Cloud security, also called cloud computing security, refers to the discipline and practice of protecting cloud computing environments, applications, data, and information. Cloud security entails securing cloud environments against unauthorized use/access, distributed denial of service (DDoS) attacks, hackers, malware, and other risks. While cloud security applies to security for cloud environments, the related term, cloud-based security, refers to the software as a service (SaaS) delivery model of security services, which are hosted in the cloud rather than deployed via on-premises hardware or software.
Public clouds are hosted by third-party cloud service providers (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud) and are generally accessed through web browsers, so identity management, authentication, and access control are essential.
Private clouds are usually dedicated to, and accessible by, only a single organization. They are nonetheless still vulnerable to access breaches, social engineering, and other exploits.
Hybrid clouds combine aspects of public and private clouds, giving organizations more control over their data and resources than a public cloud environment offers, while still letting them tap into the scalability and other benefits of the public cloud when needed.
Infrastructure as a service (IaaS) enables an on-demand model for pre-configured, virtualized data center computing resources (i.e. network, storage, and operating systems). This can involve automating the creation of virtual machines at scale, so it is critical to consider how virtual machines are provisioned, managed, and spun down.
Platform as a service (PaaS) provides tools and other computing infrastructure, enabling organizations to focus on building and running web applications and services. PaaS environments primarily support developers, operations, and DevOps teams. Here, the management and configuration of self-service entitlements and privileges is key to controlling risk.
Software as a service (SaaS) consists of applications hosted by a third party and usually delivered as software services through a web browser on the client side. While SaaS eliminates the need to deploy and manage applications on end-user devices, potentially any employee can access web services and download content. Proper visibility and access controls are therefore required to monitor which SaaS applications are accessed, how they are used, and what they cost.
Cloud computing makes it easy for anyone to subscribe to a SaaS application or even to spin up new instances and environments. Users should adhere to strong acceptable use policies for obtaining authorization for, and for subscribing to, new cloud services or creating new instances.
Leasing a public cloud service means an organization does not have ownership of the hardware, applications, or software on which the cloud services run. Ensure that you understand the cloud vendor’s approach to these assets.
Cloud applications often integrate and interface with other services, databases, and applications. This is typically achieved through an application programming interface (API). It’s vital to understand the applications and people who have access to API data and to encrypt any sensitive information.
Cloud applications may contain embedded and/or default credentials. Default credentials pose an increased risk because attackers may be able to guess them. Organizations need to manage these credentials as they would any other type of privileged credential.
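The following is an added example, not code from the original article, showing one way a defender can check deployment configuration for the embedded and default credentials described above. It assumes a simple `KEY=VALUE` / `key: value` configuration format; the list of well-known default credentials and the sample configuration are constructed for illustration, and a real scanner would load vendor default lists from a maintained source.

```python
import re

# Constructed list of well-known default username/password pairs (assumption:
# a real deployment would maintain this list from vendor documentation).
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("guest", "guest"),
}

# Keys whose values are treated as credentials when they appear in a config file.
CREDENTIAL_KEY_RE = re.compile(r"(password|passwd|secret|api[_-]?key|token)", re.IGNORECASE)
# Keys that carry a username, used to pair a value with its account.
USER_KEY_RE = re.compile(r"(user(name)?|login)$", re.IGNORECASE)
# One assignment per line: KEY=VALUE or key: value, optionally quoted.
ASSIGNMENT_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[=:]\s*[\"']?([^\"'#\s]+)[\"']?\s*$")
# Values that are injected at runtime (env vars, templating, secret store refs)
# rather than embedded in the file.
PLACEHOLDER_RE = re.compile(r"^(\$\{[^}]+\}|\$[A-Z_]+|<[^>]+>|\{\{.*\}\}|secretsmanager:.*)$")


def parse_config(text):
    """Return a dict of key -> value from simple assignment lines."""
    values = {}
    for line in text.splitlines():
        m = ASSIGNMENT_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def find_credential_issues(text):
    """Return (key, reason) findings for embedded or default credentials."""
    findings = []
    values = parse_config(text)
    users = [v for k, v in values.items() if USER_KEY_RE.search(k)]
    for key, value in values.items():
        if not CREDENTIAL_KEY_RE.search(key):
            continue
        if PLACEHOLDER_RE.match(value):
            continue  # supplied from a secret store or environment, not embedded
        if any((u, value) in KNOWN_DEFAULT_CREDENTIALS for u in users):
            findings.append((key, "known default credential"))
        else:
            findings.append((key, "credential embedded in configuration"))
    return findings


# Constructed sample configuration for the example.
SAMPLE_CONFIG = """
# application settings (constructed sample)
DB_USER=admin
DB_PASSWORD=admin
API_KEY=${VAULT_API_KEY}
SMTP_TOKEN=tkn-0123456789abcdef
"""

if __name__ == "__main__":
    for key, reason in find_credential_issues(SAMPLE_CONFIG):
        print(f"{key}: {reason}")
```

Values that reference a secret store or environment variable are deliberately skipped, since moving secrets out of configuration files is exactly the remediation for the findings this check raises.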
IT tools architected for on-premise environments or one type of cloud are frequently incompatible with other cloud environments. Incompatibilities can translate into visibility and control gaps that expose organizations to risk from misconfigurations, vulnerabilities, data leaks, excessive privileged access, and compliance issues.
Multitenancy is the backbone for many of the cloud benefits of shared resources (e.g., lower cost, flexibility, etc.), but it also introduces concerns about data isolation and data privacy.
Automation and rapid scalability are chief benefits of cloud computing, but the flip side is that vulnerabilities, misconfigurations, and other security issues (such as the sharing of secrets: APIs, privileged credentials, SSH keys, etc.) can also proliferate at speed and scale. For example, cloud administrator consoles enable users to swiftly provision, configure, manage, and delete servers at massive scale. However, each of these virtual machines is born with its own set of privileges and privileged accounts, which need to be properly onboarded and managed. All of this can be further compounded in DevOps environments, which by nature are fast-changing, highly automated, and tend to treat security as an afterthought.
Attackers can make a living by exploiting cloud vulnerabilities. Rapid detection and a multi-layered security approach (firewalls, data encryption, vulnerability management, threat analytics, identity management, etc.) will help you reduce risk, while leaving you better poised to respond to and withstand an attack.
Insider-related threats (whether through negligence or malevolence) generally take the longest to detect and resolve, and have the potential to be the most harmful. A strong identity and access management framework, along with effective privilege management tools, is essential to eliminating these threats and to reducing the damage (such as by preventing lateral movement and privilege escalation) when they do occur.
A holistic cloud security program should account for ownership and accountability (internal/external) of cloud security risks, gaps in protection/compliance, and identify controls needed to mature security and reach the desired end state.
In multi-tenant environments, assess what segmentation is in place between your resources and those of other customers, as well as between your own instances. Leverage a zone approach to isolate instances, containers, applications, and full systems from each other when possible.
Leverage robust identity management and authentication processes to ensure that only authorized users have access to the cloud environment, applications, and data. Enforce least privilege to restrict privileged access and to harden cloud resources (for instance, only expose resources to the Internet where necessary, and deactivate unneeded capabilities/features/access). Ensure privileges are role-based, and that privileged access is audited and recorded via session monitoring.
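As an added example (not from the original article), the check below applies the least-privilege guidance above to access policy documents. It assumes the AWS IAM JSON policy shape (`Statement`, `Effect`, `Action`, `Resource`, `Principal`, `Condition`); the two sample policies and the bucket name are constructed for illustration.

```python
import json


def _as_list(value):
    """Normalise a string-or-list policy field into a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, message) findings for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allows can over-grant
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")

        if "*" in actions:
            findings.append((idx, 'allows every action (Action: "*")'))
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append((idx, f"allows every action in a service ({action})"))

        if "*" in resources:
            findings.append((idx, 'applies to every resource (Resource: "*")'))

        # A wildcard principal without a Condition exposes the resource to anyone.
        anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if anyone and not stmt.get("Condition"):
            findings.append((idx, "grants access to any principal without a Condition"))
    return findings


# Constructed sample: the kind of policy that is quick to write but over-grants.
OVERLY_BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Constructed sample: the same job scoped to one action on one path.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, lint_policy(policy))
```

Running such a linter in the pipeline that deploys policies turns the least-privilege principle into a check that fails before an over-broad grant reaches the environment.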
Once cloud instances, services, and assets are discovered and grouped, bring them under management (i.e. managing and cycling passwords, etc.). Discovery and onboarding should be automated as much as possible to eliminate shadow IT.
Never allow the use of shared passwords. Combine passwords with other authentication factors for sensitive areas. Follow password management best practices.
Regularly perform vulnerability scans and security audits, and patch known vulnerabilities.
Ensure your cloud data is encrypted at rest and in transit.
Be aware of the data backup, retention, and recovery policies and processes for your cloud vendor(s). Do they meet your internal standards? Do you have break-glass strategies and solutions in place?
Implement continual security and user activity monitoring across all environments and instances. Integrate and centralize data from your cloud provider (where available) with data from in-house and other vendor solutions, so that you have a holistic picture of what is happening in your environment.