Risk Glossary
Cloud Security
What is cloud security?
Cloud security is a type of cybersecurity that covers all aspects of securing a cloud environment against both external and insider cybersecurity threats. Cloud security protects cloud computing systems, including cloud data, applications, and infrastructure.
Organizations are increasingly using cloud-based infrastructure for data storage and to host websites and other applications. These resources would need to be protected regardless of where they are located. However, the nature of the cloud creates unique security challenges and requirements for its users.
The cloud shared responsibility model
One of the most common misconceptions about cloud security is that it is the cloud services provider’s responsibility. While this is partially true, moving to the cloud does not mean giving up all responsibility for security.
In the cloud, an organization outsources management of some portion of its infrastructure stack to its cloud services provider. How much of this infrastructure management is outsourced depends on the cloud services model in use (SaaS, IaaS, PaaS, etc.).
A cloud services provider is responsible for securing the portion of the infrastructure under its direct control, but the customer has security responsibilities as well. Cloud services providers delineate this responsibility breakdown in shared responsibility models.
Moving to the cloud can certainly decrease an organization’s infrastructure and security responsibilities. However, companies are still partially responsible for security in the cloud.
The challenges of cloud security
Beyond a lack of understanding of their security responsibilities, organizations face a number of challenges when working to secure their cloud deployments.
Some of the most common security challenges that companies face in the cloud include:
- Limited Network Visibility: In the cloud, organizations outsource part of their security stack to their cloud services provider. While this has its advantages, it also limits the organization’s visibility into their cloud deployment because they lack control over the underlying infrastructure and the ability to deploy security solutions to monitor it.
- Expanded Attack Surface: Cloud adoption has accelerated greatly in recent years, and most organizations have adopted a multi-cloud deployment. This enables them to take advantage of the optimizations and specializations of different cloud vendors, but it also creates an IT infrastructure that sprawls over multiple different vendor-specific environments.
- Publicly Accessible Infrastructure: In traditional on-prem environments, all of an organization’s IT infrastructure is behind and protected by its perimeter defenses. Cloud deployments, on the other hand, are accessible directly from the public Internet, leaving them more exposed to cyber threats and degrading organization’s visibility into the traffic to and from them.
- Security Misconfigurations: Security misconfigurations are a major cause of data leaks in the cloud, and, according to Gartner, 99% of cloud data breaches through 2025 will be the customer’s fault. With a variety of different cloud environments and vendor-specific security tools, organizations commonly overlook or incorrectly configure security settings that leave them open to attack.
- Unofficial Clouds: Cloud environments are designed to be easy to deploy, meaning that employees within an organization can easily set up their own cloud storage. This is another way in which shadow IT creates data security risks. If corporate data is placed on these personal or unofficial clouds, the company lacks security visibility and control, and security settings are less likely to be configured correctly.
- Insider Risks: Insiders are some of the biggest risks to an organization’s cloud security. Whether intentionally or unintentionally, insiders can take actions that put an organization’s data and applications at risk, such as misconfiguring security settings or using insecure link-based sharing to collaborate on a sensitive document.
- Limited Data Visibility: Organizations can lack visibility into their cloud-based data for a number of different reasons. With cloud infrastructure spread over multiple different vendors’ platforms and the potential for unofficial cloud deployments containing sensitive corporate data, it is easy for an organization to lose track of where its data is. This lack of visibility makes this data much more at risk of leaking.
- Regulatory Compliance: Companies are subject to a wide range of data protection regulations, and the number is growing. When moving to the cloud, an organization’s responsibilities under these regulations do not go away. However, their lack of control over their infrastructure and increased security complexity can make it more difficult to meet these regulatory requirements.
What are the 5 areas of cloud security?
Securing cloud infrastructure can seem complex and overwhelming, especially in the face of the long list of cloud security challenges. Cloud security includes the entire ecosystem of people, processes, policies, and technology that protect data and applications that operate in the cloud.
The Security section of the AWS Well-Architected Framework outlines five main areas of focus for cloud security:
Identity and access management
Cloud deployments are accessible from the public Internet, making access management essential for security. A cloud deployment should be configured based on the principle of least privilege, which limits users to only the access and permissions required to do their jobs.
Detection
Before a security team can respond to a potential threat, it needs to know that it exists. An organization’s cloud deployment should include solutions that monitor applications and data for indications of anomalous and potentially malicious activity.
Incident response
No security is perfect, and security incidents can happen in any environment, including the cloud. This means that organizations must-have tools and processes in place to support incident response activities such as threat investigation and remediation.
Data protection
Data storage is a common application of cloud infrastructure. Organizations should use data security controls – like encryption – to protect the data stored in the cloud.
Infrastructure protection
Infrastructure protection is based on the principle of defense in depth. A cloud deployment should have solutions in place to help detect and block unauthorized use of and threats against the cloud environment.
The different categories of cloud security controls are the same as what would be required to protect a traditional, on-prem data center. However, the cloud is a very different environment from on-prem systems and requires solutions and security strategies that are specifically designed to meet its needs.
Is the cloud really secure?
Securing the cloud can be challenging for a number of different reasons. Cloud security incidents and data breaches are likely to grow increasingly common over the next few years, and, in most cases, they will be the cloud customer’s fault.
However, that isn’t to say that organizations shouldn’t trust or use cloud-based infrastructure.
The cloud provides a number of advantages, including increased scalability, flexibility, and support for secure online collaboration. While this collaboration can create additional insider risk, it can also provide significant security benefits if secured correctly.
Additionally, tools exist to help organizations design and deploy effective defenses for their cloud environments. By working to develop an effective cloud security strategy, an organization can take advantage of the benefits of the cloud without putting their data and applications at risk.
Forrester Study: Yesterday’s Solutions Won’t Solve Tomorrow’s Data Security Issues
After interviewing over 315 security decision-makers, Forrester discovered that security tools initially purchased for data compliance aren’t fulfilling current data security needs.
Read Report