Five Best Practices

for Cloud Security

Cloud security is a fundamentally new landscape for many companies.

While many security principles remain the same as on-premises,
the implementation is often very different. This overview provides
a snapshot of five best practices for cloud security: identity and access
management, security posture management, apps and data security,
threat protection and network security.

Strengthen Improve security Secure apps Mitigate Protect the

access control posture and data threats network

1 Strengthen access control

Traditional security measures are not enough to defend against modern security
attacks. Today’s best practice is to ‘assume breach’ and protect as though the
attacker has breached the network perimeter. A Zero Trust approach that verifies
and secures every identity, validates device health, enforces least-privilege access
and captures and analyses telemetry is therefore a new security mandate.

Institute multi-factor Enforce Conditional Ensure least

authentication Access policies privilege access

Provide another layer of security Master the balance between Simplify access management
by requiring two or more of the security and productivity in multi-cloud environments
following authentication methods: by factoring how a resource with unified cross-cloud
is accessed into access control visibility into all permissions and
• Something you know (typically
decisions. Implement automated identities and automate least
a password)
access control decisions for privilege policy enforcement
accessing your cloud apps that consistently to protect your
• Something you have (a trusted
are based on conditions. most sensitive cloud resources.
device that is not easily
duplicated, like a phone)

• Something you are (biometrics)

2 Improve your security posture

With the dynamic nature of the cloud and ever-growing landscape of workloads and other
resources, it can be difficult to understand your company’s security state in the cloud. Make sure
you have the tools you need to assess your current environments, identify risks and mitigate them.

Assess and strengthen Educate Collaborate with your

your current posture stakeholders DevOps team on policies

Secure score in Microsoft Track your secure score Involve your DevOps teams
Defender for Cloud offers progress over time and create in your security strategy.
hundreds of out-of-the-box rich, interactive reports that you Help them understand and
recommendations mapped can share with key stakeholders implement key policies and
to industry best practices and to demonstrate how your deploy application security
regulatory standards. security team is continually at the beginning of the
improving the organisation’s development lifecycle.
cloud security posture.

3 Secure apps and data

Protect data, apps and infrastructure through a layered, defence-in-depth strategy
across identity, data, hosts and networks.

Encryption Share the responsibility

Encrypt data at rest and in transit, and When a company operates primarily on premises,
consider also encrypting data at use with it owns the whole stack and is responsible for its
confidential computing technologies. own security. Depending on how you use the cloud,
your responsibilities change, with some responsibilities
moving to your cloud provider.

• Infrastructure-as-a-Service (IaaS): For applications

running in virtual machines, more of the burden
Follow security best practices is on the IT organisation to ensure that both the
application and OS are secure.
Ensure your open-source dependencies do not have
vulnerabilities. Additionally, train your developers • Platform-as-a-Service (PaaS): As you move
in security best practices such as Security Development to cloud-native PaaS, cloud providers like
Lifecycle (SDL). Microsoft will take more of the security
responsibility at the OS level.

• Software-as-a-Service (SaaS): At the SaaS level,

more responsibility shifts away from the IT
organisation. See the shared responsibility model.

4 Defend against threats

Operational security posture – protect, detect and respond – should
be informed by security intelligence to identify rapidly evolving threats early
so you can respond quickly.

Enable detection for Integrate threat Modernize your security information

all resource types intelligence and event management (SIEM)

Ensure threat detection is Use a cloud provider that Consider a cloud-native SIEM
enabled for virtual machines, integrates threat intelligence and that scales with your needs,
containers, databases, storage, provides the necessary context, uses AI to reduce noise and
IoT and your other resources. relevance and prioritisation for requires no infrastructure.
Microsoft Defender for Cloud you to make faster, better and
has built-in threat detection that more proactive decisions.
supports all major Azure and
AWS resource types.

5 Protect the network

The network security landscape is rapidly transforming. To keep pace with
the changes, your security solutions must meet the challenges of the evolving
threat landscape and make it more difficult for attackers to exploit networks.

Keep strong Enable distributed denial- Create a micro-

firewall protection of-service (DDoS) protection segmented network

Setting up your firewall is still Protect web assets and networks A flat network makes it easier
important, even with identity from malicious traffic targeting for attackers to move laterally.
and access management. You application and network layers Familiarise yourself with
need controls in place to protect to maintain availability and concepts like virtual networking,
the perimeter, detect hostile performance while containing subnet provisioning and
activity and build your response. operating costs. IP addressing. Use micro-
A web application firewall (WAF) segmentation and embrace the
protects web apps from common concept of micro-perimeters to
exploits like SQL injection and support zero-trust networking.
cross-site scripting.

What’s next?
Are you looking to strengthen the security
of your cloud workloads?

Get expert guidance through the Azure Migration and Modernisation Programme

© 2022 Microsoft Corporation. All rights reserved. This document is provided ‘as-is’. Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any
legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.