Cloud Security Policy Template

This document provides a template for creating a cloud security policy. It outlines key sections such as purpose, scope, roles and responsibilities, acceptable usage, approved and unauthorized services, risk assessment, and security controls. The policy helps define who is responsible for cloud security, what data and services it covers, how risks will be assessed, and what controls will be implemented to protect cloud-based assets and data.


Cloud Security Policy Template
Creating a cloud security policy is a best practice. An essential part of your cloud security strategy, this policy helps your organization properly store and protect your critical data assets. It shows who is responsible for each aspect of cyber security, details your approach to cloud services and provides written evidence of your commitment to protecting enterprise data. Moreover, a documented cloud security policy is a requirement of some compliance regulations.

A cloud security policy is not a stand-alone document. You must link it to other security policies developed
within your organization, such as your data security and privacy policies.

The cloud security policy template below provides a road map of recommended key sections, with descriptions
and examples. Adapt it to meet your organization’s unique legal and regulatory requirements.

1. Purpose

The purpose section contains the reasons for developing and maintaining the policy. Example:

This policy ensures the confidentiality, integrity and availability of data stored, accessed and manipulated
using cloud computing services. It establishes a framework of responsibility and actions required to meet
regulatory requirements and security guidelines for cloud computing.

2. Scope

This section explains where the policy applies. It can include sections that call out specific groups, services or
locations. Example:

This policy covers systems handling data within the “2.1. Information Types” section of this document.
All services within the cloud environment that fall into this category will be subject to the requirements
specified within this policy. Therefore, it applies to every server, database and other IT system that handles
such data, including any device that is regularly used for email, web access or other work-related tasks. The
requirements apply to new and existing installations. Every user who interacts with company IT services is
also subject to this policy. The security control requirements are product agnostic and applicable for all
approved cloud systems.

2.1. Information Types

Provide a list of information types covered by this policy. Use data classification best practices to label the data
your organization stores and processes. Example:

This policy applies to all customer data, personal data and other company data defined as sensitive by the
company’s data classification policy. The sensitive data types covered by this policy include:

Identity and authentication data:

• Passwords
• Cryptographic private keys
• Hash tables

Financial data:

• Invoices
• Payroll data
• Revenue data
• Accounts receivable data

Proprietary data:

• Software test and analysis
• Research and development

Employee personal data:

• Names and addresses
• Social Security numbers
• State-issued driver’s license number
• State-issued identification card number
• Financial account numbers, including any security code, access code or password permitting access to the account
• Medical and/or health insurance information

3. Ownership and Responsibilities

In this section, list all roles related to cloud security actions, controls and procedures. Examples can include
cloud security administrators, data owners, users and cloud providers. Describe each role and the associated
responsibilities for safe cloud usage and security maintenance.

To compile this list, consider the following questions:

• Who is using the cloud?
• Who is responsible for maintaining the cloud service on the organizational end and the provider end?
• Who is responsible for maintaining cloud security?
• Who is responsible for selecting new cloud solutions?
• Who is responsible for making significant decisions?

Example:

Cloud Security Administrator

The person ultimately responsible for the implementation, configuration and maintenance of cloud service security. This person shall address the following:

• Implementing security for new services
• Customizing the configuration of the cloud service security settings
• Maintaining access control and permissions management for each cloud service provided
• Retiring terminated services

Service Level Manager

The person ultimately responsible for managing service-level agreements and acting as liaison with the
cloud provider to negotiate SLA contracts and ensure the provider meets all the terms of those contracts.

4. Secure Usage of Cloud Computing Services

This section defines the requirements for acceptable use of cloud services. Example:

All cloud-based services must be approved prior to acquisition and deployment. To ensure secure adoption
and usage of cloud services, the following steps must be taken:

• Define organizational needs and priorities.
• Define service users, both internal and external.
• Determine the type of cloud service to be adopted, including the physical and operational characteristics for SaaS, PaaS and IaaS solutions.
• Define the data types to be stored.
• Determine the security solutions and configurations required for encryption, monitoring, backups, etc.
• Generate a list of past security incidents involving this cloud provider.
• Request available security certifications.
• Obtain copies of agreements with the provider, including SLAs.

4.1. Inventory

Describe how your organization will track what cloud services it is using and keep that inventory current.
Example:

The cloud security administrator and IT security manager must perform an inventory of cloud services in
use at least quarterly.

4.2. Approved Services

Provide a synopsis of your cloud-based infrastructure with a list of approved services. Example:

The organization has a central headquarters and several offices located across the U.S. Some employees
access services remotely from mobile devices. Each department — such as human resources, sales and
project management — uses one or more cloud services. All departments must maintain a list of authorized
cloud vendors and services that align with the overall cloud security policy.

The list of approved services includes:

• Hardware layer: <Indicate data centers>
• Infrastructure layer: <Example: Amazon EC2>
• Platform layer: <Example: Microsoft Azure, Google App Engine, Amazon SimpleDB/S3>
• Application layer: <Example: business applications, web services, multimedia>

4.3. Unauthorized Services

In this section, explain what cloud-based services are not permitted. Example:

Only the cloud-based solutions on the list of approved services specified in Section 4.2 of this document may be used. The installation of unauthorized software on organizationally owned or managed user end-point devices (e.g., workstations, laptops and mobile devices) and on IT infrastructure network and system components is restricted. The cloud security administrator must provide authorization for any third-party cloud service before it is placed into use. The introduction of any unauthorized cloud service will immediately generate a notification for IT security and block the service from use.

5. Risk Assessment

Use this section to integrate your cloud security policy with the organization’s risk assessment policy. Define the
scope and schedule for risk assessments. Example:

Data from the “Sensitive” tier of the Data Classification Policy shall be available at all times, per regulations,
for discovery and audit. Cloud providers shall conform to these compliance requirements.

The Cloud Security Administrator and the IT Security team shall conduct a risk assessment at the following
times:

• Upon the implementation of a new cloud service
• After major upgrades or updates to an existing cloud service
• After any changes to the configuration of a cloud service
• When following up on a security event or incident
• Quarterly for all existing cloud services

The cloud security risk assessment shall include the following:

• Audit results, both internal and external (cloud provider system security audit results)
• Threat and vulnerability analysis
• Regulatory compliance

6. Security Controls

The cloud security policy specifies the various security components available and in use by the organization. It should include both internal controls and the security controls of the cloud service provider, breaking out specific groups of requirements, including technical and control requirements, mobile security requirements, physical security requirements and security controls assurance practices. Example:

At the time of cloud service implementation and quarterly after that, the Cloud Security Administrator shall review
each service-level agreement, as well as request and analyze the cloud provider’s security audits.

6.1. Technical Security Controls Requirements

This section specifies all requirements for technical controls for access management. For example:

The organization shall put into place tools for centralized visibility of the cloud service infrastructure, such
as cloud workload protection (CWP) tools. The tools shall offer traffic analysis, configuration monitoring and
assessment, and alerts for configuration issues.

Access control methods to be used shall include:

• Auditing of attempts to log on to any device on the company network
• Windows NTFS permissions to files and folders
• Role-based access model
• Server access rights
• Firewall permissions
• Network zone and VLAN ACLs
• Web authentication rights
• Database access rights and ACLs
• Encryption at rest and in flight
• Network segregation

Access controls apply to all networks, servers, workstations, laptops, mobile devices, cloud applications and websites, cloud storage, and services.

Identity and access controls include authentication, data access standards, credential lifecycle management and access segmentation.

Auditing includes configuration and change auditing.

Data protection includes encryption, data remediation, data erasure, and data recovery.

Other technical controls include network security and wireless security (such as VPNs and firewalls).

6.2. Mobile Security Requirements

This section should include controls for configuring mobile access, generating a robust identity, device
monitoring, employing anti-malware solutions and mobile device management. Example:

Cloud security shall include mobile security controls to prevent malware infection on company mobile devices and privately owned devices used to access the organization’s cloud services. Any device found without anti-malware protection shall be quarantined.

6.3. Physical Security Requirements

Include in the policy the reasons for designing and applying countermeasures that protect physical access and equipment against damage. Highlight protection of power, temperature, water and other utilities at the data center location. Physical security also covers issues arising from natural and human-made disasters, including the process for disaster recovery. Example:

The company shall monitor the interior temperature of the data center. The owner of physical security shall receive an immediate notification if the temperature varies more than 5 degrees from the baseline.

6.4. Security Controls Assurance

This section defines how often security controls are subject to a regular IT health check. Example:

Monthly, the Cloud Security Administrator shall perform an assessment of security control configurations and review all failed unauthorized access attempts.

7. Security Incident Recovery

This section contains rules for determining the areas for assessment in the event of a security incident and sets
priorities for cloud service and data recovery. Example:

In the event of a data breach, both the cloud provider and the cloud security administrator shall perform an
assessment of the systems and users that are directly or indirectly involved in the incident to determine the method
of access, such as physical, via software/malware or through human error.

Reporting requirements:

• Daily incident reports shall be produced and handled by the IT Security Department or the Incident Response Team.
• Weekly reports detailing all incidents shall be produced by the IT Security Department and sent to the IT Manager or Director.
• High-priority incidents discovered by the IT Security Department shall be immediately escalated; the IT Manager should be contacted as soon as possible.
• The IT Security Department shall also produce a monthly report showing the number of IT security incidents and the percentage that were resolved.

Priorities for data recovery:

• All non-archived data classified as Sensitive is considered to have a priority of High.
• All archived data classified as Sensitive is considered to have a priority of Moderate.
• All data classified as Internal is considered to have a priority of Moderate.
• All data classified as Public is considered to have a priority of Low.

8. Awareness-Raising

This section spells out how often the organization should perform security training, who must pass the training and
who is responsible for conducting the training. Example:

The IT Security Management office shall provide quarterly security training to all users of cloud services. All users of
cloud services must pass security training to maintain permissions and access to the service.

9. Enforcement

This part details the penalties for policy violations and how they will be enforced. Example:

Employees who attempt to use unauthorized services shall have their permissions revoked until they pass security
training.

10. Related Documents

This section lists all documents related to the cloud security policy and procedures. Example:

• Data Protection Policy
• Data Classification Policy
• Password Policy
• Risk Assessment Policy
• Encryption Policy
• Workstation Security Policy
• Incident Response Policy
• Data Processing Agreement

11. Revision History

Maintain a history of the policy document, with entries for the original implementation and each time it is changed.
Example:

Version   Revision Date   Author                                 Description
1.0       02/01/2020      Elaine Parker, Cloud Security Admin    Initial version
1.1       06/01/2020      Elaine Parker, Cloud Security Admin    Updates to training frequency

Conclusion
Using this cloud computing security policy example, you can develop a solid cloud security policy for your organization
that enables you to protect sensitive data. Make the policy robust and feasible, and ensure it is accessible, concise
and easy to understand at every level of the company.

Ensure the Security of Your Microsoft 365 Environment with Netwrix Solutions

• Accurately identify sensitive information in the cloud and automatically reduce its exposure
• Harden security by seeing through the tangled permissions structure of cloud-based systems and spotting broken inheritance
• Know right away about changes to configuration and permissions that could compromise security
• Detect even the most clever threat actors with advanced user behavior analytics
• Troubleshoot incidents quickly with Google-like search of audit data

Download Free 20-Day Trial


About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.
For more information, visit www.netwrix.com.

Next Steps
Free trial — Set up Netwrix in your own test environment: netwrix.com/freetrial

In-Browser Demo — Take an interactive product demo in your browser: netwrix.com/browser_demo

Live Demo — Take a product tour with a Netwrix expert: netwrix.com/livedemo

Request Quote — Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTERS:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618 (1-949-407-5125; Toll-free (USA): 888-638-9749)
565 Metro Place S, Suite 400, Dublin, OH 43017 (1-201-490-8840)
5 New Street Square, London EC4A 3TW (+44 (0) 203 588 3023)

OTHER LOCATIONS:
Spain: +34 911 982608
Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
France: +33 9 75 18 11 19
Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306
Italy: +39 02 947 53539

SOCIAL: netwrix.com/social
