Ryan Davis

How to Build a Successful Cloud Security Program

December 17, 2019

Every organization's cybersecurity program is unique. This comes as no surprise since every enterprise has a distinct IT architecture and uses different types of applications.

At the same time, businesses with comprehensive cybersecurity programs tend to embrace many of the same underlying principles that ensure effectiveness. Businesses with strong cybersecurity understand where their sensitive data lives and who can access it, continue to evaluate security controls to ensure compliance and enhance security, and leverage machine learning and automation tools to quickly access important information.

Here, we'll explore four foundational elements of a successful cloud security program and discuss how organizations can best align with these initiatives in 2020.

1. Create an accurate and up-to-date inventory of applications and data.

    An essential first step when developing a cloud security program is to establish an accurate and up-to-date inventory of applications and data. This is often easier said than done.

    In a cloud environment, legacy approaches like active discovery can have a negative impact on system performance. It's important to investigate cloud-native alternatives that passively discover and classify assets and devices on the network.

2. Gain visibility into all encrypted traffic.

    As early as 2016, NSS Labs predicted that 75% of web traffic would be encrypted by 2019. With more and more enterprises adopting stronger SSL encryption, IT teams are struggling to strike a balance between security and visibility.

    Stronger encryption often makes it more difficult to monitor network and application performance in secure areas of your IT architecture. Read the white paper, "Encryption vs. Visibility: Why SecOps Must Decrypt Traffic for Analysis," to learn about current methods of decryption available for the hybrid enterprise.

3. Conform to leading security frameworks.

    Even if your organization has created a security strategy that aligns with leading frameworks like MITRE ATT&CK or CIS Top 20 Controls, there's no guarantee that it will work in a cloud or hybrid environment. Once workloads are migrated to the cloud, enterprises often lose visibility into them.

    Solutions that support passive monitoring of application traffic enable enterprises to conform to security frameworks, even if their IT landscape is cloud-based. For instance, passive monitoring products support:

    • Asset inventories, which are covered in CIS Controls 1 and 2, as well as MITRE ATT&CK T1133
    • Internal visibility and lateral movement detection, which are covered in MITRE ATT&CK TA0008
    • Resource hijacking in the cloud, which is covered in MITRE ATT&CK T1496

4. Leverage machine learning for more efficient security teams and fewer false positives.

    Cloud migration (when and how to migrate, along with how best to handle post-migration growing pains) is still an ongoing conversation for many organizations, and the transition to cloud-based systems seems unlikely to slow down.

    One major source of stress for security teams during this process is the fact that developers can move incredibly quickly in the cloud, and security teams don't necessarily have the resources to keep up. Tools with advanced machine learning capabilities can help detect real threats faster, automate much of the investigation process, and can even help to automate response.

    Read this blog for information on how to apply machine learning to specific cybersecurity use cases like automated threat prioritization, prescriptive next steps, and more.
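
The passive inventory described in point 1 can be sketched as follows. This is an added example, not code from the original article: it assumes AWS VPC Flow Logs in the default version 2 format as the passive source, and the sample records, the declared inventory, the VPC CIDR and the ephemeral-port floor are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) AWS VPC Flow Logs record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not from the original article).
SAMPLE_FLOWS = """\
2 123456789012 eni-0a1 10.0.1.15 10.0.2.20 49152 5432 6 12 4096 1575500000 1575500060 ACCEPT OK
2 123456789012 eni-0a2 10.0.2.20 10.0.1.15 5432 49152 6 10 8192 1575500000 1575500060 ACCEPT OK
2 123456789012 eni-0b1 198.51.100.7 10.0.1.15 51000 443 6 20 9000 1575500000 1575500060 ACCEPT OK
2 123456789012 eni-0b1 10.0.2.20 10.0.1.15 41000 8080 6 8 1200 1575500000 1575500060 ACCEPT OK
2 123456789012 eni-0c1 10.0.1.15 10.0.3.99 50222 6379 6 5 700 1575500000 1575500060 ACCEPT OK
2 123456789012 eni-0b1 203.0.113.9 10.0.1.15 40000 22 6 1 40 1575500000 1575500060 REJECT OK
2 123456789012 eni-0d1 - - - - - - - 1575500000 1575500060 - NODATA
"""

# Hypothetical declared inventory: address -> ports it is expected to serve.
DECLARED = {"10.0.1.15": {443}, "10.0.2.20": {5432}, "10.0.4.5": {25}}
INTERNAL = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC CIDR
EPHEMERAL_MIN = 32768                            # assumed client-port floor


def parse(line):
    """Return a field dict, or None for short lines and NODATA/SKIPDATA records."""
    rec = dict(zip(FIELDS, line.split()))
    return rec if len(rec) == len(FIELDS) and rec["log_status"] == "OK" else None


def observed_services(text):
    """Map internal address -> ports it was seen accepting traffic on."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # rejected flows show probing, not a reachable service
        sport, dport = int(rec["srcport"]), int(rec["dstport"])
        # Heuristic: the low-port side of a client/server pair is the service.
        if (dport < EPHEMERAL_MIN <= sport
                and ipaddress.ip_address(rec["dstaddr"]) in INTERNAL):
            seen[rec["dstaddr"]].add(dport)
    return dict(seen)


def inventory_gaps(seen, declared):
    """Compare observed services with the declared inventory."""
    unknown_assets = sorted(set(seen) - set(declared))
    undeclared = {ip: sorted(ports - declared[ip])
                  for ip, ports in seen.items()
                  if ip in declared and ports - declared[ip]}
    silent = sorted(ip for ip in declared if ip not in seen)
    return unknown_assets, undeclared, silent


if __name__ == "__main__":
    print(inventory_gaps(observed_services(SAMPLE_FLOWS), DECLARED))
```

The three results are assets serving traffic that the inventory does not list, listed assets serving ports nobody declared, and listed assets that produced no traffic in the window; each is a separate follow-up for the inventory owner.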
