What is a Cloud Security Framework?

Sudesh Gadewar

Oct 27, 2022 / 4 min read


Despite the storage and computing limitations of on-premises EDA tools, many chip designers hesitate to switch to cloud-based solutions due to security concerns. Often, these concerns arise from a lack of control over the underlying cloud infrastructure and the security measures used to protect it. It can also be challenging to understand which aspects of cloud security are the end user's responsibility and which are covered by the cloud services provider. Cloud security frameworks guide providers and clients in protecting cloud resources.

What is a Cloud Security Framework?

A cloud security framework is a set of guidelines and best practices for protecting cloud resources. Some of these frameworks are broad and designed for general use, while others are industry specific (e.g., healthcare or defense).

Some popular cloud security frameworks include:

  • NIST: The National Institute of Standards and Technology (NIST) published a framework called “Guidelines on Security and Privacy in Public Cloud Computing.” These guidelines, which apply to providers and end-users in any industry, recommend strategies and tools to address key cloud security issues.
  • CSA STAR: The Cloud Security Alliance’s Security Trust Assurance and Risk (CSA STAR) framework defines cloud security best practices and validates the security posture of cloud service providers. CSA STAR includes:
    • The Cloud Control Matrix (CCM), which outlines the best cloud-specific security controls.
    • The Consensus Assessments Initiative Questionnaire (CAIQ), which provides clients with a list of questions to ask cloud providers to assess their CCM compliance.
    • The Code of Conduct for GDPR Compliance, which gives guidance for complying with the General Data Protection Regulation (GDPR).
  • ISO 27001/27017: This International Organization for Standardization (ISO) framework defines guidelines for information security. The original 27001 standard applies to on-premises systems, whereas the 27017 update sets out new guidelines that are specific to cloud computing infrastructure.

These cloud security frameworks are designed with both providers and end-users in mind. Cloud services use the shared responsibility model, meaning providers are responsible for certain aspects of security (such as physically securing their infrastructure with door locks), and customers are responsible for the rest.

Cloud security frameworks help providers improve their security posture and define the exact security measures they’re responsible for. The frameworks also help end-users understand which questions to ask before trusting a provider. Finally, they include recommendations for the specific policies, practices, and tools clients should use to hold up their end of the shared responsibility model.

Cloud Security Framework Best Practices

While each cloud security framework contains different standards and recommendations, there are some common best practices that all end-users should follow to protect their cloud data and applications.


Monitoring

Cloud security monitoring involves collecting real-time data from cloud platforms and infrastructure and analyzing that data to detect threats and vulnerabilities. Many major cloud providers offer built-in or add-on monitoring functionality for their particular platform. In a multi-cloud or hybrid cloud environment, it’s often more efficient to use a third-party, vendor-neutral monitoring solution that provides visibility into all cloud and on-premises systems from a single interface.


Role-Based Access Control

Role-based access control (RBAC) restricts user account privileges, so each employee only has access to the data and systems they need to perform their job function (or role). This prevents any one account from having access to too many cloud resources, limiting the damage caused if that account is compromised.
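To make the "limits the damage" point concrete, here is a small deny-by-default RBAC model (an added example, not code from the post or from Synopsys Cloud). The roles, resources and users are constructed sample data for an EDA team; the `blast_radius` helper shows exactly which resources an attacker could reach with one compromised account and nothing more.

```python
# Added example: minimal deny-by-default role-based access control.
# Roles, resources and users below are constructed sample data, not a
# real product's configuration.
from typing import Dict, FrozenSet, Set, Tuple

# A permission is a (resource, action) pair; each role grants a fixed set.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "chip_designer": frozenset({
        ("design-repo", "read"), ("design-repo", "write"),
        ("sim-cluster", "submit"),
    }),
    "license_admin": frozenset({
        ("license-server", "read"), ("license-server", "configure"),
    }),
    "auditor": frozenset({
        ("design-repo", "read"), ("audit-logs", "read"),
    }),
}

# Users hold one or more roles; nothing outside those roles is granted.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"chip_designer"},
    "bob": {"license_admin"},
    "carol": {"auditor", "chip_designer"},
}


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: allow only if one of the user's roles grants the pair."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, frozenset()):
            return True
    return False


def blast_radius(user: str) -> Set[str]:
    """Resources reachable if this account is compromised: the union of
    everything its roles can touch, which is all an attacker would get."""
    reachable: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        reachable.update(res for res, _ in ROLE_PERMISSIONS.get(role, frozenset()))
    return reachable


if __name__ == "__main__":
    print(is_allowed("alice", "design-repo", "write"))         # True
    print(is_allowed("alice", "license-server", "configure"))  # False
    print(sorted(blast_radius("bob")))                         # ['license-server']
```

Because an unknown user or an unknown role maps to an empty permission set, a misspelled role name silently denies rather than silently grants, which is the failure mode you want.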


Data Governance

Data governance is a collection of policies, processes, and tools used to control who has access to cloud data and prevent that data from falling into the wrong hands. Data governance is a major component of cloud security frameworks for regulated industries like healthcare, finance, and defense.


Identity and Access Management

Identity and access management (IAM) includes policies and technologies used to control user access to business resources. An IAM solution provides critical cloud security features such as single sign-on (SSO), multi-factor authentication (MFA), and privileged access management.


Employee Training

Human error is responsible for up to 88% of data breaches. Employees fall for phishing scams, accidentally download malware, store passwords in insecure locations, and make other mistakes that give cybercriminals an entry point to cloud systems and data. Training employees to spot social engineering attempts and follow good security practices will improve cloud security.

Synopsys, EDA, and the Cloud

Synopsys is the industry’s largest provider of electronic design automation (EDA) technology used in the design and verification of semiconductor devices, or chips. With Synopsys Cloud, we’re taking EDA to new heights, combining the availability of advanced compute and storage infrastructure with unlimited access to EDA software licenses on-demand so you can focus on what you do best – designing chips, faster. Delivering cloud-native EDA tools and pre-optimized hardware platforms, an extremely flexible business model, and a modern customer experience, Synopsys has reimagined the future of chip design on the cloud, without disrupting proven workflows.


Take a Test Drive!

Synopsys technology drives innovations that change how people work and play using high-performance silicon chips. Let Synopsys power your innovation journey with cloud-based EDA tools. Sign up to try Synopsys Cloud for free!


About The Author

Sudesh Gadewar is group director of Information Security at Synopsys and leads the Information Security Architecture and Engineering team globally. Sudesh has 15+ years of experience in security, and his passion lies in both the offensive and defensive sides of security. Sudesh leads Synopsys' cyber security engineering and architecture efforts, focused on secure on-prem architecture, cloud security, tooling, frameworks, automation and threat intelligence.
In his spare time, he likes to educate adults and kids about security and cyber security 101. Sudesh has presented at various conferences such as Cisco Live, DEFCON, Tech Summits and Meet Up to share best practices and new analysis around threats and information security.
