Do you find Cloud Security daunting? Do you understand the different cloud relationships? Do you know standards that you can use as references? Do you understand Governance of Cloud Security? If you answered no to even one of these questions, this article will help you gain a better understanding of each of these areas and give you a great overview.
Cloud security is often not treated as a priority by organizations using the cloud, because of the erroneous assumption that cloud providers all know how to secure the data in the cloud, and that this is precisely why cloud services are used: it is one less thing to worry about. Organizations that were not prepared for the pandemic and for remote work rushed to cloud computing, and many of them failed to consider risks or compliance with standards.
In traditional IT, the organization manages all of the levels of integration on its own. In the cloud there are three main relationships a customer can have with a provider: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). The provider in each case can be a public or a private cloud.
The National Security Agency (NSA) classified cloud vulnerabilities into four main categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities.
The risks in cloud security must be managed by both the customer and the provider. Organizations that are customers can implement governance, technological, and strategic controls to mitigate risks.
Management should ensure that policies for cloud computing include guidance for implementation. Before developing and implementing the policies, the risk concerns should be identified and discussed. Examples include which cloud provider personnel can access the organization's data, which assets will be managed by the cloud provider, which processes will be multi-tenant, where the provider's servers reside geographically, and many more. These concerns should also be raised with the cloud provider and written into contracts, with the detail depending on the cloud implementation strategy that is chosen (IaaS, PaaS or SaaS).
Organizational responsibility for data does not end when using the cloud. Some controls that should be considered and implemented include but are not limited to:
In addition, governance, risk, and compliance (GRC) is a must. Compliance with legal and contractual requirements is essential. The following are some International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) standards that should be considered.
Bad actors find new and better ways of gaining access to data and attacking clouds each year, including abuse of cloud services, account or service hijacking, cloud malware injection, denial of service, insider attacks, man-in-the-cloud attacks, side-channel attacks and wrapping attacks. Organizations must be prepared, through better implementation and management of cloud security, to deal with them.
There are three relationships you can have with a cloud provider: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). Which one to choose depends on how much you want to manage yourself versus have done for you.
Even when the cloud provider is managing all levels of integration, there are still many controls that you should consider implementing.
Before developing your policies, a risk assessment should be done, and the treatment of the identified risks should be agreed with the cloud provider.
Cloud security encompasses the controls, policies, and technologies that protect data, applications, and infrastructure hosted in cloud environments. In practice, responsibility is shared between the provider and the customer, and that division varies significantly depending on the service model in use.
The three primary service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). In IaaS, the customer manages security from the operating system upward. In PaaS, responsibility shifts further toward the provider, with the customer accountable for application-layer security. In SaaS, the provider manages nearly all layers, leaving the customer responsible primarily for access control and data governance.
The NSA identifies four principal cloud vulnerability categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities. Misconfiguration is among the most prevalent, often resulting from rushed deployments or inadequate governance. Each category requires distinct mitigation strategies, and responsibility for addressing them is distributed between the cloud customer and the service provider depending on the deployment model.
Cloud security governance begins with identifying which assets, processes, and data will be managed by the cloud provider and which remain under organizational control. Management should establish cloud-specific policies that address access to data, multi-tenancy risks, and provider accountability before deployment, not after. Policies should be reviewed against recognized frameworks like ISO/IEC 27001 and NIST standards to ensure they meet internal requirements and regulatory expectations.
Organizations should enforce role-based access management, apply the principle of least privilege, and implement strong authentication for all cloud-hosted systems. Secure management of credentials and secret authentication information is essential, as compromised credentials remain one of the most common vectors for cloud breaches.
ISO/IEC 27001 provides the foundational information security management framework most widely applied to cloud environments. ISO/IEC 27017 offers cloud-specific security controls, while ISO/IEC 27018 addresses the protection of personally identifiable information in public clouds. NIST publications, including the Cybersecurity Framework and relevant special publications such as SP 800-145 (the NIST definition of cloud computing, which defines the IaaS, PaaS and SaaS service models) and SP 800-144 (guidelines on security and privacy in public cloud computing), provide additional control guidance widely adopted across regulated industries and government-adjacent sectors.
Cloud environments face elevated exposure to attacks exploiting misconfigured storage buckets, unsecured APIs, and weak identity management. Supply chain attacks targeting cloud service providers pose particular risk because a compromise upstream can propagate across multiple customer environments simultaneously.
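The misconfigurations named above (publicly readable storage, wildcard permissions that violate least privilege) are visible in the policy document itself and can be caught before deployment. The following Python is an added example, not code from the original article: a small static analyzer for AWS-style JSON policy documents, applied to a constructed weak bucket policy and its hardened counterpart. The bucket name, role name and the account ID 123456789012 (AWS's documentation placeholder) are made up for illustration.

```python
"""Static checks for AWS-style JSON policy documents (added example).

Flags the misconfigurations the article describes: a public principal
with no Condition, wildcard actions or resources, and Allow statements
written with NotAction (which grant every action not listed).
"""
import json


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, which grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def analyze_policy(policy):
    """Return a list of (statement_id, finding) tuples for Allow statements.

    Deny statements only narrow access, so they are skipped.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement{idx}")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition") or {}

        if _is_public_principal(stmt.get("Principal")) and not condition:
            findings.append((sid, "public principal with no Condition"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        if "*" in resources:
            findings.append((sid, "wildcard resource"))
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
    return findings


# Constructed sample: anonymous read of the whole bucket, plus an application
# role granted s3:* on every resource in the account.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "AdminAnything",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
            "Action": "s3:*",
            "Resource": "*",
        },
    ],
}

# Constructed hardened form: one named principal, one action, one resource
# prefix, TLS required, and an explicit Deny for any plaintext access.
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_BUCKET_POLICY), ("hardened", HARDENED_BUCKET_POLICY)):
        print(name, json.dumps(analyze_policy(policy)))
```

Run as a script it reports three findings for the weak policy and none for the hardened one. The same checks can be wired into a pre-deployment pipeline step so that a policy with findings is rejected before it reaches the account, which is the "governance before deployment, not after" point the article makes.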
Personnel security in cloud environments encompasses staff awareness training, clearly defined roles and responsibilities for cloud data handling, and disciplinary processes for policy violations. Organizations should ensure that employees understand the shared responsibility model and their specific obligations within it. Offboarding procedures require particular attention in cloud contexts, as departing employees may retain access to cloud-hosted systems unless access revocation is actively managed and verified.
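Verifying revocation means reconciling the HR record of who has left against what the cloud identity service still holds, not trusting that a ticket was closed. The Python below is an added example, not code from the original article: it reads a constructed credential inventory with an assumed column layout (user, password_enabled, access_key_active, access_key_last_used; loosely modelled on the credential reports cloud providers export, but not a real format) and a constructed list of departed users with their leaving dates, and reports every departed user who still has a live credential or, worse, a credential used after the leaving date.

```python
"""Offboarding verification: departed users versus cloud credentials (added example)."""
import csv
import io
from datetime import date

# Constructed inventory: one row per identity in the cloud account.
INVENTORY_CSV = """\
user,password_enabled,access_key_active,access_key_last_used
alice,true,true,2024-05-02
bob,false,true,2024-05-20
carol,true,false,
dave,false,false,
"""

# Constructed HR feed: user -> last working day.
DEPARTED = {
    "bob": date(2024, 4, 30),
    "carol": date(2024, 5, 10),
    "dave": date(2024, 3, 1),
}


def _parse_date(text):
    """Empty last-used fields mean the key has never been used."""
    return date.fromisoformat(text) if text else None


def find_lingering_access(inventory_csv, departed):
    """Return {user: [reasons]} for departed users who still hold credentials.

    Three signals, in rising order of severity: console login still enabled,
    an API access key still active, and an access key used after the leaving
    date (the credential is not merely live but in use by someone).
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user = row["user"]
        if user not in departed:
            continue
        left_on = departed[user]
        reasons = []
        if row["password_enabled"].lower() == "true":
            reasons.append("console password still enabled")
        if row["access_key_active"].lower() == "true":
            reasons.append("access key still active")
        last_used = _parse_date(row["access_key_last_used"])
        if last_used and last_used > left_on:
            reasons.append(f"access key used on {last_used} after departure on {left_on}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_lingering_access(INVENTORY_CSV, DEPARTED).items():
        print(user, "->", "; ".join(reasons))
```

On the sample data, bob is reported twice over (an active key that was used three weeks after he left) and carol once (console login still enabled); dave, whose access was actually revoked, does not appear. Scheduling this reconciliation, rather than running it once, is what turns offboarding from a procedure into a verified control.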
GRC provides the structured framework through which cloud security risks are identified, assessed, and controlled in alignment with regulatory and organizational requirements. A GRC approach ensures that cloud security is not treated as a standalone IT concern but is integrated into enterprise-wide risk visibility, policy management, and compliance monitoring.
Three priorities define sound cloud security risk management. Organizations must maintain their own controls regardless of provider commitments. Governance frameworks should be in place before cloud adoption expands, not built reactively after incidents occur. Aligning with established standards such as ISO/IEC 27001 and NIST guidance gives organizations a structured baseline that reduces exposure and strengthens defensibility during audits or breach investigations.