)?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is SOC 2 (System and Organization Controls 2)?&lt;/h2&gt;
 &lt;p&gt;SOC 2 (System and Organization Controls 2), pronounced "sock two,"&lt;b&gt; &lt;/b&gt;is a voluntary &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/compliance"&gt;compliance&lt;/a&gt; standard for ensuring that service providers properly manage and protect the sensitive data in their care. SOC 2 offers a structure for &lt;a href="https://www.techtarget.com/searchcio/definition/compliance-audit"&gt;auditing&lt;/a&gt; and reporting on the internal controls that an organization has put into place to ensure the &lt;a href="https://www.techtarget.com/searchsecurity/definition/security"&gt;security&lt;/a&gt;, availability, processing integrity, confidentiality and &lt;a href="https://www.techtarget.com/searchcio/definition/data-privacy-information-privacy"&gt;privacy&lt;/a&gt; of the data.&lt;/p&gt;
 &lt;p&gt;The SOC 2 standard was developed by the American Institute of Certified Public Accountants (AICPA). The standard defines a set of principles -- the Trust Services Principles -- that provide a foundation for evaluating an organization's internal controls. Each principle is associated with a set of criteria that specify what it takes for an organization to be in compliance with the standard, based on the organization's own stated objectives.&lt;/p&gt;
 &lt;p&gt;To achieve SOC 2 compliance, an organization must be audited by a third-party CPA firm that verifies whether the organization's controls meet the SOC 2 criteria. After completing the evaluation, the firm produces a comprehensive report about the audit's findings. Auditors can create two types of reports:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;SOC 2 Type 1.&lt;/b&gt; Evaluates how well an organization has designed and implemented its internal controls at a specific point in time. This is the simpler and quicker of the two report types.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SOC 2 Type 2.&lt;/b&gt; Evaluates how well an organization has designed and implemented its internal controls and applied them over a period of time. This type of report is more complex and takes longer to produce but provides more assurance of the controls' effectiveness.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;The auditor's report also indicates whether the organization has passed or failed the audit. If the organization passed, the auditor certifies that the organization has achieved SOC 2 compliance, specifying either Type 1 or Type 2. This compliance helps to assure clients, customers, partners and other interested parties that the organization can be trusted with their data, at least to the extent covered by the SOC 2 assurances.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="What are the Trust Services Criteria?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the Trust Services Criteria?&lt;/h2&gt;
 &lt;p&gt;At the heart of the SOC 2 standard is the Trust Services Criteria (TSC), an extensive set of criteria that expands on each Trust Services Principle. According to the AICPA: "The TSC are control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems (a) across an entire entity; (b) at a subsidiary, division or operating unit level; (c) within a function relevant to the entity's operational, reporting or compliance objectives; or (d) for a particular type of information used by the entity."&lt;/p&gt;
 &lt;p&gt;AICPA classifies the TSC into five broad categories, which provide a structure for understanding the general nature of the underlying criteria:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security.&lt;/b&gt; Systems are protected against unauthorized access or disclosure of sensitive information, as well as against system damages that could compromise data availability, integrity, confidentiality or privacy.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Availability.&lt;/b&gt; The protected systems and information meet the availability and use requirements defined by the organization's objectives.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Processing integrity.&lt;/b&gt; Processing operations are complete, accurate, timely and secure, as required by the organization's objectives.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Confidentiality.&lt;/b&gt; Systems and &lt;a href="https://www.techtarget.com/searchitoperations/definition/IT-operations"&gt;operations&lt;/a&gt; meet the confidentiality requirements defined by the organization's objectives.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Privacy.&lt;/b&gt; All &lt;a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII"&gt;personally identifiable information&lt;/a&gt; meets the collection, usage, retention, disclosure and disposal requirements defined by the organization's objectives.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The five categories provide a way for organizations to understand the scope of SOC 2 auditing and reporting and to get a sense of how auditors approach their evaluations. However, the actual organization of the TSC in the SOC 2 standard is far more complex.&lt;/p&gt;
 &lt;p&gt;The bulk of the standard is made up of the TSC, which are organized into 13 trust categories: five core categories, four supplemental categories and four specialty categories. Each category includes multiple Trust Services Principles, and each principle includes a set of related criteria.&lt;/p&gt;
 &lt;p&gt;For example, the first trust category is Control Environment (Trust ID CC1). The &lt;a href="https://www.techtarget.com/whatis/definition/Common-Criteria-CC-for-Information-Technology-Security-Evaluation"&gt;Common Criteria&lt;/a&gt; 1 (CC1) trust category contains five principles. The first principle, CC1.1, states that the "entity demonstrates a commitment to integrity and ethical values."&lt;/p&gt;
 &lt;p&gt;The CC1.1 principle includes five criteria, which are referred to as the &lt;i&gt;points of focus&lt;/i&gt;. The first criterion is concerned with the overall tone: "The board of directors and management, at all levels, demonstrate through their directives, actions and behavior the importance of integrity and ethical values to support the functioning of the system of internal control."&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/soc_2_trust_services_criteria_tsc-f.png"&gt;
  &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/soc_2_trust_services_criteria_tsc-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/soc_2_trust_services_criteria_tsc-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/soc_2_trust_services_criteria_tsc-f.png 1280w" alt="Trust Services Criteria (TSC) categories for SOC 2" height="380" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The Trust Services Criteria (TSC) are at the heart of the SOC 2 compliance standard. They are organized into 13 trust categories: five core categories (left) plus supplemental categories and specialty categories (right).
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;The core and supplemental trust categories are numbered consecutively -- CC1 through CC9 -- and often grouped together:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Control Environment (CC1).&lt;/b&gt; The criteria focus on the organization's commitment and efforts to carry out its objectives and support the functioning of internal controls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Communication and Information (CC2).&lt;/b&gt; The criteria are concerned with the organization's ability to gather, disseminate and communicate information relevant to meeting its objectives.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Risk Assessment (CC3).&lt;/b&gt; The criteria address the organization's ability to identify, assess and &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;manage the risks&lt;/a&gt; associated with meeting its objectives.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Monitoring Activities (CC4).&lt;/b&gt; The criteria are concerned with the organization's ability to select, implement and manage internal controls and respond to control deficiencies in a timely manner.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Control Activities (CC5).&lt;/b&gt; The criteria focus on how the organization selects, develops and deploys control activities and on its ability to put policies into action.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Logical and Physical Access Controls (CC6).&lt;/b&gt; The criteria address the organization's ability to implement software and infrastructure controls over protected assets and to manage user access to protected data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;System Operations (CC7).&lt;/b&gt; The criteria focus on the organization's ability to monitor and detect &lt;a href="https://www.techtarget.com/whatis/definition/vulnerability"&gt;vulnerabilities&lt;/a&gt;, configuration changes and anomalous behavior and to respond to security incidents.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Change Management (CC8).&lt;/b&gt; The criteria are concerned with the organization's ability to design, document and implement changes in data, software, infrastructure and procedures.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Risk Mitigation (CC9).&lt;/b&gt; The criteria address the organization's ability to identify, select and develop &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/risk-mitigation"&gt;risk mitigation&lt;/a&gt; activities.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The core trust categories are the first five in the list (CC1 through CC5), and the supplemental categories are the last four (CC6 through CC9). In addition to these nine, the SOC 2 standard defines four specialty trust categories that focus specifically on availability, processing integrity, confidentiality and privacy.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/-Yd3gXb35kU?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://searchcloudsecurity.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
 &lt;p&gt;&lt;em&gt;See also: &lt;a href="https://www.techtarget.com/searchsecurity/definition/SOC-1-System-and-Organization-Controls-1"&gt;SOC 1&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/Soc-3-Service-Organization-Control-3"&gt;SOC 3&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>SOC 2 (System and Organization Controls 2), pronounced "sock two," is a voluntary compliance standard for ensuring that service providers properly manage and protect the sensitive data in their care.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/Soc-2-Service-Organization-Control-2</link>
            <pubDate>Thu, 03 Aug 2023 09:00:00 GMT</pubDate>
            <title>SOC 2 (System and Organization Controls 2)</title>
        </item>
        <item>
            <body>&lt;h3&gt;What is SOC 3 (System and Organization Controls 3)?&lt;/h3&gt; 
&lt;p&gt;A System and Organization Controls 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality and &lt;a href="https://www.techtarget.com/searchcio/definition/data-privacy-information-privacy"&gt;privacy&lt;/a&gt;. These five areas are the focuses of the American Institute of Certified Public Accountants' (AICPA) Trust Services Criteria (TSC).&lt;/p&gt; 
&lt;p&gt;SOC 3 reports are public and part of the voluntary SOC compliance reports, which includes &lt;a href="https://www.techtarget.com/searchsecurity/definition/Soc-2-Service-Organization-Control-2"&gt;SOC 2&lt;/a&gt; and SOC 1 financial reporting audits as well.&lt;/p&gt; 
&lt;p&gt;User entities or potential clients of an organization most often request a SOC 3 audit. Businesses that offer &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service"&gt;software as a service&lt;/a&gt;, cloud computing or data center storage -- or ones that handle sensitive customer data or personal data -- are more likely to have a &lt;a href="https://www.techtarget.com/searchcio/definition/compliance-audit"&gt;compliance audit&lt;/a&gt; done. They are conducted by a certified public accountant (CPA) or an accredited third-party auditor.&lt;/p&gt; 
&lt;p&gt;SOC 3 audits provide a high-level overview of an organization's controls and security risks designed for a general audience. Because of this, organizations hire CPA firms to do the audits and reports, and they often post the results on their websites and distribute them through marketing campaigns to show clients they take &lt;a href="https://www.techtarget.com/searchsecurity/Data-security-guide-Everything-you-need-to-know"&gt;data security&lt;/a&gt; seriously.&lt;/p&gt; 
&lt;p&gt;Tech companies most often need these reports. However, many other industries require similar &lt;a href="https://www.techtarget.com/searchcio/definition/regulatory-compliance"&gt;regulatory compliance&lt;/a&gt;; companies in industries such as finance, healthcare, &lt;a href="https://www.techtarget.com/searchcio/definition/e-commerce"&gt;e-commerce&lt;/a&gt; and government also use SOC 3 reports.&lt;/p&gt; 
&lt;div class="youtube-iframe-container"&gt;
 &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/4oQjPlS2gSg?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://searchcloudsecurity.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
&lt;/div&gt; 
&lt;h3&gt;Why is SOC 3 compliance important?&lt;/h3&gt; 
&lt;p&gt;SOC 3 compliance is important for the following reasons:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;strong&gt;Brand reputation.&lt;/strong&gt; SOC 3 reports assure clients that an organization's controls and processes pertaining to the &lt;a href="https://www.techtarget.com/searchsecurity/feature/The-importance-of-data-security-in-the-enterprise"&gt;protection of sensitive customer data&lt;/a&gt; are up to industry standards. SOC 3 shows a company invests in security and is &lt;a href="https://www.techtarget.com/whatis/definition/transparency"&gt;transparent&lt;/a&gt; about its security processes. Though SOC 3 reports are voluntary, many organizations use them. Freely distributed SOC 3 reports are an effective way of retaining customers, keeping stakeholders informed and strengthening a brand.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Marketable.&lt;/strong&gt; Because they are made public, SOC 3 reports help businesses attract potential customers. The reports show potential clients that an organization has the appropriate, secure controls in place for managing and protecting their data and that it invests in complying with industry standards.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Risk management.&lt;/strong&gt; SOC 3 standards help organizations assess their own &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management&lt;/a&gt; processes and optimize their &lt;a href="https://www.techtarget.com/searchnetworking/answer/What-are-the-5-different-types-of-network-management"&gt;network management controls&lt;/a&gt;. This enables organizations to understand how vulnerable they are to potential security breaches and which areas of risk they might need to address compared to competitor SOC 3 reports. The SOC 3 audits have the added benefit of possibly reducing costs associated with security breaches.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Regulatory compliance.&lt;/strong&gt; SOC 3 is similar to other legal regulations, such as the EU's General Data Protection Regulation (&lt;a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR"&gt;GDPR&lt;/a&gt;) and the Health Insurance Portability and Accountability Act (&lt;a href="https://www.techtarget.com/searchhealthit/definition/HIPAA"&gt;HIPAA&lt;/a&gt;). Compliance with SOC 3 standards is another way of proving compliance with industry standards.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/5_types_of_data_compliance_standards-f.png"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/5_types_of_data_compliance_standards-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/5_types_of_data_compliance_standards-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/5_types_of_data_compliance_standards-f.png 1280w" alt="Data compliance chart" height="290" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;SOC is one of many data compliance standards enterprises use.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;h3&gt;SOC 2 vs. SOC 3: What are the differences?&lt;/h3&gt; 
&lt;p&gt;SOC 2 and SOC 3 audits are similar in many ways. Both are conducted by third-party auditors and evaluate a service organization's controls and security risks for customer data security and availability. Both of them also are based on the AICPA's TSC standards and include an auditor's approval of compliance. However, there are several differences between them as well.&lt;/p&gt; 
&lt;h4&gt;SOC 2&lt;/h4&gt; 
&lt;p&gt;SOC 2 audits have the following characteristics:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;They provide restricted-use reports that are intended only for the service organization's management, stakeholders and the client that requested the audit.&lt;/li&gt; 
 &lt;li&gt;They can be either Type I or Type II SOC reports. Type II reports generally evaluate an organization over a year and are more rigorous in their evaluations than Type I.&lt;/li&gt; 
 &lt;li&gt;They might contain confidential information relating to the client and to the organization's security and &lt;a href="https://www.techtarget.com/searchsecurity/definition/cybersecurity"&gt;cybersecurity&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;They include the auditor's report and detailed information about the list of controls the auditor used in their testing.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h4&gt;SOC 3&lt;/h4&gt; 
&lt;p&gt;SOC 3 audits have the following characteristics:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;They are general-use reports intended for public use and distribution.&lt;/li&gt; 
 &lt;li&gt;They are Type II by default; there is no Type I option.&lt;/li&gt; 
 &lt;li&gt;They include a high-level overview about the effectiveness of a company's controls and no confidential or detailed information about those processes.&lt;/li&gt; 
 &lt;li&gt;They don't include the auditor's report or the list of controls the auditor used.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;table style="width: 100%;" class="main-article-table"&gt; 
 &lt;thead&gt; 
  &lt;tr&gt; 
   &lt;td colspan="2" style="text-align: center; width: 99.887%;" width="623"&gt;Differences between SOC 2 and SOC 3&lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td style="text-align: center; width: 49.9435%;" width="312"&gt;SOC 2&lt;/td&gt; 
   &lt;td style="text-align: center; width: 49.9435%;" width="312"&gt;SOC 3&lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/thead&gt; 
 &lt;tbody&gt; 
  &lt;tr&gt; 
   &lt;td style="width: 49.9435%;"&gt; &lt;p&gt;&lt;span class="hotkey-layer "&gt;&lt;span class="hotkey-layer preview-overlay is-preview-sidebar-visible"&gt;A detailed look at an organization's controls&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; 
   &lt;td style="width: 49.9435%;"&gt; &lt;p&gt;High-level overview showing a company's controls&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;Restricted-use report only for the organization and client requesting it&lt;/p&gt; &lt;/td&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;General-use reports for public distribution&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;Type I or Type II reports&lt;/p&gt; &lt;/td&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;Type II report&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;Has confidential information about the organization's security processes&lt;/p&gt; &lt;/td&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;Has no confidential information&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
  &lt;tr&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;Includes the auditor's report and list of controls used in the testing&lt;/p&gt; &lt;/td&gt; 
   &lt;td style="width: 49.9435%;" width="312"&gt; &lt;p&gt;Does not include auditor's report or list of controls&lt;/p&gt; &lt;/td&gt; 
  &lt;/tr&gt; 
 &lt;/tbody&gt; 
&lt;/table&gt; 
&lt;h3&gt;Who does SOC 3 compliance apply to?&lt;/h3&gt; 
&lt;p&gt;SOC 3 compliance generally applies to any service provider. Though SOC 3 compliance is voluntary, it is useful for all businesses and other organizations that handle sensitive customer data and want to prove compliance with strong industry standards.&lt;/p&gt; 
&lt;figure class="main-article-image half-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/datamanagement-key_components_to_a_data_privacy_program-h.png"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/datamanagement-key_components_to_a_data_privacy_program-h_half_column_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/datamanagement-key_components_to_a_data_privacy_program-h_half_column_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/datamanagement-key_components_to_a_data_privacy_program-h.png 1280w" alt="List of components in data privacy program" height="279" width="279"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A strong data privacy program is one of the most important aspects SOC 3 reports evaluate.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;The types of organizations most likely to seek out SOC 3 compliance include the following:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;cloud service providers&lt;/li&gt; 
 &lt;li&gt;financial institutions&lt;/li&gt; 
 &lt;li&gt;healthcare providers&lt;/li&gt; 
 &lt;li&gt;retail and e-commerce businesses&lt;/li&gt; 
 &lt;li&gt;government agencies&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3&gt;SOC 3 audit process&lt;/h3&gt; 
&lt;p&gt;The following four steps are part of a SOC 3 audit process:&lt;/p&gt; 
&lt;ol class="default-list"&gt; 
 &lt;li&gt;&lt;strong&gt;Auditor.&lt;/strong&gt; The first step in conducting a SOC 3 audit is to &lt;a href="https://us.aicpa.org/forthepublic/findacpa" target="_blank" rel="noopener"&gt;hire an auditor&lt;/a&gt;, usually a CPA firm certified by the AICPA.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Assessment.&lt;/strong&gt; The auditor evaluates the effectiveness of a service organization's security controls and risk management program based on the AICPA's TSC standards. This process can include on-site inspections, systems testing, interviews with employees, document requests and review of documentation. The controls and policies an auditor evaluates often include security protocols, such as encryption, &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;access controls&lt;/a&gt;, disaster recovery, &lt;a href="https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system"&gt;intrusion detection&lt;/a&gt;, multifactor authentication, firewalls, structured and &lt;a href="https://www.techtarget.com/searchdatabackup/tip/Unstructured-data-not-exempt-from-compliance-requirements"&gt;unstructured data protection&lt;/a&gt;, and performance monitoring.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Attestation report.&lt;/strong&gt; Once the evaluation is complete, the auditor prepares an attestation report that summarizes the results of the assessment, containing only information that can be publicly disclosed. The auditor issues a statement of assurance, stating that the organization has met the standards of data confidentiality, access and integrity.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Publication.&lt;/strong&gt; An organization is free to post its SOC 3 audit report on its website or include it in marketing or advertising campaigns.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/data_management-data_protection.png"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/data_management-data_protection_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/data_management-data_protection_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/data_management-data_protection.png 1280w" alt="Chart of data management and protection components" height="241" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;There are several components involved in managing and protecting data.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;h3&gt;SOC 3 compliance best practices&lt;/h3&gt; 
&lt;p&gt;There are several &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/best-practice"&gt;best practices&lt;/a&gt; service organizations can follow to ensure they pass a SOC 3 audit:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;strong&gt;Develop a strong data security program based on the AICPA's TSC.&lt;/strong&gt; This includes establishing clear policies and procedures for how data is collected, stored and processed, based on the AICPA's TSC standards and other industry regulations, such as GDPR or HIPAA. These regulations cover data access controls, &lt;a href="https://www.techtarget.com/searchitoperations/definition/IT-incident-management"&gt;IT incident management&lt;/a&gt; systems, regular reviews, monitoring and testing of controls, encryption requirements, and software update and employee training protocols.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Select the controls to be audited.&lt;/strong&gt; In addition to data security, organizations can choose to have other internal controls audited. For instance, a company might add audits of its disaster recovery and quality assurance controls; ensuring these additional controls are up to date and secure strengthens the overall SOC 3 audit.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Conduct a readiness assessment.&lt;/strong&gt; Companies sometimes run their own version of a SOC 3 audit in preparation for the real one. A readiness assessment helps organizations identify what to address before being officially audited.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Find the right auditor.&lt;/strong&gt; Organizations should vet potential auditors, looking for affiliation with the AICPA, experience with SOC audits and recent peer reviews.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;em&gt;SOC 3 is all about assessing the effectiveness of an organization's data security compliance. Learn about the &lt;/em&gt;&lt;a href="https://www.techtarget.com/searchdatamanagement/tip/10-key-elements-to-follow-data-compliance-regulations"&gt;&lt;em&gt;10 key elements of data compliance regulations&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;</body>
            <description>A System and Organization Controls 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality and privacy.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/Soc-3-Service-Organization-Control-3</link>
            <pubDate>Wed, 08 Feb 2023 09:00:00 GMT</pubDate>
            <title>SOC 3 (System and Organization Controls 3)</title>
        </item>
        <item>
            <body>&lt;h3&gt;What is a software-defined perimeter?&lt;/h3&gt; 
&lt;p&gt;A software-defined perimeter, or SDP, is a security technique that controls access to resources based on identity and forms a virtual boundary around networked resources. By establishing a perimeter via software versus hardware, an SDP can hide an organization's infrastructure -- regardless of where it is located -- from outsiders. SDP architectures can help reduce the attack surface and mitigate internal and external network security attacks.&lt;/p&gt; 
&lt;p&gt;The framework is based on the U.S. Department of Defense's Defense Information Systems Agency's (DISA) need-to-know model from 2007, in which all endpoints attempting to access a given infrastructure must be authenticated and authorized prior to entrance. In 2014, the Cloud Security Alliance (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Cloud-Security-Alliance-CSA"&gt;CSA&lt;/a&gt;) released its SDP working group guidance, which incorporated elements of DISA's work with security standards from the National Institute of Standards and Technology (&lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/NIST"&gt;NIST&lt;/a&gt;) and other organizations. The CSA released version 2.0 of its SDP framework in 2022, which addressed component onboarding and using SDP for nonhuman entities, as well as expanded on SDP's role in &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero trust&lt;/a&gt;.&lt;/p&gt; 
&lt;div class="youtube-iframe-container"&gt;
 &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/J5psYRB-cJM?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://searchcloudsecurity.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
&lt;/div&gt; 
&lt;h3&gt;What is the purpose of an SDP?&lt;/h3&gt; 
&lt;p&gt;SDPs provide secure access to network-based services, applications and systems deployed in public and private clouds and on premises. The SDP approach is sometimes said to create a &lt;em&gt;black cloud&lt;/em&gt; because it obscures systems by cloaking them within the perimeter so outsiders can't observe them.&lt;/p&gt; 
&lt;p&gt;SDP software is purpose-built to give medium and large organizations the perimeter security model needed for zero-trust applications and workload-centric network connectivity. In addition to &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-get-started-with-attack-surface-reduction"&gt;reducing the attack surface&lt;/a&gt;, an SDP's virtual boundary around the network layer also eliminates vendor chaos by allowing for installation on any host without network reconfiguration or appliance lock-in.&lt;/p&gt; 
&lt;p&gt;An SDP integrates security at the network, transport, session, presentation and application layers.&lt;/p&gt; 
&lt;h3&gt;How does an SDP work?&lt;/h3&gt; 
&lt;p&gt;The SDP cybersecurity approach mitigates common network attacks, protecting all classification levels of legacy information technology (IT) assets, regardless of whether they are in the cloud, on premises, in a &lt;em&gt;perimeter network&lt;/em&gt;, or on a data center or application server.&lt;/p&gt; 
&lt;p&gt;The SDP concept combines standards from NIST and the Organization for the Advancement of Structured Information Standards (OASIS) -- including public key infrastructure (&lt;a href="https://www.techtarget.com/searchsecurity/definition/PKI"&gt;PKI&lt;/a&gt;), Transport Layer Security (TLS), IPsec and Security Assertion Markup Language (&lt;a href="https://www.techtarget.com/searchsecurity/definition/SAML"&gt;SAML&lt;/a&gt;) -- with security concepts such as federation, device attestation and geolocation.&lt;/p&gt; 
&lt;p&gt;An SDP functions as a broker between internal applications and users that can only provide access to services if the correct authentication and authorization criteria are met. As a need-to-know framework, an SDP only provides the information a user or device needs and nothing further. Therefore, an SDP does not share domain name system (DNS) information, internal Internet Protocol (IP) addresses or internal network port information.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h4&gt;For more on the zero-trust security model, read the following articles:&lt;/h4&gt; 
  &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Perimeter-security-vs-zero-trust-Its-time-to-make-the-move"&gt;Perimeter security vs. zero trust: It's time to make the move&lt;/a&gt;&lt;/p&gt; 
  &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/answer/Whats-the-difference-between-zero-trust-vs-defense-in-depth"&gt;Zero trust vs. defense in depth: What are the differences?&lt;/a&gt;&lt;/p&gt; 
  &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/answer/Zero-trust-vs-zero-knowledge-proof-Whats-the-difference"&gt;Zero trust vs. zero-knowledge proof: What's the difference?&lt;/a&gt;&lt;/p&gt; 
  &lt;p&gt;&lt;a href="https://www.techtarget.com/searchnetworking/tip/How-to-build-and-manage-a-zero-trust-network"&gt;How to build a zero-trust network in 4 steps&lt;/a&gt;&lt;/p&gt; 
  &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-a-cybersecurity-audit-based-on-zero-trust"&gt;How to conduct a cybersecurity audit based on zero trust&lt;/a&gt;&lt;/p&gt; 
  &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Why-zero-trust-requires-microsegmentation"&gt;Why zero trust requires microsegmentation&lt;/a&gt;&lt;/p&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;h3&gt;SDP use cases&lt;/h3&gt; 
&lt;p&gt;One of the main benefits of an SDP is that it lowers the chances of successful network threats, including denial-of-service (&lt;a href="https://www.techtarget.com/searchsecurity/definition/denial-of-service"&gt;DoS&lt;/a&gt;) attacks, man-in-the-middle (&lt;a href="https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM"&gt;MitM&lt;/a&gt;) attacks, brute-force attacks, port scanning, exploitation of server vulnerabilities and lateral movement. Because protected services are unreachable until a client has been authenticated and authorized, an SDP also shields them from unauthenticated application-layer attacks, such as &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection"&gt;Structured Query Language (SQL) injection&lt;/a&gt; or cross-site scripting (&lt;a href="https://www.techtarget.com/searchsecurity/definition/cross-site-scripting"&gt;XSS&lt;/a&gt;). An SDP does not inspect what an authorized client sends, however, so the applications behind it still need their own input validation and patching.&lt;/p&gt; 
&lt;p&gt;SDP use cases also include the following:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;strong&gt;SDPs support a variety of devices.&lt;/strong&gt; The virtual perimeter can authenticate laptops and personal computers, as well as mobile and &lt;a href="https://www.techtarget.com/iotagenda/definition/IoT-device"&gt;internet of things (IoT) devices&lt;/a&gt;. SDPs ensure connections can't be initiated from unauthorized or invalid devices.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SDPs restrict broad network access.&lt;/strong&gt; Individual entities aren't granted broad access to network segments or subnets, so devices can only reach the specific services and hosts permitted by policy. This minimizes the &lt;a href="https://www.techtarget.com/whatis/definition/network-attack-surface"&gt;network attack surface&lt;/a&gt; and prevents port and vulnerability scanning by malicious users or malicious software.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SDPs support a broader risk-based policy.&lt;/strong&gt; SDP systems make access decisions based on numerous risk criteria, including threat intelligence, malware outbreaks and new software.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SDPs can be used to connect anything.&lt;/strong&gt; SDP technology enables connectivity to only the IT resources needed by employees without cumbersome management requirements or mounting hardware costs.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SDPs enable control of services, applications and access.&lt;/strong&gt; SDPs can control which applications and devices can access specified services. This limits the attack surface and stops malicious users or malware from connecting to resources.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SDPs are instrumental to application isolation.&lt;/strong&gt; An SDP deployed within an enterprise data center isolates mission-critical application infrastructure and data from unauthorized users. Attackers cannot discover or reach these applications because the SDP cloaks them.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SDPs help secure hybrid and private clouds.&lt;/strong&gt; SDPs enable enterprises to hide not only public SaaS, IaaS and PaaS cloud instances, but also hybrid cloud environments that use both public and private cloud.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3&gt;SDP architecture&lt;/h3&gt; 
&lt;p&gt;SDP technology creates a secure perimeter based on policies used to isolate services from unsecured networks. These policies use the access control principle of least privilege to secure devices, giving users and devices only the access they require to perform the task at hand.&lt;/p&gt; 
&lt;p&gt;An SDP framework provides an on-demand, dynamically provisioned network that behaves as if it were &lt;a href="https://www.techtarget.com/whatis/definition/air-gapping"&gt;air-gapped&lt;/a&gt; -- a segmentation of network resources that mirrors a physically defined network perimeter but operates in software rather than via an appliance -- by authenticating users and devices before authorizing the user/device combination to securely connect to the isolated services. The isolation is logical rather than physical: protected resources still sit on routed networks, but unauthorized users and devices cannot connect to them or, ideally, even detect them.&lt;/p&gt; 
&lt;p&gt;When authentication is completed, trusted devices are given a unique and temporary connection to the network infrastructure. The SDP framework enables companies to streamline operations when it comes to user authentication and application security.&lt;/p&gt; 
&lt;p&gt;SDP architectures are made up of two main components: SDP controllers and SDP hosts. An SDP controller determines which SDP hosts can communicate with each other. An SDP host can be either initiating or accepting. An initiating SDP host authenticates to an SDP controller and learns from it which accepting hosts it is allowed to connect to. An accepting SDP host rejects all traffic by default and accepts connections only from the controller and from initiating hosts the controller has authorized. Some SDP architectures use gateways that act as the accepting host in front of the protected servers, between the two connecting devices/users.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_1.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_1_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_1_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_1.jpg 1280w" alt="Software-defined architecture components include SDP hosts and SDP controllers" data-credit="Cloud Security Alliance" height="372" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The SDP architecture consists of two components: SDP hosts and SDP controllers.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;Encrypted, mutually authenticated connections -- typically TLS with client certificates, or virtual private network (VPN) tunnels -- between controllers, hosts and gateways keep all communications and users/devices secure.&lt;/p&gt; 
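&lt;p&gt;The control flow just described -- the controller authenticates the user/device pair and decides what it may reach, while the accepting host stays dark and admits only what the controller has authorized -- is easier to see in code. The following Python model is an added example for this article, not code from the Cloud Security Alliance specification or from any SDP product. The user directory, device enrollment, policy table, service addresses and shared signing secret are all constructed; a production SDP would use certificates and mutually authenticated TLS between components, and the CSA reference design additionally uses single-packet authorization so that the accepting host drops every packet that does not carry a valid pre-authorization.&lt;/p&gt;

```python
"""Toy model of the SDP control flow: the controller authenticates the user/device
pair and decides which services it may reach; the accepting host is default-deny and
admits only connections the controller has authorized. All data is constructed."""
import hashlib
import hmac
import json
import time

# Constructed: a secret shared by the controller and its accepting hosts.
# Real deployments use per-host certificates and mutually authenticated TLS instead.
CONTROL_SECRET = b"constructed-example-secret"
GRANT_TTL = 60  # seconds an authorization grant stays valid


def _pw_hash(password):
    # Constructed toy credential store; use a real password hash (argon2, bcrypt) in practice.
    return hashlib.sha256(b"example-salt:" + password.encode()).hexdigest()


USERS = {"alice": _pw_hash("correct horse"), "bob": _pw_hash("hunter2")}
DEVICES = {"laptop-a1": "alice", "phone-b7": "bob"}  # enrolled device id: owner
# Need-to-know policy: per user, the services they may reach and whether the
# connecting device must pass attestation for that service.
POLICY = {
    "alice": {"payroll-api": {"attested": True}, "wiki": {"attested": False}},
    "bob": {"wiki": {"attested": False}},
}
# Where each accepting host lives. The controller reveals this only inside a grant,
# so an unauthorized client never learns the address or port.
SERVICES = {"payroll-api": ("10.20.0.5", 8443), "wiki": ("10.20.0.9", 443)}


def _tag(payload):
    """HMAC over the canonical JSON form of a grant payload."""
    message = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CONTROL_SECRET, message, hashlib.sha256).hexdigest()


def controller_authorize(user, password, device_id, device_attested, service, now=None):
    """Controller side: return a signed grant dict, or None. Every check fails closed."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(USERS.get(user, ""), _pw_hash(password)):
        return None  # unknown user or wrong password
    if DEVICES.get(device_id) != user:
        return None  # device not enrolled to this user
    rule = POLICY.get(user, {}).get(service)
    if rule is None:
        return None  # service is not on this user's need-to-know list
    if rule["attested"] and not device_attested:
        return None  # device posture requirement not met
    host, port = SERVICES[service]
    payload = {"user": user, "device": device_id, "service": service,
               "host": host, "port": port, "exp": int(now) + GRANT_TTL}
    return {"payload": payload, "tag": _tag(payload)}


def accepting_host_admit(grant, device_id, service, now=None):
    """Accepting-host side: default deny. Admit only a connection that carries a
    genuine, unexpired grant bound to this device and this service."""
    now = time.time() if now is None else now
    if not grant:
        return False  # no grant at all: the host stays dark
    payload, tag = grant.get("payload", {}), grant.get("tag", "")
    if not hmac.compare_digest(_tag(payload), tag):
        return False  # forged or altered grant
    exp = payload.get("exp", 0)
    if min(exp, now) == exp:
        return False  # expiry is not later than now: the grant has expired
    if payload.get("device") != device_id or payload.get("service") != service:
        return False  # grant replayed from another device or for another service
    return True


if __name__ == "__main__":
    grant = controller_authorize("alice", "correct horse", "laptop-a1", True, "payroll-api")
    print("alice/laptop-a1 to payroll-api:", accepting_host_admit(grant, "laptop-a1", "payroll-api"))
    print("bob/phone-b7 to payroll-api:", controller_authorize("bob", "hunter2", "phone-b7", True, "payroll-api"))
```

&lt;p&gt;Run it directly to see an authorized connection admitted and an unauthorized request refused without the controller ever disclosing the payroll host's address or port. The accepting-host checks deliberately test the grant's signature, expiry, device binding and service binding in that order, so a grant copied from one device or reused for another service is refused rather than silently reinterpreted.&lt;/p&gt;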
&lt;h3&gt;SDP deployment models and workflows&lt;/h3&gt; 
&lt;p&gt;SDP deployment models can be characterized by the way they structure interactions among clients, servers and gateways. The primary SDP approaches include the following:&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Client-to-gateway deployments&lt;/strong&gt; position servers behind an accepting host, which acts as a gateway between the protected servers and the initiating hosts. The client-to-gateway SDP can be deployed inside a network to reduce lateral movement attacks, such as operating system (OS) and application vulnerability exploits, MitM attacks and server scanning. It can also be deployed directly on the internet in order to segregate protected servers from unauthorized users and mitigate attacks. This model is well suited for organizations using cloud-based applications, as well as those that want to secure on-premises legacy applications.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_2.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_2_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_2_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_2.jpg 1280w" alt="Software-defined perimeter architecture workflow" data-credit="Cloud Security Alliance" height="287" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Workflow of the SDP architecture.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;&lt;strong&gt;Client-to-server deployments&lt;/strong&gt; are similar to client-to-gateway deployments except that the server being protected by the SDP is the system that runs the accepting host software instead of the gateway. Deciding between the client-to-gateway and the client-to-server deployment is usually based on a number of factors, including analysis of load-balancing needs, the servers' elasticity -- how adaptable the cloud server is to changes in workloads -- and the number of servers an enterprise needs to protect behind the SDP. This model is useful for organizations with cloud-based applications.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Server-to-server deployments&lt;/strong&gt; protect servers that offer representational state transfer (REST) services, Simple Object Access Protocol (&lt;a href="https://www.techtarget.com/searchapparchitecture/definition/SOAP-Simple-Object-Access-Protocol"&gt;SOAP&lt;/a&gt;) services, a remote procedure call (&lt;a href="https://www.techtarget.com/searchapparchitecture/definition/Remote-Procedure-Call-RPC"&gt;RPC&lt;/a&gt;) or any kind of application programming interface (API) over the internet from all unauthorized hosts on the network. With this model, the accepting host is the server that exposes the REST, SOAP, RPC or other API. This model is applicable to organizations with cloud-based IoT and/or virtual machine (VM) environments.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_3.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_3_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_3_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_3.jpg 1280w" alt="Client-to-gateway software-defined perimeter model illustration" data-credit="Cloud Security Alliance" height="350" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;In the client-to-gateway SDP model, one or more servers are protected behind the gateway.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;&lt;strong&gt;Client-to-server-to-client deployments&lt;/strong&gt; depend on a peer-to-peer (P2P) relationship between the clients. In this deployment, the SDP obfuscates the IP addresses of the connecting clients, with the server acting as the intermediary for both clients. This model is well suited for organizations using applications such as chat, video conferencing and IP telephony.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;Client-to-gateway-to-client deployments&lt;/strong&gt; are variations of the client-to-server-to-client model. This model also supports P2P, with each client acting as an initiating host, accepting host or both when connecting with each other.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_4.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_4_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_4_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/SDP_figure_4.jpg 1280w" alt="Client-to-gateway-to-client software-defined perimeter model illustration" data-credit="Cloud Security Alliance" height="445" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The client-to-gateway-to-client SDP model is used to secure client-to-client communications.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;&lt;strong&gt;Gateway-to-gateway deployments&lt;/strong&gt; involve one or more servers sitting behind an accepting host, with the accepting host thereby acting as the gateway. Additionally, one or more clients sit behind an initiating host, using the initiating host as a gateway. This model is suited to networked and IoT devices on which SDP clients cannot be installed, such as printers, scanners and smart sensors.&lt;/p&gt; 
&lt;h3&gt;SDP vs. VPN: What are the differences?&lt;/h3&gt; 
&lt;p&gt;The most common benefit of a VPN is its ability to provide users and third parties remote access to isolated networks. Yet the following two security risks make VPNs an inappropriate method for providing remote access to isolated networks and applications:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;strong&gt;Credential theft. &lt;/strong&gt;This risk is doubly impactful to VPNs because people tend to reuse the same username and password across numerous websites. Credentials stolen from an unrelated site, such as a social media account, may therefore also open a remote access VPN account, which makes credential theft one of the most common and most effective network attack vectors.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;Excessive access. &lt;/strong&gt;A VPN provides a user a &lt;em&gt;slice of the network&lt;/em&gt; with wide and often excessive access to network resources, including the infrastructure Dynamic Host Configuration Protocol (DHCP), DNS, switches and routers. Not only does this provide a large attack surface for a bad actor, but it also gives legitimate users access to far more than the one or two applications they really need.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Administrators should complement their VPN infrastructure with SDP tools. Together, they can navigate security challenges, including those in hybrid and multi-cloud deployments, reducing potential attack surfaces and protecting key data. With SDP software, network administrators can dynamically deploy highly available microperimeters for hybrid and &lt;a href="https://www.techtarget.com/searchsecurity/feature/The-risks-of-multi-cloud-security-compared-to-single-cloud"&gt;multi-cloud environments&lt;/a&gt; to isolate services for fine-grained user access.&lt;/p&gt; 
&lt;p&gt;A compromised device is the biggest challenge of using a mobile phone or tablet as a VPN access device. Any device that accesses an isolated network via a VPN presents the risk of bringing malware to that environment. A VPN connection by itself does not assess the state of the device. If &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them"&gt;any type of malware&lt;/a&gt; is on an access device, the malicious software could propagate across the VPN into the broader isolated network -- with severe consequences in a ransomware situation, for example. With an SDP, end devices are treated as untrusted until they have been authenticated and their posture checked.&lt;/p&gt; 
&lt;h3&gt;How SDP and zero trust relate&lt;/h3&gt; 
&lt;p&gt;While some experts use the terms SDP and zero trust interchangeably, the two have differences.&lt;/p&gt; 
&lt;p&gt;SDP is a way to implement zero trust at the network level. It is an effective architecture for adopting the zero-trust security model, with zero trust often labeled as the philosophy behind the SDP architecture. SDP controllers know the zero-trust policies for authentication and authorization, while SDP gateways and accepting hosts enforce them.&lt;/p&gt; 
&lt;p&gt;The zero-trust network security model assumes all users, devices and transactions may be compromised, regardless of location. Therefore, the model's basis is to trust no one. Like an SDP, the zero-trust model functions on the basis that traditional perimeter-based security is ineffective.&lt;/p&gt; 
&lt;p&gt;Zero trust is a wider concept of which SDP is a part. Zero trust often includes other elements not required in an SDP deployment. The basic concepts of SDP and zero trust, however, &lt;a href="https://www.techtarget.com/searchsecurity/tip/The-5-principles-of-zero-trust-security"&gt;follow the same basic tenet&lt;/a&gt; that a person's or device's identity must be verified, regardless of where it is.&lt;/p&gt; 
&lt;p&gt;Deploying SDP and zero trust in tandem ensures the network and its resources are cloaked via SDP, while authentication and authorization measures are enforced via zero trust.&lt;/p&gt;</body>
            <description>A software-defined perimeter, or SDP, is a security technique that controls access to resources based on identity and forms a virtual boundary around networked resources.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchcloudcomputing/definition/software-defined-perimeter-SDP</link>
            <pubDate>Thu, 29 Sep 2022 21:00:00 GMT</pubDate>
            <title>software-defined perimeter (SDP)</title>
        </item>
        <item>
            <body>&lt;h3&gt;What is SOC 1 (System and Organization Controls 1)?&lt;/h3&gt; 
&lt;p&gt;System and Organization Controls 1, or SOC 1 (pronounced "sock one"), is a report on the controls at a service organization that are relevant to its customers' financial reporting. It defines control objectives within a SOC 1 process area and documents the &lt;a href="https://searchcompliance.techtarget.com/definition/internal-control"&gt;internal controls&lt;/a&gt; relevant to an &lt;a href="https://searchcompliance.techtarget.com/definition/compliance-audit"&gt;audit&lt;/a&gt; of a user entity's &lt;a href="https://www.techtarget.com/searcherp/definition/financial-reporting"&gt;financial statements&lt;/a&gt;.&lt;/p&gt; 
&lt;h3&gt;What is a SOC 1 report?&lt;/h3&gt; 
&lt;p&gt;A SOC 1 report evaluates service organization controls that are applicable to a user entity's internal control over financial reporting. It is specially designed to meet the needs of user entities and the accountants who audit their financial statements and is essentially an evaluation of the effectiveness of a service organization's internal controls.&lt;/p&gt; 
&lt;p&gt;There are two types of SOC 1 reports:&lt;/p&gt; 
&lt;ol class="default-list"&gt; 
 &lt;li&gt;&lt;strong&gt;SOC 1 Type 1.&lt;/strong&gt; The SOC 1 Type 1 report covers management's description of the service organization's system and the suitability of the design of its controls for achieving the control objectives, as of a specified date.&lt;br&gt; &lt;br&gt; These reports are often restricted to user entities, their auditors and managers, typically those who belong to the service organization. A service auditor performs SOC 1 examinations under the attestation standard introduced as Statement on Standards for Attestation Engagements No. 16 (&lt;a href="https://searchcloudsecurity.techtarget.com/definition/SSAE-16"&gt;SSAE 16&lt;/a&gt;), which has since been superseded by SSAE 18.&lt;/li&gt; 
 &lt;li&gt;&lt;strong&gt;SOC 1 Type 2.&lt;/strong&gt; The SOC 1 Type 2 report has the same analysis and opinions found in a Type 1 report but also includes an opinion on the operating effectiveness of the controls designed to achieve the related &lt;a href="https://searchcompliance.techtarget.com/definition/control-framework"&gt;control objectives&lt;/a&gt; established in the description over a specified period.&lt;br&gt; &lt;br&gt; In this report type, control objectives address potential risks that internal controls intend to mitigate. The report's scope includes all of the relevant control domains and provides reasonable assurance that internal control over financial reporting is restricted to authorized individuals and that those individuals are limited to performing only appropriate and authorized actions.&lt;br&gt; &lt;br&gt; The service auditor works closely with management to identify control objectives that best address the potential risks taken by users of the system. These control objectives are supported by controls within any given &lt;a href="https://www.techtarget.com/searchcio/definition/business-process"&gt;process&lt;/a&gt;, and each objective must have several controls designed to operate effectively and support the control objective statement.&lt;br&gt; &lt;br&gt; However, the auditor is not required to provide absolute assurance that the entity will meet all control objectives. A control in one area may fail while management sets up other controls that still provide reasonable assurance.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/six_principles_of_a_cloud_governance_framework-f.png"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/six_principles_of_a_cloud_governance_framework-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/six_principles_of_a_cloud_governance_framework-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/six_principles_of_a_cloud_governance_framework-f.png 1280w" alt="cloud governance" height="470" width="560"&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;h3&gt;Why do you need a SOC 1 report?&lt;/h3&gt; 
&lt;p&gt;When enterprises depend on the controls at a service organization to accomplish effective control over their financial reporting process, as in the case of a company that relies on a &lt;a href="https://www.techtarget.com/searchhrsoftware/tip/5-of-the-latest-trends-in-payroll-management-HR-should-know"&gt;payroll provider&lt;/a&gt; for payroll processing and management, they want to see their SOC 1 reports for evidence of their operating effectiveness.&lt;/p&gt; 
&lt;p&gt;The SOC 1 report was previously known as the &lt;a href="https://www.colocationamerica.com/data-center-certifications/sas70-compliance" target="_blank" rel="noopener"&gt;Statement on Auditing Standards No. 70&lt;/a&gt; (SAS 70) report. SAS 70 was replaced by SSAE 16 in 2011, which was in turn superseded by SSAE 18 in 2017.&lt;/p&gt; 
&lt;p&gt;Although there are no formal requirements for SOC examinations, businesses increasingly demand them. The primary purpose of a SOC audit is to ascertain the effectiveness of a company's internal safeguards and controls with independent and actionable feedback.&lt;/p&gt; 
&lt;p&gt;A SOC 1 report also helps financial statement auditors reduce the audit work they must perform themselves. Sophisticated service organizations also rely on them to demonstrate that the systems handling their customers' financial &lt;a href="https://www.techtarget.com/searchsecurity/Data-security-guide-Everything-you-need-to-know"&gt;data&lt;/a&gt; are properly controlled; broader assurance over security, availability, processing integrity, confidentiality and privacy is the domain of a SOC 2 report.&lt;/p&gt; 
&lt;div class="youtube-iframe-container"&gt;
 &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/BqdPuwvwPk4?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://searchcloudsecurity.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
&lt;/div&gt; 
&lt;h3&gt;What is SOC 1 compliance?&lt;/h3&gt; 
&lt;p&gt;SOC 1 &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/compliance"&gt;compliance&lt;/a&gt; describes the process of maintaining all SOC 1 controls included within a SOC 1 report over a predefined period of time. In this scenario, SOC 1 compliance ensures the operating effectiveness of SOC 1 controls. These SOC 1 controls are often business process controls and &lt;a href="https://searchcompliance.techtarget.com/definition/IT-controls"&gt;IT general controls&lt;/a&gt; used to provide reasonable assurance regarding the control objectives. SOC 1 may be required as part of compliance requirements if the organization is a publicly traded company.&lt;/p&gt; 
&lt;h3&gt;What is SOC 1 certification?&lt;/h3&gt; 
&lt;p&gt;SOC 1 certification -- strictly an attestation report rather than a certificate, although the term is widely used -- is required when an entity's services impact a user entity's financial reporting. For example, if Company ABC processes transactions that feed a manufacturer's financial records, Company ABC's controls impact the manufacturer's financial reporting. A SOC 1 report is also necessary when an organization demands the right to audit before engaging a service provider.&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;See also: &lt;/em&gt;&lt;a href="https://www.techtarget.com/searchcio/answer/What-tactics-can-organizations-adopt-to-drive-cloud-security-practices"&gt;&lt;em&gt;tactics organizations can adopt to drive cloud security practices&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, &lt;/em&gt;&lt;a href="https://www.techtarget.com/searchdatamanagement/tip/10-key-elements-to-follow-data-compliance-regulations"&gt;&lt;em&gt;key elements to follow data compliance regulations&lt;/em&gt;&lt;/a&gt;&lt;em&gt; and &lt;/em&gt;&lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/How-to-approach-cloud-compliance-monitoring"&gt;&lt;em&gt;how to approach cloud compliance monitoring&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;</body>
            <description>System and Organization Controls 1, or SOC 1 (pronounced "sock one"), is a report on the controls at a service organization that are relevant to its customers' financial reporting; it defines control objectives within a SOC 1 process area and documents internal controls relevant to an audit of a user entity's financial statements.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/4.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/SOC-1-System-and-Organization-Controls-1</link>
            <pubDate>Tue, 05 Apr 2022 09:00:00 GMT</pubDate>
            <title>SOC 1 (System and Organization Controls 1)</title>
        </item>
        <item>
            <body>&lt;p&gt;More cloud means many things, including more opportunity and flexibility. But it also means more headaches for IT.&lt;/p&gt; 
&lt;p&gt;The services and data managed by modern IT departments are quite different from just a few years ago. Most companies have workloads, applications and services that exist on premises and in the cloud -- or even multiple clouds. Employees work wherever they have internet access. Asset protection gets more challenging as users have an ever-growing list of access methods. &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Using-Azure-AD-conditional-access-for-tighter-security"&gt;Azure Active Directory (Azure AD) conditional access&lt;/a&gt; gives IT a way to maintain control over its expanding IT real estate by creating a set of policies that require users to perform approved actions to gain access to an application. Azure AD also decides, based on a combination of factors, when to require more login checks. Building policies with several conditions gives administrators a layered approach for added security.&lt;/p&gt; 
&lt;h3&gt;Changing times require updated security practices&lt;/h3&gt; 
&lt;p&gt;It is no longer acceptable to rely on simple assumptions to grant access to resources. A blanket rule such as blocking all access from countries in the Asia-Pacific region, for example, is too blunt for a workforce that travels and works remotely. Companies need more flexibility to handle more unique login combinations.&lt;/p&gt; 
&lt;p&gt;The company may require a different authentication level when a user logs in from their phone versus the corporate laptop. For compliance reasons, the executive team may be subject to more stringent controls than frontline workers. Access attempts from known good networks can still be a threat due to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Nine-email-security-features-to-help-prevent-phishing-attacks"&gt;phishing and compromised credentials&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;These factors add up to dynamic environments that don't allow for a simple set of rules to govern access. Organizations must determine if a login attempt is legitimate or a threat as it happens, and Azure AD conditional access policies give enterprises real-time analysis of logins to stop potential threats.&lt;/p&gt; 
&lt;h3&gt;What is Azure AD conditional access?&lt;/h3&gt; 
&lt;p&gt;Azure AD conditional access is a set of policies that layer on top of a successful first-factor sign-in; they are not a replacement for it. Policies are a set of requirements that grant or deny access. The policies use "signals" from many sources as part of the process to allow access, require more stringent access controls, such as two-factor authentication, or deny access. Signals include common criteria, such as user and group membership in Azure AD and the application being accessed, but also other data, such as public IP location or the device type.&lt;/p&gt; 
&lt;p&gt;Conditional access policies use real-time risk intelligence data in Azure AD Identity Protection and &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Microsoft-Cloud-App-Security-aims-to-expand-your-defenses"&gt;Microsoft Defender for Cloud Apps, formerly known as Microsoft Cloud App Security&lt;/a&gt;, to determine the risk level for each access attempt. If the risk threshold is met, Azure AD will require extra login information or deny the connection.&lt;/p&gt; 
&lt;h3&gt;How to understand how conditional access policies work&lt;/h3&gt; 
&lt;p&gt;To envision how these policies work, think of an if-then statement used in programming. If a user wants to access a resource, then they must complete an approved action and/or meet a set of conditions. For example, you can limit access to an HR application to HR staff who are using Azure AD-joined devices. You can limit access to a payroll application from known corporate IP ranges and require multifactor authentication (MFA). There are many combinations of requirements for a single user or application. You can also apply more than one policy to each cloud-based resource.&lt;/p&gt; 
&lt;p&gt;Besides these rules, &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Azure-AD-Premium-P1-vs-P2-Which-is-right-for-you"&gt;Azure AD also enforces MFA for attempts&lt;/a&gt; that raise a security red flag. For example, if a user normally logs in from addresses in the U.S., Azure AD may require additional security prompts if it sees an access attempt from another country. Azure AD may outright deny a login attempt from an IP address associated with a known bad actor.&lt;/p&gt; 
&lt;h3&gt;How to develop a conditional access policy in Azure AD&lt;/h3&gt; 
&lt;p&gt;The console to configure a conditional access policy is simple to understand.&lt;/p&gt; 
&lt;p&gt;First, create a policy and select options, also called assignments, with the requirements the policy will enforce. Some assignments, such as "Users and groups," can include or exclude specific users, groups and directory roles, and can cover guests and external users. Exclude at least one emergency access account from every policy so that a misconfigured rule cannot lock administrators out of the tenant. You can assign a policy to a single application, a group of applications or all applications in your Azure AD tenant.&lt;/p&gt; 
&lt;p&gt;From there, the choices get interesting.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_1.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_1_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_1_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_1.jpg 1280w" alt="Azure AD Conditional Access section" height="391" width="560"&gt;
 &lt;figcaption&gt;
   The Azure AD Conditional Access section in the portal offers different rules and requirements that must be satisfied to grant access.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;h3&gt;Setting up the conditions in a policy&lt;/h3&gt; 
&lt;p&gt;Conditional access policies have several unique options you set in place as requirements for access or to deny a login attempt. In the assignment portion of the policy, you can set several specific conditions.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_2.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_2_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_2_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_2.jpg 1280w" alt="conditions to control access" height="388" width="560"&gt;
 &lt;figcaption&gt;
   The conditions in a policy consist of several parameters, including user risk and locations.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;p&gt;For example, the policy can use "user risk" and "sign-in risk" conditions to determine the probability of a safe connection. Sign-in risk uses several signals in its analysis, including anonymous IP address information such as VPN or &lt;a href="https://www.techtarget.com/searchnetworking/opinion/What-are-some-VPN-alternatives-for-remote-access"&gt;the Onion Router (Tor) network&lt;/a&gt;, malware-linked IP detection, suspicious browser clients and sign-in properties that don't match the characteristics of previous attempts.&lt;/p&gt; 
&lt;p&gt;Microsoft determines user risk based on leaked credentials and Azure AD threat intelligence. A user-risk or sign-in-risk requirement is assigned as one of three levels: low, medium or high. A setting of high would enforce the policy if the user risk and/or the sign-in risk is high.&lt;/p&gt; 
&lt;p&gt;Policies can apply to all device platforms or be set to block a specific platform. Azure AD conditional access supports policy checks for Android, iOS, Windows phones, Windows and macOS devices via user-agent strings. User-agent strings can be customized, so work in this area needs to be thorough and coupled with &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/SCCM-vs-Intune-A-closer-look-at-the-capabilities-of-each"&gt;Intune device compliance&lt;/a&gt; for best results.&lt;/p&gt; 
&lt;p&gt;Location is another compliance check option. Locations refer to public IPv4 address information, GPS coordinates, countries and regions or unknown regions. For an organization with several field offices, you could limit logins to known corporate IPs.&lt;/p&gt; 
&lt;h3&gt;Filter access to privileged resources&lt;/h3&gt; 
&lt;p&gt;A new feature called &lt;a href="https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices" target="_blank" rel="noopener"&gt;"filter for devices"&lt;/a&gt; creates policies to allow or block specific devices based on detailed criteria related to devices in the organization, which could be ideal for scenarios to restrict access to sensitive applications.&lt;/p&gt; 
&lt;p&gt;The following screenshot shows a policy that allows only one machine to connect to a specific application. It's one example of how granular the policy can be to protect certain assets.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_3.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_3_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_3_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_3.jpg 1280w" alt="filter by devices policy" height="258" width="560"&gt;
 &lt;figcaption&gt;
   This device policy restricts access to an application by limiting it to one machine.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;h3&gt;The Azure AD portal offers extensive filtering capabilities&lt;/h3&gt; 
&lt;p&gt;For most organizations, conditional access policies will be a retrofit option because many will already be using several cloud applications, such as Office 365, Salesforce and Workday.&lt;/p&gt; 
&lt;p&gt;A little perspective here may help: My organization has more than 700 cloud applications and 20,000 users. We use conditional access extensively, but to get started we had to set up many policies, test the impact and then scale up. We now have about 25 conditional access policies to cover the range of applications we protect.&lt;/p&gt; 
&lt;p&gt;The Azure AD portal has extensive abilities to determine which conditional access policies were applied to login attempts. Microsoft captures detailed login information for each user and device, including what occurred and at what time. Comprehensive filtering and sorting capabilities make it easy to find a range of activities, including login attempts by user, time range, application, IP address information, and login successes and failures.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_4.jpg"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_4_mobile.jpg" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_4_mobile.jpg 960w,https://searchcloudsecurity.techtarget.com/rms/onlineimages/kanakos_azureadconditionalaccess_4.jpg 1280w" alt="Azure AD login attempt filtering" height="219" width="560"&gt;
 &lt;figcaption&gt;
   The Azure AD portal gives IT a granular way to check login attempts with its extensive filtering capabilities.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;h3&gt;Don't let security lag after a move to the cloud&lt;/h3&gt; 
&lt;p&gt;Conditional access policies give administrators an array of options previously unavailable in traditional on-premises networks. Conditional access helps IT enforce compliance for logins to much higher standards. By utilizing the range of features -- MFA, real-time risk analysis, extensive logging, filtering for devices -- admins will have some peace of mind knowing they have done their utmost to &lt;a href="https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview" target="_blank" rel="noopener"&gt;protect the company&lt;/a&gt;.&lt;/p&gt;</body>
            <description>The rapid pace of change in the modern workplace requires new methods to control who has access to what. This Azure Active Directory feature can help IT meet those security goals.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/keys_a408418016.jpg</image>
            <link>https://www.techtarget.com/searchwindowsserver/tutorial/Build-your-knowledge-of-Azure-AD-conditional-access-policies</link>
            <pubDate>Thu, 17 Feb 2022 11:11:00 GMT</pubDate>
            <title>Build your knowledge of Azure AD conditional access policies</title>
        </item>
        <item>
            <body>&lt;p&gt;Administrators should start prepping for changes coming next year that affect a business-critical Microsoft utility to avoid a disruption for organizations that rely on Office 365/Microsoft 365.&lt;/p&gt; 
&lt;p&gt;More than 1 million companies worldwide depend on Microsoft's cloud-based suite of applications for email, file storage and collaboration needs. Quite a few of those organizations still have a significant on-premises footprint, which includes using Active Directory on Windows Server. Administrators of these systems &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Explore-the-benefits-of-Azure-AD-vs-on-prem-AD"&gt;rely on the Azure Active Directory (Azure AD) Connect&lt;/a&gt; application to synchronize user identities from on-premises Active Directory to Azure AD. But by August 2022, many organizations using an Azure AD Connect v1 version should upgrade to the latest v2 version to continue to receive support on the platform and eliminate potential access problems.&lt;/p&gt; 
&lt;h3&gt;What does Azure AD Connect do?&lt;/h3&gt; 
&lt;p&gt;Azure AD Connect syncs computer and user accounts between the on-premises Active Directory server and the &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Azure-AD-Premium-P1-vs-P2-Which-is-right-for-you"&gt;cloud-based Azure AD&lt;/a&gt;, which supports the authentication needs to access Office 365 workloads. Without Azure AD Connect, administrators would not have single sign-on access and would need to maintain user accounts in two places, which would inconvenience workers and add to IT's overall management burden.&lt;/p&gt; 
&lt;p&gt;Azure AD Connect installs in the on-premises environment to access the domain controller to read Active Directory objects. Azure AD Connect gives administrators the flexibility to define what objects, such as users, groups and resources, should be synced with Office 365. IT uses Azure AD Connect to define the sync schedule and upload new data to the Azure Active Directory.&lt;/p&gt; 
&lt;h3&gt;What's new in Azure AD Connect v2?&lt;/h3&gt; 
&lt;p&gt;As with any product Microsoft makes, Azure AD undergoes frequent software updates and upgrades to improve the application and correct bugs. But the main reason to upgrade is the impending retirement of some of the components used in Azure AD Connect v1 versions.&lt;/p&gt; 
&lt;p&gt;Microsoft plans to deprecate several subcomponents of Azure AD Connect v1 versions in 2022. SQL Server 2012 LocalDB leaves extended support in July 2022. The &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Azure-Active-Directory-Authentication-Library-ADAL"&gt;Azure Active Directory Authentication Library&lt;/a&gt; (ADAL) will be deprecated in June 2022; Azure AD Connect v2 uses the Microsoft Authentication Library (MSAL) as its replacement. Administrators will also need to adjust the Transport Layer Security (TLS) protocols from 1.0 or 1.1 to 1.2 as Microsoft plans to deprecate the earlier versions on Jan. 31, 2022.&lt;/p&gt; 
&lt;h3&gt;What do administrators need to do to use an Azure AD Connect v2 version?&lt;/h3&gt; 
&lt;p&gt;An upgrade to Azure AD Connect v2 might require some organizations to make several infrastructure changes.&lt;/p&gt; 
&lt;p&gt;Azure AD Connect v2 versions &lt;a href="https://www.techtarget.com/searchwindowsserver/news/252436473/IT-shops-find-their-reasons-to-upgrade-to-Windows-Server-2016"&gt;run on Windows Server 2016&lt;/a&gt; or newer, SQL Server 2019 LocalDB, TLS 1.2 on the server and the Microsoft Visual C++ 2014 Redistributable Package required by SQL Server 2019. &lt;a href="https://www.techtarget.com/searchwindowsserver/Comprehensive-PowerShell-guide-for-new-and-seasoned-admins"&gt;PowerShell 5.0&lt;/a&gt;, included with Windows Server 2016, is another requirement.&lt;/p&gt; 
&lt;p&gt;IT should plan for this upgrade or new installation ahead of the 2022 deadlines. This work should include any server license purchases and installation tests.&lt;/p&gt; 
&lt;h3&gt;What would happen if you don't update Azure AD Connect V1.0?&lt;/h3&gt; 
&lt;p&gt;While most components in Azure AD Connect will continue to work past the deadline to upgrade, such as the SQL Server 2012 components, IT may face technical difficulties once Microsoft deprecates the ADAL authentication library in June 2022.&lt;/p&gt; 
&lt;p&gt;A functioning authentication library is necessary to keep AD object syncing operational; otherwise, users will experience problems and open the organization up to a security risk until the upgrade to Azure AD Connect v2.&lt;/p&gt; 
&lt;h3&gt;What is the upgrade process for Azure AD Connect v2?&lt;/h3&gt; 
&lt;p&gt;The latest version of Azure AD Connect is available from Microsoft at &lt;a href="https://www.microsoft.com/en-us/download/details.aspx?id=47594" target="_blank" rel="noopener"&gt;the following link&lt;/a&gt;. At the time of this article's publication, the latest release is version 2.0.28.0. Administrators with an existing Azure AD Connect installation have two options: an in-place upgrade on the same server or a swing migration, in which the new version of Azure AD Connect is installed on a new server and the old server is decommissioned once the new server synchronizes to Azure AD.&lt;/p&gt; 
&lt;p&gt;During the in-place upgrade, &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Understanding-what-Azure-AD-federation-really-means"&gt;synchronization to Azure AD&lt;/a&gt; pauses. IT needs to reenable sync after the upgrade completes. Any default changes to the synchronization rules will trigger a complete import and synchronization process, which could take several hours, so administrators should plan the upgrade when it will affect the least number of users.&lt;/p&gt; 
&lt;p&gt;Utilities such as Azure AD Connect are crucial for many businesses that still host Active Directory in their data centers and need to authenticate users with Office 365 services. The upgrade to Azure AD Connect v2 does not add any functionality, but it does improve security in the application and the infrastructure that supports it. For example, Microsoft resolved an authentication bypass vulnerability in the utility in &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36949" target="_blank" rel="noopener"&gt;August 2021&lt;/a&gt;. Azure AD Connect is critical to many organizations, which should encourage administrators to plan ahead and prepare for this upgrade.&lt;/p&gt;</body>
            <description>Administrators who rely on an Azure AD Connect v1 version for hybrid identity with Office 365 should prepare for the impending retirement of several technologies in the utility.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/toolGearArrow_g140057613.jpg</image>
            <link>https://www.techtarget.com/searchwindowsserver/tip/Why-you-should-plan-to-upgrade-to-Azure-AD-Connect-v2-soon</link>
            <pubDate>Mon, 06 Dec 2021 18:22:00 GMT</pubDate>
            <title>Why you should plan to upgrade to Azure AD Connect v2 soon</title>
        </item>
        <item>
            <body>&lt;p&gt;The business and technological impacts of the COVID-19 pandemic continue to reverberate around the world. As shutdowns loomed, organizations hurriedly rolled out remote work amid steadily increasing cloud adoption trends -- and increasing COVID-19-related ransomware and phishing attacks. The changing digital and threat landscape thrust &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;identity and access management&lt;/a&gt; to the forefront due to its ability to enable remote access and ensure security in complex cloud environments.&lt;/p&gt; 
&lt;p&gt;IAM capabilities include &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-implement-least-privilege-access-in-the-cloud"&gt;identity management&lt;/a&gt;, which is the process of creating, deleting or modifying an identity, and access management, which is authorizing an identity's access to appropriate resources. The same level of security IAM provides, traditionally orchestrated on premises, must now be achieved in complex cloud environments -- and often through a third party.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://searchcloudsecurity.techtarget.com/tip/Organize-a-cloud-IAM-team-to-secure-software-defined-assets"&gt;IAM teams&lt;/a&gt; are fighting an &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-cloud-IAM-best-practices-to-implement"&gt;uphill security battle&lt;/a&gt;. Among the most common attack vectors in the breaches analyzed in Verizon's "&lt;a href="https://www.techtarget.com/searchsecurity/news/252500769/Verizon-DBIR-shows-sharp-increase-in-ransomware-attacks"&gt;2021 Data Breach Investigations Report&lt;/a&gt;" were stolen credentials and brute forcing.&lt;/p&gt; 
&lt;p&gt;To contend with the sophisticated threat landscape, security and IAM teams need to be at the top of their game. To reinforce knowledge of security fundamentals, as well as emerging technology and threats, individuals may pursue &lt;a href="https://www.techtarget.com/searchsecurity/tip/Comparing-top-identity-and-access-management-certifications"&gt;IAM certification&lt;/a&gt;, enroll in a training program or engage in self-study.&lt;/p&gt; 
&lt;p&gt;This cloud IAM quiz is developed to measure and reinforce comprehension of cloud security and IAM topics. In taking the quiz, infosec pros can build their IAM knowledge base and provide more value to their organization's security program.&lt;/p&gt; 
            </body>
            <description>Remote work and increased cloud adoption have dramatically changed identity and access management. Take this cloud IAM quiz for infosec pros to see if your knowledge is up to date.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/telecommunications_g1220129100.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/quiz/Try-this-cloud-identity-and-access-management-quiz</link>
            <pubDate>Tue, 25 May 2021 09:00:00 GMT</pubDate>
            <title>Try this cloud identity and access management quiz</title>
        </item>
        <item>
            <body>&lt;p&gt;Whether it's deploying cloud security services to better protect systems and data, or using cloud workloads to improve accessibility, scalability, communication and collaboration between employees and partners, the cloud has been integral to digital transformation in today's enterprises.&lt;/p&gt; 
&lt;p&gt;But with countless buzzwords and &lt;a href="https://searchcloudsecurity.techtarget.com/tip/All-about-cloud-native-application-protection-platforms"&gt;acronyms to remember&lt;/a&gt;, there's a lot for security teams to be aware of when it comes to cloud computing. From privacy-preserving machine learning and multi-cloud security to secure access service edge (&lt;a href="https://www.techtarget.com/searchnetworking/definition/Secure-Access-Service-Edge-SASE"&gt;SASE&lt;/a&gt;) and cloud access security brokers (&lt;a href="https://searchcloudsecurity.techtarget.com/definition/cloud-access-security-brokers-CABs"&gt;CASBs&lt;/a&gt;), things can quickly get confusing.&lt;/p&gt; 
&lt;p&gt;Plus, the cloud is often accompanied by security challenges that must be addressed. For example, did you know that 70% of organizations using public clouds have experienced a security incident? Or that 66% of organizations make configuration errors that leave backdoors for attackers to exploit?&lt;/p&gt; 
&lt;p&gt;Don't let your company fall victim to one of the many preventable security challenges inherent in the cloud. Take this cloud security quiz to test your knowledge and help further your understanding of the tools, techniques and products that will keep your systems and information safe.&lt;/p&gt; 
            </body>
            <description>As companies migrate to the cloud to improve accessibility and scalability, there are many aspects of security to consider. Test your cloud security knowledge with this quiz.</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/cloud-service-outage-adobe.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/quiz/Cloud-computing-security-technology-quiz</link>
            <pubDate>Tue, 15 Sep 2020 16:00:00 GMT</pubDate>
            <title>Cloud computing security technology quiz</title>
        </item>
        <item>
            <body>&lt;p&gt;Today, it's the rare organization that hosts all its applications on premises. The emergence of cloud applications has helped companies of all shapes and sizes reduce costs, improve collaboration and ensure scalability. However, along with the appealing benefits comes a major challenge: security.&lt;/p&gt; 
&lt;p&gt;Securing applications in the cloud isn't the same as securing them on premises. Methods including &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero-trust networking&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/confidential-computing"&gt;confidential computing&lt;/a&gt; may be the same, but there are also cloud-specific tools and measures, such as cloud access security brokers (&lt;a href="https://searchcloudsecurity.techtarget.com/definition/cloud-access-security-brokers-CABs"&gt;CASBs&lt;/a&gt;) and security as a service (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Security-as-a-Service"&gt;SECaaS&lt;/a&gt;) offerings, to keep in mind.&lt;/p&gt; 
&lt;p&gt;Security admins, IT teams and app developers must make special considerations to ensure their networks and confidential data aren't attacked via the gaps in cloud security. After all, Gartner &lt;a href="https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/" target="_blank" rel="noopener"&gt;predicted&lt;/a&gt; that 99% of cloud security failures will be the customer's fault through 2025 -- not the provider's.&lt;/p&gt; 
&lt;p&gt;Ready to tackle cloud app security? Just looking for more info about how to protect cloud apps? Get a baseline of your knowledge by taking this cloud security quiz. All the answers can be found across TechTarget's vast array of advice and best practices.&lt;/p&gt; 
            </body>
            <description>Think you know all there is to know about securing apps in the cloud? Test your grasp of cloud application security best practices with this quiz.</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Clouds.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/quiz/Cloud-security-quiz-Application-security-best-practices</link>
            <pubDate>Wed, 29 Jul 2020 09:00:00 GMT</pubDate>
            <title>Cloud security quiz: Application security best practices</title>
        </item>
        <item>
            <body>&lt;p&gt;Microsoft's&amp;nbsp;Azure Cloud Services is a&amp;nbsp;PaaS where customers can deploy, manage and run scalable applications in the cloud without managing the servers themselves.&lt;/p&gt; 
&lt;p&gt;When working with the cloud platform, there are two Azure service roles on which an application can be installed: web roles or worker roles. The main difference between the two is how the &lt;a href="https://searchservervirtualization.techtarget.com/definition/virtual-machine"&gt;VM&lt;/a&gt; is hosted:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;A &lt;strong&gt;web role&lt;/strong&gt; is a Microsoft server VM running Internet Information Services (&lt;a href="https://www.techtarget.com/searchwindowsserver/definition/IIS"&gt;IIS&lt;/a&gt;).&lt;/li&gt; 
 &lt;li&gt;A &lt;strong&gt;worker role&lt;/strong&gt; is a Microsoft server VM not running IIS.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Essentially, the web role has IIS installed, and workers run the application. To get a little more specific, web roles deploy and host applications through IIS. Therefore, they use programming languages supported by IIS, such as ASP, ASP.NET and PHP. An example of a web role is a simple application serving a website.&lt;/p&gt; 
&lt;p&gt;Worker roles run stand-alone applications that are not on IIS. These Windows Server executables perform tasks such as processing, running scripts or compressing images, as well as supporting background processes and service-level tasks that don't use IIS.&lt;/p&gt; 
&lt;p&gt;It is important to note that an application can use web roles and worker roles simultaneously in the same &lt;a href="https://www.techtarget.com/searchcloudcomputing/tip/Find-the-best-Azure-instance-types-for-your-workloads"&gt;Azure instance&lt;/a&gt;. A web role, for example, may collect end-user requests and then pass them to a worker role to process.&lt;/p&gt; 
&lt;h3&gt;Choosing, scaling and managing roles in Azure&lt;/h3&gt; 
&lt;p&gt;Deciding which role to use within an architecture depends on the application and how it is being used. For example, if the front-end application needs its own application server, then systems to support both the web role and the worker role are needed. All application servers run in the same cloud instances, but they are used for different functions. Since Azure Cloud Services is a PaaS offering, you must select a mode in which to run it, and that decision should be based only on the application, not the OS being used.&lt;/p&gt; 
&lt;p&gt;While web roles and worker roles &lt;a href="https://docs.microsoft.com/en-us/visualstudio/azure/vs-azure-tools-azure-project-create?view=vs-2019" target="_blank" rel="noopener"&gt;are selected&lt;/a&gt; during install, they can be adjusted or added during the process. You can scale up the platform if more resources are needed from a web or worker role -- simply request more VMs, and Azure will create them. If the load decreases, VMs can be deprovisioned.&lt;/p&gt; 
&lt;p&gt;With Azure service roles, you're not installing OSes; you're installing applications. Take advantage of the staging environment during quality assurance to decide if the application is working as expected before deploying it into production.&lt;/p&gt; 
&lt;p&gt;The platform is managed by Azure. Your applications' specific web and worker roles can be monitored through Azure Cloud Services and the &lt;a href="https://www.techtarget.com/searchcloudcomputing/feature/5-tips-that-can-lead-to-Azure-cloud-management-success"&gt;Azure portal&lt;/a&gt;. Additional security and management software may also be required in certain deployments, so assess your organization's management and security needs pre-adoption.&lt;/p&gt;</body>
            <description>What sets web roles and worker roles apart in Microsoft's Azure Cloud Services? Here's a look at how they are different.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchCloudSecurity/architecture/cloudsecurity_article_001.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/The-differences-between-web-roles-and-worker-roles-in-Azure</link>
            <pubDate>Thu, 23 Apr 2020 09:00:00 GMT</pubDate>
            <title>The differences between web roles and worker roles in Azure</title>
        </item>
        <item>
            <body>&lt;p&gt;The cloud has been -- and continues to be -- a challenge area for many security teams. It's a continual struggle to validate and onboard new providers, particularly given the rapid pace at which business and technology teams adopt and incorporate new cloud services.&lt;/p&gt; 
&lt;p&gt;Fortunately, free resources from the Cloud Security Alliance (&lt;a href="https://searchcloudsecurity.techtarget.com/definition/Cloud-Security-Alliance-CSA"&gt;CSA&lt;/a&gt;) continue to provide value when it comes to securing those services. Let's take a closer look at those resources and how they can be applied to help shore up enterprise cloud security, as well as how recent updates to these documents ensure they stay current.&lt;/p&gt; 
&lt;h3&gt;CSA Security Guidance&lt;/h3&gt; 
&lt;p&gt;The "flagship" CSA document continues to be &lt;a href="https://cloudsecurityalliance.org/research/security-guidance/" target="_blank" rel="noopener"&gt;CSA Security Guidance&lt;/a&gt;. Now in its fourth major version, the guidance is a distillation of input from CSA members and lessons learned from experts working on other CSA initiatives, such as the CSA Governance, Risk Management and Compliance Stack. This document is organized by cloud domain -- i.e., with each section outlining key goals and objectives aligned by topic. It contains governance-level guidance, as well as technical guidance on implementation, so unless the CEO and CFO of your organization have considerable technical knowledge, many of those domains -- other than the first few -- will be most appropriate for a director-level audience, i.e. those directly responsible for the technical aspects of cloud adoption, including risk assessment and audit.&lt;/p&gt; 
&lt;p&gt;The completeness of this document -- and the level to which it is targeted -- makes it a great starting point for professionals who want to learn more about cloud security considerations or who wish to dive deep on a particular topic area. That said, the length and detail of the document -- the 4.0 version of the document is 152 pages -- make it a little unwieldy to use directly as source material for evaluating a service provider. This is where the supporting documents come in -- specifically, the Cloud Controls Matrix (&lt;a href="https://searchcloudsecurity.techtarget.com/definition/Cloud-Controls-Matrix"&gt;CCM&lt;/a&gt;) and the Consensus Assessments Initiative Questionnaire (&lt;a href="https://searchcloudsecurity.techtarget.com/definition/CAIQ-Consensus-Assessments-Initiative-Questionnaire"&gt;CAIQ&lt;/a&gt;).&lt;/p&gt; 
&lt;h3&gt;Overview of the CSA CAIQ&lt;/h3&gt; 
&lt;p&gt;Service providers and cloud customers have one big challenge area in common: the security questionnaire. Enterprise customers obviously seek to ensure service providers adhere to a minimum baseline of security controls. The most common approach to do that? A questionnaire. But, for most organizations, there's not just one provider in the mix. There may be dozens -- even hundreds or thousands, in some cases -- meaning that obtaining completed questionnaires from every provider is a difficult, time-consuming logistical exercise.&lt;/p&gt; 
&lt;p&gt;Now, consider it from a provider's point of view: Each customer it takes on might have its own unique questionnaire to complete, including questions that require input from multiple teams to run to ground. If a provider has hundreds or thousands of customers, imagine the volume of work required to address these.&lt;/p&gt; 
&lt;p&gt;The Consensus Assessments Initiative Questionnaire was designed to help with this. The CAIQ consists of a set of questions, presented in spreadsheet form, that a company can ask its vendors before signing up for a cloud service. The questions are categorized by control domain and then mapped to major compliance and regulatory standards, like &lt;a href="https://www.techtarget.com/searchsecurity/definition/COBIT"&gt;COBIT&lt;/a&gt;, HIPAA, PCI DSS and FedRAMP (Federal Risk and Authorization Management Program), along with many others. These questions can be technical in nature -- for example, question MOS-11.1 is "&lt;em&gt;Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive enforceable through technology controls for all mobile devices?&lt;/em&gt;" -- or related to overarching business processes -- question STA-05.3, for example, is "&lt;em&gt;Does legal counsel review all third-party agreements?&lt;/em&gt;"&lt;/p&gt; 
&lt;p&gt;A company can use the information collected from the CAIQ for a number of different purposes, each of which can save it time. First, an organization can use it to build a request for proposal (RFP) and then verify that the answers the vendor gives during the RFP review interview are valid.&lt;/p&gt; 
&lt;p&gt;Organizations can also use the CSA CAIQ themselves as a mechanism for collecting the data that they're interested in from their service providers. From a service provider point of view, a consistent artifact from its customer base can help it streamline the collection of answers -- and assist greatly with ensuring they stay current and accurate.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_ caiq_mapping-f.png"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_ caiq_mapping-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_ caiq_mapping-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_ caiq_mapping-f.png 1280w" alt="Sample CSA CAIQ mapping" height="532" width="560"&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;h3&gt;Basics of the CSA Cloud Controls Matrix&lt;/h3&gt; 
&lt;p&gt;Going deeper still, organizations can use the CSA Cloud Controls Matrix to build a detailed list of requirements and controls they want their cloud service provider to implement. The CCM complements the CAIQ because it uses the same control area and control ID categorizations, enabling cloud customers to quickly move back and forth between the documents and build a customized set of controls and validating questions for their prospective providers.&lt;/p&gt; 
&lt;blockquote class="main-article-pullquote"&gt;
 &lt;div class="main-article-pullquote-inner"&gt;
  &lt;figure&gt;
   Organizations can use the CSA Cloud Controls Matrix to build a detailed list of requirements and controls they want their cloud service provider to implement.
  &lt;/figure&gt;
  &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/blockquote&gt; 
&lt;p&gt;Each control is mapped to where it is architecturally relevant and what service model -- SaaS, PaaS or IaaS -- it applies to, as well as other standards and frameworks that align with it. For example, a control such as STA-04 -- "&lt;em&gt;The provider shall perform annual internal assessments of conformance to, and effectiveness of, its policies, procedures and supporting measures and metrics&lt;/em&gt;" -- applies to all architectural areas and service models and aligns to PCI DSS v3.2 control 12.1.1 and COBIT 5 MEA (Monitor, Evaluate and Assess) 01 and 02, among others.&lt;/p&gt; 
&lt;p&gt;One of the most useful aspects of the CSA Cloud Controls Matrix is the control harmonization. The fact that it is mapped to so many other industry standards and controls frameworks can help enable compliance efforts, streamline alignment between internal policy mandates and desired security measures from service providers, and organize areas for evaluation and vetting in subsequent analysis by the potential customer. The fact that the mapping is so exhaustive means that, regardless of what industry sector an organization is in, the list is relevant. For example, the CCM covers HIPAA/HITECH; ISO/IEC 27001-2013; NIST SP800-53 R3; PCI DSS 3.2; generally accepted privacy principles, or GAPP, (August 2009); and Jericho Forum requirements.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_cloud_controls_matrix-f.png"&gt;
 &lt;img data-src="https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_cloud_controls_matrix-f_mobile.png" class="lazy" data-srcset="https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_cloud_controls_matrix-f_mobile.png 960w,https://searchcloudsecurity.techtarget.com/rms/onlineImages/cloud_security-csa_cloud_controls_matrix-f.png 1280w" alt="Sample CSA CCM mapping" height="494" width="560"&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;h3&gt;Why you should use both&lt;/h3&gt; 
&lt;p&gt;When used together, the CSA CAIQ and CSA CCM represent a solid starting point for an organization to determine which controls it needs from its cloud provider. The documents also provide a way to normalize an RFP for those controls, as well as to normalize information requests from service providers. Both documents, but especially the CCM, provide detailed mapping to major compliance initiatives, enabling companies that must comply with certain requirements to quickly determine which controls are non-negotiable when contracting with a provider. Once a list of controls has been built using the CCM as a guide, the company can use the controls assertion questions in the CAIQ to validate that the provider has those controls in place.&lt;/p&gt; 
&lt;p&gt;Overall, the CSA's CCM and CAIQ help provide a solid foundation for assessing cloud provider risk models and controls, making them well worth a read -- not only for reference, but also as an active part of an enterprise security program's cloud tool set.&lt;/p&gt;</body>
            <description>Uncover how the CSA Cloud Controls Matrix and CSA CAIQ can be used to assess cloud providers' controls and risk models, ensure cloud compliance and more.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchCloudComputing/applications/cloudcomputing_article_001.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/Understanding-the-CSA-Cloud-Controls-Matrix-and-CSA-CAIQ</link>
            <pubDate>Tue, 21 Jan 2020 09:00:00 GMT</pubDate>
            <title>Understanding the CSA Cloud Controls Matrix and CSA CAIQ</title>
        </item>
        <title>SearchCloudSecurity Resources and Information from TechTarget</title>
        <ttl>60</ttl>
        <webMaster>webmaster@techtarget.com</webMaster>
    </channel>
</rss>
