This report presents four important security practices that are practical and effective for improving the cybersecurity posture of cloud-deployed information technology (IT) systems. These practices help to address the risks, threats, and vulnerabilities that organizations face in deploying or moving applications and systems to a cloud service provider (CSP). The practices address cloud security issues that consumers are experiencing, illustrated by several recent cloud security incidents. The report demonstrates the practices through examples using cloud services available from Amazon Web Service (AWS), Microsoft, and Google.
The presented practices are geared toward small and medium-sized organizations; however, all organizations, independent of size, can use these practices to improve the security of their cloud usage. The focus here is on hybrid deployments where some IT applications deploy or move to a CSP while other IT applications remain in the organization’s data center. Small and medium-sized organizations likely have limited resources; where possible, these practices describe implementation approaches that may be effective in limited-resource situations.
Publisher StatementThis material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
This report was prepared for the SEI Administrative Agent AFLCMC/AZS 5 Eglin Street Hanscom AFB, MA 01731-2100
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Copyright StatementCopyright 2019 Carnegie Mellon University. All Rights Reserved.