Cyber Defense Matrix 2.0 · Asset Row · Cloud

Cloud (SecurityStack extension)

Cloud workloads and operations. A SecurityStack extension reflecting that cloud control planes are too different to share a row with traditional compute.

Cloud is a SecurityStack extension to the original Cyber Defense Matrix, added to CDM 2.0 to reflect that cloud workloads — IaaS VMs, containers, serverless, managed services — have a control plane, threat surface, and operating model too different from traditional on-prem compute to share the Devices or Applications rows. If you treat cloud as 'just someone else's servers,' the matrix hides your real coverage gaps.

Provenance note: This row/column is a SecurityStack extension and is not part of NIST CSF 2.0. Practitioners citing it externally should label it as such.

Why Cloud is its own row

The decision to split Cloud from Devices and Applications comes down to the control plane. An attacker compromising an AWS IAM role, a Kubernetes service account, or an Azure Resource Graph query gains capabilities that no endpoint compromise can match — the ability to manipulate infrastructure at scale via API. The controls that mitigate cloud-control-plane attacks (CSPM, CIEM, CNAPP, cloud-native IAM policies) do not map to the tooling that protects traditional servers.

Treating cloud as a subset of Applications hid this structural difference in the original CDM. CDM 2.0 makes Cloud its own row so coverage questions can be asked at the cloud-native layer. The cost is one more row; the benefit is that programs can reason about cloud control-plane risk separately from workload risk.

The cloud-security tooling stack

The modern cloud-security stack is dominated by CNAPP (Cloud-Native Application Protection Platform) — Wiz, Orca Security, Palo Alto Prisma Cloud, Microsoft Defender for Cloud, CrowdStrike Falcon Cloud Security, Lacework, Sysdig. CNAPPs consolidate what used to be five or six tool categories: CSPM (posture), CWPP (workload protection), CIEM (entitlements), container security, and often KSPM (Kubernetes) and DSPM (data).

Around the CNAPP sits specialized tooling: cloud DLP / DSPM that goes deeper on data (Dig, Laminar, Normalyze, Cyera), cloud-native SIEM (AWS Security Lake feeding Sentinel/Panther/Snowflake), Kubernetes-specific platforms (Sysdig, Aqua, StackRox/OpenShift ACS), and IaC scanning (Snyk IaC, Checkov, Bridgecrew, Terrascan).

The consolidation pattern of the last three years is that organizations are replacing five-to-seven-tool cloud-security stacks with one or two CNAPPs plus a DSPM. The matrix often reveals this consolidation in progress — some cells covered by legacy point products, others by the new CNAPP, with tool overlap during the migration window.

Coverage patterns specific to Cloud

GOVERN × Cloud is cloud-policy management — usually handled by the CNAPP's policy engine plus the organization's GRC framework. IDENTIFY × Cloud is cloud-asset inventory and vulnerability detection at the workload level (CNAPP + CSPM). PROTECT × Cloud spans configuration hardening (CSPM), workload runtime protection (CWPP), identity and entitlement management (CIEM), and IaC pre-deployment scanning.

DETECT × Cloud is covered by CNAPPs plus native cloud-provider logging (AWS GuardDuty, Azure Defender, GCP SCC). RESPOND × Cloud is where tooling is weakest — cloud-native SOAR integration is improving but still requires custom playbook work. RECOVER × Cloud is largely about infrastructure-as-code rebuild paths plus managed-service backups.

Not-applicable rules and cloud adoption patterns

Per CDM 2.0 rules, organizations that are strictly on-premises mark the Cloud row as Not Applicable. In the assessment wizard this shows up as ORG-06 = 'On-premises only' — the Cloud row does not count against coverage because it is not in scope.

The more common scenario is partial cloud adoption: an organization with some SaaS plus a small IaaS footprint. The row stays in scope, but coverage will be weighted toward Applications (for SaaS) and PROTECT × Cloud (for the IaaS workloads). As cloud usage grows, cells that were thin fill in; organizations tracking the matrix over time can see cloud adoption shape their coverage pattern directly.
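As an added example (not code from this page, from SecurityStack, or from the CDM 2.0 assessment wizard), the following Python shows how the two scoping rules above can be applied to a coverage matrix: a row marked Not Applicable (here, Cloud when the assessment answer ORG-06 is 'On-premises only') is removed from the denominator rather than counted as a gap, and cells claimed by both a legacy point product and a CNAPP are surfaced as migration-window overlap, the pattern described in the tooling-stack section. The matrix layout, the cell rule (a cell counts as covered if any tool claims it), the handling of non-'On-premises only' answers, and the tool names in the sample data are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# The six CSF 2.0 functions form the columns; asset rows form the matrix rows.
FUNCTIONS = ["GOVERN", "IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER"]


@dataclass
class CoverageMatrix:
    """A function x asset-row matrix; each cell holds the set of tools claiming it."""
    rows: list[str]
    not_applicable: set[str] = field(default_factory=set)
    cells: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def cover(self, function: str, row: str, tool: str) -> None:
        if function not in FUNCTIONS or row not in self.rows:
            raise ValueError(f"unknown cell {(function, row)}")
        self.cells.setdefault((function, row), set()).add(tool)

    def apply_org06(self, answer: str) -> None:
        # Assumed wizard semantics: 'On-premises only' takes the Cloud row out of scope;
        # any other answer (assumed) leaves it in scope.
        if answer == "On-premises only":
            self.not_applicable.add("Cloud")
        else:
            self.not_applicable.discard("Cloud")

    def in_scope_cells(self) -> list[tuple[str, str]]:
        return [(f, r) for r in self.rows if r not in self.not_applicable for f in FUNCTIONS]

    def coverage(self) -> float:
        """Fraction of in-scope cells with at least one tool; N/A rows are not in the denominator."""
        scope = self.in_scope_cells()
        if not scope:
            return 0.0
        covered = sum(1 for cell in scope if self.cells.get(cell))
        return covered / len(scope)

    def gaps(self) -> list[tuple[str, str]]:
        """In-scope cells that no tool claims; N/A rows never appear here."""
        return [cell for cell in self.in_scope_cells() if not self.cells.get(cell)]

    def overlaps(self) -> dict[tuple[str, str], set[str]]:
        """In-scope cells claimed by more than one tool, e.g. legacy CSPM plus a CNAPP mid-migration."""
        return {cell: tools for cell, tools in self.cells.items()
                if len(tools) > 1 and cell[1] not in self.not_applicable}


def build_baseline() -> CoverageMatrix:
    """Constructed sample: EDR covers every Devices cell, a WAF covers two Applications cells."""
    m = CoverageMatrix(rows=["Devices", "Applications", "Cloud"])
    for f in FUNCTIONS:
        m.cover(f, "Devices", "EDR")
    m.cover("PROTECT", "Applications", "WAF")
    m.cover("DETECT", "Applications", "WAF")
    return m


def onprem_only() -> CoverageMatrix:
    """ORG-06 = 'On-premises only': Cloud is N/A, so 12 in-scope cells, 8 covered."""
    m = build_baseline()
    m.apply_org06("On-premises only")
    return m


def partial_cloud() -> CoverageMatrix:
    """Small IaaS footprint: Cloud stays in scope (18 cells), three Cloud cells are covered."""
    m = build_baseline()
    m.apply_org06("Hybrid")  # constructed answer value; anything but 'On-premises only'
    m.cover("PROTECT", "Cloud", "legacy-CSPM")
    m.cover("PROTECT", "Cloud", "CNAPP")  # both claim the cell during the migration window
    m.cover("IDENTIFY", "Cloud", "CNAPP")
    m.cover("DETECT", "Cloud", "CNAPP")
    return m


if __name__ == "__main__":
    for name, m in (("on-prem only", onprem_only()), ("partial cloud", partial_cloud())):
        print(f"{name}: coverage={m.coverage():.2f} gaps={m.gaps()} overlaps={m.overlaps()}")
```

Running the two scenarios side by side shows the point of the N/A rule: the on-premises matrix scores 8 of 12 rather than 8 of 18, because empty Cloud cells are not gaps when the row is out of scope, while the partial-cloud matrix reports RESPOND × Cloud and RECOVER × Cloud as real gaps and flags PROTECT × Cloud as a cell where the legacy CSPM has not yet been retired.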

Frequently asked

Is SaaS on the Cloud row?

No. SaaS sits on Applications. Cloud is specifically for workloads you operate — IaaS, PaaS, containers, serverless. The distinction is operational ownership: SaaS is software you consume, Cloud is infrastructure you run.

Are containers on the Cloud row or the Devices row?

Cloud. Containers have a cloud-native security model (admission controllers, image scanning, runtime protection) that differs fundamentally from endpoint security. A Kubernetes cluster is Cloud; the VM nodes under it can be Devices depending on who operates them, but the orchestrator layer and the workloads are Cloud.

When does a CNAPP replace individual point products?

When the organization has more than ~3 cloud-security point products (e.g., standalone CSPM + standalone container security + standalone CIEM) and the integration burden is consuming operational time. CNAPP ROI is real but does require migration effort; below three point products the math often does not support consolidation.

How does Cloud relate to OT/IoT?

They are distinct rows with very different controls. Industrial cloud (OT workloads running in IaaS) is still OT/IoT — the security controls need to match the OT operational constraints, not the cloud-workload model. A bank running its core banking in AWS is Cloud; a manufacturer running its SCADA platform in a cloud tenant is OT/IoT.