There are five broad groups of security measures that need to be in place in order to defend and protect a cloud-based IT Service effectively. These measures primarily revolve around preventing and handling security incidents. The maturity of these security measures is a key factor in the overall maturity of your cloud security management program.
PREVENTIVE CLOUD SECURITY MEASURES
Preventive security measures are used to prevent a security incident from occurring. This is akin to making sure that in your home every door has a bolt and every window is locked. Firewalls, identity and access management, access control lists, and web application firewalls are the security measures most commonly implemented. In a cloud environment, it can be challenging to ensure that every cloud asset is properly secured, given the dynamic and fluid nature of cloud resources. It is imperative that every cloud asset is identified and adequately protected. Some key questions to consider are: Does every server have firewall rules appropriate for its role? Am I identifying newly added resources to protect, and am I still protecting assets that no longer exist? Do all logins use multi-factor authentication? Is every web application protected with a web application firewall?
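The three asset-coverage questions above (role-appropriate firewall rules, newly added and no-longer-existing assets, MFA on every login) can be answered mechanically from an inventory snapshot. The following audit is an added example, not code from the original paper; its policy, inventory and login data are constructed inline, and a real audit would pull them from the cloud provider's inventory and identity APIs.

```python
"""Protection-coverage audit for a cloud account (added example, not from the
original paper; all inventory, policy and login data are constructed inline)."""
from dataclasses import dataclass

# Constructed policy: the firewall rules each server role must carry.
REQUIRED_RULES = {
    "web": {"allow tcp/443 from any", "deny all"},
    "db": {"allow tcp/5432 from 10.0.0.0/8", "deny all"},
}

@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    rules: frozenset  # firewall rules currently attached to the asset

def audit(inventory, tracked, logins):
    """Answer the preventive-measure questions for one account snapshot.
    inventory: assets discovered live in the account.
    tracked:   names of assets the security tooling currently protects.
    logins:    login name -> whether MFA is enforced for it."""
    live = {a.name for a in inventory}
    findings = {
        "unprotected_new": sorted(live - tracked),   # added, never protected
        "stale_protection": sorted(tracked - live),  # protected, no longer exists
        "missing_rules": {},                         # asset -> required rules absent
        "no_mfa": sorted(n for n, mfa in logins.items() if not mfa),
    }
    for asset in inventory:
        # A role without a documented rule policy is itself a finding.
        required = REQUIRED_RULES.get(asset.role, {"<no policy for this role>"})
        missing = required - asset.rules
        if missing:
            findings["missing_rules"][asset.name] = sorted(missing)
    return findings

def run_demo():
    """Constructed snapshot: web-2 was added without protection and lacks its
    deny-all rule, web-old is decommissioned but still tracked, one login has no MFA."""
    inventory = [
        Asset("web-1", "web", frozenset(REQUIRED_RULES["web"])),
        Asset("web-2", "web", frozenset({"allow tcp/443 from any"})),
        Asset("db-1", "db", frozenset(REQUIRED_RULES["db"])),
    ]
    return audit(inventory, {"web-1", "db-1", "web-old"},
                 {"alice": True, "svc-deploy": False})
```

Running the audit on every inventory refresh turns the four questions into a report that is empty only when all assets are covered.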
REDUCTIVE CLOUD SECURITY MEASURES
Reductive security measures are actions taken in advance to reduce the impact or damage of a security incident. These are proactive measures that support corrective security measures. Typical examples include taking timely backups to support restoring data that have been compromised (e.g. altered financial data), documenting network ACL settings, and maintaining and testing contingency plans. In a cloud environment, this requires taking timely snapshots of data and boot volumes, enabling easy access to those snapshots, documenting the authorized settings of cloud firewall rules and network ACLs, and having a well understood and documented cloud security action plan to invoke when a security breach is detected. Some key questions to consider are: Does my backup/restore process support my security recovery requirements? Am I considering all possible security incident scenarios?
DETECTIVE CLOUD SECURITY MEASURES
Detective cloud security measures are designed to detect or discover security incidents. Unfortunately, some security incidents are discovered months, or even years, after the initial breach. Detecting a breach early minimizes the potential damage from a security incident, so ongoing and automated monitoring is key to detecting security incidents. Traditional security solutions include Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), and log data management. In a cloud environment these security mechanisms must work at scale and across multiple layers: network, server, and application. Correlation rules and cross-domain correlation systems are needed to detect well-known security signatures and also to identify atypical behavior that may be an indicator of a new type of security breach. Some key questions to consider are: Can I get access to well-known security signatures? Am I up to date on the latest security hacking techniques? Can I detect changes to my key assets in real time?
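The reductive measure of documenting the authorized firewall and network ACL settings and the detective question "Can I detect changes to my key assets in real time?" meet in one check: diff the live rules against the documented baseline on every refresh. The following drift detector is an added example, not code from the original paper; the baseline document and the live rule set are constructed inline, where a real deployment would load the baseline from version control and fetch live rules from the provider API.

```python
"""Drift detection for cloud firewall / network ACL rules (added example, not
from the original paper; baseline and live rule sets are constructed inline)."""
import json

# The documented, authorized rules per asset (the reductive measure). In practice
# this document lives in version control; here it is constructed inline.
BASELINE_JSON = """{
  "web-1": [["tcp", 443, "0.0.0.0/0", "allow"], ["tcp", 22, "10.0.1.0/24", "allow"]],
  "db-1":  [["tcp", 5432, "10.0.0.0/8", "allow"]]
}"""

def load_rules(doc):
    """Parse a rules document into {asset: set of (proto, port, cidr, action)}."""
    return {asset: {tuple(r) for r in rules} for asset, rules in json.loads(doc).items()}

def diff_rules(baseline, live):
    """Report every asset whose live rules differ from the documented baseline.
    "exposed" lists added allow rules open to the whole internet, the kind of
    change that needs immediate attention rather than a weekly review."""
    report = {}
    for asset in set(baseline) | set(live):
        want, have = baseline.get(asset, set()), live.get(asset, set())
        added, removed = have - want, want - have
        if added or removed:
            exposed = [r for r in added if r[2] == "0.0.0.0/0" and r[3] == "allow"]
            report[asset] = {"added": sorted(added), "removed": sorted(removed),
                             "exposed": sorted(exposed)}
    return report

def run_demo():
    """Constructed live snapshot: db-1 gained an internet-facing rule, web-1 lost
    its restricted SSH rule, and an undocumented asset tmp-3 appeared."""
    live = load_rules("""{
      "web-1": [["tcp", 443, "0.0.0.0/0", "allow"]],
      "db-1":  [["tcp", 5432, "10.0.0.0/8", "allow"], ["tcp", 5432, "0.0.0.0/0", "allow"]],
      "tmp-3": [["tcp", 3389, "0.0.0.0/0", "allow"]]
    }""")
    return diff_rules(load_rules(BASELINE_JSON), live)

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Feeding the report into the SIEM as an event per drifted asset makes the baseline document useful twice: as the record of what is authorized and as the reference that a restored asset is later validated against.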
REPRESSIVE CLOUD SECURITY MEASURES
Repressive security measures are used to counteract ongoing security incidents. Once a security incident is identified, an immediate repressive action is required to shut down the intruder and prevent further security breaches. This generally requires a combination of a security response team and automation tools. In a cloud environment, it is important to coordinate the quick deployment of repressive measures across your IT team, the cloud provider, and your security solution provider. Some key questions to consider are: Is my security team 24x7? Are they knowledgeable enough? Can decisive action be determined quickly and implemented effectively?
CORRECTIVE CLOUD SECURITY MEASURES
Corrective security measures are activated to repair any damage caused by an incident. Once an active security breach is halted, the damaged assets need to be restored as quickly and as thoroughly as possible. If proper reductive measures are already in place (see security measure #2), then the damaged assets can quickly be restored to a well-known and safe state. In a cloud environment, this may require restoring from snapshots or resetting the configuration of a resource. In some cases, it may be best to re-create the asset from configuration templates. Some key questions to consider are: How do I validate the recovered asset? How can I speed up the
These five security measure areas are meant to be integrated holistically across your IT organization, the cloud provider's environment, and your security solution provider. As elements of a comprehensive cloud security program, they will provide an effective defense against today's cloud security threats.
ITIL Service Design 2011 Edition, p. 197.