Cloud computing is the delivery of computing resources via the internet. Any type of IT tools and applications can be delivered; users can access servers, storage, databases, networking, and applications.
Cloud computing resources can be owned and maintained by an organization, but are more commonly provided as a service. When used as a service, cloud computing lowers capital expenses and provides elasticity by making IT infrastructure, applications, and services available on demand.
Cloud security is a cornerstone of cloud computing, providing technology, services, policies, and controls to protect hosted infrastructure, applications, and data from threats and accidents. Private clouds, public clouds, and hybrid clouds all have cloud computing security integral to their architecture and infrastructure to ensure data privacy and meet compliance requirements.
There are many benefits of cloud security, including:
- Advanced threat detection
Cloud computing security uses endpoint scanning, threat intelligence, and other tools to identify and neutralize threats proactively. - Compliance
The breadth of coverage provided by most cloud security ensures that organizations are able to meet the stringent compliance requirements set forth by legislation, standards, and internal protocols. - Continuous monitoring
To ensure optimal cloud security, availability, and performance, service providers must continuously monitor all systems. This visibility allows cloud services providers to proactively respond when issues are identified—before they become a problem. - Data security
Most cloud security solutions provide data security by design, using strong access controls and data encryption to protect data from threats. - Protection against distributed denial of service (DDoS) attacks
Cloud security solutions provide the most effective protection against DDoS attacks, because of the continuous monitoring, analysis, and redundancies that are built into the services.
Cloud security and the shared responsibility model
Cloud computing security is a shared responsibility regardless of what cloud model is deployed. Responsibilities for cloud security fall into three categories.
- Cloud security responsibilities that are always the provider’s include protecting the infrastructure by accessing, patching, and configuring the physical hosts and networks where the compute instances run and the storage and other resources reside.
- Cloud security responsibilities that are always the customer’s include managing users and their access privileges, protecting cloud accounts and cloud-based data from unauthorized access, and managing its security posture to adhere to compliance requirements.
- Cloud computing security responsibilities that vary depending on the service model include:
- Infrastructure as a Service (IaaS)—In the infrastructure delivery model, the provider offers compute resources (e.g., virtualized servers, storage, network equipment) via the internet. In the IaaS model, the customer is responsible for security. This means maintaining security for anything on the cloud infrastructure, including the operating system, applications, middleware, containers, workloads, data, and code. Customers are responsible for the security of endpoints, users, networks, configurations, settings, access rights, workloads, and data.
- Platform as a Service (PaaS)—In this model, the provider provides the hardware and software for the platform. The service provider is also responsible for the security of the platform and infrastructure that customers use to develop, run, and manage their applications. Customers are responsible for the security of applications developed on the platform and security for endpoints, users, networks, access rights, data, and workloads.
- Software as a Service (SaaS)—The provider centrally hosts an application (e.g., email) in the cloud and offers it as a subscription. In this model, the provider not only maintains and manages the solution, but is also responsible for application security. Customers bear responsibility for security of endpoints, users, networks, configurations, settings, access rights, workloads, and data.
Cloud security challenges
- Application Program Interface (API) vulnerabilities
Cybercriminals commonly exploit API flaws to gain unauthorized access to resources and data, using attacks such as denial-of-service (DoS) attacks and code injections. - Compliance and governance
Although the leading cloud providers support most of the security requirements for rules and legislation (e.g., Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), California Privacy Rights Act (CPRA), General Data Protection Regulation (GDPR)), customers are responsible for ensuring that their workload and data processes are compliant, and not all are up to the task. Many organizations assume that the cloud provider takes care of security and do not implement the processes and controls needed to meet requirements. - Dynamic workloads
Because cloud assets are provisioned and decommissioned dynamically, traditional security tools cannot provide the types of protection policies required to support the rapidly changing workloads. - Increased attack surface
The adoption of microservices has led to a significant increase in publicly available workloads, which expands attack surfaces as every workload adds to it. - Lack of visibility and tracking
In cloud deployments where providers have full control over the infrastructure layer, customers do not have exposure to it and lack the visibility and control needed to accurately identify and quantify cloud assets or visualize their cloud environments. - Loose privileges
Cloud user roles are often configured very loosely by default, with privileges granted beyond what is required. - Misconfigured cloud services
Cloud misconfigurations result from users or administrators failing to apply security settings correctly. This leads to issues such as unrestricted outbound access or weak credentials that can result in a data breach. - Zero-day exploits
Even top cloud security providers are vulnerable to zero-day exploits, which exploit vulnerabilities in software and operating systems that have not been patched.
Cloud security and zero trust
The basic principles of zero trust in cloud computing security are the same as any other deployment—do not automatically trust anyone or anything within or outside of the network; verify everything. The application of zero trust for cloud security includes:
- Ensuring that web-facing applications are properly secure
- Implementing and enforcing a least privilege governance strategy that limits users’ access to resources only to what is required to perform their duties, thereby reducing the attack surface
- Utilizing microsegmentation to enable granular cloud computing security
- Creating zones that segment workloads from each other to secure everything inside the zone and apply specific policies to protect traffic between zones
Among the many benefits of applying zero trust for cloud security include:
- Consistent and comprehensive security
- Improved visibility into data, assets, and risks
- Reduced operational cost and complexity
- Speed and agility to adapt to changes in use cases, technology, and threats
Key steps when implementing zero trust for cloud computing security are:
- Identify what type of applications (e.g., public, private, SaaS) and data (e.g., confidential, sensitive) require protection, where they are, and who accesses and uses them.
- Define the protect surface based on levels required for data, applications, assets, and services.
- Map the transaction flows.
- Architect the cloud security infrastructure to create boundaries between users and applications.
- Grant access rights according to least-privilege principles.
- Educate users on security policies and what is expected of them when accessing and using applications and data in the cloud.
- Monitor and maintain all cloud computing security systems.
Cloud security best practices
Organizations should consider these cloud security best practices when implementing tools and controls.
- Check for any default service accounts.
- Design zero trust cloud computing security and network segmentation based on how data moves across the network and how users and applications access sensitive information.
- Disable unused ports.
- Ensure that cloud security meets the requirements of standards, laws, and regulations, including the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and Society for Worldwide Interbank Financial Telecommunications (SWIFT).
- Establish continuous activity monitoring for all privileged users (e.g., system administrators, managers).
- Enable clear onboarding and offboarding procedures, including adding and removing accounts and their privileges.
- Keep track of privileged users in the cloud infrastructure.
- Know who is responsible for each aspect of cloud security—internal and external.
- Provide users with a secure, consistent, and seamless experience regardless of where they are physically located, how they want to connect, or which applications they want to use.
- Remove unnecessary processes and instances.
- Require the use of strong passwords and multi-factor authentication.
- Schedule regular assessments of user privileges.
- Take time to find the relationships in place and work with stakeholders to understand normal application behavior patterns and intersystem communications.
- Teach users about signs of phishing and social engineering, using real-life attack simulations to avoid accidental disclosure of sensitive information.
- Understand how the cloud architecture works to help avoid security holes due to misconfiguration.
- Use network traffic monitoring for passive application discovery.
Cloud security solutions
Due to cloud computing’s distributed and dynamic nature, a broad range of security tools and practices should be used, including the following.
- Change management and software updates
Applies governance and compliance rules and templates when provisioning virtual servers, auditing for configuration deviations, and remediating issues. - Cloud WAF (web application firewall)
Monitors incoming traffic and requests before they reach the server and access business resources. - Compliance assessments
Reviews and updates compliance rules and requirements. - Control over cloud data with:
- Data classification to stop data from entering or leaving the cloud based on its classification (e.g., sensitive, regulated, public).
- Data loss prevention (DLP) to protect data from unauthorized access and automatically disable access and transport of data when suspicious activity is detected.
- Collaboration controls to manage controls within the cloud (e.g., changing file and folder permissions for specified users, removing permissions, revoking shared links).
- Data encryption
Protects confidential and sensitive information in the event of a breach by masking it. - Device access control cloud data and applications
Blocks access based on rules (e.g., when a personal, unauthorized device tries to access cloud data). - Enhanced data protection
Uses encryption at all transport layers to secure file shares and communications, continuously meet compliance requirements related to risk management, and support good data governance (e.g., detecting misconfigured resources, terminating orphan resources). - Granular, policy-based identify and access management (IAM) and authentication
Provides access privileges to assets and APIs. - Identity management and access controls
Defines which users and user groups can have access to what resources and data, enforcing the principle of least privilege. - Microsegmentation
Uses dedicated wide area network (WAN) links to customize access to virtual devices, virtual networks and their gateways, and public internet protocol (IP) addresses to microsegment workloads from one another down to the individual workload level, with granular security policies at subnet gateways. - Next-generation firewalls
Uses application-aware filtering to stop advanced threats by granularly inspecting and controlling traffic to and from web application servers, automatically updating rules in response to traffic behavior changes. - Malware prevention
Stops malware from entering cloud services with file scanning, application whitelisting, machine learning-based malware detection, and network traffic analysis. - Privileged access controls
Identifies all forms of access that privileged accounts have to data and applications, then implements and manages controls to limit exposure. - Risk assessment
Identifies and addresses risk factors introduced by cloud environments and providers. - Threat intelligence
Detects and remediates known and unknown threats in real-time by scanning all traffic and then cross-referencing aggregated log data with internal data (e.g., asset and configuration management systems), vulnerability scanners, external data (e.g., public threat intelligence feeds, geolocation databases), and artificial intelligence-based anomaly detection algorithms. - User access control for cloud data and applications (e.g., cloud access security broker or CASB)
Ensures only authorized users access cloud data and applications. - User behavior analytics (UBA)
Identifies malicious activity, such as detecting compromised accounts and insider threats. - Visibility into cloud data
Uses an API connection to view:- What data is stored in the cloud.
- Who is using cloud data.
- The roles of users with access to cloud data.
- Who cloud users are sharing data with.
- Where cloud data is located.
- Where cloud data is being accessed and downloaded from, including from which device(s).
Require internal responsibility for cloud security quality
Cloud computing security must be a priority for the enterprise. While cloud service providers are adept at protecting systems and data, ownership of cloud security as a whole belongs within organizations. Whether it is overseeing and auditing outsourced solutions, managing cloud deployments from the inside, or hybrid, the enterprise must have a deep understanding of every aspect of cloud security.
Taking time to develop sound processes and policies for cloud security is essential and pays off with the peace of mind of knowing that systems are protected and meet compliance requirements. Done correctly, cloud security can provide the most effective defense against cybercriminals, with protections from unauthorized access, data breaches, and a never-ending list of other threats.