EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityNISTCSF-2.0ENISA

NIST, ENISA & Comparing Cloud Security Frameworks

NIST SP 800-145, NIST CSF 2.0, and ENISA cloud security guidance — compared side-by-side, with the Capital One 2019 breach as a case study in how framework application prevents real-world cloud disasters.

Ashish Revar3 July 202613 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

NIST Cybersecurity Framework 2.0

The official NIST CSF 2.0 framework including the new Govern function and implementation tiers.

paper
NIST Cybersecurity Framework 2.0

The official NIST CSF 2.0 framework including the new Govern function and implementation tiers.

paper
ENISA Cloud Security for Healthcare

ENISA sector-specific cloud guidance demonstrating the risk taxonomy in regulated environments.

paper
ENISA Cloud Security for Healthcare

ENISA sector-specific cloud guidance demonstrating the risk taxonomy in regulated environments.

paper
Capital One Breach — SEC Filing and Technical Analysis

Capital One SEC filing disclosing the breach, affected data categories, and remediation actions.

paper
Capital One Breach — SEC Filing and Technical Analysis

Capital One SEC filing disclosing the breach, affected data categories, and remediation actions.

paper
AWS Security Assurance Programs and Compliance Reports

AWS compliance programme page listing SOC 2, ISO 27001, FedRAMP, PCI-DSS, and sector-specific certifications.

blog
AWS Security Assurance Programs and Compliance Reports

AWS compliance programme page listing SOC 2, ISO 27001, FedRAMP, PCI-DSS, and sector-specific certifications.

blog
More articlesTest your knowledge

NIST Cloud Security Publications

The National Institute of Standards and Technology (NIST) produces the most referenced cloud security guidance globally.

NIST SP 800-145: The Definition

The foundational document — defines cloud computing with the five characteristics, three service models, and four deployment models. Every other cloud security conversation starts here.

NIST SP 800-144: Guidelines for Security in Public Cloud

Addresses: data portability, audit rights, incident response coordination with providers, and managing the risk of public cloud adoption. Particularly relevant for US government workloads and any organisation requiring FedRAMP-aligned controls.

NIST Cybersecurity Framework 2.0 (CSF 2.0)

CSF 2.0 (released 2024) expanded the original five functions to six, adding Govern at the top:

FunctionPurposeCloud Application
GovernEstablish policy, risk tolerance, accountabilityCloud security policy; CISO ownership of cloud risk
IdentifyAsset and risk inventoryCloud asset discovery; CSPM inventory
ProtectSafeguards implementationIAM, encryption, network controls
DetectAnomaly and event detectionGuardDuty, CloudTrail, SIEM rules
RespondIncident responseIR playbooks for cloud; provider coordination
RecoverRestore capabilitiesMulti-region failover; backup restoration

CSF 2.0 is designed to be sector-neutral and size-neutral — it applies equally to a startup on a single AWS account and a multinational with a hybrid multi-cloud estate.

ENISA Cloud Security Guidance

The European Union Agency for Cybersecurity (ENISA) publishes cloud security risk assessments and guidance relevant to European and international deployments.

ENISA Cloud Risk Taxonomy

Risk CategoryExamples
Policy and organisationalVendor lock-in, loss of governance, compliance challenges
TechnicalResource exhaustion, isolation failure, insecure data deletion
LegalData protection law conflicts, jurisdiction complexity
Incident responseProvider IR capability limitations, evidence access restrictions
AvailabilityService outages, loss of business continuity

ENISA guidance specifically addresses the right to audit — the ability for customers to independently verify provider security practices, which is often limited in public cloud environments.

Comparing CSA, NIST, and ENISA

DimensionCSA CCMNIST CSF 2.0ENISA
FocusCloud-specific controlsRisk management frameworkRisk taxonomy and guidance
AudienceCloud consumers and providersAll organisationsEuropean deployments
Depth197 specific controlsHigh-level functions and categoriesRisk descriptions and recommendations
Compliance mappingISO 27001, PCI-DSS, SOC 2, NISTInternal and sector frameworksGDPR, NIS2 directive
Update frequencyVersion releasesVersion releasesRegular reports and guidance docs

The practical approach: use NIST CSF 2.0 for overall programme structure, CSA CCM for cloud-specific control requirements, and ENISA guidance for risk language and European compliance context.

Case Study: Capital One (2019) — Framework Failure in Practice

In July 2019, a former AWS employee exploited a Server-Side Request Forgery (SSRF) vulnerability in Capital One SSRF to reach the EC2 Instance Metadata Service. The attached IAM role had excessive permissions — s3:GetObject on more than 700 buckets. Over 100 million customer records were exfiltrated.

How framework application could have prevented this:

Framework ControlWhat Was MissingWhat It Would Have Prevented
CSA CCM IAM-06IAM role permissions were far beyond least privilegeReduced blast radius; attacker role could only access specific buckets
NIST CSF DetectNo alerting on mass S3 GetObject from EC2 roleEarly detection before full exfiltration
NIST CSF ProtectIMDSv1 in use; no block on SSRF to metadata IPSSRF chain broken at Step 2
ENISA Technical risksIsolation failure risk not assessed for web-facing EC2Risk identified; SSRF controls mandated

The breach was entirely preventable with standard cloud security framework controls applied consistently.

Key Takeaway

No single framework covers everything. NIST CSF 2.0 gives you the programme skeleton, CSA CCM fills it with cloud-specific controls, and ENISA provides the risk vocabulary for European and international regulatory alignment. The Capital One case proves these are not theoretical frameworks — they are the checklist that stops billion-dollar breaches.