Cloud security is a vast topic that can mean different things to different organizations. At the simplest level, cloud security is how an organization applies cybersecurity to the technology and business processes it runs through the cloud. From there, the subject quickly gets more complex.
A good place to start when exploring cloud security is to focus on “Infrastructure as a Service” (IaaS) and “Platform as a Service” (PaaS) from cloud providers such as Amazon Web Services (AWS), Google Cloud (GCP), or Microsoft Azure. All three include cybersecurity as part of their offering, but it’s still incumbent on businesses using those cloud services to develop their own cybersecurity strategies.
When exploring cloud security, executives need to consider several issues, including:
- Selecting the right cloud service vendor
- Understanding the shared responsibility models of cloud service providers
- Cloud vendor risk management
- Compliance in the cloud: how a vendor’s compliance does not guarantee your organization’s compliance
- Cloud computing and cloud security complexity
- Fundamental differences between on-premises data center security and cloud security
- Cloud security training and education requirements
Understanding the above issues will help your organization reach the right cloud security solution, security standards, and information security program.
Selecting the right cloud service vendor
When selecting a cloud service vendor, the actual services each vendor offers will usually drive your selection process. Many organizations adopt a “multi-cloud” initiative when they find that one vendor supports a specific cloud infrastructure they need while another does not. Each cloud service has similar ways of securing IaaS, PaaS, and SaaS services; typically the challenge is managing the security controls across multiple vendors’ tech stacks.
Understanding the shared responsibility models of cloud service providers
A common misconception early in cloud security was that responsibility for security ultimately fell to the cloud vendor. As cloud computing evolved, we’ve found that security is the responsibility of the cloud consumer. Data security, access management, and access controls are all required for a secure environment — and none of them are managed offerings of public cloud service vendors. Sure, the cloud service vendor will secure all aspects of what it takes to “run the cloud,” but securing IaaS, PaaS, and SaaS still falls on the end-user.
Cloud vendor risk management
Threats lead to exploited vulnerabilities, which ultimately lead to incidents. Cloud vendor risk management assists the business in identifying threats, hardening its security mesh, and responding to incidents. A disaster recovery plan is an important part of vendor risk management, and disaster recovery in the cloud is more manageable than most on-premises solutions. Cloud computing services such as backup vaults assist greatly in maintaining a robust backup solution.
Compliance in the cloud: vendor compliance doesn’t guarantee your compliance
Being compliant in the cloud can be difficult. Some vendors help to fulfill your compliance obligations in certain PaaS, IaaS, and SaaS areas; others don’t. Understand the specifics before selecting a vendor, but generally speaking, patch management, identity and access controls, and malware solutions are the customer’s responsibility. Most cloud vendors see the importance of encrypting data in transit and in storage, but data in use can still be a vulnerability and, depending on the compliance needed, may require additional services.
Cloud computing and cloud security complexity
Maintaining cloud security involves several objectives, such as governing usage, securing data, and warding off outside threats. To achieve those objectives, CISOs need a proven, high-quality security framework, such as SASE, CASB, or the frameworks from the Cloud Security Alliance. If compliance regulations call for activity monitoring, additional tools will need to be deployed to satisfy that demand.
The difference between ‘on-prem’ data center security and cloud security
The fundamental difference between on-premises and cloud security is that of control. Cloud security always requires you to relinquish a certain level of control simply because another organization is managing your data storage. Most cloud providers do have highly secure facilities these days, but they remain an attractive target for hackers and other threats. Knowing how a cloud provider manages its stored data is important, especially when comparing that to the regulatory demands your organization faces.
Cloud security training and education requirements
Maintaining a team of certified cybersecurity professionals is common practice, especially within larger organizations that must also meet compliance standards such as HIPAA, PCI-DSS, or FERPA. A vast number of certifications are available to meet compliance and education regulations; certificates such as SEC+, CISSP, CISM, CISA, and CCSP are common throughout the field. One good idea to maintain security hygiene: have a certified cloud security professional audit your cloud network periodically.
Although cloud security is a broad topic, having the ability to break it down into more manageable pieces is crucial. By exploring the above topics in depth when considering a cloud security solution, an organization can rest assured that it is doing its best to protect sensitive data. That’s good because the industry is exploding with growth as more and more companies run their operations in the cloud. Those companies simply need to run those operations with a thoughtful approach to security, too.