Cloud security is an umbrella term for technology that protects cloud-based data, applications and infrastructure. Cloud security can encompass a variety of cybersecurity objectives, including identity and access controls; security policies and strategies; threat prevention, detection, and mitigation; network security; regulatory compliance; and user security.
How Does Cloud Security Work?
There is a burgeoning market of cloud-specific security tools. Cloud security tools take many forms, including the following categories:
These cloud security offerings can be purchased and run independently by an organization or bought as a security-as-a-service offering from a provider.
Who Is Responsible for Cloud Security?
Unlike on-premises applications, data, and infrastructure, which are the sole responsibility of the organization that houses and owns them, cloud-based workloads fall under a shared responsibility model.
Cloud security’s shared responsibility model splits security efforts between the cloud provider and the customer. Third-party cloud services providers are typically responsible for monitoring and responding to threats in their own infrastructure, platform, or applications, while customers are responsible for their own data, endpoints, applications, workloads, or operating systems.
- In the software-as-a-service model the vendor is responsible for application security, while the customer is responsible for endpoints, user and network security, configurations, workloads, and data.
- In the platform-as-a-service model, the vendor is responsible for platform security, including software and hardware, while the customer is responsible for the security of applications developed on the platform, endpoints, user and network security, and workload security.
- In the infrastructure-as-a-service model, the vendor secures all infrastructure components while the customer secures all applications installed on the infrastructure.
Why Is Achieving Security in the Cloud Challenging?
The operating model of using the cloud as a waystation and repository for applications, data, and infrastructure presents unique challenges compared to traditional models. In the cloud operating model, for example, an organization might need to entrust a cloud service provider (CSP) with the protection of sensitive data. That means having a high degree of confidence in the CSP’s security systems and policies.
A June 2021 report by IDC and cloud infrastructure security firm Ermetic found 98% of organizations experienced a cloud security breach in the past 18 months.
Multi-cloud environments, in which an organization uses different clouds for different business purposes, can add even more challenges. Organizations that use multiple clouds report more security incidents than those using a single platform, according to report from Sophos, a security vendor.
Factors that can compromise cloud security include the following:
- Cloud-based resources require a different management infrastructure, one that prizes central management and visibility above all else;
- Shared resources increase risk (the IDC/Ermetic study revealed that 83% of cloud breaches stem from access vulnerabilities); and
- Vulnerabilities can arise from misconfigurations and user error (a full two-thirds of cloud security incidents are due to misconfiguration, according to a Unit 42 report).
Other factors include weak cloud control plane, compliance and governance problems, and poor authentication controls.
Examples of Cloud Security Tools in Action
Because cloud security can be achieved in many ways, the vendor pool is large. Some of the most prominent are Palo Alto Networks, Fortinet, Check Point Software, CyberArk, Aqua Security, Trend Micro, Sophos, Zscaler, Netskope, McAfee, and Imperva.
Here are some examples of cloud security at work.
- A cloud-friendly approach for application and network security. For a machinery manufacturer that moved many of its workloads to the cloud, the traditional castle-and-moat approach to network and application security was no longer effective. The company struggled to provide its workforce and growing cadre of IoT devices with secure access to web and custom applications through traditional VPN products. The company decided to standardize on Zscaler technology. First, the company deployed Zscale Internet Access to connect globally distributed mobile users to its SaaS applications. The company then added Zscaler Private Access (ZPA) to give its mobile workforce and contractors access to apps running on-premises. More recently, the company began using ZPA for secure access to apps running on AWS and Azure in a zero-trust model.
- Continuity of digital business operations. A major insurance company with a large web presence wanted to prevent web application attacks, common to the industry because of the sensitive data that insurance firms handle. While the company already had a service for monitoring website traffic, the product didn’t have a granular level of visibility or the desired flexibility. The company implemented Imperva Cloud WAF, which provides real-time visibility into web activity, separates legitimate from malicious website traffic, and protect against application-layer attacks.
- Security for hybrid cloud model. An online broker used a hybrid cloud model in Microsoft Azure and AWS that demanded consistent and secure connectivity, along with resource-sharing availability. To meet these requirements, the company implemented a Fortinet Secure SD-WAN offering based on FortiGate. The offering integrated FortiGate with a Fortinet Secure SD-Branch product based on FortiSwitch and FortiAP at the branch offices to optimize wireless connectivity. As a result, the broker achieved improved security performance and threat blocking, along with secure and transparent connectivity from any location. The IT staff can now quickly integrate the multi-cloud environment of Azure and AWS from the Fortinet technology dashboard, centrally manage the entire network, and configure multiple security rules they couldn’t previously deploy.
- Visibility and threat protection for AWS. An IT services firm running on AWS needed a way to keep customer data safe. The firm was particularly concerned about spreading files that contained malware. While the company was achieving its goals by manually checking cloud configurations, the work became overwhelming, leading the company to look for an automated product for scanning data against data loss prevention policies. The company settled on Netskope for AWS, which provides automated control from a cloud-native platform that includes CASB, Secure Web Gateway, and zero-trust networking capabilities.
- Secure cloud-native applications. An online retailer with 500 developers on 100 teams moved to the cloud to adopt more agile processes for software development and use cloud-native technologies like microservices and containers. Decision-makers wanted to provide its developers, which build applications to improve buying experience, with a security platform that supports secure code in the cloud. The team implemented Aqua Security’s CSP, which allowed for the detection and remediation of security issues earlier in the software development lifecycle. Aqua Security is now heavily used within the retailer’s development pipeline, where the retailer uses its own purpose-built security application for data aggregation and to call for scans from the Aqua CSP.
There are many valid reasons for why cloud adoption is at an all-time high. It’s scalable, predictable, and flexible. Yet, storing data, running workloads, developing applications, and conducting commerce in a cloud-based environment opens organizations up to more cyberattacks, as well as misconfigurations and other errors that can make them vulnerable.
To determine how to bolster cloud security for a specific environment, consider performing an assessment to determine the types of cloud security tools that would address your challenges.