More and more companies are migrating to the cloud or have already completed the migration. Cost savings, demand-optimised scalability and location-independent access to applications and data are just some of the advantages of cloud use. Protecting the cloud environment is critical as the digital landscape evolves.

Beyond the security requirements that already apply to locally operated (on-premises) applications, there are further requirements that specifically address the circumstances of cloud computing. In addition to vendor-independent requirements (e.g. requirements of the German Federal Office for Information Security [BSI] "Criteria Catalogue Cloud Computing C5" and National Institute of Standards and Technology [NIST] "SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing"), vendor-specific requirements and better practices are also relevant, such as the Microsoft Azure Well-Architected Framework and the requirements of the American Center for Internet Security (CIS).

To structure relevant topics and requirements, KPMG has developed a Cloud Security Framework that allows us to quickly and efficiently identify and address the topics relevant to you, regardless of your individual starting point and the cloud models you use.


The Cloud Security Framework from KPMG

Cloud Security Governance

Cloud security governance covers the oversight and strategic direction required for a secure cloud environment. It forms the framework that surrounds the entire cloud. It includes the definition, implementation and automated operation of appropriate controls, as well as compliance and security risk reporting.

We place the protection of identities and data at the heart of our security strategy and have developed the Zero Trust model for this purpose, which is applied in the implementation of our cloud security strategies.

Because public clouds are globally oriented, the legal requirements regarding data location and data processing play a fundamental role here.

Secure Cloud Deployment

Secure Cloud Deployment includes securing the processes around the lifecycle of cloud applications and the cloud infrastructure. In line with Secure DevOps (SecDevOps/DevSecOps), we build on the Shift-Left-Security approach, which treats security and data protection as an integral part of the Secure Software Development Lifecycle from the very beginning, and we incorporate security requirements as early as the design and creation of the solutions.

Secure Cloud Platform

Secure Cloud Platform involves the implementation of cloud-native platform security services and security hardening around perimeter, storage and compute resources, as well as data and application workloads. In addition to protecting data through encryption, this is also about protecting the "underlying" layers. The application programming interfaces (APIs) must be protected, as must access to virtual machines and network communication.

Secure Cloud Operations

To enable the secure operation of the cloud environment, proactive measures alone are not enough. It is necessary to monitor the cloud to detect vulnerabilities, suspicious configurations and other abnormal behaviour. Changes to the environment must also be taken into account and monitored to ensure that no unintended adjustments go undetected. Continuous monitoring, combined with adapting existing operational processes or introducing new ones, is enormously important here.

Access Management

Access management deals with the functions required to set up and manage identities and identity data (human, service, device, etc.), identity permissions/authorisations and identity authentication including single sign-on (SSO), multi-factor, federation and directory services in cloud environments.

Availability and Scalability

Availability and scalability include the capabilities required to achieve recovery time objectives (RTO) and recovery point objectives (RPO) for data, services and infrastructure in the cloud, as well as the capabilities to use cloud-native concepts to achieve them (e.g. dynamic scaling, multi-region and multi-zone architectures, secure backups, etc.).


Using KPMG's Cyber Security Framework, the necessary topic areas that are relevant to you can be identified quickly and efficiently. Once the areas have been identified, we work with you to implement the appropriate measures to make your cloud environment more secure so that you can protect your data and workloads.

We look forward to accompanying you on your cloud journey and walking the path to efficient cloud adoption with you.
