Cloud Security: Principles, Solutions, and Architectures
Cloud security is gaining importance at many organizations, as cloud computing becomes mainstream.
What is cloud security?
Most organizations now use cloud infrastructure or services, whether software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS), and each of these service models has its own, complex security considerations.
Cloud systems are shared, multi-tenant resources that are often reachable from the public Internet, and so are a prime target for attackers. In recent years, many high profile breaches were caused by misconfigured cloud systems, such as publicly readable storage buckets, over-permissive identities or exposed management ports, which gave attackers easy access to sensitive data or mission critical systems.
Securing cloud systems requires a different approach than securing on-premises systems. Newer tool categories, such as Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP), help organizations gain visibility over cloud environments, find security gaps, and remediate them automatically.
In this post you will learn:
- Why is Cloud Security Important?
- Core Principles of a Cloud Security Architecture
- Cloud Security Solutions Types
- How to Secure Cloud Native Applications
- Cloud Security Best Practices for Major Cloud Computing Platforms
- Cloud Security with Exabeam
How cloud security differs from traditional cybersecurity
The following table contrasts cloud security with traditional on-premises security.
| Cloud Security | On-Premises Security |
|---|---|
| The cloud service provider and the customer share security responsibility | The enterprise is responsible for security end to end |
| Relies on API-driven security tools | Uses individually managed security tools |
| Dynamic resources blur security boundaries; there is no clear perimeter | Static resources keep security boundaries at the network perimeter |
Why is Cloud Security Important?
According to the 2020 Cloud Security Report by Check Point:
- 52% of organizations believe there is a higher risk of security breaches in the public cloud than in traditional data centers.
- 59% said their cloud security budget would grow over the next year.
- 82% said traditional security tools provide limited or no functionality in a cloud environment.
According to the same report, the top four public cloud security threats were:
- Cloud platform misconfiguration (68%)
- Unauthorized access (58%)
- Insecure interfaces and APIs (52%)
- Privileged account hijacking (50%)
In light of these challenges and risks, cloud security can provide several important benefits:
- Cloud native capabilities—cloud security solutions are built to secure cloud native infrastructure, such as infrastructure as a service (IaaS) workloads, containers and serverless applications. These new types of resources are difficult to monitor using traditional security tools.
- Improved visibility—cloud security systems help organizations, first and foremost, understand what exactly is running in their cloud environment, understanding their attack surface, and learning where weaknesses and vulnerabilities lie.
- Centralized security—cloud security solutions provide central management of security for cloud resources, services, and endpoint devices across multiple clouds. This provides visibility over misconfigurations and security events across complex cloud infrastructure.
- Reduced overhead cost—cloud security solutions are commonly offered as a service, with fully managed infrastructure. This converts the traditional capital expense of security licenses and specialized hardware to an operating expense, and reduces overheads.
- Managed security services—many cloud security services not only provide security software, they also provide services like threat intelligence, setup of security rules, monitoring by human experts, and even managed response and remediation of security incidents.
Cloud Security Challenges: Security Concerns of Primary Types of Cloud Environments
There are three primary types of cloud environment: public, private and hybrid clouds. Each implies a different split of duties under the shared responsibility model, which defines who operates the underlying resources, how and where data moves, how connectivity is established, and which party is responsible for each security control.
Public cloud services are hosted by third parties such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. The providers supply efficient, cost-effective authentication and access control services, but their multi-tenant, Internet-facing nature means that a customer-side misconfiguration is often directly exploitable from anywhere.
Securing the environment also means taking on new security tooling. Some tools are free and others add cost, and all of them need staff who know how to operate them, or an expert hired to take on that responsibility; a misconfigured or misused security tool can itself lead to a breach.
Private clouds aren't necessarily safer than public clouds. Public cloud providers build security measures into the service ecosystem; in a private cloud, that entire burden falls on the in-house team.
Teams that don't patch and maintain the platform regularly leave known vulnerabilities exposed. The lack of transparency in some private cloud setups compounds this: software upgrades can introduce regressions or configuration drift that nobody notices until it is exploited. Private clouds are also just as exposed as any other environment to social engineering and stolen credentials.
Hybrid clouds combine public and private clouds in one environment, which gives companies more control over where data and workloads live. However, poor network design, inconsistent security controls between the two halves, and unclear ownership can turn hybrid clouds into easy targets.
Because a hybrid cloud integrates multiple environments in one structure, compliance, which is critical for security, becomes a complex task: every environment must meet the same standard. Data in transit between the environments is exposed to interception unless it is encrypted end to end. Hybrid clouds without encryption, with poor data redundancy, without a proper risk assessment, or with unmanaged data flows are wide open to attack.
Top cloud security risks
Cloud systems widen access to sensitive data while giving the organization less control over the underlying network. The following are the common risks facing cloud-based systems:
- Data breaches—many high profile data breaches have involved cloud infrastructure. Because cloud resources can be reachable from the open Internet, an insecurely configured resource exposes an organization to loss or theft of sensitive data.
- Contractual breaches—sometimes entities sign a contract specifying the terms for their joint use of data, including access authorization. One example is the transfer of data from local to cloud servers without authorization. Attacks can cause these organizations to violate their contracts and face financial losses or legal liability.
- Data loss—data in the cloud can still be lost through accidental deletion, ransomware, a compromised account, or a provider-side outage. Cloud platforms make the mitigation cheaper and easier than on-premises solutions, because backups and replicas can be kept in multiple regions and data centers for added disaster recovery resilience, but only if backups are actually configured and protected from the same credentials that can delete the primary data.
- Gaps in compliance—compliance standards help prevent data breaches by binding organizations into a set of security rules. Unfortunately, at many organizations there are significant gaps in compliance due to the complexity and lack of visibility of cloud environments.
- Hacked interfaces and insecure APIs—APIs and integration points are how cloud services are provisioned, operated and connected. An API with weak authentication, missing authorization checks, or leaked keys hands an attacker the same control it gives administrators.
- Malware infections—attackers use malware to hijack systems and accounts, delete data, and harvest credentials and banking details. Cloud services are also abused as staging and exfiltration channels, because traffic to a popular cloud service rarely looks suspicious.
- Identity management and weak authentication—cloud authentication requires managing identity consistently across many services. Weak or poorly executed identity management (shared accounts, no multi-factor authentication, stale credentials) gives attackers easy access to credentials and, through them, to sensitive systems.
- Insufficient due diligence and shared vulnerabilities—transitioning to the cloud without ensuring the cloud service provider security measures operate within the standard best practices or offer necessary security controls can lead to massive security breaches and shared vulnerabilities that leave all parties open to attack.
- Abuse and misuse—cheap, instantly provisioned infrastructure attracts attackers too: stolen or weakly protected accounts are used for cryptomining, phishing hosting or command-and-control, and the victim organization pays the bill. Pirated or unvetted software running in the environment brings its own vulnerabilities.
Core Principles of a Cloud Security Architecture
The architecture of a cloud security system should account for tools, policies and processes needed to safeguard cloud resources against security threats. Among its core principles, it should include:
- Security by design—cloud architecture should implement controls that a single misconfiguration cannot undo. For example, if a cloud storage container holds sensitive data, external access should be blocked at a level above the container itself (an account-wide or organization-wide policy), so that an administrator cannot simply open it to the public Internet.
- Visibility—many organizations use multi-cloud and hybrid-cloud deployments that traditional security solutions fail to protect. An effective strategy accounts for both the tools and the processes to maintain visibility throughout an organization’s complete cloud-based infrastructure.
- Unified management—security teams are often overworked and understaffed, and so cloud security solutions must provide unified management interfaces. Teams must be able to centrally manage a wide range of cloud security solutions from one pane of glass.
- Network security—under the shared responsibility model the organization is responsible for securing traffic flows to and from cloud resources, and between the public cloud and on-premises networks. Segmenting networks is also important to limit an attacker's ability to move laterally after gaining a foothold.
- Agility—the cloud fosters development and deployment of new solutions. Security should not inhibit this agility. Organizations can use cloud-native security solutions that integrate seamlessly into the agile development lifecycle.
- Automation—automation is critical to swift provisioning and updating of security controls in a cloud environment. It can also help identify and remediate misconfigurations and other security gaps in real time.
- Compliance—regulations and standards such as GDPR, CCPA, and PCI DSS protect both data and processes in the cloud. Organizations can leverage cloud provider compliance tooling, but will often need third-party solutions to manage compliance across multiple cloud providers.
Cloud Security Solutions Types
Here are several common technologies that help organizations secure their cloud deployments.
Cloud Workload Protection Platform (CWPP)
CWPP is a security solution that protects cloud workloads by providing visibility of resources across multiple clouds, ensuring they are appropriately deployed, and verifying that they have the necessary security controls.
CWPP can perform active security tasks such as hardening operating systems and applications, scanning for and remediating vulnerabilities, application allowlisting, and integrity checking.
Cloud Security Posture Management (CSPM)
CSPM reviews cloud environments and detects misconfigurations and risks pertaining to compliance standards. Its main goal is to automate security configuration and provide central control over configurations that have a security or compliance impact.
CSPM is usually delivered as a cloud service. It creates an inventory of cloud resources, enables setting and enforcing enterprise-wide policies, and can scan resources like compute instances, storage buckets, or databases for harmful configuration errors. It can also perform risk assessments against frameworks such as ISO, NIST, and the CIS Benchmarks.
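The following Python example, added here for illustration and not taken from any CSPM product, shows the kind of check such a tool runs against storage buckets, and why the "security by design" principle above matters: a bucket policy that grants access to the anonymous principal is only safe while an account-level Block Public Access setting neutralises it. It assumes the JSON shapes returned by the S3 GetBucketPolicy and GetPublicAccessBlock APIs; the sample policies and the `vpce-example` endpoint ID are constructed.

```python
"""Detect publicly accessible S3 buckets from their configuration.

Added illustrative CSPM-style check, not code from any vendor product. Input
shapes follow the JSON that the S3 GetBucketPolicy and GetPublicAccessBlock
APIs return; the sample data at the bottom is constructed.
"""
import json


def _as_list(value):
    """Policy JSON allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy):
    """Return Allow statements whose Principal is anonymous.

    Conditions such as aws:SourceVpce or aws:PrincipalOrgID narrow a "*"
    principal to a known population, so a conditioned statement is reported
    here but not treated as public by assess_bucket().
    """
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def public_access_blocked(pab_config):
    """True only when all four Block Public Access switches are on.

    Keys match the PublicAccessBlockConfiguration structure. A missing key is
    treated as False, which is how an unconfigured bucket behaves.
    """
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab_config.get(key) is True for key in required)


def assess_bucket(policy, pab_config):
    """One verdict per bucket: 'public', 'blocked' or 'private'.

    'blocked' means the policy would be public but Block Public Access is
    currently neutralising it: a latent risk to fix before someone turns
    the block off.
    """
    open_stmts = [s for s in public_statements(policy) if not s["conditioned"]]
    if public_access_blocked(pab_config):
        return "blocked" if open_stmts else "private"
    return "public" if open_stmts else "private"


# Constructed sample data (not captured from a real account).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcEndpointOnly", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}],
}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(assess_bucket(PUBLIC_READ_POLICY, {}))           # public
    print(assess_bucket(PUBLIC_READ_POLICY, ALL_BLOCKED))  # blocked
    print(assess_bucket(VPC_ONLY_POLICY, {}))              # private
```

In a real account the policy and public-access-block documents come from the S3 API for every bucket; the point of the 'blocked' verdict is that the public policy should still be removed, since the account-level switch is a backstop, not the control.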
Cloud Access Security Broker (CASB)
CASB can help detect and control SaaS applications in use by the organization. Common uses are to identify shadow IT (unauthorized use of cloud services), as well as sensitive data being transferred to and from cloud applications. Many organizations use multiple CASB solutions, each supporting the specific APIs or ecosystem of a specific SaaS solution.
CASB solutions combine several technologies to ensure that network traffic flowing to and from the cloud is in line with security policies: traditional firewalls; web application firewalls (WAF), which block threats at the application layer; authentication to prevent unauthorized access to content; and data loss prevention (DLP) to detect and prevent data exfiltration.
Extended Detection and Response (XDR)
Extended Detection and Response (XDR) is a holistic security platform that can protect cloud systems as well as on-premises networks, endpoints, and other systems. Its goal is to enable visibility, detection and response for threats regardless of where in the IT environment they appear. In the cloud, it integrates with endpoints such as compute instances and containers, and can gather data from cloud networks.
XDR complements other cloud security systems by identifying sophisticated or hidden threats, especially when these threats hide in the interfaces between systems. It combines data from disparate sources to create a complete attack story, so that events that seem benign in one system can be identified as part of a larger attack.
Cloud Data Security
Cloud data security software implements access controls and security policies for cloud-based storage services, across multiple cloud providers. It can protect data stored in the cloud, or transferred to or from cloud-based resources.
Among the key capabilities of cloud data security systems are central management of data encryption, governance and permissions for sensitive data, and data loss prevention (DLP) to detect anomalous activity that could result in loss or exfiltration of sensitive data.
Cloud Monitoring
Cloud monitoring solutions are an essential component of a cloud security strategy. Organizations need continuous monitoring of cloud-based resources, both for visibility (to know what is running and where) and to identify anomalies which might be security incidents. There are five main types of cloud monitoring:
- Database monitoring – tracking availability, utilization, performance, and access to cloud-based databases.
- Website monitoring – tracking users, traffic, performance, and availability of cloud-deployed websites and web applications.
- Virtual network monitoring – virtual networks are critical to cloud security, and must be monitored at the router, firewall, and load balancer level.
- Cloud storage monitoring – gaining visibility into how storage is used by applications, databases, services, and compute instances.
- Virtual machine monitoring – just like you would monitor servers deployed on-premises, it is important to monitor uptime, traffic, and access to compute instances in the cloud.
Cloud Compliance
Cloud compliance software helps organizations ensure they are meeting their compliance obligations in a cloud environment. It provides visibility over workloads running on public and private clouds, network traffic, and configurations, and reports which cloud services may be violating specific compliance requirements.
Cloud compliance systems resemble CWPP, but differ in focus: CWPP controls security in the cloud environment and enforces security controls, while cloud compliance solutions are passive tools that notify about violations, provide remediation instructions, and generate detailed reports and audit evidence.
Learn more about all these solution types in the detailed guide to cloud security solutions
How to Secure Cloud Native Applications
A cloud native application is software designed from the start to run on cloud infrastructure. There are many definitions of the term, and it is often used interchangeably with microservices architecture, although the two are not identical.
Cloud native applications are commonly built with the following characteristics:
- Resilient—cloud native applications are distributed and treat failures as a normal occurrence, handling them without downtime or disruption to service.
- Agile—cloud native applications are developed using automated continuous integration / continuous delivery (CI/CD) processes, and are made up of small, independent components, each of which can be rapidly developed and updated.
- Operable—cloud native applications are easy to test, deploy, and operate. They have advanced automation that manages system components at all stages of their lifecycle.
- Observable—cloud native applications easily expose information about application state, malfunctions and failures. Each component in the system is responsible for generating meaningful logs to provide insights into its operation.
Learn more in the detailed guide to cloud native applications
Below are several best practices you can use to secure cloud native applications.
Shift Security Left
Cloud native development is fast paced, and relies on automated deployment, whether using container images, infrastructure as code (IaC) templates, or cloud automation mechanisms. This makes it more important to start the security process from the onset of development.
Shifting security left in a cloud native environment involves:
- Scanning container images and cloud infrastructure on an ongoing basis
- Automatically testing for security issues in code long before it is deployed to production
- Automatically identifying misconfiguration and security malpractices, such as missing authentication or hard-coded secrets
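As an added example (not code from the original post), here is a minimal secret scanner of the kind a shift-left pipeline runs on every commit. It recognises a few public credential formats and falls back to an entropy test on assignments whose name suggests a secret; the 4.0 bits-per-character threshold, the placeholder heuristics and the Terraform snippet it scans are assumptions made for the example.

```python
"""Flag hard-coded secrets in source and IaC files before they reach a pipeline.

Added illustrative example, not a vendor scanner. The credential formats are the
public ones (AWS access key IDs, GitHub tokens, PEM private keys); the entropy
threshold, placeholder heuristics and the sample Terraform are assumptions.
"""
import math
import re
from collections import Counter

# Well-known credential formats: a fixed prefix plus a fixed-length body.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "name = value" or "name: value" where the name suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key|access[_-]?key)\w*"
    r"\s*[=:]\s*[\"']?([^\s\"']{8,})[\"']?"
)

# Assumption: machine-generated keys score well above 4 bits/char, while prose
# and most human-chosen passwords score below it. This rule therefore catches
# pasted API keys, not weak passwords; those need a password policy.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _is_placeholder(value):
    """Values that are references to a variable or vault, not the secret itself."""
    lowered = value.lower()
    return (value.startswith(("${", "{{", "var.", "data.", "local."))
            or "example" in lowered or lowered in {"changeme", "xxxxxxxx"})


def scan_text(text, path="<input>"):
    """Return findings as (path, line_no, rule, matched_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(path, line_no, rule, m.group(0))
                for rule, pattern in KNOWN_PATTERNS.items()
                for m in pattern.finditer(line)]
        if not hits:  # fall back to the generic rule only when no known format matched
            m = ASSIGNMENT.search(line)
            if (m and not _is_placeholder(m.group(1))
                    and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD):
                hits.append((path, line_no, "high_entropy_assignment", m.group(1)))
        findings.extend(hits)
    return findings


# Constructed sample: a Terraform provider block with credentials pasted in.
SAMPLE_TF = """\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAQ7N3K2PZX8V4M1LT"
  secret_key = "tZ9qP4vL2mX7cN1wR8sK3hG6bD5yF0aJ4eQ2uV9o"
}
variable "db_password" {}
resource "aws_db_instance" "db" {
  password = var.db_password
}
api_token: "${env.API_TOKEN}"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TF, "main.tf"):
        print(finding)
```

Run against the sample, the scanner reports the pasted access key ID on line 3, the high-entropy secret key on line 4 and the private key header on line 11, while the `var.db_password` and `${env.API_TOKEN}` references on lines 8 and 10 are correctly left alone. Wire it into the CI job as a blocking step, and treat any hit as a credential to rotate, not just a line to delete.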
Apply Perimeter Security at the Function and Container Level
Traditional security focused on the network perimeter. In a cloud native environment there is no single perimeter; workloads are spread across services, regions and providers, so organizations must instead create micro-perimeters around individual infrastructure units:
- In a serverless architecture—protecting each serverless function and paying attention to security of event streams
- In a containerized architecture—securing individual containers, pods, clusters, and the control plane nodes of the container orchestrator
- When using managed container platforms—you are responsible for securing worker nodes and what runs on them, while the cloud provider is responsible for securing the Kubernetes control plane
Minimal Roles and Privileges
Identity and access management (IAM) plays an important role in cloud security. Use IAM to define permissions on a granular basis for containers or serverless functions. Ensure each element has the least privileges it needs to perform its activities. Use zero trust principles to ensure that all communications, even between trusted entities, are authenticated and verified.
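The following added example (not from the original page, and not an AWS tool) lints an IAM identity policy for the grants that break least privilege: wildcard actions, service-wide wildcards, write access on every resource, and privilege-escalation actions such as iam:PassRole without a resource or condition. The escalation action list is a short illustrative subset, and the two policies are constructed using the AWS documentation example account ID.

```python
"""Lint an IAM identity policy for grants that break least privilege.

Added example, not an AWS tool. It flags the patterns a least-privilege review
looks for first. The escalation action list is a short illustrative subset, and
the sample policies are constructed (123456789012 is the documentation account ID).
"""
import fnmatch
import json

# Actions that let a principal grant itself more access when allowed on Resource "*".
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "sts:AssumeRole",
}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive globs, e.g. iam:* or s3:Get*."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _expanded_escalation(actions):
    """Escalation actions reachable through any action pattern in the statement."""
    return sorted(esc for esc in ESCALATION_ACTIONS
                  if any(_action_matches(p, esc) for p in actions))


def _is_read_only(action):
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.lower().startswith(("get", "list", "describe"))


def lint_policy(policy):
    """Return (statement id, severity, message) for each over-broad Allow."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        unconditional = not stmt.get("Condition")
        if "NotAction" in stmt:
            findings.append((sid, "HIGH", "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((sid, "HIGH", "Action '*' is full administrative access"))
        for a in actions:
            if a != "*" and a.endswith(":*"):
                findings.append((sid, "MEDIUM", f"{a} grants every action in that service"))
        esc = _expanded_escalation(actions)
        if esc and "*" in resources and unconditional:
            findings.append((sid, "HIGH",
                             "privilege-escalation actions on Resource '*': " + ", ".join(esc)))
        writes = [a for a in actions
                  if a != "*" and not a.endswith(":*") and not _is_read_only(a)]
        if writes and "*" in resources and unconditional:
            findings.append((sid, "MEDIUM",
                             "write actions on Resource '*': " + ", ".join(writes)))
    return findings


# Constructed sample policies: the broad one a team writes to "make it work",
# and the least-privilege rewrite that passes the lint.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "iam:PassRole"], "Resource": "*"},
    ],
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyInventory", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "DeployOneFunction", "Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders-api"},
        {"Sid": "PassOnlyTheLambdaRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/orders-api-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(OVERLY_BROAD):
        print(finding)
    print("least-privilege findings:", lint_policy(LEAST_PRIVILEGE))
```

The rewrite keeps read-only inventory actions on `Resource: "*"` (they need it) but pins the deployment action to one function ARN and restricts `iam:PassRole` to one role and one service, which is the shape a reviewer should expect for a CI deployment identity.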
Secure Open Source and Dependencies
Cloud native applications commonly include open source components, which may include a large number of dependent packages. It is important to scan these components and their dependencies for open source vulnerabilities. This must be automated, and integrated into deployment processes, so that every component deployed in the cloud native environment is verified to be free of security vulnerabilities.
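An added example of the dependency check itself, not a vendor scanner: it parses a pinned requirements file and matches each pin against advisory ranges. The two advisories are real and entered by hand with the ranges as published; the version comparison is a simplification of PEP 440 (no pre-release or local segments), and the requirements file is constructed.

```python
"""Check pinned Python dependencies against known-vulnerable version ranges.

Added example, not a product. The two advisories below are real, hand-entered
for illustration with the ranges as published; a real pipeline pulls the full
list from a maintained source (OSV, the GitHub Advisory Database, the PyPA
advisory database). The requirements file is constructed.
"""
import re

# (package, first affected version inclusive, fixed version exclusive, advisory)
ADVISORIES = [
    ("requests", "2.3.0", "2.31.0", "CVE-2023-32681"),  # Proxy-Authorization leak on redirect
    ("pyyaml", "5.1", "5.4", "CVE-2020-14343"),          # code execution via full_load()
]

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def _ver(text):
    """Numeric version tuple with trailing zeros removed, so 5.4.0 == 5.4.

    Assumption: a simplification of PEP 440 (no pre-release or local segments).
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def _norm(name):
    """Package names compare case-insensitively with '_' and '-' equivalent."""
    return name.lower().replace("_", "-")


def parse_requirements(text):
    """Return (name, version) pairs; version is None when the line is not pinned."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN.match(line)
        if m:
            result.append((_norm(m.group(1)), m.group(2)))
        else:
            result.append((_norm(re.split(r"[<>=!~\s\[;]", line, 1)[0]), None))
    return result


def check(requirements_text):
    """Return (name, version, message) for every unpinned or vulnerable pin."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        if version is None:
            findings.append((name, None, "unpinned: version cannot be verified"))
            continue
        for pkg, introduced, fixed, advisory in ADVISORIES:
            if pkg == name and _ver(introduced) <= _ver(version) < _ver(fixed):
                findings.append((name, version, f"{advisory}: upgrade to {fixed} or later"))
    return findings


# Constructed lock file for a small web service.
SAMPLE_REQUIREMENTS = """\
# pinned by pip freeze
requests==2.28.1
PyYAML==5.3.1
urllib3==2.2.1
flask>=2.0   # not pinned
"""

if __name__ == "__main__":
    for finding in check(SAMPLE_REQUIREMENTS):
        print(finding)
```

Unpinned lines are reported as findings in their own right: a range specifier means the build can silently pick up a different version tomorrow, which defeats the point of verifying what is deployed.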
Shared Responsibility for Security
Cloud native security takes a DevSecOps approach, with close cooperation between developers, operations, and security professionals:
- Developers should be educated in security practices and take responsibility for secure coding practices
- Operations and DevOps must take into account security practices at all stages of the software development lifecycle (SDLC)
- Security teams must understand development practices and provide relevant advice and guidance for improving security
Cloud Security Best Practices for Major Cloud Computing Platforms
Most organizations operating in the cloud run at least some services on the three major cloud providers—Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Each of these cloud providers provides a large ecosystem of infrastructure and services, which includes security tools and best practices.
Before we go into specific best practices for each cloud providers, here are general guidelines for improving security in a public cloud environment:
- Network segmentation—split networks into segments for improved performance and security. If segmentation is already in place you can assess the resources and leverage a zone approach to isolate systems and components.
- Identity and access management (IAM)—mitigates threats such as unauthorized access and account hijacking. A good IAM setup defines and enforces access policies, assigns permissions by role, and requires multi-factor authentication. Pair it with audit logging so that every access decision is recorded and can be reviewed.
- Training your staff—employees are responsible for individual use of company tech and need to understand security risks. Educate staff on strong passwords, identifying dangerous emails and shadow IT. Using unauthorized cloud services without permission can put the company and the employee at risk.
- Implementation of cloud security policies—establish guidelines that define the level of access of each user, the proper use of each service, which type of data can be stored in the cloud, and the security technologies used.
- Endpoint security—secures endpoints and monitors user activity in the cloud environment. You can create a strong defense with intrusion detection, firewalls, access control, and anti-malware.
- Data encryption—since data is vulnerable to attack in motion (during transit) and at rest (in storage), encryption provides an important layer of security.
- Audits and penetration testing—ensures your security infrastructure remains effective and helps identify points for improvement. Through audits and testing, you can analyze vendors’ capabilities and compliance with your SLA, and make sure that access logs show only authorized personnel.
- Cloud disaster recovery—protect data by setting up robust backup solutions. Make sure your cloud provider’s standards align with yours for data backup, retention, and recovery policies.
- Plan for compliance—ensure you have the expertise and tools to fully comply with relevant regulations and industry standards. Don’t take cloud vendor statements about standards compliance at face value; understand exactly what is required to become compliant in the cloud.
AWS Security Best Practices
Limit Security Groups
Security groups are stateful firewalls attached to AWS resources. Allow only the ports and source IP ranges that components genuinely need, and never leave management ports such as SSH (22) or RDP (3389) open to 0.0.0.0/0. AWS Config can continuously evaluate security group rules against rules you define and trigger automatic remediation, and AWS Firewall Manager can centrally enforce security group policies across accounts and apply AWS WAF rules to resources reachable from the public Internet.
Back Up Your Data
Backups are a security control as much as an operational one: they protect against data corruption, accidental deletion, and attacks such as ransomware. AWS Backup provides central control over backups across the main AWS data services, including Elastic File System (EFS), Elastic Block Store (EBS), DynamoDB, and Amazon Relational Database Service (RDS), and exposes the same functions through the API and CLI. Keep backup copies in a separate account or vault with its own access policy, so that the credentials that can delete production data cannot also delete the backups.
Centralize Logs with CloudTrail
Amazon CloudTrail records API calls made across AWS services, including who made them and from where. Deliver CloudTrail logs to an S3 bucket alongside logs from load balancers, other monitoring services, and your own cloud native applications, and protect that bucket from modification by the accounts it monitors. A central log archive lets you analyze and correlate activity across all AWS systems, and a security information and event management (SIEM) system can generate security alerts from the data.
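Detection logic of the kind a SIEM applies to that archive, as an added example that is neither Exabeam's nor AWS's code. It implements four rules over CloudTrail records: console sign-in without MFA, any root account activity, CloudTrail being switched off or reconfigured, and a security group ingress rule opened to the whole Internet. Field names follow the CloudTrail record format; the five records are constructed, with addresses from the documentation ranges.

```python
"""Turn CloudTrail records into security alerts, as a SIEM rule set would.

Added example; not Exabeam's or AWS's code. Field names follow the CloudTrail
record format. The records below are constructed, not captured from a trail.
"""
import json

LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def console_login_without_mfa(rec):
    """Successful console sign-in where MFA was not used."""
    if rec.get("eventName") != "ConsoleLogin":
        return None
    if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if rec.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return "console login without MFA"


def root_account_activity(rec):
    """Any call by the account root user; root should not be used day to day."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root account activity: " + rec.get("eventName", "?")
    return None


def logging_tampered(rec):
    """Defence evasion: the audit trail being turned off or narrowed."""
    if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in LOGGING_TAMPER_EVENTS):
        return "CloudTrail configuration changed: " + rec["eventName"]
    return None


def security_group_opened_to_world(rec):
    """Ingress rule added with a 0.0.0.0/0 or ::/0 source."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                return (f"security group {params.get('groupId')} opened to {cidr} on "
                        f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}")
    return None


RULES = [console_login_without_mfa, root_account_activity,
         logging_tampered, security_group_opened_to_world]


def detect(records):
    """Run every rule over every record; one alert per (record, rule) hit."""
    alerts = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        for rule in RULES:
            msg = rule(rec)
            if msg:
                alerts.append({"time": rec.get("eventTime"),
                               "actor": identity.get("userName") or identity.get("type"),
                               "source_ip": rec.get("sourceIPAddress"),
                               "alert": msg})
    return alerts


def detect_from_trail_json(text):
    """CloudTrail delivers files as {"Records": [...]}; parse and run detection."""
    return detect(json.loads(text).get("Records", []))


# Constructed sample records, trimmed to the fields the rules use.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T08:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The first four records tell one story when correlated by actor and source address: a login without MFA, followed by a security group opened to the world and the trail being stopped, all from the same IP within minutes. That correlation, rather than any single rule, is what distinguishes a SIEM or XDR from a log search.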
Azure Security Best Practices
Encrypt Your Data
There are numerous ways to encrypt data in Azure:
- Azure Disk Encryption, with encryption keys stored in Azure Key Vault (AKV), or in your own key repository
- Encryption at Rest, enabled by default for all Azure storage services, using FIPS 140-2 compliant 256-bit AES encryption
- Encryption in Transit, with built in data link encryption in and between Azure data centers, and TLS encryption for all communications
Limit Data Access
Follow these best practices to limit access to sensitive data and resources:
- Never expose Secure Shell (SSH), Remote Desktop Protocol (RDP), or similar management services to the Internet in your network security group (NSG) rules. Where administrative access is genuinely needed, restrict it to known source addresses or reach hosts through a bastion service such as Azure Bastion.
- Close all ports that are not actively used by your services or applications.
- Share data or files securely using Azure Information Protection service, which lets you set a security priority for files, mark them as sensitive, and protect them with relevant permissions.
- Use Azure Rights Management (RMS) to define encryption and authorization policies that remain attached to files wherever they are stored, ensuring only authorized users can view them.
Manage Identity and Access
Azure provides state-of-the-art identity management that supports zero trust practices. The primary identity service is Azure Active Directory (Azure AD), now called Microsoft Entra ID. A few key access control best practices are:
- Use identity as the primary security perimeter
- Centrally manage identity management
- Enable single sign-on (SSO)
- Turn on conditional access to all cloud resources
- Enable automated password management
- Enforce ongoing multi-factor verification
- Use role-based access control (RBAC)
- Isolate privileged accounts to lower their exposure
- Use Azure AD to authenticate any access to storage
Google Cloud Security Best Practices
Use the Resource Hierarchy
GCP offers a flexible resource hierarchy that lets you structure cloud resources and apply permissions in a granular way; IAM policies set on an organization or folder are inherited by everything beneath it. Create a hierarchy of Organization, Folders, Projects and Resources that mirrors your organizational structure, or, failing that, the structure of your development projects or cloud-based applications.
Managing Firewalls and Unrestricted Traffic
Use VPC firewall rules to control traffic to VPC networks, virtual machines, and other Google Cloud resources. Avoid broad source or destination ranges, for both ingress and egress. Firewall rules can be targeted at instances by network tag or by the service account the instance runs as, which lets you define traffic flows logically: for example, allow a front-end service to reach only VMs running under a specific database service account. Rules with no target apply to every instance in the network, so review those first.
Retain Admin Activity Logs
Google Cloud retains Admin Activity audit logs for 400 days; they record configuration changes across services and resources in the environment. Route them through a log sink to Cloud Storage or BigQuery if you need longer retention, a tamper-resistant copy outside the project, or a feed into your SIEM.
What is a Certified Cloud Security Professional (CCSP)?
CCSP is a certification created to standardize the knowledge and skills needed to secure cloud environments. It was developed by (ISC)² together with the Cloud Security Alliance (CSA), two non-profit organizations dedicated to information and cloud security.
CCSP is designed to help professionals supplement and modify traditional security approaches to better ensure cloud protection. It does this by helping organizations train security professionals and recognize the level of competence in their current teams. This ensures that professionals understand how to secure the cloud and what tools are most effective.
Any professional in the information security or IT fields can gain a CCSP certification. Those who most commonly seek one include:
- Systems and security engineers
- Enterprise, system, or security architects
- Security administrators or managers
Why do you need a CCSP certification?
There are many professional and organizational benefits that can come with getting CCSP certified. The most common benefits include:
- Career advancement
- Validation of your skills and knowledge in cloud computing and security best practices and requirements
- Maintaining the certification ensures that you stay up to date on cloud security best practices and technologies
- Access to a community of equally or more highly-skilled security professionals
How to become a CCSP
To gain CCSP certification, you need to study for and pass the examination offered by (ISC)². It is one of several certifications the organization offers and the only one focused solely on cloud security.
To obtain your CCSP certification, you need at least five years of paid experience, including three years in information security and one year in one or more of six CCSP areas:
- Architecture and design concepts
- Data security
- Platform and infrastructure security
- Application security
- Security operations
- Legal, risk and compliance
Cloud Security with Exabeam
The Exabeam Security Management Platform (SMP) offers a comprehensive solution for protecting your digital resources in the cloud and on-premises.
Exabeam Cloud Connectors allow you to reliably collect logs from over 30 cloud services into Exabeam Data Lake, Exabeam Advanced Analytics or any other SIEM. Connectors are updated automatically when a service's API changes, so you don't need coding skills or costly professional services engagements to ensure the right data is being collected.
Exabeam provides the connectivity necessary to monitor all your cloud services, including:
- Cloud services—such as Salesforce, Office 365, and Box. Exabeam monitors your cloud services at scale, providing unlimited logging for the ingestion and modeling cloud data. The pricing model is flat and user-based, ensuring visibility within your budget.
- Cloud infrastructure providers—such as AWS, Azure, and Google Cloud. Exabeam scans for anomalous activity throughout your cloud infrastructure through intelligent and automated detection.
The Exabeam SMP platform organizes the data in a user-friendly and visually appealing interface. The cloud security modules of the Exabeam platform take a data-driven approach that enables enhanced controls for visibility, monitoring, and security in the cloud:
- Smart collection of data logs—made possible by Exabeam Data Lake.
- Analysis-based threat detection—made possible by:
- Automated incident response—made possible by the Exabeam Incident Responder.
See Additional Guides on Key Cloud Security Topics
Exabeam, together with several partner websites, has authored a large repository of content that can help you learn about many aspects of cloud security. Check out the articles below for objective, concise reviews of key cloud security topics.
Cloud Security Solutions
Authored by NetApp
Learn about the main types of technology solutions especially designed to secure cloud workloads, including CASB, CSPM, and CWPP.
Cloud Monitoring
Authored by NetApp
Learn how to monitor cloud-based VMs, databases, web applications, storage, and virtual networks to prevent security incidents and production issues.
Cloud Native Applications
Authored by Aqua Security
Learn about cloud native applications, a new paradigm in application development and deployment, and the new security challenges raised by the cloud native model.
Containerized Architecture
Authored by Aqua Security
Learn about containerized architecture, a foundational technology for modern DevOps teams used to deploy environments rapidly and consistently, and the security concerns it raises.
Container Platforms
Authored by Aqua Security
Learn about managed container platforms like Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS), how they work and their security best practices.
Serverless Architecture
Authored by Aqua Security
Discover serverless architecture, a new paradigm for deploying application code without managing the underlying server infrastructure, and the security concerns it raises.