The main purpose of cloud security is to secure cloud computing systems. It requires establishing measures that keep data private and secure across cloud infrastructure, platforms, and applications. Cloud security may encompass one or more of the following responsibilities:
Cloud security is usually a collaborative effort between cloud providers and customers. A cloud customer may be an individual, a small-to-medium business (SMB), or an enterprise.
Cloud providers or vendors are trusted to secure the underlying computing infrastructure—including servers and connections. Vendors are also expected to provide customers with the capabilities needed to secure their workloads and data.
The cloud centralizes the management of applications and data, including the security of these assets. This eliminates the need for dedicated hardware, reduces overhead, and increases reliability, flexibility, and scalability.
As cloud adoption grows, more business-critical applications and data migrate to the cloud. While most cloud service providers (CSPs) offer standard security tools, such as monitoring and alerting features, these capabilities alone do not provide enough coverage. This can significantly increase the risk of data loss and theft.
Since it is not possible to eliminate all security threats and vulnerabilities, organizations need to balance the benefits of cloud adoption with a data security risk level that the organization can handle.
This typically involves setting up critical cloud security measures and policies—those required to prevent data breaches and noncompliance and any resulting losses and fines, as well as maintain business continuity.
Here are several key cloud security challenges.
In order to properly and consistently manage security in hybrid and multi-cloud environments, organizations need tools and techniques that work seamlessly across all cloud vendor environments and on-premise deployments. Additionally, geographically distributed organizations need branch office edge protection. Automation is central to cloud security, because in the cloud, computing resources are numerous and in constant flux.
The public cloud consists of many components and does not have a clear security perimeter. It is a big, complex and distributed environment, which can become further complicated when organizations implement multi-cloud, hybrid cloud, and serverless architectures. This creates a different security reality—and a larger and highly attractive attack surface.
Threat actors constantly target public clouds, looking for and finding vulnerabilities to exploit. Poorly secured cloud ingress ports, for example, help attackers gain unauthorized access and disrupt cloud-based workloads and data. Attackers also use other techniques, such as malicious software (malware), zero-day exploits, and account takeover, to breach public clouds.
Cloud vendors leverage their infrastructure to provide as-a-Service offerings. The Infrastructure-as-a-Service (IaaS) model enables cloud vendors to have full control over the infrastructure, and customers have no control over this layer. This model offers benefits such as scalability and flexibility, but it limits the control and visibility customers have over the environment.
Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) models present this challenge as well. The cloud vendor controls the infrastructure and many other components, and cloud customers cannot monitor or track them. As a result, cloud customers cannot effectively identify and quantify cloud assets, let alone visualize the entire cloud environment.
Cloud resources are dynamically spun up and down. The cloud enables you to provision and decommission at scale and at velocity. Unfortunately, traditional security technology simply cannot enforce protection policies in this type of flexible and dynamic environment. The constant changes, coupled with ephemeral workloads, make it difficult for legacy security to keep up.
DevOps and DevSecOps teams thrive on quick and highly efficient work. To achieve this, they create CI/CD pipelines that are highly automated. In addition to enabling fast development cycles, automation also helps ensure security controls are properly identified and embedded in all code and templates early on in the software development cycle.
However, security-related changes that are implemented after the workload has already been deployed can undermine the overall security posture of the organization. They can also lengthen the time to market.
Cloud user roles are often configured very loosely—granting privileges beyond what is needed or intended. For example, database write or delete permissions may be given to an untrained user, or to a user who has no business need to add or delete database assets.
Another critical risk—at the application level—may occur when improperly configured keys and privileges expose sessions to security risks.
The majority of cloud providers have audited their environments for compliance with well-known accreditation programs, such as GDPR, NIST 800-53, PCI 3.2, and HIPAA. However, cloud security and compliance is a joint responsibility, and cloud customers are also responsible for ensuring that their workloads and data are compliant.
Cloud compliance and governance present a critical challenge for organizations handling sensitive data (such as financial or healthcare data). The poor visibility and the dynamic nature of the cloud can turn the compliance audit process into a nearly impossible effort. Often, it requires the use of tools that continuously check compliance and issue real-time alerts about misconfigurations.
The following technologies form the basis of cloud security. While they are not enough to solve the challenges above, they provide the building blocks of a robust security strategy that can address the complexities of cloud environments.
The purpose of encryption is to scramble data until it becomes meaningless. Once data is encrypted, only authorized users (in possession of the decryption keys) can use it. Since encrypted data is meaningless without those keys, it cannot be leaked, sold, or used to carry out other attacks.
You can encrypt data while it is stored (at rest) and also when it is sent from one location to another (in transit). Encrypting data in transit is critical when migrating data, sharing information, or securing communication between processes. Cloud environments require encryption of data at rest and in transit.
IAM tools are responsible for authorizing users and denying access to any unauthorized party. IAM assesses a user’s identity and access privileges and then determines whether the user is allowed access. Since the decision is not based on the device or location used during the attempted login, IAM is highly useful in keeping cloud environments secure.
IAM can help mitigate a range of attacks, including insider threats and account takeover. Here are key capabilities offered by IAM tools:
A cloud firewall creates a layer that blocks malicious web traffic, including DDoS attacks, vulnerability exploits, and malicious bot activity. A cloud firewall is hosted within the cloud where it creates a virtual security barrier wrapped around your cloud infrastructure.
A virtual private cloud (VPC) provides a private cloud environment, which is contained in a public cloud. A VPC creates logically-isolated and highly configurable sections of a public cloud. You can gain access to VPC resources on demand and scale up as needed. To secure your VPC, you can use security groups.
Each security group serves as a virtual firewall that enables your instance to control outbound and inbound traffic. Note that these groups function at the instance level and do not work at the subnet level. This means you can assign each instance in a subnet within the VPC to a different set of security groups. You can assign a maximum of five security groups per instance.
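Because security groups are allow-only and evaluated per instance, an instance's real inbound exposure is the union of every rule in every group attached to it. The following added example (not code from the original article) computes that union over constructed sample groups, shaped like AWS `describe-security-groups` output with hypothetical IDs, and reports which ports are reachable from the whole Internet:

```python
"""Audit an instance's effective inbound exposure from its security groups.
Added example (not from the article): security groups are allow-only and evaluated per
instance, so real exposure is the union of every inbound rule in every attached group.
Data below is constructed and mimics the shape of AWS describe-security-groups output;
group IDs and rules are hypothetical."""
from typing import Dict, List, Tuple

MAX_GROUPS_PER_INSTANCE = 5        # per-instance limit mentioned in the article
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

GROUPS: Dict[str, List[dict]] = {   # constructed sample groups
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
    ],
    "sg-admin": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,     # RDP from anywhere
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
    ],
    "sg-internal": [
        # "-1" = all protocols and ports; acceptable only because the source is narrow
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
    ],
}

def effective_ingress(instance_groups: List[str], groups: Dict[str, List[dict]]) -> List[dict]:
    """Union of inbound rules across every group attached to one instance."""
    if len(instance_groups) > MAX_GROUPS_PER_INSTANCE:
        raise ValueError(f"more than {MAX_GROUPS_PER_INSTANCE} groups on one instance")
    return [rule for sg in instance_groups for rule in groups[sg]]

def world_open(instance_groups: List[str], groups: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """(protocol, port range) pairs reachable from any Internet address, sorted."""
    findings = set()
    for rule in effective_ingress(instance_groups, groups):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(src in (ANY_IPV4, ANY_IPV6) for src in sources):
            continue                                    # source restricted: not world-open
        if rule["IpProtocol"] == "-1":
            findings.add(("all", "all"))
        else:
            findings.add((rule["IpProtocol"], f"{rule['FromPort']}-{rule['ToPort']}"))
    return sorted(findings)

if __name__ == "__main__":
    print(world_open(["sg-web", "sg-admin", "sg-internal"], GROUPS))
```

Attaching `sg-admin` to an instance exposes RDP to the world even though `sg-web` alone looked fine, which is why the check runs over the attached set rather than one group at a time.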
Cloud monitoring lets you review, monitor, and manage your cloud workflow. You can implement manual and automated cloud monitoring services or tools as needed. Automated monitoring can help save time and ensure continuous visibility. Once an event occurs, administrators are notified and can apply mitigation measures. This can help ensure your cloud environment remains healthy and secure.
Calico Enterprise and Calico Cloud offer DNS policies, enterprise security controls, intrusion detection, and zero trust security. Calico delivers the following unique features for cloud security:
See our additional guides about cloud security topics.
Cloud Workload Protection Platforms (CWPP): An In-Depth Look
Cloud Workload Protection Platforms (CWPPs) provide the capabilities needed to secure workloads deployed in private, public, or hybrid clouds. CWPP solutions are designed to secure the application and any associated cloud resource.
Gartner defines the following four essential features of CWPP solutions:
Microsegmentation in the Cloud Native World
Networking is not the only area that has to change in a scale-out or cloud native world. One thing that needs to change is the concept of a single controller that is completely deterministic and the source of all truth in the infrastructure. What is needed, instead, is a system that enforces rules and policies based on the current state of the environment. Those rules and policies can be determined a priori and are independent of any specific state of the system. The number, location, and velocity of change of components in the system should be irrelevant to the operation of the system and the rendering of its policies.
The way that modern cloud native systems, such as Kubernetes, address this requirement is via day-zero configuration and metadata attached to workloads, services, hosts, etc. Depending on the state of the infrastructure and its applications, a given rule or policy may affect nothing in the infrastructure, everything in the infrastructure, or, more likely, some number in between.
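To make the "nothing, everything, or some number in between" point concrete, here is an added example (not code from the article or from Calico) that renders Kubernetes-style label selectors (`matchLabels` plus `matchExpressions` with `In`, `NotIn`, `Exists`, `DoesNotExist`) against a constructed workload inventory; the policies are fixed ahead of time and only the current set of labelled workloads decides what each one touches:

```python
"""Render label-selector policies against whatever workloads exist right now.
Added example (not from the article or Calico's code): Kubernetes-style selectors
(matchLabels and matchExpressions: In, NotIn, Exists, DoesNotExist) applied to a
constructed inventory, so one fixed policy matches nothing, everything, or a subset."""
from typing import Dict, Set

Labels = Dict[str, str]

# Constructed inventory: workload name -> labels (hypothetical values).
WORKLOADS: Dict[str, Labels] = {
    "frontend-1": {"app": "shop", "tier": "web", "env": "prod"},
    "frontend-2": {"app": "shop", "tier": "web", "env": "prod"},
    "api-1":      {"app": "shop", "tier": "api", "env": "prod"},
    "batch-1":    {"app": "reports", "tier": "job", "env": "staging"},
}

# Selectors written ahead of time, independent of what happens to be deployed.
POLICIES: Dict[str, dict] = {
    "prod-egress":  {"matchLabels": {"env": "prod"}},
    "db-deny":      {"matchLabels": {"tier": "db"}},  # matches nothing until a db appears
    "non-web":      {"matchExpressions": [
                        {"key": "tier", "operator": "NotIn", "values": ["web"]},
                        {"key": "app", "operator": "Exists"}]},
    "everything":   {},                                # empty selector selects all
}

def matches(selector: dict, labels: Labels) -> bool:
    """True if a workload's labels satisfy every term of the selector."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        ok = {"In": present and labels[key] in values,
              "NotIn": not present or labels[key] not in values,   # absent key matches NotIn
              "Exists": present,
              "DoesNotExist": not present}[op]
        if not ok:
            return False
    return True

def render(selector: dict, workloads: Dict[str, Labels]) -> Set[str]:
    """Workloads the policy applies to right now; re-render whenever state changes."""
    return {n for n, lbl in workloads.items() if matches(selector, lbl)}

if __name__ == "__main__":
    for name, sel in POLICIES.items():
        print(f"{name:12} -> {sorted(render(sel, WORKLOADS))}")
```

Re-running `render` after a `tier=db` workload is deployed makes `db-deny` start applying to it without any change to the policy itself.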
Read more: Microsegmentation in the Cloud Native World