Description

Strategy and policy

A holistic cloud security program should establish who owns each cloud security risk (internal or external), identify protection and compliance gaps, and define the controls needed to mature security and reach the desired end state.

Network segmentation

In multi-tenant environments, assess what segmentation is in place between your resources and those of other customers, as well as between your own instances. Take advantage of a zone-based approach to isolate instances, containers, applications, and entire systems from each other when possible.

Identity and access management and privileged access management

Take advantage of robust identity management and authentication processes to ensure that only authorized users have access to the cloud environment, applications, and data. Apply least privilege to restrict privileged access and harden cloud resources (for example, only expose resources to the internet when necessary and disable unnecessary capabilities, features, and access). Make sure that privileges are role-based and that privileged access is audited and logged through session monitoring.
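One way to make the least-privilege requirement above checkable, as an added example that is not part of the original page: a small linter that reads an IAM-style JSON policy document and flags statements that grant every action, every resource, or access to any principal. The policy below is constructed for the example (the account id, bucket and role names are placeholders); the JSON shape follows the common Statement/Effect/Action/Resource/Principal layout but the checks are generic and do not implement any provider's full evaluation logic.

```python
"""Least-privilege lint for IAM-style policy documents (added example)."""
import json

# Constructed sample policy; identifiers are placeholders, not a real account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ServiceWildcard", "Effect": "Allow",
         "Action": "iam:*", "Resource": "arn:aws:iam::123456789012:role/app-role"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when the statement applies to any principal (public exposure)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(policy_json):
    """Return a list of (sid, severity, message) findings for Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not flagged here
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append((sid, "HIGH", "Action '*' grants every API call"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((sid, "MEDIUM",
                                 f"service-wide wildcard action {action}"))
        if "*" in resources:
            findings.append((sid, "MEDIUM", "Resource '*' applies to all resources"))
        if _principal_is_anyone(stmt.get("Principal")):
            findings.append((sid, "HIGH", "Principal '*' exposes the resource publicly"))
    return findings


def has_high_findings(policy_json):
    """Convenience gate for a CI or deployment pipeline check."""
    return any(sev == "HIGH" for _, sev, _ in lint_policy(policy_json))


if __name__ == "__main__":
    for sid, severity, message in lint_policy(SAMPLE_POLICY):
        print(f"[{severity}] {sid}: {message}")
```

Running the block prints one line per finding; the ReadOwnBucket statement, scoped to named actions and a named bucket, produces none. In practice the check runs before a policy is applied (for example as a pipeline gate using `has_high_findings`), and a finding is a prompt to narrow the statement to the specific actions and resources the role actually needs.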

Discover and integrate cloud instances and assets

Once the instances, services, and cloud assets are discovered and aggregated, put them under management (for example, manage and cycle their passwords). Discovery and integration should be automated as much as possible to eliminate shadow IT.

Password control (privileged and non-privileged passwords)

Never allow the use of shared passwords. Combine passwords with other authentication systems for sensitive areas. Ensure best practices for password management.

Vulnerability management

Perform regular vulnerability scans and security audits, and remediate known vulnerabilities.

Encryption

Make sure your cloud data is encrypted, at rest and in transit.

Disaster recovery

Be aware of the data backup, retention and recovery policies and processes of your cloud providers. Do they meet your internal standards? Do you have strategies and solutions in place for break-glass (emergency access) scenarios?

Monitoring, alerts and reports

Implement continuous security monitoring of user activity in all environments and instances. Try to integrate and centralize your cloud provider's data (if applicable) with data from internal solutions and other vendors, so you get a holistic picture of what's going on in your environment.
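The centralization described above, as an added example that is not part of the original page: two constructed log sources (a cloud provider audit feed in JSON lines and an internal VPN gateway log in a syslog-like text format) are parsed into one common event schema, merged in time order, and then a detection pass runs over the combined stream. The privileged action names, field names, users and IP addresses are all constructed for the example and do not correspond to any particular provider's log format.

```python
"""Centralizing a cloud audit feed with an internal VPN log and alerting (added example)."""
import json
import re

# Constructed cloud provider audit events, one JSON object per line.
CLOUD_AUDIT_LINES = """\
{"ts": "2024-05-01T10:00:00Z", "user": "alice", "action": "ConsoleLogin", "src_ip": "203.0.113.10", "mfa": false}
{"ts": "2024-05-01T10:05:00Z", "user": "alice", "action": "AttachRolePolicy", "src_ip": "203.0.113.10", "mfa": false}
{"ts": "2024-05-01T11:00:00Z", "user": "bob", "action": "GetObject", "src_ip": "198.51.100.7", "mfa": true}
{"ts": "2024-05-01T11:30:00Z", "user": "bob", "action": "CreateAccessKey", "src_ip": "198.51.100.7", "mfa": true}
"""

# Constructed internal VPN gateway log (syslog-like text).
VPN_LOG_LINES = """\
2024-05-01T09:58:00Z vpn-gw: user=alice public_ip=198.51.100.22 event=connected
2024-05-01T10:55:00Z vpn-gw: user=bob public_ip=198.51.100.7 event=connected
"""

# Constructed list of actions treated as privileged for this example.
PRIVILEGED_ACTIONS = {"AttachRolePolicy", "CreateAccessKey", "PutBucketPolicy"}

VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw: user=(?P<user>\S+) public_ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def parse_cloud_audit(text):
    """Map provider audit records onto the common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"ts": rec["ts"], "source": "cloud-audit", "user": rec["user"],
                       "action": rec["action"], "src_ip": rec["src_ip"],
                       "mfa": rec.get("mfa", False)})
    return events


def parse_vpn_log(text):
    """Map VPN gateway text lines onto the same common schema."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        events.append({"ts": m["ts"], "source": "vpn-gw", "user": m["user"],
                       "action": "vpn_" + m["event"], "src_ip": m["ip"], "mfa": None})
    return events


def centralize(*streams):
    """Merge any number of normalized streams into one time-ordered stream."""
    merged = [event for stream in streams for event in stream]
    return sorted(merged, key=lambda e: e["ts"])  # ISO-8601 UTC sorts lexically


def detect(events):
    """Run two rules over the merged stream and return alert dicts.

    Rule 1: console login to the provider without MFA.
    Rule 2: a privileged provider action from an IP the user has not
            connected from through the internal VPN (cross-source context).
    """
    alerts = []
    vpn_ips_by_user = {}
    for e in events:
        if e["source"] == "vpn-gw" and e["action"] == "vpn_connected":
            vpn_ips_by_user.setdefault(e["user"], set()).add(e["src_ip"])
            continue
        if e["source"] != "cloud-audit":
            continue
        if e["action"] == "ConsoleLogin" and not e["mfa"]:
            alerts.append({"rule": "console-login-without-mfa", "user": e["user"],
                           "ts": e["ts"], "detail": f"from {e['src_ip']}"})
        if e["action"] in PRIVILEGED_ACTIONS and \
                e["src_ip"] not in vpn_ips_by_user.get(e["user"], set()):
            alerts.append({"rule": "privileged-action-from-unknown-ip", "user": e["user"],
                           "ts": e["ts"], "detail": f"{e['action']} from {e['src_ip']}"})
    return alerts


if __name__ == "__main__":
    stream = centralize(parse_cloud_audit(CLOUD_AUDIT_LINES), parse_vpn_log(VPN_LOG_LINES))
    for alert in detect(stream):
        print(alert)
```

The second rule is the point of centralizing: neither source alone can tell that alice's policy change came from an address she never used on the corporate VPN, while bob's key creation from his VPN address stays quiet. Real deployments would replace the inline strings with a log collector feed and keep the normalized schema stable so that rules do not need to know which vendor produced an event.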