What is Cloud Security?

Cloud computing categories

Cloud security differs based on the category of cloud computing being used. There are four main categories of cloud computing:

• Public cloud services, operated by a public cloud provider — These include software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS).
• Private cloud services, operated by a public cloud provider — These services provide a computing environment dedicated to one customer, operated by a third party.
• Private cloud services, operated by internal staff — These services are an evolution of the traditional data center, where internal staff operates a virtual environment they control.
• Hybrid cloud services — Private and public cloud computing configurations can be combined, hosting workloads and data based on optimizing factors such as cost, security, operations and access. Operation will involve internal staff, and optionally the public cloud provider.

When using a cloud computing service provided by a public cloud provider, data and applications are hosted with a third party, which marks a fundamental difference between cloud computing and traditional IT, where most data was held within a self-controlled network. Understanding your security responsibility is the first step to building a cloud security strategy.

Segmentation of cloud security responsibilities

Most cloud providers attempt to create a secure cloud for customers. Their business model hinges on preventing breaches and maintaining public and customer trust. Cloud providers can attempt to avoid cloud security issues with the service they provide, but can’t control how customers use the service, what data they add to it, and who has access. Customers can weaken cybersecurity in cloud with their configuration, sensitive data, and access policies. In each public cloud service type, the cloud provider and cloud customer share different levels of responsibility for security. By service type, these are:

• Software-as-a-service (SaaS) — Customers are responsible for securing their data and user access.
• Platform-as-a-service (PaaS) — Customers are responsible for securing their data, user access, and applications.
• Infrastructure-as-a-service (IaaS) — Customers are responsible for securing their data, user access, applications, operating systems, and virtual network traffic.

Within all types of public cloud services, customers are responsible for securing their data and controlling who can access that data. Data security in cloud computing is fundamental to successfully adopting and gaining the benefits of the cloud. Organizations considering popular SaaS offerings like Microsoft Office 365 or Salesforce need to plan for how they will fulfill their shared responsibility to protect data in the cloud. Those considering IaaS offerings like Amazon Web Services (AWS) or Microsoft Azure need a more comprehensive plan that starts with data, but also covers cloud app security, operating systems, and virtual network traffic—each of which can also introduce potential for data security issues.

Cloud security challenges

Since data in the public cloud is being stored by a third party and accessed over the internet, several challenges arise in the ability to maintain a secure cloud. These are:

• Visibility into cloud data — In many cases, cloud services are accessed outside of the corporate network and from devices not managed by IT. This means that the IT team needs the ability to see into the cloud service itself to have full visibility over data, as opposed to traditional means of monitoring network traffic.
• Control over cloud data — In a third-party cloud service provider’s environment, IT teams have less access to data than when they controlled servers and applications on their own premises. Cloud customers are given limited control by default, and access to underlying physical infrastructure is unavailable.
• Access to cloud data and applications —Users may access cloud applications and data over the internet, making access controls based on the traditional data center network perimeter no longer effective. User access can be from any location or device, including bring-your-own-device (BYOD) technology. In addition, privileged access by cloud provider personnel could bypass your own security controls.
• Compliance — Use of cloud computing services adds another dimension to regulatory and internal compliance. Your cloud environment may need to adhere to regulatory requirements such as HIPAA, PCI and Sarbanes-Oxley, as well as requirements from internal teams, partners and customers. Cloud provider infrastructure, as well as interfaces between in-house systems and the cloud are also included in compliance and risk management processes.
• Cloud–native breaches – Data breaches in the cloud are unlike on-premises breaches, in that data theft often occurs using native functions of the cloud. A Cloud-native breach is a series of actions by an adversarial actor in which they “land” their attack by exploiting errors or vulnerabilities in a cloud deployment without using malware, “expand” their access through weakly configured or protected interfaces to locate valuable data, and “exfiltrate” that data to their own storage location.
• Misconfiguration – Cloud-native breaches often fall to a cloud customer’s responsibility for security, which includes the configuration of the cloud service. Research shows that just 26% of companies can currently audit their IaaS environments for configuration errors. Misconfiguration of IaaS often acts as the front door to a Cloud-native breach, allowing the attacker to successfully land and then move on to expand and exfiltrate data. Research also shows 99% of misconfigurations go unnoticed in IaaS by cloud customers. Here’s an excerpt from this study showing this level of misconfiguration disconnect:

• Disaster recovery – Cybersecurity planning is needed to protect the effects of significant negative breaches. A disaster recovery plan includes policies, procedures, and tools designed to enable the recovery of data and allow an organization to continue operations and business.
• Insider threats – A rogue employee is capable of using cloud services to expose an organization to a cybersecurity breach. A recent McAfee Cloud Adoption and Risk Report revealed irregular activity indicative of insider threat in 85% of organizations.

Cloud security solutions

Organizations seeking cloud security solutions should consider the following criteria to solve the primary cloud security challenges of visibility and control over cloud data.

• Visibility into cloud data — A complete view of cloud data requires direct access to the cloud service. Cloud security solutions accomplish this through an application programming interface (API) connection to the cloud service. With an API connection it is possible to view:
  • What data is stored in the cloud.
  • Who is using cloud data?
  • The roles of users with access to cloud data.
  • Who cloud users are sharing data with.
  • Where cloud data is located.
  • Where cloud data is being accessed and downloaded from, including from which device.
• Control over cloud data — Once you have visibility into cloud data, apply the controls that best suit your organization. These controls include:
  • Data classification — Classify data on multiple levels, such as sensitive, regulated, or public, as it is created in the cloud. Once classified, data can be stopped from entering or leaving the cloud service.
  • Data Loss Prevention (DLP) — Implement a cloud DLP solution to protect data from unauthorized access and automatically disable access and transport of data when suspicious activity is detected.
  • Collaboration controls — Manage controls within the cloud service, such as downgrading file and folder permissions for specified users to editor or viewer, removing permissions, and revoking shared links.
  • Encryption — Cloud data encryption can be used to prevent unauthorized access to data, even if that data is exfiltrated or stolen.
• Access to cloud data and applications— As with in-house security, access control is a vital component of cloud security. Typical controls include:
  • User access control — Implement system and application access controls that ensure only authorized users access cloud data and applications.  A Cloud Access Security Broker (CASB) can be used to enforce access controls
  • Device access control — Block access when a personal, unauthorized device tries to access cloud data.
  • Malicious behavior identification — Detect compromised accounts and insider threats with user behavior analytics (UBA) so that malicious data exfiltration does not occur.
  • Malware prevention — Prevent malware from entering cloud services using techniques such as file-scanning, application whitelisting, machine learning-based malware detection, and network traffic analysis.
  • Privileged access — Identify all possible forms of access that privileged accounts may have to your data and applications, and put in place controls to mitigate exposure.
• Compliance — Existing compliance requirements and practices should be augmented to include data and applications residing in the cloud.
  • Risk assessment — Review and update risk assessments to include cloud services. Identify and address risk factors introduced by cloud environments and providers. Risk databases for cloud providers are available to expedite the assessment process.
  • Compliance Assessments — Review and update compliance assessments for PCI, HIPAA, Sarbanes-Oxley and other application regulatory requirements.