Securing the cloud is nowhere near as complex as it may sound. There are many ways to protect your business while keeping your cloud secure and simultaneously taking advantage of all that it has to offer.
Cloud security begins with selecting the right service model that fits your organization’s needs. There are three unique service models and four deployment options in terms of cloud security offerings. Service model options include the following:
- Infrastructure as a Service (IaaS): The IaaS model enables a company to build its own virtual Data Center (vDC). A virtual data center offers cloud-based resources in lieu of the physical benefits a traditional data center can provide. There's no need for regular maintenance, updates, or servicing physical machines with a virtualized data center.
- Platform as a Service (PaaS): The PaaS model provides a variety of options that allow customers to provision, deploy, or create software.
Software as a Service (SaaS): With the SaaS model, customers are provided with software that doesn’t require the use of a computer or server to build it on. Examples include Microsoft 365 (formerly Office 365) and Gmail. With these options, customers only need a computer, tablet, or phone to access each applicationBusinesses use a variety of terms to highlight their products,from DRaaS (disaster recovery) to HSMaaS (hardware security module) to DBaaS (database) and, finally, XaaS (anything). Depending on what a company is marketing, it can be difficult to determine whether a product is SaaS or PaaS, but in the end, understanding a cloud provider’s contractual responsibilities is more important. Cloud providers extend their contracts to add security on cloud formations through services such as HSMaaS (hardware security module) or DRMaaS (digital rights management).
The four deployment models are:
- Public: Available to anyone for purchase. The best examples today are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
- Private: This is built for one company, and the hardware is not shared with anyone else. The private model could be built on a public cloud or within your own data center, or at a business that specializes in building private clouds, that is, a managed service provider.
- Community: This involves the concept of sharing between businesses. Service can be shared, or data can be shared on that service. One example might be government-built clouds shared by multiple agencies.
- Hybrid: This involves using at least two of the three deployment models listed above: public and private, private and community, or public and community. Another possibility is using all three.
Which aspect of cloud security is the most important?
All aspects of an individual cloud security policy are important, but there are certain pillars that every provider should offer. These are considered essential and some of the most important aspects of a cloud security infrastructure. Ensuring the provider you choose covers all of these pillars is tantamount to the most complete cloud security strategy you can implement.
Always-on monitoring: Cloud security providers can offer a glimpse into what's happening in your cloud platforms by keeping logs at all times. Should an incident occur, your security team can inspect and compare internal logs to your provider's records for insight into potential attacks or changes. This can help quickly detect and respond to any incidents that may occur.
Change management: Your cloud security provider should offer change management protocols to monitor compliance controls when changes are requested, assets are altered or moved, or new servers are provisioned or decommissioned. Dedicated change management applications can be deployed to automatically monitor unusual behavior so you and your team can move swiftly to mitigate and correct it.
Zero-trust security controls: Isolate your mission-critical assets and applications away from your cloud network. Keeping secure workloads private and inaccessible will help to enforce security policies that protect your cloud-based environment.
All-encompassing data protection: your provider should offer enhanced data protection with additional encryption for all transport layers, good data hygiene, continuous risk management monitoring, secure file sharing, and airtight communications. In short, your provider should be at the top of their game when it comes to protecting your business's data in every way, shape, and form.
Ask yourself: “What are my concerns?” This will help you determine what questions to ask your cloud provider that can help you understand the most important aspects to keep in mind.
Cloud architecture, simply put, is the result of multiple environments pooling together to share scalable resources across software applications, databases, and other services. Essentially, the term refers to the infrastructure and components that work in tandem to comprise the "cloud" as we know it.
The basic components required to create a cloud include networks, routers, switches, servers, firewalls, and intrusion detection systems. The cloud also includes all the elements within the servers: the hypervisor and virtual machines, for example, and of course, software. Cloud architecture also requires a cloud provider, cloud architect, and cloud broker to create, manage, sell and buy cloud services. There’s an entire ecosystem there to keep track of, but when people say “the cloud” it’s essentially referring to cloud architecture.
Many terms relating to cloud architecture just add the word “cloud” to an old and familiar term, such as cloud consumer. If you understand the definition of consumer, then the new term is clear; it means a consumer of cloud services as opposed to, say, phone services.
Here are some basic examples:
- Cloud consumer: The person or company that uses a cloud service from a cloud provider.
- Cloud provider: The person or company with the resources to provide the services that consumers require. That includes the technology to create the servers, virtual machines, data storage, or whatever resources customers need.
- Cloud broker: The person or company that manages delivery, use, and performance of the cloud for the consumer, negotiating the relationship with the provider on the consumer’s behalf.
- Cloud carrier: The carrier is the service provider that connects a business to the cloud, such as your internet service provider (ISP). For a business, this usually would be a multiprotocol label switching (MPLS) connection.
- Cloud auditor: The person or company that performs audits of a cloud provider’s environment. These audits include both privacy audits and security audits.
Cloud security architecture
Security in the cloud starts with cloud security architecture, which adds security elements to the basic architecture. Traditional security elements include firewalls (FW), anti-malware, and intrusion detection systems (IDS). Cloud auditors, security architects and security engineers are also needed to design secure structures within and through the cloud.
In other words, cloud security architecture is not limited to the hardware or software.
Cloud security architecture begins with risk management. Knowing what could possibly go wrong and how a business could be negatively impacted helps companies make responsible decisions. Three critical areas of discussion are business continuity, supply chain, and physical security.
For instance, what will happen to your business if your cloud provider has a failure? Putting servers, services, and data in the cloud does not eliminate the need for business continuity and/or disaster recovery planning.
What would happen if just anyone could walk into the cloud provider’s data center? At the big three – AWS, GCP and Azure – this would not be easy, but that is the point. They have invested heavily in data center security.
What about other cloud providers? Request a walkthrough of potential any cloud provider’s data center and to be involved in an audit. Note their answer. Were they willing to let you check out the data center the next day? If it’s easy to get into the data center, perhaps that provider deserves a second thought.
Smaller cloud providers may not have a physical data center. More likely, they use and effectively resell the capability of the big cloud providers. That is an advantage and part of the beauty of using the cloud. If the relationship between the cloud providers is unknown, additional issues could emerge regarding laws, regulations and contracts. Ask this simple question: Where is my data? If there are multiple levels to the cloud provider, the answer could be hard to determine. There could also be legal consequences, such as an issue with the European General Data Protection Regulation (GDPR).
The elements that comprise a business’s cloud security architecture may have cloud security services as well. It is possible to purchase services like data leak prevention (DLPaaS). Other tools assist with security, such as a scanning tool that searches for personally identifiable information so it can be secured properly. Cloud security management is necessary to ensure that these services are working as they should.
What is cloud-native application protection program (CNAPP)?
CNAPP is a group of security solutions meant to assist in identifying, assessing, prioritizing, and adapting to risk in a range of cloud-native applications.
As such, CNAPP gathers several of the most important features amassed from siloed products and platforms: Artifact Scanning, Runtime Protection, and Cloud Configuration. This can include the following:
- Misconfiguration checks for open Amazon S3 buckets, databases, and network ports
- Runtime monitoring and protection of your cloud workloads
- Automated detection of vulnerabilities within containers, virtual machines (VMs), or serverless functions
- Exposure scanning for CVEs, secrets, sensitive data, and malware
- Infrastructure as code (IaC) scanning
Trend Micro can be considered a CNAPP vendor, and products like Trend Micro Cloud One™, the security services platform meant for cloud builders, can fit neatly into CNAPP architecture.
Businesses need to must remain in compliance with the many laws, regulations, and contracts in place. When you put your data and services in someone else’s possession, there are certain complicated requirements that must be in place to ensure compliance.
From a legal standpoint, organizations must comply with the European Union General Data Protection Regulation (EU GDPR), Sarbanes-Oxley – U.S. financial data protection (SOX), the Health Information Portability and Accountability Act – U.S. health care (HIPAA), and others. Also, credit card protection falls under contract law with Payment Card Industry - Data Security Standard (PCI-DSS).
Once the compliance subject is identified, many actions can be taken, one of which is an audit. The audit should be conducted using a standardized approach and proven methodology, such as the American Institute of Certified Public Accountants’ SSAE 18 (Statement of Standards on Attestation Agreements, No. 18). The audit’s findings will indicate what may not be in compliance. When deciding on a cloud provider, it is important to read these reports to know the DC’s level of security and what to expect.