1. Cloud Security Overview
What is cloud security?
Cloud security is a cybersecurity discipline and includes all of the tools, resources, processes and policies to protect your cloud infrastructure including data, systems, applications and resources stored in the cloud. You can also apply cloud security practices to elements of a hybrid environment where you have a mix of both on-prem and cloud-based systems.
With a cloud security program, you can assess all of the assets within your cloud infrastructure so you can discover, mitigate and remediate all vulnerabilities, weaknesses, misconfigurations and other security issues to keep your cloud infrastructure safe.
Cloud security is also known as cloud computing security. The goal is to protect all of your data in the cloud and help you meet your regulatory, legal, compliance and other standards.
You can use cloud security to limit and control who has access to your cloud systems and manage other security and configuration rules for your cloud environment.
Cloud security responsibility varies depending on your chosen infrastructure, but in general, both your organization and your cloud security solution provider should work together to protect your cloud environment.
How does cloud security work?
Cloud security works by applying various controls, processes and policies to protect your cloud environment and prevent unauthorized access to all of your systems, data and applications that reside there.
For effective cybersecurity, you need visibility into your entire cloud infrastructure including serverless computing, containers and microservices, and you should have a cloud security solution that enables you to continuously monitor and analyze all of your cloud assets.
You can personalize your cloud security approach based on a number of factors specifically related to your organization's unique characteristics and needs. While not exhaustive, here are some strategies you might choose to deploy for cloud security:
- Network monitoring and next-generation firewalls to control the flow of data into and out of your cloud environment. The goal is to create a defense that prevents unauthorized users on an external network from accessing your data.
- Continuous asset discovery, assessment and threat intelligence to uncover vulnerabilities, weaknesses and other security issues. The goal is to discover vulnerabilities so you can prioritize them and make plans to fix them.
- Identity and access management to ensure that only authorized users can access data in the cloud.
- Encryption to encode your data while it's moving and at rest.
- Segmentation to isolate specific data sets or systems to help decrease what attackers might be able to access in a successful attack.
- Penetration testing to determine if you can get unauthorized access into your cloud environment so you can remediate those issues and prevent a breach.
- Logging and reporting of all activities.
- Data loss prevention to prohibit access when you detect suspicious data activity.
- Configuration reviews and configuration hardening.
- Antivirus programs to prevent malware infection and spread.
How is cloud security different from traditional IT cybersecurity?
While cloud security and traditional IT cybersecurity share some common goals, like keeping your data, systems, and applications safe, the two practices have many differences.
Traditional IT security practices don't work well within cloud environments, leaving you with blind spots that can put your organization at risk. Why? Because unlike many traditional IT environments that you can more easily protect with a security perimeter (think servers and computers within a controlled environment), the cloud is dynamic and frequently changes. In general, it's easier to protect access points within a controlled on-premises environment than in a dynamic cloud.
The cloud is also increasingly interconnected, meaning security issues that originate in the cloud could traverse into your on-prem environment and vice versa. Additionally, if not well-protected, security issues that originate in a shared or public cloud space could traverse into your systems and data without your knowledge. If a bad actor gets access to a component within shared space, you could be at risk.
While there are many benefits for cloud security, the same things that make it affordable, scalable and accessible can contribute to security issues. The cloud is at risk from a variety of issues from weak identity and access management, to the use of default passwords, lateral movement from breaches, weaknesses in application code, vulnerabilities and other security issues.
Also, because threat actors know many cloud environments host a vast amount of data, they're prime targets for attacks.
And while there are a number of differences between cloud security and traditional information security as it relates to risks, there are also a number of differences with benefits of cloud security compared to traditional cybersecurity.
Here are a few examples:
- Cloud security is easier and faster to deploy. With a software as a service (SaaS) model, you don't need to purchase additional hardware or other appliances to protect your cloud infrastructure. Conversely, on-site IT often requires the expensive and time-consuming process of evaluating hardware and software, purchasing, waiting for arrival, set up, configuration and training.
- Cloud security solutions are more cost-friendly than complex on-premises solutions, which in addition to purchase prices, often include additional costs such as maintenance and upgrade fees, plus the time and resources your IT and security teams expend to implement and manage. With a subscription model for cloud security, for example, these costs can be considerably reduced and can easily be adjusted as your organization scales.
- Traditional IT cybersecurity taxes internal resources, which today is complicated further by a lack of available skilled professionals to fill critical roles. With cloud security, depending on if you're using a public, private or hybrid cloud model, you can share security responsibilities between your IT team and the cloud provider or shift to management by an outside provider.
- Cloud security solutions are better for comprehensive visibility into your cloud infrastructure and on-premises environments. Traditional IT cybersecurity is limited to monitoring on-site and across your network.
Why is cloud security important?
As more organizations adopt more cloud computing solutions, cloud security becomes increasingly important. That's because many of the traditional security practices employed for on-premises infrastructure don't provide the comprehensive insight you need for rapidly changing cloud environments.
Because of the volume of data stored there, cloud environments are in the crosshairs for cyber attackers, and as a result, security threats constantly evolve. That's why, if you're using a public, private or hybrid cloud model, you need cloud security.
Here are some of the many reasons why cloud security is important:
- Security threats are increasing and constantly changing.
- You can more easily manage your integrated security practices in a centralized location.
- Cloud security gives you insight you wouldn't have with traditional IT security, including visibility into short-lived and transient assets such as serverless computing, containers and microservices.
- Cloud security can scale and change as your organization evolves and changes.
- Cloud security can help you reduce costs and decrease strain on your already busy IT staff.
- You can automate many of your common security practices and eliminate time-consuming, repetitive, manual tasks.
- You can ensure your data is safe and you can access it from a variety of authorized devices and users from any location.
- You can have the same level of security and experience for all users accessing your cloud — wherever they are — unlike traditional IT that often requires security stacks for remote sites and other locations.
What's the difference between public cloud and private cloud?
Public and private clouds have some similarities, but are different. The core difference is that more than one organization shares a public cloud via the internet, whereas a private cloud is dedicated to one organization and shared through a private network.
Some organizations choose to adopt a hybrid cloud model with both public and private cloud services, often putting the most critical data and applications in a private cloud and the rest in a public cloud.
Here are some of the other ways public and private clouds are different:
- Private clouds are dedicated and secure and often have maintenance costs directly related to that.
- Public clouds, because they're shared, generally do not have additional maintenance costs.
- Public cloud models come with a variety of pricing options for expense flexibility.
- You can customize private clouds to meet your organization's specific needs, which can bring additional benefits relating to compliance and regulatory obligations.
- Public cloud is good for software development, application usage and communications services, whereas a private cloud may be better suited for sensitive data like personally identifiable information (PII) and protected health information (PHI).
- You can employ customized security solutions for a private cloud, which may be better for compliance, but you may have less security options in a private cloud.
What's a hybrid cloud?
Hybrid cloud computing offers organizations flexibility when deploying solutions off-premises. Some hybrid cloud models use a mix of public and private cloud, while some may also include on-prem resources.
There are a variety of reasons your organization may choose a hybrid cloud model. Often, it's a decision regulatory and compliance requirements drive, where some data may need specific security protocols executable in a private cloud but not in a public one. Other data and applications may have more security flexibility and they're well-suited for a public cloud. A hybrid cloud solution is a good option to help you mitigate risks. You can put your most sensitive data in a controlled environment, and then use the public cloud for workloads that don't need as stringent security measures.
Here are some of the many benefits of choosing a hybrid cloud option:
- Remain in control of the security you want, helping ensure regulatory compliance
- May be more cost effective than putting all your data in a private cloud
- Flexible and scalable alternative that you can adapt as your organization changes and evolves
- Enables planned, scaled migration to the cloud without moving everything at once
Are public clouds secure?
Yes, public clouds are secure. The nuance here is what type of security you need to deploy, especially for compliance and regulatory standards, which may be more difficult to do in a public cloud environment compared to a private cloud. Public clouds are not for every organization or every data type, but they offer secure alternatives to on-site hosting.
Just like your on-premises environment, no environment is 100 percent secure. There are always risks. However, most public cloud providers continuously improve their security practices and learn from exploits that put data at risk.
When you establish a relationship with a public cloud provider, it's likely you'll sign a service level agreement (SLA) or other contract, which should outline who is responsible for which security components. Make sure both parties have a clear understanding of expectations and be sure to routinely follow-up throughout the course of your relationship and any time you have a contract or other similar renewal. If you're using a public cloud provider that is compliant with your organization's regulatory requirements, ask to see compliance audit documentation.
Is the cloud more secure than on-premises?
In one study, almost 90% of respondents said their organization uses some type of public cloud infrastructure. About 40% believe public clouds are more secure than security they can deliver in their on-prem environments, with an additional 35% saying public cloud is somewhat more secure than on-prem.
With that confidence and reliability, an increasing number of organizations are moving business critical applications to the cloud, with nine out of 10 adopting software as a service (SaaS). Another 76% of respondents use infrastructure as a service (IaaS) and 70% use platform as a service (PaaS).
Aligning cloud security with the cybersecurity lifecycle
Your cloud security program can reap many benefits from alignment with the cybersecurity lifecycle.
According to Ponemon's “The Economic Value of Prevention in the Cybersecurity Lifecycle” survey, when you prevent attacks from entering your environment and can't cause damage, you can save costs, resources, damage, time and reputation.
Although prevention is one of the most difficult components of the cybersecurity lifecycle, it's imperative. Preventing a zero-day attack, for example, can save nearly $1 million (an average of $775,000). And having an insecure cloud platform, according to almost 20% of respondents, is among top security concerns.
NIST's cybersecurity framework identifies five core functions of the cybersecurity lifecycle: identify, protect, detect, respond and recover. Each function consists of categories and subcategories that align these functions to activities you can use to build and improve your cloud security processes.
Let's take a closer look at each function and what's included:
- Identify: Asset management, business environment, governance, risk assessment, risk management strategy and supply chain risk management
- Protect: Identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology
- Detect: Anomalies and events, security continuous monitoring and detection processes
- Respond: Response planning, communications, analysis, mitigation and improvements
- Recover: Recovery planning, improvements and communications
So, how can you effectively apply components of the lifecycle to your cloud security approach? See. Predict. Act.
Tenable's exposure management platform, which includes a number of solutions and resources for cloud-based security, can give you increased visibility into cloud assets, including exposures, so you can prioritize cyber risk and make plans to remediate security issues within your cloud environment. It's rooted in Tenable's unique approach that enables you to see everything, predict what matters and act to address risks.