Demystifying Cloud Security: A Practical Guide to Maturity and Best Practices
Leading News from SANS Cybersecurity Leadership | Edition No. 8

By: Jason Lam

At the recent RSA conference, I had the privilege of engaging with security leaders from various organizations to discuss the critical topic of cloud security. A prevalent theme emerged from these conversations: organizations are heavily investing in cloud security measures. However, when asked about their confidence in their environment's ability to withstand modern-day attacks, the responses were marked by uncertainty and a lack of assurance regarding the effectiveness of their security posture.

The complexity of recent cloud attacks, which often involve pivoting across multiple environments and navigating intricate authentication protocols like OAuth, poses significant challenges. The recent Microsoft compromise, allegedly perpetrated by the Russian foreign intelligence service and initially disclosed in January 2024, serves as a stark reminder of the multifaceted nature of these threats. Factors such as cloud misconfiguration, identity hygiene, and test environment isolation played crucial roles in the incident.

Organizations frequently find themselves heavily investing in specific areas of cloud security while inadvertently neglecting others. These oversights are not intentional but rather stem from historical factors and the inherent strengths and weaknesses within each organization. Unfortunately, attackers are not hindered by an organization's internal role and responsibility boundaries or the historical reasoning behind imperfect setups. When a weakness is present, they excel at exploiting it.

To assist organizations in comprehending these complex cloud security dynamics and ensure they are well-informed about the complete spectrum of cloud security, SANS has published a Cloud Security Maturity framework. This framework serves as a valuable tool for organizations to measure their progress in each of the crucial security domains.

If you are seeking guidance on how your cloud security program can encompass the entire spectrum of cloud security domains, I invite you to join us in LDR520: Cloud Security for Leaders. This course, based on the SANS Cloud Security Maturity framework, delves into the details of what each stage of maturity entails. We will share valuable tips and tricks to help you guide your organization through the maturity journey.


Download the Cloud Security Maturity Model Poster

SANS Cloud Security Maturity Model Poster

As organizations actively migrate applications and computing environments to the public cloud, it is imperative to transform the organization’s security program to address the risk in the new paradigm. The Cloud Security Maturity Model (CSMM) poster guides organizations in this complex journey of achieving a high level of cloud security and allows them to measure their progress along the way. Download the poster for free.


New YouTube Series! Deep Dive into the CSMM

This series with Jason Lam, Principal Instructor and author of LDR520: Cloud Security for Leaders, covers the 8 Domains of the Cloud Security Maturity Model. This framework guides organizations along the complex journey of achieving a high level of cloud security with measurable progress along the way. Watch the first few parts in this series now!


Try a Free 1-Hour Demo of LDR520

LDR520: Cloud Security for Leaders | sans.org/ldr520

To safeguard the organization's cloud environment and investments, a knowledgeable management team must engage in thorough planning and governance. Making informed security decisions when adopting the cloud necessitates understanding the technology, processes, and people associated with the cloud environment. Learn more and try the course demo here.


