Cloud security definition
Cloud security is a discipline of cyber security dedicated to securing cloud computing systems. This includes keeping data private and safe across online-based infrastructure, applications, and platforms. Securing these systems involves the efforts of cloud providers and the clients that use them, whether an individual, small to medium business, or enterprise uses.
Cloud providers host services on their servers through always-on internet connections. Since their business relies on customer trust, cloud security methods are used to keep client data private and safely stored. However, cloud security also partially rests in the client’s hands as well. Understanding both facets is pivotal to a healthy cloud security solution.
At its core, cloud security is composed of the following categories:
- Data security
- Identity and access management (IAM)
- Governance (policies on threat prevention, detection, and mitigation)
- Data retention (DR) and business continuity (BC) planning
- Legal compliance
Cloud security may appear like legacy IT security, but this framework actually demands a different approach. Before diving deeper, let’s first look at what cloud security is.
What is cloud security?
Cloud security is the whole bundle of technology, protocols, and best practices that protect cloud computing environments, applications running in the cloud, and data held in the cloud. Securing cloud services begins with understanding what exactly is being secured, as well as, the system aspects that must be managed.
As an overview, backend development against security vulnerabilities is largely within the hands of cloud service providers. Aside from choosing a security-conscious provider, clients must focus mostly on proper service configuration and safe use habits. Additionally, clients should be sure that any end-user hardware and networks are properly secured.
The full scope of cloud security is designed to protect the following, regardless of your responsibilities:
- Physical networks — routers, electrical power, cabling, climate controls, etc.
- Data storage — hard drives, etc.
- Data servers — core network computing hardware and software
- Computer virtualization frameworks — virtual machine software, host machines, and guest machines
- Operating systems (OS) — software that houses
- Middleware — application programming interface (API) management,
- Runtime environments — execution and upkeep of a running program
- Data — all the information stored, modified, and accessed
- Applications — traditional software services (email, tax software, productivity suites, etc.)
- End-user hardware — computers, mobile devices, Internet of Things (IoT) devices, etc.
With cloud computing, ownership over these components can vary widely. This can make the scope of client security responsibilities unclear. Since securing the cloud can look different based on who has authority over each component, it’s important to understand how these are commonly grouped.
To simplify, cloud computing components are secured from two main viewpoints:
1. Cloud service types are offered by third-party providers as modules used to create the cloud environment. Depending on the type of service, you may manage a different degree of the components within the service:
- The core of any third-party cloud service involves the provider managing the physical network, data storage, data servers, and computer virtualization frameworks. The service is stored on the provider’s servers and virtualized via their internally managed network to be delivered to clients to be accessed remotely. This offloads hardware and other infrastructure costs to give clients access to their computing needs from anywhere via internet connectivity.
- Software-as-a-Service (SaaS) cloud services provide clients access to applications that are purely hosted and run on the provider's servers. Providers manage the applications, data, runtime, middleware, and operating system. Clients are only tasked with getting their applications. SaaS examples include Google Drive, Slack, Salesforce, Microsoft 365, Cisco WebEx, Evernote.
- Platform-as-a-Service cloud services provide clients a host for developing their own applications, which are run within a client’s own “sandboxed” space on provider servers. Providers manage the runtime, middleware, operating system. Clients are tasked with managing their applications, data, user access, end-user devices, and end-user networks. PaaS examples include Google App Engine, Windows Azure.
- Infrastructure-as-a-Service (IaaS) cloud services offer clients the hardware and remote connectivity frameworks to house the bulk of their computing, down to the operating system. Providers only manage core cloud services. Clients are tasked with securing all that gets stacked atop an operating system, including applications, data, runtimes, middleware, and the OS itself. In addition, clients need to manage user access, end-user devices, and end-user networks. IaaS examples include Microsoft Azure, Google Compute Engine (GCE), Amazon Web Services (AWS).
2. Cloud environments are deployment models in which one or more cloud services create a system for the end-users and organizations. These segments the management responsibilities — including security — between clients and providers.
The currently used cloud environments are:
- Public cloud environments are composed of multi-tenant cloud services where a client shares a provider’s servers with other clients, like an office building or coworking space. These are third-party services run by the provider to give clients access via the web.
- Private third-party cloud environments are based on the use of a cloud service that provides the client with exclusive use of their own cloud. These single-tenant environments are normally owned, managed, and operated offsite by an external provider.
- Private in-house cloud environments also composed of single-tenant cloud service servers but operated from their own private data center. In this case, this cloud environment is run by the business themselves to allow full configuration and setup of every element.
- Multi-cloud environments include the use of two or more cloud services from separate providers. These can be any blend of public and/or private cloud services.
- Hybrid cloud environments consist of using a blend of private third-party cloud and/or onsite private cloud data center with one or more public clouds.
By framing it from this perspective, we can understand that cloud-based security can be a bit different based on the type of cloud space users are working in. But the effects are felt by both individual and organizational clients alike.
How does cloud security work?
Every cloud security measure works to accomplish one or more of the following:
- Enable data recovery in case of data loss
- Protect storage and networks against malicious data theft
- Deter human error or negligence that causes data leaks
- Reduce the impact of any data or system compromise
Data security is an aspect of cloud security that involves the technical end of threat prevention. Tools and technologies allow providers and clients to insert barriers between the access and visibility of sensitive data. Among these, encryption is one of the most powerful tools available. Encryption scrambles your data so that it's only readable by someone who has the encryption key. If your data is lost or stolen, it will be effectively unreadable and meaningless. Data transit protections like virtual private networks (VPNs) are also emphasized in cloud networks.
Identity and access management (IAM) pertains to the accessibility privileges offered to user accounts. Managing authentication and authorization of user accounts also apply here. Access controls are pivotal to restrict users — both legitimate and malicious — from entering and compromising sensitive data and systems. Password management, multi-factor authentication, and other methods fall in the scope of IAM.
Governance focuses on policies for threat prevention, detection, and mitigation. With SMB and enterprises, aspects like threat intel can help with tracking and prioritizing threats to keep essential systems guarded carefully. However, even individual cloud clients could benefit from valuing safe user behavior policies and training. These apply mostly in organizational environments, but rules for safe use and response to threats can be helpful to any user.
Data retention (DR) and business continuity (BC) planning involve technical disaster recovery measures in case of data loss. Central to any DR and BC plan are methods for data redundancy such as backups. Additionally, having technical systems for ensuring uninterrupted operations can help. Frameworks for testing the validity of backups and detailed employee recovery instructions are just as valuable for a thorough BC plan.
Legal compliance revolves around protecting user privacy as set by legislative bodies. Governments have taken up the importance of protecting private user information from being exploited for profit. As such, organizations must follow regulations to abide by these policies. One approach is the use of data masking, which obscures identity within data via encryption methods.
What makes cloud security different?
Traditional IT security has felt an immense evolution due to the shift to cloud-based computing. While cloud models allow for more convenience, always-on connectivity requires new considerations to keep them secure. Cloud security, as a modernized cyber security solution, stands out from legacy IT models in a few ways.
Data storage: The biggest distinction is that older models of IT relied heavily upon onsite data storage. Organizations have long found that building all IT frameworks in-house for detailed, custom security controls is costly and rigid. Cloud-based frameworks have helped offload costs of system development and upkeep, but also remove some control from users.
Scaling speed: On a similar note, cloud security demands unique attention when scaling organization IT systems. Cloud-centric infrastructure and apps are very modular and quick to mobilize. While this ability keeps systems uniformly adjusted to organizational changes, it does poses concerns when an organization’s need for upgrades and convenience outpaces their ability to keep up with security.
End-user system interfacing: For organizations and individual users alike, cloud systems also interface with many other systems and services that must be secured. Access permissions must be maintained from the end-user device level to the software level and even the network level. Beyond this, providers and users must be attentive to vulnerabilities they might cause through unsafe setup and system access behaviors.
Proximity to other networked data and systems: Since cloud systems are a persistent connection between cloud providers and all their users, this substantial network can compromise even the provider themselves. In networking landscapes, a single weak device or component can be exploited to infect the rest. Cloud providers expose themselves to threats from many end-users that they interact with, whether they are providing data storage or other services. Additional network security responsibilities fall upon the providers who otherwise delivered products live purely on end-user systems instead of their own.
Solving most cloud security issues means that users and cloud providers — both in personal and business environments — must both remain proactive about their own roles in cyber security. This two-pronged approach means users and providers mutually must address:
Secure system configuration and maintenance.
User safety education — both behaviorally and technically.
Ultimately, cloud providers and users must have transparency and accountability to ensure both parties stay safe.
Cloud security risks
What are the security issues in cloud computing? Because if you don’t know them, then how are you supposed to put proper measures in place? After all, weak cloud security can expose users and providers to all types of cyber security threats. Some common cloud security threats include:
- Risks of cloud-based infrastructure including incompatible legacy IT frameworks, and third-party data storage service disruptions.
- Internal threats due to human error such as misconfiguration of user access controls.
- External threats caused almost exclusively by malicious actors, such as malware, phishing, and DDoS attacks.
The biggest risk with the cloud is that there is no perimeter. Traditional cyber security focused on protecting the perimeter, but cloud environments are highly connected which means insecure APIs (Application Programming Interfaces) and account hijacks can pose real problems. Faced with cloud computing security risks, cyber security professionals need to shift to a data-centric approach.
Interconnectedness also poses problems for networks. Malicious actors often breach networks through compromised or weak credentials. Once a hacker manages to make a landing, they can easily expand and use poorly protected interfaces in the cloud to locate data on different databases or nodes. They can even use their own cloud servers as a destination where they can export and store any stolen data. Security needs to be in the cloud — not just protecting access to your cloud data.
Third-party storage of your data and access via the internet each pose their own threats as well. If for some reason those services are interrupted, your access to the data may be lost. For instance, a phone network outage could mean you can't access the cloud at an essential time. Alternatively, a power outage could affect the data center where your data is stored, possibly with permanent data loss.
Such interruptions could have long-term repercussions. A recent power outage at an Amazon cloud data facility resulted in data loss for some customers when servers incurred hardware damage. This is a good example of why you should have local backups of at least some of your data and applications.
Why Cloud security is important
In the 1990s, business and personal data lived locally — and security was local as well. Data would be located on a PC’s internal storage at home, and on enterprise servers, if you worked for a company.
Introducing cloud technology has forced everyone to reevaluate cyber security. Your data and applications might be floating between local and remote systems — and always internet-accessible. If you are accessing Google Docs on your smartphone, or using Salesforce software to look after your customers, that data could be held anywhere. Therefore, protecting it becomes more difficult than when it was just a question of stopping unwanted users from gaining access to your network. Cloud security requires adjusting some previous IT practices, but it has become more essential for two key reasons:
- Convenience over security. Cloud computing is exponentially growing as a primary method for both workplace and individual use. Innovation has allowed new technology to be implemented quicker than industry security standards can keep up, putting more responsibility on users and providers to consider the risks of accessibility.
- Centralization and multi-tenant storage. Every component — from core infrastructure to small data like emails and documents — can now be located and accessed remotely on 24/7 web-based connections. All this data gathering in the servers of a few major service providers can be highly dangerous. Threat actors can now target large multi-organizational data centers and cause immense data breaches.
Unfortunately, malicious actors realize the value of cloud-based targets and increasingly probe them for exploits. Despite cloud providers taking many security roles from clients, they do not manage everything. This leaves even non-technical users with the duty to self-educate on cloud security.
That said, users are not alone in cloud security responsibilities. Being aware of the scope of your security duties will help the entire system stay much safer.
Cloud security concerns – privacy
Legislation has been put in place to help protect end users from the sale and sharing of their sensitive data. General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) each do their own duties to protect privacy, limiting how data can be stored and accessed.
Identity management methods like data masking have been used to separate identifiable features from user data for GDPR compliance. For HIPAA compliance, organizations like healthcare facilities must make sure that their provider does their part in restricting data access as well.
The CLOUD act gives cloud providers their own legal limitations to adhere to, potentially at the cost of user privacy. US federal law now permits federal-level law enforcement to demand requested data from cloud provider servers. While this may allow investigations to proceed effectively, this may circumvent some rights to privacy and cause potential abuse of power.
How to Secure the Cloud
Fortunately, there is a lot that you can do to protect your own data in the cloud. Let’s explore some of the popular methods.
Encryption is one of the best ways to secure your cloud computing systems. There are several different ways of using encryption, and they may be offered by a cloud provider or by a separate cloud security solutions provider:
- Communications encryption with the cloud in their entirety.
- Particularly sensitive data encryption, such as account credentials.
- End-to-end encryption of all data that is uploaded to the cloud.
Within the cloud, data is more at risk of being intercepted when it is on the move. When it's moving between one storage location and another, or being transmitted to your on-site application, it's vulnerable. Therefore, end-to-end encryption is the best cloud security solution for critical data. With end-to-end encryption, at no point is your communication made available to outsiders without your encryption key.
You can either encrypt your data yourself before storing it on the cloud, or you can use a cloud provider that will encrypt your data as part of the service. However, if you are only using the cloud to store non-sensitive data such as corporate graphics or videos, end-to-end encryption might be overkill. On the other hand, for financial, confidential, or commercially sensitive information, it is vital.
If you are using encryption, remember that the safe and secure management of your encryption keys is crucial. Keep a key backup and ideally don't keep it in the cloud. You might also want to change your encryption keys regularly so that if someone gains access to them, they will be locked out of the system when you make the changeover.
Configuration is another powerful practice in cloud security. Many cloud data breaches come from basic vulnerabilities such as misconfiguration errors. By preventing them, you are vastly decreasing your cloud security risk. If you don’t feel confident doing this alone, you may want to consider using a separate cloud security solutions provider.
Here are a few principles you can follow:
- Never leave the default settings unchanged. Using the default settings gives a hacker front-door access. Avoid doing this to complicate a hacker’s path into your system.
- Never leave a cloud storage bucket open. An open bucket could allow hackers to see the content just by opening the storage bucket's URL.
- If the cloud vendor gives you security controls that you can switch on, use them. Not selecting the right security options can put you at risk.
Basic cyber security tips should also be built into any cloud implementation. Even if you are using the cloud, standard cyber security practices shouldn’t be ignored. So, it is worth considering the following if you want to be as secure as possible online:
- Use strong passwords. Including a mix of letters, numbers and special characters will make your password more difficult to crack. Try to avoid obvious choices, like replacing an S with a $ symbol. The more random your strings are, the better.
- Use a password manager. You will be able to give each application, database, and service you use separate passwords, without having to remember them all. However, you must make sure you protect your password manager with a strong primary password.
- Protect all the devices you use to access your cloud data, including smartphones and tablets. If your data is synchronized across numerous devices, any one of them could be a weak link putting your entire digital footprint at risk.
- Back up your data regularly so that in the event of a cloud outage or data loss at your cloud provider, you can restore your data fully. That backup could be on your home PC, on an external hard drive, or even cloud-to-cloud, as long as you are certain the two cloud providers don't share infrastructure.
- Modify permissions to prevent any individual or device from having access to all your data unless it is necessary. For instance, businesses will do this through database permission settings. If you have a home network, use guest networks for your children, for IoT devices, and for your TV. Save your 'access all areas' pass for your own usage.
- Protect yourself with anti-virus and anti-malware software. Hackers can access your account easily if malware makes its way into your system.
- Avoid accessing your data on public Wi-Fi, particularly if it doesn't use strong authentication. However, use a virtual private network (VPN) to protect your gateway to the cloud.
Cloud storage and the file sharing
Cloud computing security risks can affect everyone from businesses to individual consumers. For example, consumers can use the public cloud for storing and backing up files (using SaaS services like Dropbox), for services like email and office applications, or for doing tax forms and accounts.
If you use cloud-base services then you may need to consider how you share cloud data with others, particularly if you work as a consultant or freelancer. While sharing files on Google Drive or another service may be an easy way to share your work with clients, you may need to check that you are managing permissions properly. After all, you will want to ensure that different clients cannot see each other’s names or directories or alter each other’s files.
Remember that many of these commonly available cloud storage services don't encrypt data. If you want to keep your data secure through encryption, you will need to use encryption software to do it yourself before you upload the data. You will then have to give your clients a key, or they won't be able to read the files.
Check your cloud provider's security
Security should be one of the main points to consider when it comes to choosing a cloud security provider. That’s because your cyber security is no longer just your responsibility: cloud security companies must do their part in creating a secure cloud environment — and share the responsibility for data security.
Unfortunately, cloud companies are not going to give you the blueprints to their network security. This would be equivalent to a bank providing you with details of their vault — complete with the combination numbers to the safe.
However, getting the right answers to some basic questions gives you better confidence that your cloud assets will be safe. In addition, you will be more aware of whether your provider has properly addressed obvious cloud security risks. We recommend asking your cloud provider some questions of the following questions:
- Security audits: “Do you conduct regular external audits of your security?”
- Data segmentation: “Is customer data is logically segmented and kept separate?”
- Encryption: “Is our data encrypted? What parts of it are encrypted?”
- Customer data retention: “What customer data retention policies are being followed?”
- User data retention: “Is my data is properly deleted if I leave your cloud service?”
- Access management: “How are access rights controlled?”
You will also want to make sure you’ve read your provider’s terms of service (TOS). Reading the TOS is essential to understanding if you are receiving exactly what you want and need.
Be sure to check that you also know all the services used with your provider. If your files are on Dropbox or backed up on iCloud (Apple's storage cloud), that may well mean they are actually held on Amazon's servers. So, you will need to check out AWS, as well as, the service you are using directly.
Hybrid Cloud Security Solutions
Hybrid cloud security services can be a very smart choice for clients in SMB and enterprise spaces. They are most viable for SMB and enterprise applications since they are generally too complex for personal use. But it’s these organizations that could use the blend of scale and accessibility of the cloud with onsite control of specific data.
Here are a few security benefits of hybrid cloud security systems:
Segmentation of services can help an organization control how their data is accessed and stored. For example, placing more sensitive data onsite while offloading other data, applications, and processes into the cloud can help you layer your security appropriately. In addition, separating data can improve your organization’s ability to remain legally compliant with data regulations.
Redundancy can also be accomplished via hybrid cloud environments. By utilizing daily operations from public cloud servers and backing up systems in local data servers, organizations can keep their operations moving in the case that one data center is taken offline or infected with ransomware.
SMB Cloud Security Solutions
While enterprises can insist on a private cloud — the internet equivalent of owning your own office building or campus — individuals and smaller businesses must manage with public cloud services. This is like sharing a serviced office or living in an apartment block with hundreds of other tenants. Therefore, your security needs to be a prime concern.
In small to medium business applications, you will find cloud security is largely on the public providers you use.
However, there are measures you can take to keep yourself safe:
- Multi-tenant data segmentation: Businesses must be sure that their data cannot be accessed by any other clients of their cloud vendors. Whether housed in segmented servers, or carefully encrypted, be sure segmentation measures are in place.
- User access controls: Controlling permissions might mean throttling user access to an inconvenient level. However, going restrictive and working backward to find a balance can be much safer than allowing loose permissions to permeate your network.
- Legal data compliance: Keeping your data compliant with international regulations like GDPR is critical to avoid heavy fines and reputation damage. Make sure measures like data masking and classification of sensitive data is a priority for your organization.
- Careful scaling of cloud systems: With the rapid implementation of cloud systems, be sure you take time to check your organization's systems for security over convenience. Cloud services can quickly become sprawling to the point of lacking regulation.
Enterprise Cloud Security Solutions
Since cloud computing is now used by over 90% of larger enterprises, cloud security is a vital part of corporate cyber security. Private cloud services and other more costly infrastructure may be viable for enterprise-level organizations. However, you will still have to ensure your internal IT is on top of maintaining the entire surface area of your networks.
For large-scale enterprise use, cloud security can be far more flexible if you make some investments into your infrastructure.
There are a few key takeaways to keep in mind:
- Actively manage your accounts and services: If you don't use a service or software anymore, close it down properly. Hackers can gain easy access to an entire cloud network via old, dormant accounts through unpatched vulnerabilities.
- Multi-factor authentication (MFA): This could be biometric data such as fingerprints, or a password and separate code sent to your mobile device. It is time-consuming, but useful for your most sensitive data.
- Evaluate the cost-benefits of hybrid cloud: Segmenting your data is far more important in enterprise use, as you will be handling much larger quantities of data. You need to make sure your data is separate from other customers' data, whether it's separately encrypted or logically segmented for separate storage. Hybrid cloud services can help with this.
- Be wary of shadow IT: Educating your employees to avoid using unauthorized cloud services on your networks or for company work is essential. If sensitive data is communicated over unsecured channels, your organization may be exposed to malicious actors or legal issues.
So, whether you are an individual user, SMB user, or even Enterprise level cloud user — it is important to make sure that your network and devices are as secure as possible. This starts with having a good understanding of basic cyber security on an individual user level, as well as, ensuring that your network and all devices are protected using a robust security solution that is built for the cloud.
- Kaspersky Security Cloud
- Kaspersky Enterprise Hybrid Cloud Security
- Kaspersky Endpoint Security Cloud for SMBs