Cloud security architecture is a strategy designed to secure and view an enterprise’s data and collaboration applications in the cloud through the lens of shared responsibility with cloud providers.

Cloud-enabled innovation is becoming a competitive requirement. As more enterprises seek to accelerate their business by shifting data and infrastructure to the cloud, security has become a higher priority. Operations and development teams are finding new uses for cloud services, and companies are searching for strategies to gain speed and agility. Enterprises must remain competitive by adding new collaborative capabilities and increasing operational efficiency in the cloud – while also saving money and resources.

Cloud Security Architecture is a shared responsibility

Cloud security is based on a shared cloud responsibility model in which both the provider and the customer possess responsibility in securing the cloud. Shared responsibility does not mean less responsibility. Cloud providers will cover many aspects of physical, infrastructure, and application security while cloud customers remain responsible for certain areas of security and control, depending on the cloud environment.

Shared Responsibility Model for Security in the Cloud

 

Infrastructure-as-a-Service (IaaS)

IaaS is a cloud computing model that provides virtualized computing resources including networking, storage, and machines accessible through the internet. In IaaS, the Cloud Service Provider (CSP) is responsible for the controls that protect their underlying servers and data including security of servers, storage and networking hardware, virtualization, and the hypervisor. The enterprise’s security responsibilities include user access, data, applications, operating systems, and network traffic.

IaaS cloud security models also require these security features:

  • Audit and monitor resources for misconfiguration
  • Automate policy corrections
  • Prevent data loss with DLP
  • Capture custom app activity and enforce controls
  • Detect malicious user activity and behavior
  • Detect and remove malware
  • Discover rouge IaaS services and accounts
  • Identify provisioned user risk
  • Enrich native cloud platform forensics
  • Manage multiple IaaS providers

According to Gartner, through 2023, at least 99% of cloud security failures will be the customer’s fault. Through 2024, workloads that leverage the programmability of cloud infrastructure to improve security protection will demonstrate improved compliance and at least 60% fewer security incidents than those in traditional data centers. As with on-premises data centers, the majority of successful cloud attacks are caused by mistakes, such as misconfiguration, missing patches, or mismanaged credentials. To achieve more secure cloud-based infrastructure and platform services, Gartner recommends a systematic and risk-based approach for IaaS/PaaS security using a set of layered capabilities.

 

Platform-as-a-Service (PaaS)

The CSP secures a majority of a PaaS cloud service model, however, the enterprise is responsible for the security of its applications. PaaS builds upon IaaS deploying applications without taking on the cost and resources required to buy and manage hardware, software, and hosting capabilities. These features can include:

  • Cloud Access Security Brokers (CASB)
  • Cloud workload protection platforms (CWPP)
  • Cloud security posture management (CSPM)
  • Business analytics/intelligence
  • Logs
  • IP restrictions
  • API gateways
  • Internet of Things (IoT)

 

Software-as-a-Service (SaaS)

Terms of security ownership within SaaS are negotiated with the CSP as part of their service contract. SaaS often hosts an enterprise’s physical, infrastructure, hypervisor, network traffic, and operating system. SaaS apps and infrastructure controls can include:

  • Enforce data loss prevention (DLP)
  • Prevent unauthorized sharing of sensitive data to wrong people
  • Block sync/download of corporate data to personal devices
  • Detect compromised account, insider threats, and malware
  • Gain visibility into unsanctioned applications
  • Audit for misconfiguration

New architectural elements of enterprise security in the cloud

  1. CASB-Anchored Multi-Cloud Safety Net, Central shared security for:

    1. Cloud Edge
      1. Cloud-related traffic monitoring and preventative controls
      2. Data, user behavior, and activity monitoring within and across authorized and unauthorized SaaS CSPs
      3. Malware protection across CSPs
      4. Shadow cloud use protection

    2. Cloud Infrastructure
      1. Configuration management for IaaS/PaaS
      2. Container security, data protection, and other shared aspects application security
      3. Traffic within/to/from IaaS/PaaS

  2. Cross-CSP Identity, Authorization and Authentication

    1. Must be implemented across all cloud providers in use and authorization/authentication security

  3. CSP and Application Project Security Basics

    1. Implementation, configuration, and audit of security design and configurations necessarily within each SaaS or IaaS/PaaS CSP, like CSP-end IAM configuration or network configuration. Often implemented initially through individual projects, then centrally for application projects within a specific CSP

Cloud Security Architecture customer challenges and outcomes

Advanced Shadow IT (Web + CASB)

  • Problem: Not all applications provide API’s for CASB data protection.
  • Solution: Seamless DLP Inspection for API & non API supported applications.
  • Outcome: Complete cloud application control of data exfiltration.

Unified Policies (CASB + DLP)

  • Problem: Complexity of different engines, policies, and incidents – manual correlation.
  • Solution: Unified policies and workflow management with consistent classifications and a single pane of glass.
  • Outcome: Administrative simplicity. Efficiency & accuracy gains by not managing multiple disparate systems.

Unified Incident Management (DLP + Web + CASB)

  • Problem: Loss of data protection due to cloud transformation. No clear path to secure all data.
  • Solution: Unified data & threat protection – from device to cloud.
  • Outcome: A unified management platform creating minimal impact to existing DP processes. Increased speed helps meet compliance initiatives. Complete control point coverage is gained for exfiltration.

Customer malware challenges and outcomes with convergence

Realtime Malware Protection (Web + CASB)

  • Problem: Detection Latency in Cloud Apps. Includes IaaS & SaaS applications store benign and malicious files, even send links into inboxes from trusted sources.
  • Solution: In-line, Proactive Advanced Malware Detection. Policy based controls to trigger in-line anti-malware via SWG.
  • Outcome: Risk Reduction while enabling appropriate cloud application use.

Control Application Processes (Web + CASB)

  • Problem: Identifying and Blocking Malicious Processes or Scripts accessing cloud services.
  • Solution: Application Process Access Control. Set access policies based upon process name within the CASB registry. Block, limit and/or monitor untrusted processes via SWG. Dropbox.exe always goes to Dropbox – nowhere else.
  • Outcome: Additional Control Point Coverage with advanced anti-malware. Ensure trusted processes only access trusted URLs.