Secure Controls Framework
Download The SCF

Cloud Security (CLD)

Domain Principle

Govern cloud services and environments through risk-based, cloud-native security, compliance and resilience practices aligned with shared responsibility obligations.

Domain Intent

Organizations govern private, public and hybrid cloud environments, including IaaS, PaaS and SaaS, to manage shared responsibility risks, third-party dependencies, architectural decisions, data protection, portability and resilience requirements.

Domain Guide

Cloud environments shift security responsibility without eliminating it. The shared responsibility model that cloud providers publish assigns infrastructure security to the provider and application and data security to the customer, but that boundary is widely misunderstood. The CLD domain exists to ensure organizations explicitly govern those responsibilities rather than assuming the provider handles more than it does.

 

The SCF's intent for CLD to cover IaaS, PaaS and SaaS under private, public and hybrid deployment models. That breadth reflects the actual diversity of cloud environments most organizations operate. A SaaS security posture requires different controls than an IaaS deployment; a hybrid environment introduces third-party dependency risks on top of both. The intent addresses data protection, portability (the ability to move data and workloads when needed) and resilience requirements that cloud architectures can either support or undermine depending on how they’re designed.

 

CLD is not a subset of Network Security (NET) or Endpoint Security (END). Cloud environments create unique control surfaces: misconfigured storage buckets, permissive Identity and Access Management (IAM) policies in the cloud provider's identity system and serverless functions running with excessive permissions are all cloud-specific risks that traditional network and endpoint controls don't address.