Cloud Security Governance — A way to keep your cloud secure

  • Treating it like any other cyber-security project. The cloud is a different animal and a completely new way of doing things to boot. Treating it like a project which you finish and then hand over is a sure-fire way to have a data breach down the road. Treat the cloud as a separate environment, as critical as your on-prem one, with the same level of governance required.
  • Not formalizing who is responsible for what. Many companies fail to set down who will be responsible for implementing security controls, patching, monitoring etc. in the cloud, which leads to ambiguities that can be disastrous. Make sure a formal and approved org chart is set up which clearly establishes who is responsible for cloud security in your organization. If your organization is planning to outsource the majority of its cloud work, then make sure your org chart reflects that too.
  • Not having a roadmap, or not aligning your cloud security roadmap with the business strategy. Without a proper strategy in place you will just be buying and implementing controls with no idea of the larger picture of the problem you are trying to solve. Similarly, the cloud does not exist in a bubble and has to be aligned with your overall business strategy. If the company is planning to use AWS in the next three years, then investing in Azure-based tools is probably not the way to go in the long run.
  • Not informing management about the status of controls and the return on investment. A long-running challenge in cyber-security is not having proper metrics to report to management. Without metrics you will not have visibility and will not be able to report the status of controls to management. Without visibility, management will not see a return on investment and will not provide future approvals for the tools you will need.

What Cloud Security Governance is not

  • A tool or commercial product which you implement
  • A policy which you write and then forget about after passing an audit
  • A checklist
  • A standard (although those help!)
  • A certification which you acquire

Key components

  • A formal cloud security policy approved by management
  • A cloud security roadmap or strategy to implement that policy AND align it with the larger business strategy of the company
  • A proper organizational chart formalizing who is responsible for cloud security
  • Reporting metrics for senior management visibility into cloud risks, answering questions such as:
      • Who is handling cloud security in our organization?
      • How secure is our cloud?
      • Are our cloud security investments giving us value?
      • What are the key risks we should know about?
Cloud Security Guy: Cloud Security Expert with over 20 years of experience. Loves writing and teaching about Cloud Security and Artificial Intelligence.
