Business and Enterprise
Protect your company from cybercriminals.Start Free Trial
Cloud computing security, also called cloud security, is an umbrella term referring to the technologies, processes and controls used to secure cloud infrastructures, services and applications, as well as data stored or processed in the cloud.
Before delving into the specifics of cloud security, we must first understand what cloud computing is.
In a traditional data environment, an organization owns and operates its own back-end hardware and other infrastructure, either on-site or in a data center (the latter is known as a “private cloud”). This means that the organization is responsible for configuring, maintaining and securing everything, including servers and other hardware.
In a cloud computing environment, an organization essentially “rents” cloud infrastructure from a cloud services provider. The cloud services provider owns and operates the data center, all of the servers and other hardware, and all of the underlying infrastructure, like undersea cables. This frees the organization from having to maintain and secure the cloud infrastructure and provides many other benefits, such as easy scalability and pay-as-you-go pricing models.
Not all cloud computing services are created equal. There are three primary types of cloud services, and modern organizations typically use all of them in combination:
Software-as-a-Service (SaaS) is the most common type of cloud service. Nearly everyone uses SaaS applications (apps), even if they don’t know it. A SaaS product delivered over the internet and accessed through a mobile app, a desktop app or a web browser. SaaS apps include everything from consumer-grade apps like Gmail and Netflix, to business solutions like Salesforce and the Google Workspace office suite.
Infrastructure-as-a-service (IaaS) is a cloud service aimed primarily at organizations, although some tech enthusiasts may purchase an IaaS service for personal use. The cloud services provider delivers infrastructure services, like servers, storage, networking and virtualization, while the customer handles the operating system and any data, applications, middleware and runtimes. When people talk about a “public cloud,” they’re usually referring to IaaS. Examples of public cloud providers include the big three in the industry: Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.
Platform-as-a-service (PaaS) solutions are aimed squarely at developers. The customer takes care of applications and data, and the cloud provider handles everything else, including the operating system, middleware and runtime. In other words, PaaS solutions give developers an out-of-the-box environment where they can build, deploy and manage apps without having to worry about updating the operating system or software. PaaS examples include AWS Elastic Beanstalk, Heroku and Google App Engine. Generally, PaaS is used in conjunction with IaaS. For example, a company may use AWS for hosting and AWS Elastic Beanstalk for developing applications.
Understanding what the cloud provider is responsible for and what the cloud customer is responsible for are key to understanding cloud security.
Cloud security is based upon what’s known as the shared responsibility model. In this model:
Think of this as similar to renting a self-storage unit. You are responsible for securing the belongings inside your unit, which means locking the unit’s door and keeping your key safe. The self-storage company is responsible for securing the entire complex through controls such as gated entrances, cameras, adequate lighting in common areas and security guards. The self-storage provider is responsible for security of the storage center, but you’re responsible for security in your unit.
Whether we’re talking about a SaaS app, an IaaS (public cloud) deployment, or a PaaS developer platform, cloud security is based heavily on identity and access management (IAM) and data loss prevention (DLP); in other words, preventing unauthorized parties from accessing your cloud service – and your data.
Expounding on our self-storage example, if you leave your storage unit key unattended, and someone steals it and uses it to access your unit, the storage provider’s security controls didn’t fail – yours did. Similarly, if you use a weak, easily-guessed password to secure your Gmail account or GCP admin console, and a threat actor compromises it, the security failure was on your part, not Google’s.
In addition to preventing unauthorized access and data theft, cloud security also seeks to prevent accidental data loss or corruption through human error or negligence, ensure data recovery if data loss does occur, and abide by user privacy laws such as HIPAA, which forbids unauthorized access to private health records. Cloud security is fundamental to security incident response, disaster recovery and business continuity planning.
Common cloud security measures include:
Here are some of the biggest challenges and risks associated with cloud security.
Make sure you fully understand the shared responsibility model and what your organization is and isn’t responsible for securing. This may sound obvious, but sorting out who’s responsible for what can be tricky, particularly in hybrid environments.
One of the benefits of cloud computing is that resources can be accessed anywhere and from any device. However, from a security perspective, that means there are more endpoints to secure. Endpoint security and mobile device management tools will enable you to enforce access policies and deploy access-verification solutions, firewalls, antivirus, disk encryption and other security tools. Other cloud computing best practices include: