← Patterns / SP-011

Cloud Computing Pattern

Cloud computing has fundamentally changed how organisations provision, operate, and secure their IT infrastructure. What was once a nascent concept when this pattern was first published has become the dominant deployment model for enterprises of all sizes. The shift from on-premises to cloud does not eliminate security requirements -- it redistributes them across a shared responsibility model where the cloud provider secures the infrastructure layer and the customer secures their workloads, data, configurations, and access controls. The security challenges of cloud computing are distinct from traditional on-premises environments. Organisations must trust a third party with their data and processing, often across jurisdictions with different legal and regulatory frameworks. Multi-tenancy means that a misconfigured storage bucket or overly permissive IAM policy can expose data not just within the organisation but to the entire internet. The speed and ease of provisioning -- a core benefit of cloud -- also means that misconfigurations can propagate at scale, shadow IT can flourish, and cost overruns from cryptomining attacks can materialize in hours. This pattern addresses security across all three service models. In Infrastructure as a Service (IaaS), the customer is responsible for operating system hardening, network segmentation via VPCs and security groups, encryption of data at rest and in transit, and patch management. In Platform as a Service (PaaS), the provider manages the runtime but the customer must secure application code, access controls, and data. In Software as a Service (SaaS), the customer's control is limited to configuration, user management, and data governance -- but the risk of data loss or exposure remains squarely with the customer. Provider assurance is a critical dimension. Organisations must evaluate cloud providers against recognised frameworks (SOC 2, ISO 27001, CSA STAR) and maintain ongoing oversight through continuous monitoring, contractual obligations, and right-to-audit clauses. The concentration of workloads with a small number of hyperscale providers creates systemic risk that must be addressed through multi-cloud strategy, data portability planning, and exit strategy documentation. Identity and access management in cloud environments is more complex than in traditional infrastructure. Federation across multiple providers, service accounts with programmatic access, temporary credentials, cross-account roles, and the explosion of fine-grained permissions (AWS alone has over 15,000 IAM actions) create an attack surface that requires dedicated tooling and governance. The principle of least privilege is easy to state and extraordinarily difficult to implement at cloud scale.
Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-06
Assess
ATT&CK This pattern addresses 461 techniques across 13 tactics View on ATT&CK Matrix →
08-02-Pattern_011_15_Cloud_Computing.svgOSA is licensed according to Creative Commons Share-alike.Please see:http://www.opensecurityarchitecture.org/community/license-terms. Provisioning and ConfigurationManagement Infrastructure Monitoring, Logging, Loadand Performance Testing Security services(PKI, Auth, Azn, Federation) Actor: End Users Actor: Developer Actor: IT Manager SDLC Actor: Business Mgr Actor: Architect Actor: 3rd Party Auditor Applications Cloud Service Provider Cloud Service Provider Cloud Service Provider Cloud Service Providers Platforms AC-01 Access ControlPolicies and Proced.. AC-02 Account Management AC-03 Access Enforcement AC-04 Information FlowEnforcement AC-13 Supervision AndReview -- Access Co.. AT-01 Security AwarenessAnd Training Policy.. AT-02 Security Awareness AU-06 Audit Monitoring,Analysis, And Repor.. CA-01 Certification,Accreditation, And .. CA-03 Information SystemConnections CA-07 ContinuousMonitoring CM-01 ConfigurationManagement Policy A.. CM-02 BaselineConfiguration CM-03 ConfigurationChange Control CM-04 MonitoringConfiguration Chang.. CM-05 Access RestrictionsFor Change CP-01 ContingencyPlanning Policy And.. IA-01 Identification AndAuthentication Poli.. IA-02 User IdentificationAnd Authentication IA-03 DeviceIdentification And .. IA-05 AuthenticatorManagement IR-01 Incident ResponsePolicy And Procedur.. PL-01 Security PlanningPolicy And Procedur.. PS-06 Access Agreements PS-07 Third-PartyPersonnel Security RA-03 Risk Assessment RA-04 Risk AssessmentUpdate SA-01 System And ServicesAcquisition Policy .. SA-03 Life Cycle Support SA-09 ExternalInformation System .. SA-10 DeveloperConfiguration Manag.. SA-11 Developer SecurityTesting SC-01 System AndCommunications Prot.. SC-02 ApplicationPartitioning SC-03 Security FunctionIsolation SC-04 Information Remnance SC-06 Resource Priority SC-11 Trusted Path SC-12 Cryptographic KeyEstablishment And M.. SI-02 Flaw Remediation SI-04 Information SystemMonitoring Tools An.. AT-03 Security Training SA-02 Allocation OfResources SA-04 Acquisitions SA-05 Information SystemDocumentation SC-05 Denial Of ServiceProtection SC-07 Boundary Protection SC-08 TransmissionIntegrity SC-09 TransmissionConfidentiality SC-18 Mobile Code SI-03 Malicious CodeProtection CA-02 Security Assessments CA-04 SecurityCertification CA-06 SecurityAccreditation In-house orCloud Service Provider Billing &Usage ControlSystem Architects & Mgrs agree on baseline, map to providers control framework and agree onminimal set of metrics / observables

Click any control badge to view its details. Download SVG

Key Control Areas

  • Access Control and Identity Federation (AC-01, AC-02, AC-03, AC-04, AC-13): Cloud environments require rigorous access control that spans both the cloud provider's management plane and the customer's workloads. AC-02 (Account Management) is critical because cloud accounts proliferate rapidly -- service accounts, machine identities, cross-account roles, and federated users all need lifecycle management. AC-03 (Access Enforcement) must be implemented at multiple layers: IAM policies on cloud resources, network-level security groups and NACLs, application-level authorisation, and data-level access controls. AC-04 (Information Flow Enforcement) addresses the need to control data movement between cloud regions, accounts, and services -- preventing unintended data exfiltration through misconfigured S3 buckets, overly permissive API gateways, or unrestricted egress rules. AC-13 (Supervision And Review) requires regular access reviews and entitlement audits, which in cloud environments should be automated using cloud-native tools (AWS IAM Access Analyzer, Azure AD Access Reviews, GCP IAM Recommender) to identify unused permissions and overly broad policies.
  • Security Awareness for Cloud (AT-01, AT-02, AT-03): Cloud security failures are overwhelmingly caused by human error -- misconfiguration, not exploitation. AT-02 (Security Awareness) must include cloud-specific content: the shared responsibility model, the consequences of public storage buckets, the risks of hard-coded credentials in code repositories, and the importance of enabling MFA on all cloud console accounts. AT-03 (Security Training) must be role-specific: cloud architects need training on secure VPC design and encryption configuration; developers need training on secrets management and secure CI/CD pipelines; operations teams need training on cloud-native monitoring and incident response. AT-01 (Policy And Procedures) should establish clear cloud security policies covering acceptable use of cloud services, approved providers, data classification requirements for cloud storage, and the process for provisioning new cloud resources.
  • Continuous Monitoring and Assessment (CA-01, CA-02, CA-03, CA-04, CA-06, CA-07, AU-06): The dynamic nature of cloud infrastructure makes point-in-time assessments insufficient. CA-07 (Continuous Monitoring) is arguably the most important control in cloud security -- implement cloud security posture management (CSPM) tools that continuously evaluate configurations against security baselines and alert on drift. CA-02 (Security Assessments) should include cloud-specific penetration testing (within provider terms of service) and architecture reviews of VPC designs, IAM policies, and encryption configurations. CA-03 (Information System Connections) addresses the proliferation of connections between cloud accounts, on-premises networks (via VPN or Direct Connect), SaaS applications, and third-party integrations -- each connection is a potential attack path. AU-06 (Audit Monitoring) requires centralised log aggregation from CloudTrail, CloudWatch, Azure Monitor, or GCP Cloud Logging with automated analysis for indicators of compromise such as root account usage, security group modifications, or unusual API call patterns.
  • Configuration Management and Infrastructure as Code (CM-01, CM-02, CM-03, CM-04, CM-05): Cloud infrastructure should be defined and deployed as code (Terraform, CloudFormation, Pulumi), making CM-02 (Baseline Configuration) enforceable and auditable through version-controlled templates. CM-03 (Configuration Change Control) is implemented through pull request workflows on infrastructure code, with automated security scanning (Checkov, tfsec, cfn-nag) in the CI pipeline to catch misconfigurations before deployment. CM-04 (Monitoring Configuration Changes) leverages cloud-native change tracking (AWS Config, Azure Policy, GCP Security Command Center) to detect and alert on configuration drift from approved baselines. CM-05 (Access Restrictions For Change) ensures that only authorised pipelines and personnel can modify production infrastructure, typically through break-glass procedures for emergency changes and automated deployment for standard changes.
  • Identity and Authentication (IA-01, IA-02, IA-03, IA-05): Authentication in cloud environments is more complex than traditional infrastructure because of the variety of identity types. IA-02 (User Identification And Authentication) must enforce MFA for all human access to cloud management consoles and APIs -- compromised cloud credentials without MFA protection are a leading cause of cloud breaches. IA-03 (Device Identification And Authentication) extends to cloud workloads themselves: instance metadata services, workload identity federation, and service mesh authentication (mTLS) ensure that only authorised compute resources can communicate with each other. IA-05 (Authenticator Management) must address the lifecycle of API keys, access tokens, service account credentials, and secrets -- these should be stored in dedicated secrets managers (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault), rotated automatically, and never committed to source code repositories.
  • Vendor Management and External Services (SA-01, SA-02, SA-03, SA-04, SA-05, SA-09, SA-10, SA-11, PS-06, PS-07): Cloud computing is fundamentally an outsourcing arrangement, making the SA family critical. SA-09 (External Information System Services) requires formal agreements defining security responsibilities, data handling obligations, breach notification procedures, and service level commitments. SA-04 (Acquisitions) should include security evaluation criteria when selecting cloud providers and services. SA-11 (Developer Security Testing) must extend to cloud-native application code, serverless functions, container images, and infrastructure templates. PS-06 (Access Agreements) and PS-07 (Third-Party Personnel Security) ensure that cloud provider personnel with access to customer environments meet security requirements. The organisation should maintain a current inventory of all cloud services consumed, their data classification, and their compliance status.
  • Communications Protection and Data Security (SC-01, SC-02, SC-03, SC-04, SC-05, SC-06, SC-07, SC-08, SC-09, SC-11, SC-12, SC-18, SI-02, SI-03, SI-04): Cloud networking requires defence in depth. SC-07 (Boundary Protection) is implemented through VPC architecture, security groups, NACLs, and private endpoints that eliminate public internet exposure for backend services. SC-08 (Transmission Integrity) and SC-09 (Transmission Confidentiality) require encryption in transit for all inter-service communication, typically via TLS or VPN tunnels for hybrid connectivity. SC-12 (Cryptographic Key Management) is particularly important in cloud -- customer-managed keys (CMK) versus provider-managed keys, key rotation policies, and cross-region key replication all require careful design. SC-04 (Information Remnance) addresses data sanitisation when decommissioning cloud resources -- ensuring that EBS volumes, S3 objects, and database snapshots are properly purged. SI-02 (Flaw Remediation) requires patching strategies appropriate to each service model: OS patching for IaaS, dependency updates for PaaS, and configuration reviews for SaaS. SI-04 (Information System Monitoring) must cover network flow logs, DNS query logs, and anomaly detection across the cloud estate.

When to Use

Any organisation that consumes cloud services for production workloads, development and testing, data storage, or SaaS applications. This pattern applies whether the organisation uses a single cloud provider or multi-cloud strategy, and regardless of service model (IaaS, PaaS, SaaS). It is essential for organisations migrating workloads from on-premises to cloud, adopting cloud-native architectures (containers, serverless, microservices), or evaluating cloud providers for regulated workloads subject to compliance requirements such as PCI DSS, HIPAA, SOX, or GDPR.

When NOT to Use

Organisations that operate entirely on-premises with no cloud service consumption, including SaaS, may not need this pattern. However, this is increasingly rare -- even organisations with strict on-premises policies typically consume SaaS services (email, collaboration, HR systems) that fall under this pattern's scope. The pattern should not be applied without first completing a data classification exercise to understand what data will be stored in cloud environments and what regulatory constraints apply.

Typical Challenges

The shared responsibility model is widely misunderstood. Organisations frequently assume that 'moving to the cloud' transfers security responsibility to the provider, when in practice the customer remains responsible for data protection, access control, and application security in all service models. Cloud misconfigurations are the leading cause of cloud data breaches -- public S3 buckets, overly permissive security groups, disabled logging, and unencrypted storage are discovered by automated scanners constantly probing cloud provider IP ranges. Identity and access management complexity grows exponentially with cloud adoption: cross-account access, service account sprawl, overprivileged roles, and the challenge of implementing least privilege across thousands of fine-grained permissions. Vendor lock-in is a strategic risk -- data portability, API compatibility, and the cost of migration make provider changes expensive and disruptive. Compliance in multi-region deployments requires understanding data sovereignty laws, which vary by jurisdiction and change frequently. Shadow IT flourishes when cloud services are easy to provision with a credit card, bypassing security review processes. Cost management intersects with security when cryptomining attackers exploit compromised credentials to provision expensive compute resources.

Threat Resistance

This pattern addresses cloud-specific threats including: misconfiguration of cloud resources exposing data to public access; credential compromise enabling unauthorised access to cloud management planes; insider threats from both the customer organisation and the cloud provider; data exfiltration through overly permissive egress rules or compromised API keys; denial of service attacks targeting cloud-hosted applications; supply chain attacks through compromised container images, serverless dependencies, or infrastructure modules; cross-tenant attacks exploiting vulnerabilities in the cloud provider's isolation mechanisms; cryptojacking where attackers use compromised cloud accounts to mine cryptocurrency; data sovereignty violations from unintended data replication across jurisdictions; and loss of availability from cloud provider outages or account suspension.

Assumptions

The organisation has evaluated and selected cloud service providers based on documented security and compliance requirements. A shared responsibility model is understood and formally documented, with clear delineation of which controls are the provider's responsibility and which are the customer's. Network connectivity between on-premises and cloud environments (if applicable) uses encrypted tunnels or dedicated connections. The organisation has personnel with cloud security skills or is investing in upskilling. Data classification exists and informs decisions about which data can be stored in which cloud environments and regions.

Developing Areas

  • Cloud-Native Application Protection Platforms (CNAPP) are consolidating previously separate capabilities -- CSPM, CWPP, CIEM, and cloud code security -- into unified platforms, but the market is still in flux. Vendors like Wiz, Prisma Cloud, and Orca each take different architectural approaches (agentless vs agent-based, graph-based vs policy-based), and organisations struggle to evaluate which capabilities are genuinely integrated versus bolted-on acquisitions. The risk of consolidation fatigue is real: organisations deploy a CNAPP expecting comprehensive coverage but discover gaps that require supplementary point solutions.
  • Cloud-native identity federation complexity is increasing as organisations operate across multiple cloud providers, SaaS applications, and on-premises identity stores. The number of machine identities (service accounts, workload identities, API keys) now exceeds human identities by a factor of 10-45x in typical cloud environments, and tools for managing this machine identity sprawl are immature. Cross-cloud identity federation (AWS roles assuming Azure managed identities, GCP workload identity federation with external providers) introduces trust chains that are difficult to audit and easy to misconfigure.
  • Sovereign cloud requirements driven by EU data sovereignty regulations, Schrems II implications, and national security concerns are fragmenting the cloud market. Hyperscale providers are responding with sovereign cloud offerings (AWS European Sovereign Cloud, Microsoft Cloud for Sovereignty, Google Distributed Cloud), but these come with reduced service availability, higher costs, and operational complexity. Organisations operating across jurisdictions must navigate an increasingly complex matrix of data residency, operational residency, and encryption key sovereignty requirements that existing cloud security frameworks do not fully address.
  • Cloud Detection and Response (CDR) is emerging as a distinct discipline that applies detection engineering principles specifically to cloud control plane events. Unlike traditional EDR which monitors endpoint behaviour, CDR analyses CloudTrail, Azure Activity Log, and GCP Audit Log events to detect attacker techniques such as privilege escalation through IAM policy manipulation, persistence via backdoor role creation, and defence evasion through log disabling. The tooling is maturing rapidly (Vectra AI, Lacework, native cloud provider offerings) but detection rule libraries are still being developed, and cloud-specific threat intelligence is less mature than endpoint threat intelligence.
  • The intersection of FinOps and cloud security is creating a new operational challenge. Cryptomining attacks that exploit compromised cloud credentials can generate tens of thousands of dollars in compute costs within hours, and cost anomaly detection is increasingly viewed as a security detection mechanism. Conversely, aggressive cost optimisation (shutting down logging, deleting snapshots, reducing instance sizes) can inadvertently weaken security controls. Organisations are beginning to recognise that FinOps and CloudSecOps teams need shared visibility and coordinated policies, but the tooling and processes for this integration are nascent.
AC: 5AT: 3AU: 1CA: 6CM: 5CP: 1IA: 4IR: 1PL: 1PS: 2RA: 2SA: 8SC: 12SI: 3
AC-01 Access Control Policies and Procedures
AC-02 Account Management
AC-03 Access Enforcement
AC-04 Information Flow Enforcement
AC-13 Supervision And Review -- Access Control
AT-01 Security Awareness And Training Policy And Procedures
AT-02 Security Awareness
AT-03 Security Training
AU-06 Audit Monitoring, Analysis, And Reporting
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
CA-02 Security Assessments
CA-03 Information System Connections
CA-04 Security Certification
CA-06 Security Accreditation
CA-07 Continuous Monitoring
CM-01 Configuration Management Policy And Procedures
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-04 Monitoring Configuration Changes
CM-05 Access Restrictions For Change
CP-01 Contingency Planning Policy And Procedures
IA-01 Identification And Authentication Policy And Procedures
IA-02 User Identification And Authentication
IA-03 Device Identification And Authentication
IA-05 Authenticator Management
IR-01 Incident Response Policy And Procedures
PL-01 Security Planning Policy And Procedures
PS-06 Access Agreements
PS-07 Third-Party Personnel Security
RA-03 Risk Assessment
RA-04 Risk Assessment Update
SA-01 System And Services Acquisition Policy And Procedures
SA-02 Allocation Of Resources
SA-03 Life Cycle Support
SA-04 Acquisitions
SA-05 Information System Documentation
SA-09 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing
SC-01 System And Communications Protection Policy And Procedures
SC-02 Application Partitioning
SC-03 Security Function Isolation
SC-04 Information Remnance
SC-05 Denial Of Service Protection
SC-06 Resource Priority
SC-07 Boundary Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment And Management
SC-18 Mobile Code
SI-02 Flaw Remediation
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques