Shifting to Software-Defined
Showing results for 
Search instead for 
Did you mean: 

Cloud Security 101: What are Cloud Security Controls?


This is the ninth blog of a series that provides the basics of information security in the cloud. In this series, we will provide definitions and best practices for many of the elements that should be considered as part of a cloud security program. In addition to a blog, each topic will also have a short video, providing some additional information on the subject.  The previous blog and video discussed the topic: "What is Data Protection?" In this installment, we will be discussing the topic: "What are Cloud Security Controls?"

Once a company has decided on an information security vision, they must test the implementation of that vision against a set of criteriaClouSec 101 Series.jpg (often called controls) to determine if that vision has been implemented correctly and is solving for their security concerns.

When a company decides on a cloud solution, extending those controls to that cloud solution becomes an important part of what kind of solution the company adopts.

Cloud Security controls, then, are the sets of standards that an enterprise uses to evaluate the effectiveness of the security policies and procedures implemented in their cloud environment to mitigate risk and reduce security vulnerabilities.

When a company decides on a cloud solution, it is important to understand how the sets of security controls that they have already implemented previously migrate to their cloud environment. For example, it is extremely important to be able to map previous audit engagements and controls to a new environment. A company may also have regulatory requirements to address, and it must be understood how those requirements will be handled in the cloud environment.

Most of the top tier cloud providers offer a set of standard security controls for their customers. It is incumbent on the customer to evaluate these controls, and make a risk decision on how these controls map to existing processes. Some cloud providers will adapt their controls to customer policies and procedures, while some provide a basic set of controls to the customer, and require the customer to either adopt those controls or create additional compensating controls to address any gaps.

 Apart from the regulatory compliance concerns, there are also controls specifically designed for cloud computing environments. Cloud Compliance.jpgThe Cloud Security Alliance has created a Cloud Control Matrix to evaluate cloud specific security considerations. Many of the big auditing firms have also developed a subset of cloud security controls to evaluate their customers. Finally, the federal government has revised their FedRAMP and FISMA standards to take cloud security into account as part of their overall evaluation and certifications.

Cloud security controls – and specifically how a company’s existing controls map to the cloud solution – should be one of the primary factor when selecting a cloud infrastructure solution. Understanding how the cloud security controls align and will be evaluated is a critical component of any cloud infrastructure decisions. Regardless of the vendor an enterprise chooses as their cloud provider, properly addressing how the security controls for the environment will be implemented as part of their cloud solution will ensure that security considerations are appropriately addressed.

For the next blog in this series, we will discuss the cloud security topic: "What is Risk Management in the Cloud?" To learn more about hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security. To find the additional parts, please search for Cloud Security 101. 

Download the whitepaper 




0 Kudos
About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.

Doug Perkins

Does this guide apply to consumer based cloud storage, private cloud / media server software like younity or tonido? Or is it more based on B2B, enterprise-centric cloud storage security? 


@Doug Perkins we are working on getting you an answer to your question. You'll hear from us soon. 


Doug - sorry for the delay in response.  The CSA control matrix is a set of controls designed and approved to assess the overall security of a potential cloud provider.  They are a basic set of controls, and should not be viewed as the complete, all-encompassing set that any business may need.  

As with all security controls, it is important that the controls meet the security considerations of the business.  For example, a small manufacturing company may not have anything near the controls that a large financial institution may have. But the basic, barebones controls should remain somewhat the same.

I hope this helps.  Feel free to ping me or we can set up a quick call to discuss.

See posts for
HPE at 2018 Technology Events
Learn about the technology events where Hewlett Packard Enterprise will have a presence in 2018.
Read more
See posts for dates/locations
Reimagine 2018
Join us at one of the Reimagine 2018 stops and see how we Simplify Hybrid IT, innovate at the Intelligent Edge and bring it all together with HPE Poin...
Read more
View all