What Is Cloud Security?
Cloud security is the discipline of protecting cloud computing environments — including infrastructure, platforms, applications, and data — from threats, misconfigurations, and compliance violations. It adapts traditional security principles to the dynamic, API-driven, shared-responsibility nature of cloud computing.
For compliance-driven organisations, cloud security is essential because regulators increasingly scrutinise how organisations protect data and systems hosted in cloud environments under ISO 27001, SOC 2, NIS2, and DORA.
Shared Responsibility Model
| Layer | IaaS (e.g., AWS EC2) | PaaS (e.g., Azure App Service) | SaaS (e.g., Salesforce) |
|---|---|---|---|
| Physical security | Provider | Provider | Provider |
| Network infrastructure | Provider | Provider | Provider |
| Virtualisation | Provider | Provider | Provider |
| Operating system | Customer | Provider | Provider |
| Runtime/middleware | Customer | Provider | Provider |
| Application | Customer | Customer | Provider |
| Data | Customer | Customer | Customer |
| Identity & access | Customer | Customer | Customer |
| Configuration | Customer | Customer | Customer |
Cloud Security Domains
| Domain | Description | Key Controls |
|---|---|---|
| Identity & access | Authentication, authorisation, privilege management | SSO, MFA, least privilege, JIT access |
| Data protection | Encryption, classification, data loss prevention | Encryption at rest/transit, DLP, key management |
| Network security | Segmentation, traffic filtering, DDoS protection | Security groups, WAF, private endpoints, VPN |
| Workload protection | Securing VMs, containers, serverless | CWPP, vulnerability scanning, runtime protection |
| Configuration management | Preventing and detecting misconfigurations | CSPM, infrastructure as code, policy as code |
| Logging & monitoring | Visibility into cloud activity and threats | Cloud-native logging, SIEM integration, alerting |
| Incident response | Detecting and responding to cloud incidents | Cloud IR playbooks, forensic readiness |
Cloud Security Architecture
| Component | Function | Examples |
|---|---|---|
| CSPM | Configuration compliance and risk assessment | Wiz, Orca, Prisma Cloud, AWS Security Hub |
| CWPP | Workload protection across compute types | CrowdStrike, Aqua, Sysdig |
| CNAPP | Unified cloud-native application protection | Wiz, Palo Alto Prisma Cloud |
| CASB | Shadow IT discovery and SaaS security | Netskope, Zscaler, Microsoft Defender for Cloud Apps |
| CIEM | Cloud identity and entitlement management | Ermetic (Tenable), CrowdStrike, Wiz |
| KMS | Encryption key management | AWS KMS, Azure Key Vault, HashiCorp Vault |
Cloud Security Controls
| Control | Description | Implementation |
|---|---|---|
| Encryption at rest | Encrypt all stored data | Provider-managed or customer-managed keys |
| Encryption in transit | Encrypt all data in motion | TLS 1.2+, mutual TLS for service-to-service |
| Least privilege IAM | Minimum required permissions | Role-based policies, regular access reviews |
| Network segmentation | Isolate workloads and environments | VPCs, security groups, private subnets |
| Logging | Record all API calls and changes | CloudTrail, Azure Activity Log, GCP Audit Logs |
| MFA enforcement | Multi-factor for all cloud access | FIDO2 for admins, conditional access policies |
| Infrastructure as code | Define infrastructure in version-controlled templates | Terraform, CloudFormation, Pulumi |
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Cloud service security | A.5.23 | CC6.1 | Art. 21(2)(d) | Art. 28-30 |
| Data protection | A.8.24 | CC6.1 | Art. 21(2)(d) | Art. 9(2) |
| Access control | A.8.2 | CC6.3 | Art. 21(2)(i) | Art. 9(4) |
| Logging & monitoring | A.8.15 | CC7.2 | Art. 21(2)(g) | Art. 10(2) |
| Supplier management | A.5.21 | CC9.2 | Art. 21(2)(d) | Art. 28 |
| Incident response | A.5.26 | CC7.4 | Art. 23 | Art. 17 |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| Cloud security policy | Documented policy covering all cloud environments | All frameworks |
| Shared responsibility matrix | Documented responsibilities per cloud provider/service | All frameworks |
| CSPM scan reports | Configuration compliance scan results | All frameworks |
| IAM access reviews | Evidence of cloud access rights reviews | All frameworks |
| Encryption configuration | Documentation of encryption at rest and in transit | All frameworks |
| Cloud provider contracts | Agreements covering security obligations | NIS2, DORA |
| Incident response playbooks | Cloud-specific incident response procedures | All frameworks |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| Not understanding shared responsibility | Security gaps where neither party manages controls | Document responsibilities per cloud service |
| Overly permissive IAM policies | Credential compromise leads to full account takeover | Implement least privilege, use IAM Access Analyzer |
| Public storage buckets | Data exposure and regulatory penalties | Enable bucket policies, block public access by default |
| No centralised logging | Cannot detect or investigate incidents | Aggregate all cloud logs into SIEM |
| Single-account architecture | Blast radius of compromise affects everything | Use multi-account strategy with isolation boundaries |
| Ignoring cloud provider changes | New features introduce unmanaged risk | Monitor provider change logs, update controls quarterly |
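Two of the mistakes above (overly permissive IAM policies and public storage buckets) are the kind of thing a CSPM or policy-as-code check catches before deployment. The following is an added example, not Orbiq's or any provider's code: a minimal checker over AWS-style policy JSON that flags wildcard Allow statements and unconditioned public principals. The sample policies and bucket name are constructed for illustration.

```python
# Added example: policy-as-code check for two common cloud misconfigurations.
# Flags IAM statements granting "*" actions on "*" resources and bucket
# policy statements that allow a public principal without a Condition.


def _as_list(value):
    """IAM JSON allows a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    # Principal "*" or {"AWS": "*"} means anyone, authenticated or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_findings(policy):
    """Return a list of (statement_index, issue) for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((i, "admin-wildcard"))       # full account takeover risk
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((i, "service-wildcard"))     # e.g. s3:* on everything
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((i, "public-principal"))     # public bucket exposure
    return findings


# Constructed sample policies (not from a real account).
OVERLY_PERMISSIVE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"}]}

if __name__ == "__main__":
    for name, pol in [("role", OVERLY_PERMISSIVE_ROLE), ("bucket", PUBLIC_BUCKET),
                      ("scoped", LEAST_PRIVILEGE)]:
        print(name, find_findings(pol))
```

Running such a check in CI against IaC-rendered policies gives the "CSPM scan reports" evidence listed later on this page a preventive counterpart.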
How Orbiq Supports Cloud Security Compliance
Orbiq helps you demonstrate cloud security controls:
- Evidence collection — Centralise cloud security policies, CSPM reports, and access reviews
- Continuous monitoring — Track cloud security posture across providers
- Trust Center — Share your cloud security controls via your Trust Center
- Compliance mapping — Map cloud controls to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review