What is Cloud Computing Security?

Cloud computing security, also called cloud security, is an umbrella term referring to the technologies, processes and controls used to secure cloud infrastructures, services and applications, as well as data stored or processed in the cloud.

What is Cloud Computing?

Before delving into the specifics of cloud security, we must first understand what cloud computing is.

In a traditional data environment, an organization owns and operates its own back-end hardware and other infrastructure, either on-site or in a data center (the latter is known as a “private cloud”). This means that the organization is responsible for configuring, maintaining and securing everything, including servers and other hardware.

In a cloud computing environment, an organization essentially “rents” cloud infrastructure from a cloud services provider. The cloud services provider owns and operates the data center, all of the servers and other hardware, and all of the underlying infrastructure, like undersea cables. This frees the organization from having to maintain and secure the cloud infrastructure and provides many other benefits, such as easy scalability and pay-as-you-go pricing models.

Not all cloud computing services are created equal. There are three primary types of cloud services, and modern organizations typically use all of them in combination:

Software-as-a-Service (SaaS) is the most common type of cloud service. Nearly everyone uses SaaS applications (apps), even if they don’t know it. A SaaS product is delivered over the internet and accessed through a mobile app, a desktop app or a web browser. SaaS apps include everything from consumer-grade apps like Gmail and Netflix, to business solutions like Salesforce and the Google Workspace office suite.

Infrastructure-as-a-service (IaaS) is a cloud service aimed primarily at organizations, although some tech enthusiasts may purchase an IaaS service for personal use. The cloud services provider delivers infrastructure services, like servers, storage, networking and virtualization, while the customer handles the operating system and any data, applications, middleware and runtimes. When people talk about a “public cloud,” they’re usually referring to IaaS. Examples of public cloud providers include the big three in the industry: Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.

Platform-as-a-service (PaaS) solutions are aimed squarely at developers. The customer takes care of applications and data, and the cloud provider handles everything else, including the operating system, middleware and runtime. In other words, PaaS solutions give developers an out-of-the-box environment where they can build, deploy and manage apps without having to worry about updating the operating system or software. PaaS examples include AWS Elastic Beanstalk, Heroku and Google App Engine. Generally, PaaS is used in conjunction with IaaS. For example, a company may use AWS for hosting and AWS Elastic Beanstalk for developing applications.

Understanding what the cloud provider is responsible for and what the cloud customer is responsible for is key to understanding cloud security.

What is Cloud Security?

Cloud security is based upon what’s known as the shared responsibility model. In this model:

  • The cloud provider is responsible for security of the cloud, meaning their physical data center, other assets like undersea cables and logical cloud infrastructure.
  • Your organization is responsible for security in the cloud, meaning the applications, systems and data that you place in the cloud.

Think of this as similar to renting a self-storage unit. You are responsible for securing the belongings inside your unit, which means locking the unit’s door and keeping your key safe. The self-storage company is responsible for securing the entire complex through controls such as gated entrances, cameras, adequate lighting in common areas and security guards. The self-storage provider is responsible for security of the storage center, but you’re responsible for security in your unit.

How Does Cloud Security Work?

Whether we’re talking about a SaaS app, an IaaS (public cloud) deployment, or a PaaS developer platform, cloud security is based heavily on identity and access management (IAM) and data loss prevention (DLP); in other words, preventing unauthorized parties from accessing your cloud service – and your data.

Expounding on our self-storage example, if you leave your storage unit key unattended, and someone steals it and uses it to access your unit, the storage provider’s security controls didn’t fail – yours did. Similarly, if you use a weak, easily-guessed password to secure your Gmail account or GCP admin console, and a threat actor compromises it, the security failure was on your part, not Google’s.

In addition to preventing unauthorized access and data theft, cloud security also seeks to prevent accidental data loss or corruption through human error or negligence, ensure data recovery if data loss does occur, and abide by user privacy laws such as HIPAA, which forbids unauthorized access to private health records. Cloud security is fundamental to security incident response, disaster recovery and business continuity planning.

Common cloud security measures include:

  • IAM controls such as Role-Based Access Control (RBAC) and least-privilege access, which means that employees have access only to the applications and data they need to do their jobs, and no more
  • DLP tools that identify sensitive data, classify it, monitor its usage, and prevent data misuse, such as stopping end users from sharing sensitive information outside of corporate business networks
  • Encryption of data both in transit and at rest
  • Secure system configuration and maintenance

Are There Risks to Cloud Security?

Here are some of the biggest challenges and risks associated with cloud security.

  • The cloud creates a greatly expanded attack surface with no network perimeter. One of the biggest mistakes organizations make when migrating to the cloud is thinking they can simply transfer all of their current security tools and policies. While many aspects of cloud security mirror their on-premises counterparts, securing a cloud environment is quite different from securing on-prem hardware, as the cloud has no defined network perimeter.
  • There can be a lack of visibility in the cloud, especially in today’s highly complex data environments. Rare is the organization that uses only one public cloud. Most organizations use at least two public clouds (called a multi-cloud environment) or combine public clouds with on-premise infrastructure (known as a hybrid cloud environment). Unfortunately, each cloud environment comes with its own native monitoring tools, which makes it difficult for IT admins and DevOps personnel to get the big picture of what’s going on throughout the data environment.
  • Workload sprawl is another visibility issue, even for organizations that use only one public cloud. Virtual Machines (VMs) and containers are easy to spin up, which means they can proliferate very quickly. In addition to compromising security, unused VMs and containers pad your cloud services bill.
  • Shadow IT, meaning employees using apps that haven’t been vetted by security personnel, is another cloud concern.
  • Companies can face compatibility issues with legacy systems and software, especially legacy Line-of-Business (LOB) apps that can’t realistically be replaced or refactored for the cloud.
  • Cloud misconfigurations also cause problems, such as inadvertently setting a cloud folder to be publicly visible when it contains sensitive data.

Cloud Computing Security Best Practices

Make sure you fully understand the shared responsibility model and what your organization is and isn’t responsible for securing. This may sound obvious, but sorting out who’s responsible for what can be tricky, particularly in hybrid environments.

One of the benefits of cloud computing is that resources can be accessed anywhere and from any device. However, from a security perspective, that means there are more endpoints to secure. Endpoint security and mobile device management tools will enable you to enforce access policies and deploy access-verification solutions, firewalls, antivirus, disk encryption and other security tools. Other cloud computing best practices include:

  • Encrypting all data that you store or process in the cloud, both in transit and at rest.
  • Scanning your environment for vulnerabilities, and patching any findings as soon as possible.
  • Performing regular data backups in case of a ransomware attack or a disaster.
  • Logging and monitoring all user and network activity throughout your data environment.
  • Configuring your cloud settings very carefully. A good rule of thumb is that you rarely want to leave default settings as-is. Make the most of your cloud provider’s security settings and tools, and keep up with new tools and enhancements.
  • Implementing a zero-trust security policy, complete with network segmentation and strong identity and access management (IAM) tools and controls, including role-based access, least-privileged access, strong passwords, device approval and multi-factor authentication (MFA).
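The misconfiguration risk described earlier (a storage location inadvertently left publicly visible) and the least-privilege and careful-configuration practices listed above can both be checked mechanically. The following Python script is an added example, not code from the original article or from any cloud provider: it scans AWS-style resource policy documents and flags statements that grant access to a public principal or that use wildcard actions. The four policies it scans are constructed for this example (the account ID is the 123456789012 placeholder used in AWS documentation, the bucket and role names are made up), so it runs offline without any cloud credentials.

```python
"""Flag public principals and wildcard actions in AWS-style policy documents.

Two common cloud misconfigurations are caught here:
  1. a statement whose Principal is "*" (or {"AWS": "*"}), i.e. anyone on the internet;
  2. a statement whose Action is "*" or "<service>:*", i.e. far more than least privilege.
All sample policies below are constructed for this example; none come from a real account.
"""

# Constructed sample policies (placeholder account ID 123456789012, made-up names).
SAMPLE_POLICIES = {
    "public-read": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
        }],
    },
    "vpc-restricted": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
            # A Condition narrows the "*" principal; flag for human review rather than as public.
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}},
        }],
    },
    "admin-role": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AdminRole", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-role"},
            "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
        }],
    },
    "least-privilege": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOnly", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-role"},
            "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
        }],
    },
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True when the statement grants access to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def scan_policy(policy):
    """Return a list of findings for one policy document; empty list means clean."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"statement[{idx}]")
        if principal_is_public(stmt.get("Principal")):
            # A Condition may restrict the public principal (e.g. to one VPC endpoint),
            # so it is downgraded to "review" instead of an outright "high".
            severity = "review" if "Condition" in stmt else "high"
            findings.append({"sid": sid, "issue": "public-principal", "severity": severity})
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append({"sid": sid, "issue": f"wildcard-action:{action}", "severity": "medium"})
    return findings


def scan_all(policies):
    """Scan a name -> policy mapping and return only the policies with findings."""
    return {name: result for name, policy in policies.items() if (result := scan_policy(policy))}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_POLICIES).items():
        for f in findings:
            print(f"{name}: [{f['severity']}] {f['sid']}: {f['issue']}")
```

In practice the policies would be pulled from the provider's API or from infrastructure-as-code files and the scan run in CI so that a public principal or a wildcard action is caught before deployment. The "review" severity is deliberate: a conditioned "*" principal is sometimes legitimate, and a scanner that cries wolf gets ignored.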