It's important to create a secure, high-performing, and resilient foundation for your cloud environment. The Security capabilities help you design and implement security policies and controls across different levels to protect your resources from external or internal vulnerabilities and threats. These capabilities can also help you ensure confidentiality, availability, integrity, and usability, while providing priorities and advice to assist with remediation.

  • An organization without access controls and a structured cloud environment welcomes risk. Following the principle of least privilege (PoLP), the Identity Management & Access Control (IMAC) capability helps teams develop a framework for managing their environment, building and monitoring it as defined, isolated groups. Use this capability to establish and monitor identity in your environment through fine-grained access control for your users, applications, and devices.

    Scenarios

    • CF2 – S1: Represent and organize identities and roles in the environment
    • CF2 – S2: Enable preventative access controls across the environment
    • CF2 – S3: Establish a single point of management for access and authorization for the cloud environment
    • CF2 – S4: Manage the lifecycle of identities
    • CF2 – S5: Enforce multi-factor authentication (MFA)
    • CF2 – S5: Implement a data perimeter
  • Encryption and Key Management is the ability to centrally manage encryption keys for different workloads, and the ability to encrypt data at rest and in transit. Access to keys is provided based on least privilege, and usage is monitored to report any anomalies. This capability also includes different patterns of rotation based on your requirements.

    Scenarios

    • CF21 – S1: Ensure appropriate access control for retrieving secrets
    • CF21 – S2: Log secret access and usage
    • CF21 – S3: Detect unusual activity and the potential misuse of secrets
  • Managing secrets (access credentials) such as passwords, access keys, other API keys, X.509, or SSH private keys is an important part of your organization. The Secrets Management capability helps your teams manage storage, access control, access logging, revocation, and rotation aspects for managing secrets.

    Scenarios

    • CF21 – S1: Durable and highly available storage and retrieval of passwords, credentials, and keys
    • CF21 – S2: Ensure appropriate access control for storing and retrieving secrets
    • CF21 – S3: Log secret access and usage
    • CF21 – S4: Detect unusual activity and the potential misuse of secrets
  • Data Isolation enables you to limit access to data at rest and in transit so that data is accessible only to appropriate, authorized entities. This capability helps your teams detect misuse, unauthorized access, leakage, and theft of data.

  • When security incidents occur, you need to respond as quickly as possible to mitigate risks. The Security Incident Response capability will help you establish the right tools and mechanisms in your environment to respond to these types of events in a timely manner.

  • Vulnerability & Threat Management is the ability to identify vulnerabilities that can affect the environment (availability, performance, or security). This capability helps teams to assess the impact and scope (such as blast radius) of vulnerabilities and threats, and address/remediate them.
  • Protecting application software and detecting irregular behavior in your applications are critical in a secure cloud environment. The Application Security capability helps you enforce a fine-grained security policy across your workloads to secure and protect your applications.