(ISC)²'s bi-monthly e-newsletter, Cloud Security INSIGHTS, delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security.

Issue: 2020 November

Practical Advice to Harden Multi-Cloud Environments

By Paul South

Jeremy Snyder traveled the globe for several years learning how companies large and small secured their multi-cloud environments. The result of this international listening tour? A list of 10 recommendations for how to improve your multi-cloud security posture—a goal that’s now more important than ever with the shift to remote work and bad actors seeking novel ways to infiltrate public, private and hybrid cloud infrastructures accessed from so many more entry points. Read More

Issue: 2020 September

The Evolution of Vulnerability Management on Cloud Endpoints

By Oscar Monge España, CISSP, CCSP

One of the most common challenges when securing the cloud is not having full visibility of all resources deployed. This exponentially increases the exposure factor, which could lead to a possible breach.

Six to eight years ago, when organizations started moving to the cloud, the main goal was a smooth transition in order to quickly reap the benefits of cloud to deploy workloads and reduce capital expenditures. Security came later. Read More

Issue: 2020 July

Is It Time to Buy into Cloud Security Posture Management?


Mistakes happen. When it comes to cloud services, it’s important to know who is responsible when a mistake causes financial and reputational damage. With so many “shared responsibility models” currently being rewritten, now is an opportune time to consider the liabilities from cloud misconfigurations and technical solutions to help minimize them. Read More

Issue: 2020 May

Survey: Security Lags as Cloud Use Rapidly Grows More Complex



Offering flexibility, convenience and speed to drive business initiatives, the cloud continues to present unrivaled opportunities for innovation—if it can be properly secured. Unfortunately, security efforts are still coming up short in many environments.

“Between the use of multiple cloud platforms and heterogeneous security solutions, to the lack of qualified personnel needed to implement and manage them, enterprises find themselves compromising security to achieve their business objectives,” according to FireMon’s The 2020 State of Hybrid Cloud Security survey of 522 IT and security professionals. Read More

Issue: 2020 March

Building a Hardened Container Infrastructure—In and Outside of the Cloud


Bank vaults, mainframes and mountain fortresses are desirable for their lack of subtlety. Protection of their contents is ensured by sheer heft, so proprietors can focus elsewhere.

That calculus changes when low overhead is paramount. For instance, Linux containers epitomize lightweight, ephemeral infrastructure. And workloads that by design exist with only fleeting ties to physical systems must rely elsewhere for protection. Read More

Issue: 2020 January

Bringing PKI to the Cloud May Be Easier than You Think—And Already Happening

Most cybersecurity professionals are familiar with public key infrastructure (PKI) as it relates to creating and managing digital identities for people, platforms and devices across an enterprise. That increasingly includes building or outsourcing PKI within the cloud.

“We have always consumed PKI in the cloud, we just haven’t called it that because we have gone out and bought SSL certs that are publicly-rooted from the vendors,” explained Chris Hickman, the chief security officer for PKI-as-a-service provider Keyfactor, during an (ISC)² roundtable discussion. “If we look at the history of certificates and how they were used, one could easily argue that PKI was actually one of the first applications in the cloud, by virtue of needing a certificate to protect my e-commerce website or my website. In general, that was what I did: I went out and bought a cert. That cert was from somebody who was providing PKI in the cloud. It is actually not a new concept.” Read More

Issue: 2019 November

In Cloud We Trust (Mostly), According to New Survey


Since organizations began digital transformations en masse, a perennial question has been: Is data safer in the cloud or on-premises? A new survey offers some insight into how both are currently perceived by cybersecurity executives.

To measure the use of cloud services—now a $325 billion global market—and the level of trust in them, Nominet Cyber Solutions queried 274 C-level and other high-ranking cybersecurity professionals in the United States and United Kingdom. Read More

Issue: 2019 September

Minimizing Exposures Associated with Free Cloud Services


Free and low-cost public cloud services such as email and storage drops have democratized IT disruption. One result is an extended attack surface, affecting companies large and small.

Verizon’s 2019 Data Breach Investigations Report finds that compromised cloud-based email accounts now comprise 60% of web application hacks. Likewise, improper configuration of cloud-based file storage is leading to massive data exposure, accounting for 21% of breaches caused by errors. Read More

Issue: 2019 July

Forecast Looking Good for Cloud Security Solutions


Organizations are embracing the deployment of mission-critical workloads to the public cloud at an unprecedented rate, driving the global cloud security solutions market to an estimated $12.7 billion by 2023.

That’s according to Forrester’s Cloud Security Solutions Forecast, 2018 to 2023. The same analysis noted more than half (54%) of global infrastructure decision makers have implemented, or are expanding, their use of the public cloud, up from 25% in 2015. Read More

Issue: 2019 May

Turning to History to Build Trust in the Cloud Era


Amin Vahdat, a Google Fellow and technical lead for the company, is a student of history. The internet’s history, to be more precise.

In the early days of distributed systems, trust was implicit, he recalled. Protocols for routing and the like were not built with an adversarial mindset. Malware, phishing scams and state-sponsored cyber threats were rarely considered (at least publicly). Read More

Issue: 2019 March

Managing the Potholes and Possibilities During Cloud Migrations


Sometimes the journey to the cloud means pedal-to-the-metal driving on a smooth track. Other times, the road is rife with potholes to be avoided. Knowing when to press forth and when to maneuver around a pockmarked path will depend on how each organization selects, deploys and maintains cloud-related services. Read More

Issue: 2019 January

More Security Coming from Cloud Platform Providers


Cloud security has come a long way in the last decade. With cloud service providers building more protections into their platforms, some information security professionals now see cloud security on par with, and possibly better than, on-premises environments. That viewpoint, however, is far from universal. Read More

Issue: 2018 November 

How National Gypsum Is Leveraging Its Digital Transformation to Improve Data Security

By Paul South

Sometimes, it takes some nudging to get a company to embrace new technology, especially when that technology involves moving secured on-premises data into the cloud. For century-old National Gypsum, that push came in part due to expenses generated by lawsuits. Read More

Issue: 2018 September

Is It Time for You to Fully Embrace Cloud Services?

By Wesley Simpson

In case you are one of the last holdouts on moving to the cloud, I applaud your risk tolerance for keeping your company safe and secure. But in reality, in order to stay competitive, there is no better time than now to fulfill a digital transformation, including fully embracing cloud services. Read More

Issue: 2018 July

A False Sense of Security: 10 Controls That May Be Missing in Your Cloud Architecture

By Shawna McAlearney

Cloud services offer numerous cost benefits, business efficiencies and competitive advantages to organizations of all sizes. Despite advances, the cloud remains vulnerable to a host of security issues, most particularly data breaches and denial of service attacks. Fortunately, measures can be taken to set a foundation for a zero-trust implementation. Predrag “Pez” Zivic, CISSP, recently discussed 10 controls to architect strong security... Read More

Issue: 2018 May

Leveraging the Cloud to ‘Transform’ Cybersecurity at the Toronto Stock Exchange

By James Hayes

Bobby Singh, CISO and Global Head of Infrastructure Services at TMX Group, the technology provider at the heart of the Toronto Stock Exchange, is responsible for corporate IT systems and services, as well as all aspects of security, governance, risk and compliance. His role includes delivery of secure and highly available technology services across the organization, and as a member of its executive leadership team, he defines TMX Group’s cybersecurity vision and strategy. Read More

Issue: 2018 March

Again: Who’s Responsible for Vulnerability Management in the Cloud?

By Shawna McAlearney

The debate about who is responsible for security in the cloud, ongoing since the earliest days of cloud computing, has now been tested, thanks to Spectre and Meltdown. Users may not like the answers they are getting from their cloud providers.

The new year ushered in not just one but two incredibly serious hardware vulnerabilities that posed both an immediate threat and long-term implications to cloud computing. These vulnerabilities, resident in many different vendors’ processors and operating systems, could be used to compromise most computer chips to read sensitive information stored in a computer’s memory, including account numbers and passwords. Read More

Issue: 2018 January

Customers Have a Role in Reducing the Deluge of Cloud Breaches

By Teri Radichel

As the number of companies moving to the cloud increases, so do cloud breaches. In 2017, a variety of attacks on cloud systems occurred at major corporations and government agencies around the world. One of the most prevalent forms of cloud data leaks stemmed from improperly configured Amazon Web Services (AWS) S3 buckets. Organizations such as Verizon and Booz Allen Hamilton exposed credentials and sensitive data that existed in AWS storage buckets lacking proper configuration. These customers also failed to correctly encrypt the data. Read More

Issue: 2017 November

Managing Cloud Data-Loss Risk in a ‘Cloud First’ World

By Alexander Getsin

Cloud adoption and services remain among the top trends and IT strategies, as does cybersecurity. As a result, enterprises, federal agencies and startups alike are adopting a “cloud first” policy in their IT spending and plans. It is imperative for them to do so if they are to compete effectively and provide adequate services to their markets. Yet, chief among these same companies’ concerns is the risk of data loss, particularly the loss of data confidentiality. That’s why it is increasingly important to understand the loss of data confidentiality risk and how to mitigate it. Read More

Issue: 2017 September

Dispelling Myths About FedRAMP

By Abel Sussman, CISSP, CCSP, PMP, CRISC

Cloud computing is having a substantial and growing impact on U.S. government agencies’ work to bring efficiency, agility and innovation to citizen services. This trend shows few signs of slowing; the Federal Cloud Computing Strategy, published in 2011 by then U.S. Chief Information Officer Vivek Kundra, estimated the federal cloud computing market to be valued at $20 billion, offering significant opportunity to cloud service providers (CSPs). But to be able to tap into this market, they first must meet specific cybersecurity requirements. Read More

Issue: 2017 July

Malware in the Cloud 101

By Todd Clarke

Companies have underestimated the scope of cloud adoption by nearly 10x. Its rapid rise has created a new effect: a “cloud attack fan-out.” With so many devices now connected to the cloud, this has increased the attack surface. Sync and share activities have increased data velocity in the cloud, so now the propensity for and the severity of malware attacks have intensified. Read More

Issue: 2017 May

Is It Time to Add a CASB to Your Toolbox?

By Anita J. Bateman, CISSP

According to a recent survey by the Cloud Security Alliance, 64.9 percent of IT leaders think the cloud is “as secure or more secure” than on-premises software. However, the same survey revealed that one in three enterprises do not have a process to onboard cloud services, and the most common reasons for rejecting cloud requests are related to trust, encryption and data loss prevention. Read More

Issue: 2017 March

7 Ways to Build Cloud Resilience within Your Organization

By Duncan Greaves

Cloud computing is here to stay. The amount of infrastructure, applications and storage being used continues to grow rapidly. The provision of infrastructure, platform and software services has not only revolutionized where computing is being carried out, but it is also changing the face of systems management and security.

The very size of cloud data storage makes it a potential target for a really large breach. A great deal of investment has been made to protect cloud systems against attack. It is essential for cloud security suppliers to provide customers confidence in uploading their information. Read More

Issue: 2017 January

How to Secure Data Destruction in the Cloud

By Colleen Frye

Like a classic horror film that has you believing the monster is dead, only for it to roar back to life, will the data you thought was securely deleted from the cloud come back to haunt you, and possibly put you at risk for a breach?

It's a huge issue, says Johannes Ullrich, director of the Internet Storm Center at the SANS Technology Institute. "You cannot securely delete anything in the cloud; you don't control the medium. Read More

Issue: 2016 November

Using the Cloud for Disaster Recovery Requires Different Skills

By Crystal Bedell

It wasn't long ago that business continuity/disaster recovery (BC/DR) was reserved for the privileged few. Only the largest enterprises had the resources to build and maintain a secondary site, so only the largest enterprises had the peace of mind that comes with BC/DR capability. Today, however, that has changed. Cloud computing has democratized BC/DR, making it available to virtually any organization. The concern now is how to use cloud-based BC/DR securely.

According to analyst firm Enterprise Strategy Group (ESG), the number one planned use case for cloud computing is improving data backup and archive. BC/DR comes in second, and has for two years in a row, says Jason Buffington, a senior analyst for ESG. Read More

Debut Issue: 2016 September

Wrangling in the Cloud: Tactics for Avoiding a Data Stampede

By Paul South

In television's early days, cowboy shows like Rawhide galloped across a black and white landscape. Every third episode or so featured a stampede, triggered most often by a gunshot at a rattlesnake, an unexpected thunderstorm or a disgruntled cowhand.

And it was left to the cowboys to wrangle in the wayward herd. Read More