search menu icon-carat-right cmu-wordmark

Cloud Security Best Practices Derived from Mission Thread Analysis

Technical Report
This report presents practices for secure, effective use of cloud computing and risk reduction in transitioning applications and data to the cloud, and considers the needs of limited-resource businesses.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2019-TR-003
DOI (Digital Object Identifier)
10.1184/R1/12363563.V1

Abstract

This report presents four important security practices that are practical and effective for improving the cybersecurity posture of cloud-deployed information technology (IT) systems. These practices help to address the risks, threats, and vulnerabilities that organizations face in deploying or moving applications and systems to a cloud service provider (CSP).

The practices address cloud security issues that consumers are experiencing, illustrated by several recent cloud security incidents. The report demonstrates the practices through examples using cloud services available from Amazon Web Service (AWS), Microsoft, and Google.

The presented practices are geared toward small and medium-sized organizations; however, all organizations, independent of size, can use these practices to improve the security of their cloud usage. The focus here is on hybrid deployments where some IT applications deploy or move to a CSP while other IT applications remain in the organization’s data center. Small and medium-sized organizations likely have limited resources; where possible, these practices describe implementation approaches that may be effective in limited-resource situations.

This report was updated in September 2021 to

  • Add two risk examples to Section 2
  • Add information about compliance with industry and government standards or regulations to Section 4
  • Update cloud service provider (CSP) tools and capabilities, where appropriate, in Section 4
  • Add a discussion of positives and negatives of multi-CSP strategies to Section 4

Cite This Technical Report

Morrow, T., LaPiana, V., Faatz, D., Hueca, A., & Richmond, N. (2021, September 2). Cloud Security Best Practices Derived from Mission Thread Analysis. (Technical Report CMU/SEI-2019-TR-003). Retrieved June 24, 2024, from https://doi.org/10.1184/R1/12363563.V1.

@techreport{morrow_2021,
author={Morrow, Timothy and LaPiana, Vincent and Faatz, Donald and Hueca, Angel and Richmond, Nathaniel},
title={Cloud Security Best Practices Derived from Mission Thread Analysis},
month={Sep},
year={2021},
number={CMU/SEI-2019-TR-003},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/12363563.V1},
note={Accessed: 2024-Jun-24}
}

Morrow, Timothy, Vincent LaPiana, Donald Faatz, Angel Hueca, and Nathaniel Richmond. "Cloud Security Best Practices Derived from Mission Thread Analysis." (CMU/SEI-2019-TR-003). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, September 2, 2021. https://doi.org/10.1184/R1/12363563.V1.

T. Morrow, V. LaPiana, D. Faatz, A. Hueca, and N. Richmond, "Cloud Security Best Practices Derived from Mission Thread Analysis," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2019-TR-003, 2-Sep-2021 [Online]. Available: https://doi.org/10.1184/R1/12363563.V1. [Accessed: 24-Jun-2024].

Morrow, Timothy, Vincent LaPiana, Donald Faatz, Angel Hueca, and Nathaniel Richmond. "Cloud Security Best Practices Derived from Mission Thread Analysis." (Technical Report CMU/SEI-2019-TR-003). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 2 Sep. 2021. https://doi.org/10.1184/R1/12363563.V1. Accessed 24 Jun. 2024.

Morrow, Timothy; LaPiana, Vincent; Faatz, Donald; Hueca, Angel; & Richmond, Nathaniel. Cloud Security Best Practices Derived from Mission Thread Analysis. CMU/SEI-2019-TR-003. Software Engineering Institute. 2021. https://doi.org/10.1184/R1/12363563.V1