Cloud Infrastructure Security: 10 Controls Every CISO Should Verify
Cloud Infrastructure Security: 10 Controls Every CISO Should Verify
Cloud breach root causes are not generally novel — misconfigurations, weak identity hygiene, exposed credentials, and unmonitored services account for the bulk of incidents in the Mandiant M-Trends 2024 report and the Verizon DBIR 2024. The controls that prevent them are well-known and largely automatable. The reason these breaches keep happening is that "well-known" controls are not the same as "implemented" controls.
This is the 10-control verification list we run with customers as part of cloud security baseline reviews. It assumes AWS, Azure, or GCP — the controls map across all three. Each control has the verification question a CISO should be able to answer with a single tool query.
Control 1: Multi-Factor Authentication on All Privileged Accounts
Verification question: Are all break-glass and admin-tier accounts enrolled in phishing-resistant MFA?
Phishing-resistant means hardware tokens (YubiKey, Titan) or platform passkeys, not SMS or app-based TOTP. Cloud-native admin tools support FIDO2 directly. The 2024 IAM-targeted attacks shifted from credential theft to MFA-bombing and SIM-swap; phishing-resistant MFA is the only durable defence.
Control 2: No Long-Lived Privileged Credentials
Verification question: Are all production access events authenticated with short-lived, federated credentials?
Long-lived IAM access keys, service principals with secret-based auth, or service-account JSON keys all create persistent leaked-credential risk. The right pattern is federated identity through SSO (SAML/OIDC) for humans and workload identity (IRSA on AWS, Workload Identity on GCP, Managed Identity on Azure) for services. Long-lived secrets should be rotating dynamic secrets through Vault or AWS Secrets Manager.
Need expert help with cloud infrastructure security?
Our cloud architects can help you with cloud infrastructure security — from strategy to implementation. Book a free 30-minute advisory call with no obligation.
Control 3: Network Segmentation Per Workload
Verification question: Do production workloads sit in dedicated VPCs/VNets with explicit east-west firewall rules?
Flat networks where all workloads share one VPC with permissive security groups give an attacker who breaches one service unrestricted lateral access. Per-workload VPCs (or per-team accounts/subscriptions) with explicit peering and egress controls limit blast radius. Service mesh adds another layer for inter-service authentication.
Control 4: Encryption at Rest with Customer-Managed Keys
Verification question: Do all data services use customer-managed keys (CMK) with rotation enabled?
Cloud-native default encryption (provider-managed keys) is good baseline hygiene but does not satisfy crypto-shredding or key-revocation requirements. Customer-managed keys via KMS (AWS), Key Vault (Azure), or Cloud KMS (GCP) let you revoke access decisively. Annual key rotation should be on by default.
Control 5: TLS Everywhere, Including Internal Traffic
Verification question: Is plaintext traffic permitted anywhere in the production environment?
Internal-network plaintext traffic (HTTP between services, unencrypted database connections) is a residual artefact of perimeter-trust architectures. Modern zero-trust assumes the network is hostile and requires TLS for service-to-service traffic. Service mesh (Istio, Linkerd) provides automatic mTLS without per-service configuration.
Control 6: Centralised, Tamper-Resistant Logging
Verification question: Are control-plane logs (CloudTrail, Activity Log, Audit Logs) shipped to an isolated logging account/project with write-once retention?
Logs that an attacker can delete are not really logs. The standard pattern is to ship audit logs to a dedicated logging account with cross-account write-only permissions and S3 Object Lock or equivalent immutable storage. Pair this with zero-downtime elk stack or a SIEM for correlation.
Control 7: Continuous Configuration Posture Management
Verification question: Is there a CSPM tool actively monitoring all cloud accounts against a defined benchmark (CIS, NIST, internal)?
Cloud Security Posture Management (CSPM) tools — AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center, third-party Wiz / Prisma / Lacework — continuously scan resources for misconfiguration. The right configuration:
- Coverage across all production accounts/subscriptions/projects
- Findings tied into engineering Jira/Linear tickets, not security email queues
- SLAs on remediation tied to severity
- Trend dashboard reviewed monthly by security leadership
Control 8: Workload Identity, Not Network Identity
Verification question: Do production services authenticate to other services with workload identity (IRSA, Workload Identity, Managed Identity), not source-IP allow-lists?
Source-IP allow-lists in cloud networks fail open when network architecture changes (new subnets, NAT gateway updates, peering modifications). Workload identity binds authentication to the workload itself, not its current network address. Cloud-native workload identity is now mature on all three hyperscalers and should be the default.
Control 9: Vulnerability Management Across the Stack
Verification question: Are known CVEs in OS, container images, dependencies, and IaC modules actively tracked with SLAs?
Vulnerability management spans four surfaces: OS-level (Inspector, Defender, OS Config), container-level (image scanners in registry and at runtime), application-level (SCA in CI), and IaC-level (Checkov, Tfsec). All four need active scanning, finding-to-ticket integration, and time-bound remediation SLAs. The CISA Known Exploited Vulnerabilities catalogue is the priority lens.
Control 10: Verified Backup and Disaster Recovery
Verification question: When did you last successfully restore production data from backup, end-to-end?
Backups that have never been restored are not real backups. Quarterly restore drills covering at least one major data store (database, object storage, secrets) prove the recovery path works and surface broken assumptions before an actual incident. Pair with cloud disaster recovery draas services for warm-DR scenarios.
The Verification Discipline
The list is not a checklist for once-per-year compliance theatre. It is a discipline. Each control needs:
- A query or dashboard that answers the verification question in one click
- An owner accountable for the answer
- A review cadence appropriate to the control (monthly for Controls 1, 6, 7; quarterly for Controls 9, 10)
Across customer reviews we typically find 6-8 of 10 controls implemented at least partially, but only 3-5 with the verification discipline that catches drift. The gap is where breaches happen.
How Opsio Helps
Opsio's managed cloud security implements and operates these 10 controls across AWS, Azure, and GCP customer environments. We pair this with managed cloud infrastructure for landing-zone redesigns where the existing architecture cannot support the controls cleanly, and with ISO certification consulting programmes where the controls become audit evidence for ISMS certification.
For hands-on delivery, see datadog monitoring for enterprise.
For hands-on delivery, see AI security compliance for EU AI Act readiness.
For hands-on delivery, see cloud scalability for enterprise.
For hands-on delivery, see cloud security assessment services.
For hands-on delivery, see managed cloud security services.
For hands-on delivery, see end-to-end cloud security.
About the Author
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.