NIST SP 800-145, NIST CSF 2.0, and ENISA cloud security guidance — compared side-by-side, with the Capital One 2019 breach as a case study in how framework application prevents real-world cloud disasters.
Sign in to mark this article as read and track your progress.
The National Institute of Standards and Technology (NIST) produces the most referenced cloud security guidance globally.
The foundational document — defines cloud computing with the five characteristics, three service models, and four deployment models. Every other cloud security conversation starts here.
Addresses: data portability, audit rights, incident response coordination with providers, and managing the risk of public cloud adoption. Particularly relevant for US government workloads and any organisation requiring FedRAMP-aligned controls.
CSF 2.0 (released 2024) expanded the original five functions to six, adding Govern at the top:
| Function | Purpose | Cloud Application |
|---|---|---|
| Govern | Establish policy, risk tolerance, accountability | Cloud security policy; CISO ownership of cloud risk |
| Identify | Asset and risk inventory | Cloud asset discovery; CSPM inventory |
| Protect | Safeguards implementation | IAM, encryption, network controls |
| Detect | Anomaly and event detection | GuardDuty, CloudTrail, SIEM rules |
| Respond | Incident response | IR playbooks for cloud; provider coordination |
| Recover | Restore capabilities | Multi-region failover; backup restoration |
CSF 2.0 is designed to be sector-neutral and size-neutral — it applies equally to a startup on a single AWS account and a multinational with a hybrid multi-cloud estate.
The European Union Agency for Cybersecurity (ENISA) publishes cloud security risk assessments and guidance relevant to European and international deployments.
| Risk Category | Examples |
|---|---|
| Policy and organisational | Vendor lock-in, loss of governance, compliance challenges |
| Technical | Resource exhaustion, isolation failure, insecure data deletion |
| Legal | Data protection law conflicts, jurisdiction complexity |
| Incident response | Provider IR capability limitations, evidence access restrictions |
| Availability | Service outages, loss of business continuity |
ENISA guidance specifically addresses the right to audit — the ability for customers to independently verify provider security practices, which is often limited in public cloud environments.
| Dimension | CSA CCM | NIST CSF 2.0 | ENISA |
|---|---|---|---|
| Focus | Cloud-specific controls | Risk management framework | Risk taxonomy and guidance |
| Audience | Cloud consumers and providers | All organisations | European deployments |
| Depth | 197 specific controls | High-level functions and categories | Risk descriptions and recommendations |
| Compliance mapping | ISO 27001, PCI-DSS, SOC 2, NIST | Internal and sector frameworks | GDPR, NIS2 directive |
| Update frequency | Version releases | Version releases | Regular reports and guidance docs |
The practical approach: use NIST CSF 2.0 for overall programme structure, CSA CCM for cloud-specific control requirements, and ENISA guidance for risk language and European compliance context.
In July 2019, a former AWS employee exploited a Server-Side Request Forgery (SSRF) vulnerability in Capital One SSRF to reach the EC2 Instance Metadata Service. The attached IAM role had excessive permissions — s3:GetObject on more than 700 buckets. Over 100 million customer records were exfiltrated.
How framework application could have prevented this:
| Framework Control | What Was Missing | What It Would Have Prevented |
|---|---|---|
| CSA CCM IAM-06 | IAM role permissions were far beyond least privilege | Reduced blast radius; attacker role could only access specific buckets |
| NIST CSF Detect | No alerting on mass S3 GetObject from EC2 role | Early detection before full exfiltration |
| NIST CSF Protect | IMDSv1 in use; no block on SSRF to metadata IP | SSRF chain broken at Step 2 |
| ENISA Technical risks | Isolation failure risk not assessed for web-facing EC2 | Risk identified; SSRF controls mandated |
The breach was entirely preventable with standard cloud security framework controls applied consistently.
No single framework covers everything. NIST CSF 2.0 gives you the programme skeleton, CSA CCM fills it with cloud-specific controls, and ENISA provides the risk vocabulary for European and international regulatory alignment. The Capital One case proves these are not theoretical frameworks — they are the checklist that stops billion-dollar breaches.