I’ve seen several ways to come at security controls for cloud services. Firstly: use your threat modelling process (you have one of those, right?) to identify the controls that are needed. Some platform tools, like Threatmodeller, even let you compare the recommended controls with what’s actually implemented. Secondly: use asset management tools (generally seen as unsexy, but necessary) to report on what’s actually in place, then compare that with recommended best practice. Thirdly: invest in policy compliance tools that check what’s in place against the policy you thought you were implementing. If you do all three, that’s Jenga!
[…] In a majority of data breach scenarios, the underlying cloud infrastructure is secure, and it is the CSP customer that is not fulfilling their part of the deal. As Gartner states, “through 2022, at least 95 percent of cloud security failures will be the customer’s fault.” Appropriate use of native security controls in AWS and other CSPs is fundamental to managing cloud risk and avoiding costly breaches. However, many organizations struggle with determining when and how to use these native security controls, how to manage them consistently, and how and when to augment these controls to ensure continuous security and compliance.
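The three approaches above (threat-model-derived controls, an asset inventory, and a compliance check of one against the other) can be wired together in a few lines. This is an added illustration, not code from the post or from any tool it names; the control names, asset types and inventory are constructed and assumed.

```python
# Added example: compare a control policy (what the threat model says each asset
# type needs) against an asset inventory (what is actually in place) and report
# the gaps. All control names and inventory entries below are constructed.

# Controls the threat model requires per asset type (assumed, illustrative).
REQUIRED_CONTROLS = {
    "s3_bucket": {"block_public_access", "default_encryption", "access_logging"},
    "ec2_instance": {"imdsv2_required", "ebs_encryption"},
}

# Constructed inventory, in the shape an asset-management export might produce:
# each asset lists the controls observed as enabled on it.
INVENTORY = [
    {"id": "logs-archive", "type": "s3_bucket",
     "controls": {"block_public_access", "default_encryption", "access_logging"}},
    {"id": "web-assets", "type": "s3_bucket",
     "controls": {"default_encryption"}},
    {"id": "i-0abc", "type": "ec2_instance",
     "controls": {"ebs_encryption"}},
    {"id": "legacy-db", "type": "rds_instance", "controls": set()},
]


def compliance_gaps(inventory, policy):
    """Return (gaps, unmodelled).

    gaps       -> {asset_id: sorted list of required controls that are missing}
    unmodelled -> ids of assets whose type the threat model never covered, which
                  is itself a finding: the policy, not the asset, has the gap.
    """
    gaps = {}
    unmodelled = []
    for asset in inventory:
        required = policy.get(asset["type"])
        if required is None:
            unmodelled.append(asset["id"])
            continue
        missing = sorted(required - asset["controls"])
        if missing:
            gaps[asset["id"]] = missing
    return gaps, unmodelled


if __name__ == "__main__":
    gaps, unmodelled = compliance_gaps(INVENTORY, REQUIRED_CONTROLS)
    for asset_id, missing in gaps.items():
        print(f"{asset_id}: missing {', '.join(missing)}")
    for asset_id in unmodelled:
        print(f"{asset_id}: asset type not covered by the threat model")
```

Assets whose type has no entry in the policy are reported separately, since that is the case where the threat model, rather than the deployment, needs updating.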