Cloud security, also called cloud computing security, is the discipline and practice of protecting cloud computing environments, applications, data, and information. It entails securing cloud environments against unauthorized use and access, distributed denial of service (DDoS) attacks, hackers, malware, and other risks. While cloud security refers to securing cloud environments, the related term cloud-based security refers to the software as a service (SaaS) delivery model for security services, which are hosted in the cloud rather than deployed via on-premises hardware or software.

The Three Primary Types of Cloud Environments Include

Public Cloud Services

Hosted by third-party cloud service providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, and generally accessible through web browsers, so identity management, authentication, and access control are essential.

Private Clouds

Usually dedicated and accessible to only a single organization. However, they are still vulnerable to access breaches, social engineering, and other exploits.

Hybrid Clouds

Combine aspects of public and private clouds, allowing organizations to wield more control over their data and resources than in a public cloud environment, yet still be able to tap into the scalability and other benefits of the public cloud when needed.

The Main Cloud Service Models Generally Fall into Three Categories

Infrastructure as a Service (IaaS)

Enables an on-demand model for pre-configured virtualized data center computing resources (i.e. network, storage, and operating systems). This can involve automating the creation of virtual machines at scale, so it’s critical to consider how virtual machines are provisioned, managed, and spun down.

Platform as a Service (PaaS)

Provides tools and other computing infrastructure, enabling organizations to focus on building and running web applications and services. PaaS environments primarily support developers, operations, and DevOps teams. Here, management and configuration of self-service entitlements and privileges is key to controlling risk.

Software as a Service (SaaS)

Consists of applications hosted by a third party and usually delivered as software services accessed through a web browser on the client side. While SaaS eliminates the need to deploy and manage applications on end-user devices, potentially any employee can access web services and download content. Thus, proper visibility and access controls are required to monitor which SaaS applications are accessed, their usage, and their cost.

What are the Principal Cloud Computing Security Considerations?

Lack of Visibility & Shadow IT

Cloud computing makes it easy for anyone to subscribe to a SaaS application or even to spin up new instances and environments. Users should adhere to strong acceptable use policies for obtaining authorization for, and for subscribing to, new cloud services or creating new instances.

Lack of Control

Leasing a public cloud service means an organization does not have ownership of the hardware, applications, or software on which the cloud services run. Ensure that you understand the cloud vendor’s approach to these assets.

Transmitting & Receiving Data

Cloud applications often integrate and interface with other services, databases, and applications. This is typically achieved through an application programming interface (API). It’s vital to understand the applications and people who have access to API data and to encrypt any sensitive information.

Embedded/Default Credentials & Secrets

Cloud applications may contain embedded and/or default credentials. Default credentials pose an increased risk because attackers may be able to guess them. Organizations need to manage these credentials as they would other types of privileged credentials.
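The following is an added example, not code from the original article, of the kind of check that catches the embedded and default credentials described above before an application image ships. The configuration text is constructed for the example (all values are made up); the only real-world pattern it relies on is the documented shape of AWS access key IDs (AKIA followed by 16 upper-case letters or digits). Values written as `${NAME}` are treated as references resolved from a secret store at runtime, which is the practice the text's advice points toward.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration of the kind that gets baked into a cloud
# application image. Every value below is made up for this example.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
username = admin
password = admin

[storage]
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}

[cache]
password = ${CACHE_PASSWORD}
"""

# AWS access key IDs have the documented shape AKIA + 16 upper-case letters/digits.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Keys whose literal values are secrets; a ${NAME} reference means the value is
# injected from a secret store at runtime and is therefore not a finding.
SECRET_KEYS = {"password", "passwd", "secret", "token", "api_key", "aws_secret_access_key"}
ENV_REF = re.compile(r"^\$\{[A-Z0-9_]+\}$")
# Vendor-default style values that are guessable.
DEFAULT_VALUES = {"", "admin", "password", "changeme", "root", "default", "123456"}


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    kind: str  # "hardcoded_cloud_key", "default_password" or "literal_secret"


def parse_config(text):
    """Minimal INI parser: returns {section: {key: value}}, ignoring comments."""
    sections, current = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key.lower()] = value
    return sections


def scan_config(text):
    """Flag embedded cloud keys and default or literal secrets in a config file."""
    findings = []
    for section, entries in parse_config(text).items():
        for key, value in entries.items():
            if ENV_REF.match(value):
                continue  # resolved from a secret store at runtime: the desired state
            if AWS_KEY_ID.search(value):
                findings.append(Finding(section, key, "hardcoded_cloud_key"))
            elif key in SECRET_KEYS:
                # A password equal to the username or to a well-known default is
                # the guessable case the text warns about.
                is_default = (value.lower() in DEFAULT_VALUES
                              or value == entries.get("username"))
                kind = "default_password" if is_default else "literal_secret"
                findings.append(Finding(section, key, kind))
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"{f.section}.{f.key}: {f.kind}")
```

Run on the sample, the scanner reports the default database password and the hard-coded access key ID, while the two `${...}` references pass. Wiring a check like this into the build pipeline is what turns the text's "manage these credentials as privileged credentials" into something enforced rather than hoped for.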

Incompatibilities

IT tools architected for on-premises environments or one type of cloud are frequently incompatible with other cloud environments. Incompatibilities can translate into visibility and control gaps that expose organizations to risk from misconfigurations, vulnerabilities, data leaks, excessive privileged access, and compliance issues.

Multitenancy

Multitenancy is the backbone for many of the cloud benefits of shared resources (e.g., lower cost, flexibility, etc.), but it also introduces concerns about data isolation and data privacy.

Scalability Cuts Both Ways

Automation and rapid scalability are chief benefits of cloud computing, but the flip side is that vulnerabilities, misconfigurations, and other security issues (such as shared secrets: API keys, privileged credentials, SSH keys, etc.) can also proliferate at speed and scale. For example, cloud administrator consoles enable users to swiftly provision, configure, manage, and delete servers at massive scale. However, each of these virtual machines is born with its own set of privileges and privileged accounts, which need to be properly onboarded and managed. All of this can be further compounded in DevOps environments, which by nature are fast-moving, highly automated, and tend to treat security as an afterthought.

Malware & External Attackers

Attackers can make a living by exploiting cloud vulnerabilities. Rapid detection and a multi-layered security approach (firewalls, data encryption, vulnerability management, threat analytics, identity management, etc.) will help you reduce risk, while leaving you better poised to respond to and withstand an attack.

Insider Threats – Privileges

Insider-related threats (whether through negligence or malevolence) generally take the longest to detect and resolve, and have the potential to be the most harmful. A strong identity and access management framework, along with effective privilege management tools, is essential to eliminating these threats and reducing the damage (for example, by preventing lateral movement and privilege escalation) when they do occur.

9 Cloud Computing Security Best Practices

Strategy & Policy

A holistic cloud security program should account for ownership and accountability (internal/external) of cloud security risks, gaps in protection/compliance, and identify controls needed to mature security and reach the desired end state.

Network Segmentation

In multi-tenant environments, assess what segmentation is in place between your resources and those of other customers, as well as between your own instances. Leverage a zone approach to isolate instances, containers, applications, and full systems from each other when possible.

Identity and Access Management and Privileged Access Management

Use robust identity management and authentication processes to ensure that only authorized users have access to the cloud environment, applications, and data. Enforce least privilege to restrict privileged access and to harden cloud resources (for instance, expose resources to the Internet only as necessary, and deactivate unneeded capabilities, features, and access). Ensure privileges are role-based, and that privileged access is audited and recorded via session monitoring.
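Least privilege is easiest to enforce when it can be checked mechanically. The following is an added example, not code from the original article, of a small policy linter that flags the patterns that defeat least privilege in access policies: a wildcard action, a service-wide wildcard such as `s3:*`, a `NotAction` grant (everything except the listed actions), and a wildcard resource with no condition attached. The two policy documents are constructed for the example and follow the AWS IAM JSON policy format; the linter assumes that format and nothing else.

```python
import json

# Constructed policy documents in the AWS IAM JSON format. The resources and
# bucket names are made up for this example.
OVERLY_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})

LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        # A broad Deny is fine: it only ever removes access (here, non-TLS requests).
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return (statement_index, issue) pairs for Allow statements broader than least privilege."""
    policy = json.loads(document)
    issues = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            issues.append((i, "NotAction grants every action except the listed ones"))
        if "*" in actions:
            issues.append((i, "Action '*' grants full administrative access"))
        else:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                issues.append((i, f"service-wide wildcard action(s): {wild}"))
        if "*" in resources and "Condition" not in stmt:
            issues.append((i, "Resource '*' without a Condition"))
    return issues


def is_least_privilege(document):
    """True when no Allow statement in the document trips a rule."""
    return lint_policy(document) == []


if __name__ == "__main__":
    for index, issue in lint_policy(OVERLY_BROAD):
        print(f"statement {index}: {issue}")
```

A check like this belongs in the pipeline that creates or updates roles, so that a policy with an unconditioned `Resource: "*"` or a `service:*` action is rejected before it is attached. The rules here are deliberately conservative; a production linter would also look at which specific actions allow privilege escalation, which is beyond what this page covers.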

Discover and Onboard Cloud Instances and Assets

Once cloud instances, services, and assets are discovered and grouped, bring them under management (i.e. managing and cycling passwords, etc.). Discovery and onboarding should be automated as much as possible to eliminate shadow IT.
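Both this step and the earlier point that every newly provisioned virtual machine arrives with privileged accounts that must be onboarded come down to the same reconciliation: compare what discovery finds against what is actually under management. The following is an added example, not code from the original article, of that reconciliation. It assumes two inputs, a discovered-asset inventory and the record of accounts held in a privileged access management vault; both are constructed for the example, as are the instance IDs, owners and dates, and the 90-day rotation limit is a placeholder policy value.

```python
from datetime import date, timedelta

# Constructed inventories. In practice the first comes from the cloud provider's
# inventory API and the second from the privileged access management vault.
DISCOVERED = [
    {"id": "i-0a1", "owner": "payments-team", "created": date(2024, 1, 10)},
    {"id": "i-0b2", "owner": "", "created": date(2024, 3, 2)},   # no owner tag: shadow IT signal
    {"id": "i-0c3", "owner": "data-team", "created": date(2024, 3, 5)},
]
VAULT = {
    "i-0a1": {"account": "root", "last_rotated": date(2024, 2, 20)},
    "i-0c3": {"account": "root", "last_rotated": date(2023, 10, 1)},
    "i-0zz": {"account": "root", "last_rotated": date(2024, 1, 1)},  # instance no longer exists
}
MAX_ROTATION_AGE = timedelta(days=90)  # placeholder policy value
REPORT_DATE = date(2024, 3, 31)        # fixed "today" so the example is reproducible


def reconcile(discovered, vault, today, max_age=MAX_ROTATION_AGE):
    """Compare discovered instances with the vault and report what is not under management."""
    report = {"unmanaged": [], "untagged": [], "stale_rotation": [], "orphaned_vault_entries": []}
    seen = set()
    for inst in discovered:
        seen.add(inst["id"])
        if not inst["owner"]:
            # No accountable owner: the instance was created outside the authorisation process.
            report["untagged"].append(inst["id"])
        entry = vault.get(inst["id"])
        if entry is None:
            # Exists in the cloud but its privileged account was never onboarded.
            report["unmanaged"].append(inst["id"])
        elif today - entry["last_rotated"] > max_age:
            # Onboarded, but the credential has not been cycled within policy.
            report["stale_rotation"].append(inst["id"])
    # Vault entries for instances that no longer exist should be retired, not left as live secrets.
    report["orphaned_vault_entries"] = sorted(set(vault) - seen)
    return report


if __name__ == "__main__":
    for category, ids in reconcile(DISCOVERED, VAULT, REPORT_DATE).items():
        print(f"{category}: {ids}")
```

Each bucket maps to an action: unmanaged instances get onboarded (or terminated), untagged ones get an owner assigned through the acceptable-use process, stale credentials get rotated, and orphaned vault entries get removed. Running this on a schedule is what "automated as much as possible" looks like in practice.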

Password Control (Privileged and Non-Privileged Passwords)

Never allow the use of shared passwords. Combine passwords with other authentication systems for sensitive areas. Follow password management best practices.

Vulnerability Management

Regularly perform vulnerability scans and security audits, and patch known vulnerabilities.

Encryption

Ensure your cloud data is encrypted at rest and in transit.

Disaster Recovery

Be aware of the data backup, retention, and recovery policies and processes for your cloud vendor(s). Do they meet your internal standards? Do you have break-glass strategies and solutions in place?

Monitoring, Alerting, and Reporting

Implement continual security and user activity monitoring across all environments and instances. Try to integrate and centralize data from your cloud provider (if available) with data from in-house and other vendor solutions, so you have a holistic picture of what is happening in your environment.
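Centralized activity data is only useful if something is watching it. The following is an added example, not code from the original article, of a handful of detection rules run over audit events of the kind a cloud provider's console and API logging produces. The events are constructed for the example and shaped like AWS CloudTrail records (an assumption about field names; the users, times and addresses are made up). The rules cover root account use, console login without MFA, a burst of failed logins from one address, and any change that switches off the audit trail itself.

```python
import json
from collections import Counter

# Constructed audit events shaped like AWS CloudTrail records (assumption: the
# field names follow CloudTrail; the identities, times and addresses are made up).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2024-03-31T08:00:01Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-31T08:05:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-31T09:10:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.55",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-03-31T09:10:09Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.55",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-03-31T09:10:21Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.55",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-03-31T10:42:13Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "203.0.113.22"},
]]

# CloudTrail API calls that stop or alter the trail that feeds this very detection.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
FAILED_LOGIN_THRESHOLD = 3  # placeholder tuning value


def detect(event_lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Run the detection rules over JSON event lines; return (rule, eventTime, detail) alerts."""
    alerts = []
    failures = Counter()
    for line in event_lines:
        ev = json.loads(line)
        identity = ev.get("userIdentity", {})
        who = identity.get("userName") or identity.get("type", "unknown")
        name, when, ip = ev.get("eventName"), ev.get("eventTime"), ev.get("sourceIPAddress")
        # Rule 1: the root account should be dormant, so any use of it is an alert.
        if identity.get("type") == "Root":
            alerts.append(("root_activity", when, f"{name} from {ip}"))
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            # Rule 2: a successful interactive login that did not use MFA.
            if outcome == "Success" and mfa != "Yes":
                alerts.append(("console_login_without_mfa", when, f"{who} from {ip}"))
            # Rule 3: repeated failures from one address, the password-guessing signature.
            if outcome == "Failure":
                failures[ip] += 1
                if failures[ip] == threshold:
                    alerts.append(("failed_login_burst", when, f"{threshold} failures from {ip}"))
        # Rule 4: changes that switch off or alter the audit trail itself.
        if name in LOGGING_TAMPER_EVENTS:
            alerts.append(("audit_logging_tampered", when, f"{name} by {who}"))
    return alerts


def alert_counts(event_lines):
    """Summary of how many alerts each rule produced."""
    return Counter(rule for rule, _, _ in detect(event_lines))


if __name__ == "__main__":
    for rule, when, detail in detect(SAMPLE_EVENTS):
        print(f"{when} {rule}: {detail}")
```

On the sample, alice's MFA-protected login produces nothing, while the root login (which also lacks MFA), bob's third failed attempt from the same address, and carol's `StopLogging` call each raise an alert. The same rule structure extends to events from in-house systems and other vendors once they are normalised into the central store the text recommends.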