16 Cloud Security Best Practices

Gui Alvarenga - April 20, 2023

Cloud security has become a big priority to most organizations operating in the cloud, especially those in hybrid or multi-cloud environments. In this blog, we’ll look at 16 recommended cloud security best practices organizations can implement throughout their cloud adoption process to keep their environments secure from cyberattacks.

Why Is Cloud Security Important?

Organizations are adopting cloud platforms for their mission-critical workloads more than ever, thanks to the flexibility and efficiency provided by the cloud in comparison to traditional data centers.

One of an organization’s key concerns while embarking on a digital-transformation journey in the cloud is security, because cloud security entails a paradigm shift from traditional security solutions and approaches. In addition, security breaches and malware attacks are becoming commonplace in the cloud, as the threat vectors keep evolving every day. It’s therefore important to understand the constructs of security in the cloud, to implement the right tools and best practices to protect your cloud-hosted workloads, and to evolve the maturity of your security practices as your organization progresses along its cloud-adoption journey.

Learn More

Read this article to go in-depth into what cloud security is, why it is important, all the different types of solutions you can get, and more. Everything You Need to Know About Cloud Security

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

16 Cloud Security Best Practices

This is where all organizations start. When making the initial foray into the cloud, there are some non-negotiable security constructs that come into play.

What are the best practices for cloud security?

  1. Understand the Shared Responsibility Model
  2. Secure the Perimeter
  3. Monitor for Misconfigurations
  4. Use Identity & Access Management
  5. Enable Security Posture Visibility
  6. Implement Cloud Security Policies
  7. Secure Your Containers
  8. Perform Vulnerability Assessment and Remediation
  9. Implement Zero Trust
  10. Train Your Employees
  11. Use Log Management & Monitoring
  12. Conduct Penetration Testing
  13. Encrypt Your Data
  14. Meet Compliance Requirements
  15. Execute Your Incident Response Plan
  16. Leverage a Comprehensive Cloud Security Tool

1. Understand Shared Responsibility

All leading cloud service providers — AWS, Azure and GCP — follow a shared responsibility model when it comes to cloud security. While some of the aspects such as underlying hardware security are managed by the service provider, customers are expected to enable security at the infrastructure and application layer.

For infrastructure-as-a-service (IaaS) deployments, this includes securing the OS of any virtual machines by regularly applying patches, configuring its firewall, and enabling virus and malware protection, among other measures. In platform-as-a-service (PaaS) deployments, VM-level protection is the prerogative of the cloud provider. However, the customer must still manage application and data protection. With software-as-a-service (SaaS) deployments, the majority of security controls up until the application are managed by the cloud provider, while the customer handles usage and access policies.

It is crucial for your cloud service provider to review the shared responsibility matrix, presented below, and enable the relevant controls for your app using native or third-party security tools and services.

Application SecurityCSPUserUser
Platform SecurityCSPCSPUser
Endpoint SecurityUserUserUser
Data Security / Data ProtectionUserUserUser
Network SecurityCSPCSPUser
User SecurityUserUserUser
Containers and Cloud WorkloadsUserUserUser
APIs and MiddlewareCSPUserUser

2. Secure the Perimeter

As cloud networks are based on software defined networking (SDN), there is greater flexibility to implement multilayer security guard rails. You should start with a basic segmentation of workloads between different virtual networks and allow for only required communication between them. Additionally, restrict incoming traffic to your applications using network or application layer firewalls.

Attacks such as SQL injection, data exposure and cross-site scripting are some of the major application security concerns that a web application firewall (WAF) based on OWASP threat detection rules can help detect and protect against. A multilayer DDoS defense strategy is unavoidable to protect workloads from organized DDoS attacks in the cloud. All cloud service providers offer DDoS protection tools that can be integrated with your application frontend to detect and protect against such attacks.

An efficient firewall that can act as a gatekeeper against incoming threats and malicious attacks should be deployed at your network perimeter. These can be cloud-native firewall services or more advanced third-party tools that perform intrusion detection, packet inspection, traffic analysis and threat detection. You can also opt for a separate intrusion detection system (IDS) or intrusion prevention system (IPS) in the architecture to fortify the perimeter security of your cloud deployments.

3. Monitor for Misconfigurations

Successful infiltrations of cloud workloads are most often the result of service misconfigurations or manual configuration errors. Cloud security posture management (CSPM) solutions should be incorporated into your architecture to monitor for misconfigurations that could creep into your cloud deployment.

CSPM solutions add value by evaluating your deployments against a set of best practice guidelines. These could be organization-specific standards or aligned to leading security and compliance benchmarks. A secure score is provided that quantifies the current state of security of all your workloads in the cloud, with a healthy security score indicating a secure cloud deployment. These tools will also flag any deviations from standard practices so that customers can take the necessary corrective action.

4. Use Identity & Access Management

When it comes to your cloud workloads, control plane security is critical since it holds the keys to the kingdom. You will need to use identity and access management services native to your cloud platform to implement role-based, fine-grained access control to cloud resources.

Cloud platforms also provide tools for hassle-free integration of on-premises solutions like Active Directory with cloud-native identity and access management (IAM) services; this can provide users with a seamless single sign-on (SSO) experience for cloud-hosted workloads. When it comes to IAM controls, the rule of thumb is to follow the principle of least privilege, which means allowing required users to access only the data and cloud resources they need to perform their work.

Learn More

Meeting the needs of DevOps and the multiple clouds that companies now need to protect requires a unified platform that automates security controls and compliance for hosts and containers regardless of the cloud provider or deployment model. To get cloud security efforts cooking, organizations need the right ingredients for effective security.Blog: 3 Ingredients for Successful & Effective Cloud Security

5. Enable Security Posture Visibility

As the cloud landscape expands, the likelihood of breaches remaining unreported increases. Having the right tools in place will help achieve much-needed visibility into your security posture and enable proactive security management.

All leading cloud platforms have an advanced/premium tier of a native CSPM solution that can provide capabilities like detection of data exfiltration, event threat detection, IAM account hijacks and cryptomining, to name a few. However, note that these features are often limited to their respective cloud platforms. For hybrid or multi-cloud deployments, it is recommended to incorporate a specialized tool for enabling security posture visibility.

6. Implement Cloud Security Policies

Cloud security policies are defined to implement organization-wide restrictions to ensure security. For example, restrict workload deployment using public IPs, contain east-west traffic flow, or implement monitoring of container workload traffic patterns.

The implementation approach differs among service providers. In Azure, customers could use Azure policies, while in GCP, this can be done using organizational policies. The advantage of security policies is that they will auto-enforce the compliance standard across the board in cloud deployments.

7. Secure Your Containers

Container security involves both container and orchestration platform protection, with Kubernetes being the solution most often used in the cloud. You will need to create industry-standard security baselines for containerized workloads, with continuous monitoring and reporting of any deviations.

Organizations require tools that can detect malicious activities in containers, even those that happen during run time. The necessity of security technologies that enable visibility into container-related activities, as well as the detection and decommissioning of rogue containers, cannot be overstated. With the threat landscape always changing, it’s best to employ technologies that leverage advanced artificial intelligence (AI) and machine learning (ML) to detect malware without relying on signatures.

8. Perform Vulnerability Assessment & Remediation

You should have a real-time vulnerability scanning and remediation service to protect your workloads against virus and malware attacks. The service should be able to support workloads deployed in VMs as well as in containers.

Consider a vulnerability management solution that can continuously scan workloads for vulnerabilities, compile reports and present the results in dashboards, and auto-remediate problems where possible.

9. Implement a Zero Trust Approach

The Zero Trust (aka assume breach) approach is the gold standard for enabling cloud security. It entails not assuming any trust between services, even if they are within the organization’s security perimeter.

The main principles of a Zero Trust approach involve segmentation and allowing for only minimal communication between different services in an application. Only authorized identities should be used for this communication aligned with the principle of least privilege. Any communication that happens within or with outside resources should be monitored, logged and analyzed for anomalies. This applies to admin activities as well. Here, you can adopt either native or third-party monitoring and logging tools.

Learn More

The old saying is true: You can’t protect what you can’t see. As cloud environments become more complex and distributed, stitching together a comprehensive view of cloud activity is a vital part of enterprise security. Blog: 5 Cloud Security Must-Haves

10. Implement a Cybersecurity Training Program

There are great tools available to protect the cloud from different kinds of adversaries, but something many security leaders realized is that it is better to be proactive about cybersecurity.

A great starting point to incorporating cybersecurity into the organization’s culture and have it be a priority for employees and other stakeholders is to implement a comprehensive security training program for employees. Make sure the program includes the most common adversaries in your industry and how they perform their attacks.

Additionally, incorporate specific training designed to identify phishing attempts, since phishing is one of the most common ways hackers gain unauthorized access to a company’s network and potentially sensitive information.

11. Use Log Management and Continuous Monitoring

It is essential for companies to enable logging capabilities within their cloud infrastructure to ensure full visibility into the network and quickly identify unusual activity to remediate if necessary. Within your log management platform, ensure you turn on notifications so that you find out in real time about any unusual activity.

12. Conduct Penetration Testing

In addition to performing vulnerability assessments like described above, it is recommended organizations conduct penetration testing, also known as pentesting. An advantage of conducting pentests is to determine whether security measures currently in place are enough to protect your applications and environment. It is also known as “ethical hacking” because these white hat hackers act as adversaries to simulate a real-world attack.

Expert Tip

Explore CrowdStrike’s pentesting services to discover if your current cloud security efforts are sufficient to protect your cloud infrastructure. Explore: CrowdStrike Penetration Testing Services

13. Encrypt Your Data

Cloud data encryption is key to a robust cloud security strategy. It allows for a seamless and secure flow of data among cloud-based applications by concealing it to unauthorized users. Data should be encrypted in the cloud itself as well as when it is in transit to ensure optimal protection.

There are cloud providers that offer data encryption services. Some of them are free, others come at a cost, but whichever solution you decide to pursue, make sure it can be incorporated into your current organization processes to avoid bottlenecks and other inefficiencies.

14. Meet Compliance Requirements

As with any product, service, or process, cloud security solutions and strategies should have cloud and data compliance requirements top of mind. Staying compliant means you are meeting standards set by laws and regulations to ensure customer protection.

Depending on the industry, companies hold a whole lot of sensitive customer information such as card numbers, social security numbers, addresses, and health information. A strong cloud security solution or strategy is one that has compliance in mind through every step of the process.

Learn More

Explore the plethora of cloud security, governance, and compliance frameworks that will help your organization stay compliant with government and industry regulations. Read: Cloud Security Frameworks

15. Execute Your Incident Response Plan

When it comes to cybersecurity, organizations that have an incident response plan in the event of a breach are better equipped to remediate the situation, avoid operational disruptions, and recover any lost data.

Incident response plans are designed to ensure your security teams act in the most efficient manner in the event of an attack. Think of the plan as a remediation framework that should include strict roles and responsibilities so that each team member knows what they have to do in each scenario. Enable notifications so that your team is notified as fast as possible of the breach.

Expert Tip

Stop active breaches and accelerate digital forensic investigations with CrowdStrike Incident Response Services. Explore: CrowdStrike Incident Response Services

16. Stay Protected With CrowdStrike Falcon® Cloud Security

Leading cloud platforms provide native tools that can implement some of the above security controls. However, it is always recommended to complement native cloud security with advanced tools like those offered by CrowdStrike.

CrowdStrike offers unified cloud security posture management and breach prevention for workloads deployed across hybrid and multi-cloud environments. The Falcon Cloud Security solution provides much-needed visibility across multi-cloud deployments, monitors for misconfigurations, eliminates compliance violations and enables continuous protection from identity-based threats. It also provides comprehensive container security by identifying and remediating even the most discrete threats.

Your organization can also leverage the Falcon Cloud Security solution’s CWP capabilities to provide full breach protection for workloads, containers and Kubernetes, allowing you to quickly design, manage and secure cloud-native applications.


Guilherme (Gui) Alvarenga, is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.