Building a public cloud security program from scratch is a lot of work. There are a great many things you need to do, and figuring out what those are and in what order is critical. CIS publishes a list of 20 Critical Security Controls. While primarily aimed at traditional, data-center-centric IT organizations, the concepts and the ordering of the 20 Controls provide a reasonably good road map for anyone starting their cloud security journey.
CIS has 20 base controls, which they break down into three categories: Basic, Foundational, and Organizational. To further group the effort, they categorize specific sub-controls based on the type of organization:
Implementation Group 1: An organization with limited resources and cybersecurity expertise available to implement Sub-Controls
Implementation Group 2: An organization with moderate resources and cybersecurity expertise to implement Sub-Controls
Implementation Group 3: A mature organization with significant resources and cybersecurity experience to allocate to Sub-Controls
For the Basic and Foundational controls, we will outline what CIS provides as the appropriate sub-controls for each control, then provide a prioritized list of cloud-specific sub-controls. Where possible, we map each cloud-specific sub-control to the CIS-provided sub-control.