Cloud Security: What It Is and How to Implement It to Secure Data, Applications, and Infrastructure

Written by Genesio Di Sabatino, Head of Cloud Security, Swascan.

The increasing migration of data, applications and infrastructure to new technological environments poses cybersecurity challenges in completely unexplored contexts where cloud security plays a leading role. Here's everything you need to know.

In an increasingly data-driven and highly interconnected social and productive context, cloud-based services are inevitably very popular and important. Considering the growing use of as-a-service solutions, cloud security plays a leading role in protecting the incredible amount of data and investments made in this sector.

In fact, more and more companies of all sizes in all sectors have started to transition to the ‘cloud’ (accelerated as well by the global pandemic), with the substantial migration of data, applications and infrastructures to new technological environments.

Such migration poses cybersecurity challenges in entirely new contexts. While adoption of the cloud is driving organizations toward an increasingly robust digital transformation that allows them to expand operations and find innovative ways to connect to customers, it introduces new complexities and vulnerabilities that need to be recognized and managed by enterprise security professionals.

But what exactly is cloud security and how does it differ from the security of traditional computer systems?

What is cloud security?

Cloud security refers to the set of policies, procedures and technologies that interact with each other to ensure the protection of cloud-based systems, the underlying infrastructure (consisting of routers, electrical systems and hardware), applications and data from internal and external threats and cyber-attacks.

Cloud security is therefore a subset of cybersecurity, the purpose of which is to ensure the protection of all company assets located in the cloud.

In particular, the main objective of a correct cloud security strategy must be the total protection of all elements that somehow interact with the cloud itself.

However, we must also consider that from one organization to another, no two cloud environments are the same. Needs and practices vary by industry, geography, and the specific architecture of a single, multiple, or hybrid cloud.

Cloud computing and enterprise security

It is therefore clear that we cannot talk about cloud security without considering how cloud computing can affect corporate security.

Recall that, according to the definition given by NIST in SP 800-145, cloud computing is ‘a model that allows ubiquitous, cost-effective, on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be quickly made available and released with minimal management effort or interaction with the service provider.’

In the light of the most recent technological evolutions, four different cloud computing environments can be identified:

1. Public cloud environments, which are managed directly by Cloud Service Providers (CSPs) with servers that are shared among the various customers accessing the services (tenants). Customers therefore rely on services based on infrastructure that is not under their control or management.
2. Private cloud environments, which can be configured within a customer-owned data centre or managed by a CSP. In both cases, access to the servers is exclusive to each individual customer and the infrastructure is not shared with other companies.
3. Hybrid cloud environments: As the name implies, they are a combination of public cloud services and on-site data centres.
4. Multi-cloud environments, where multiple cloud services are managed by different CSPs.

According to the 2023 edition of the Cloud Security Report conducted by Cybersecurity Insiders and sponsored by Fortinet, 53% of the 752 cybersecurity professionals surveyed worldwide agree that their organizations have experienced greater flexibility and scalability, greater agility (45%), better availability and business continuity (44%), and accelerated deployment and provisioning (41%).

In contrast, the same Cloud Security Report highlights how rising costs, compliance requirements, hybrid- and multi-cloud complexities, reduced visibility, and a lack of skilled professionals are all factors causing organizations to curb or change their cloud adoption strategies.

With obvious security issues.

In fact, while enterprises continue to adopt the cloud and take advantage of its many benefits, nearly all companies surveyed by analysts in the Cloud Security Report state strong concerns about cloud security. For nearly half (43%), the most significant risks derive precisely from the use of the public cloud, believing on-site solutions to be more secure.

Not to mention that the push for increasing digital innovation in organizations brings with it a real transformation in information systems towards hybrid- and multi-cloud structures, effectively forcing organizations themselves to have their application portfolio spread among different providers.

How cloud security works

The cloud paradigm therefore presents obvious advantages in terms of IT and data security, but it also introduces new threats by greatly expanding the attack surface.

On the one hand, the adoption of a cloud environment reduces the operational burden of managing one’s own infrastructure. As a result, systems are easier to update and security itself becomes the direct responsibility of the Cloud Service Provider.

On the other hand, the cloud drastically changes the defensive perimeter of companies, which is obviously no longer limited to a single internal domain, forcing companies themselves to review and update their defensive strategies.

In fact, many organizations still use traditional network-based security technologies and systems to protect cloud environments that by nature are not bound to the infrastructure and do not have a static, well-defined perimeter.

Who is responsible for cloud security?

This last point highlights the main difference between cloud security and traditional security: the responsibility for cloud security and compliance is shared between Cloud Service Providers and customers.

This is the so-called shared responsibility model according to which CSPs generally provide physical security of the cloud infrastructure, while the customer, and the company's IT department in particular, is responsible for configuring access controls, managing security policies and protecting data in the cloud.

This responsibility also depends on the type of services that can be provided using cloud infrastructures that can be classified in three different types:

1. Infrastructure as a Service (IaaS). In this cloud service model, CSPs provide the computing power, network, and storage, making them responsible for the service. Customers who adopt this cloud solution are therefore required to secure the operating system, applications, development environment and data.
2. Platform as a Service (PaaS). In this case, cloud service providers provide customers with a development and deployment environment, thereby assuming responsibility for securing the runtime environment, operating system, and core cloud computing services. For their part, customers are responsible for the applications, data, user access, devices and networks formed by the users themselves.
3. Software as a Service (SaaS). This is the most complete cloud service. Users do not have to download or install anything, and the services can be used simply via an internet connection and web browser. Organizations therefore access such software with a ‘pay-as-you-go’ model: the most famous example is Microsoft 365. In this cloud service model, users must ensure only the security of data, users, and devices.

The right understanding of the shared responsibility model and the correct configuration of cloud access accounts are important for helping companies implement the necessary regulatory compliance and security policies.

Why cloud security is so important

It goes without saying that the correct application of the shared responsibility model between CSP and customers allows you to make the most of the benefits of cloud security and, consequently, mitigate the risks of an incorrectly configured cloud environment.

Advantages and disadvantages of remote work environments

To begin with, integrating cloud computing into your business infrastructure offers undoubted data accessibility, which is essential for ensuring flexibility and agility in production processes.

Conversely, insecure access to cloud resources by employees creates numerous weaknesses in the corporate security perimeter. This problem is exacerbated when employees use personal devices or take their work devices outside the company, exposing them to malware or Trojan horses that can compromise the entire cloud system.

Cloud security for safer data storage

Another undoubted advantage offered by the cloud is the ability to store your data and create backups that are easy to restore.

But what if the data is not adequately protected? First of all, the main risk is downloading damaged files, with obvious consequences for business continuity.

What if malicious files penetrate the cloud infrastructure? The risk is that all our archives may be compromised and not only the company's network and devices, but also of those of external customers may be damaged.

Top Security Vulnerabilities in Cloud Environments

According to research by Venafi, 81% of organizations have experienced a cloud-related security incident in the past year, while 45% said they have experienced four or more. These numbers show that many companies still do not understand the risks associated with the use of cloud technology, underestimating the main threats and critical issues.

Incorrect configurations

Most worrying is the lack of awareness that critical data and infrastructure risks are caused by misconfigured cloud environments.

Managing and eliminating misconfigurations is critical to thwarting cyberattacks. But while cloud service providers often provide tools to help manage the cloud, misconfigurations are the most prevalent vulnerability that threat actors can exploit to access data and services.

Errors in account permissions, storing and managing passwords, creating data archives that are not encrypted, etc., are the root cause of security breaches that could expose billions of records.

Vulnerability

Another major issue is running workloads on compute instances of vulnerable virtual machines exposed to the internet, which could lead to critical data leaks.

The recent case of the Log4Shell vulnerability is emblematic of how the lack of a proper patching policy can open the door to threat actors by empowering them to quickly create exploits and search for exposed devices, sites, apps and cloud instances to attack.

Compromised accounts

Access to privileged accounts can allow criminal hackers to evade control and detection systems and launch a myriad of attacks.

However, many organizations still do not adequately restrict user access privileges or enforce multi-factor authentication (MFA) systems.

Yet with most breaches starting with a phishing attack and the sophistication of these scams making them increasingly difficult to detect, it is critical to enhance access control to protect sensitive data, applications, and workloads in the cloud.

Not only that, intentional or accidental threats sometimes come from internal users (so-called insiders). To prevent this risk, it is important to limit sensitive data to managed devices only, use behavioural analytics to monitor activity, and frequently educate business users on cyber threats and risks.

Supply chain attacks

Many organizations have external users who can access the cloud environment with administrative permissions, increasing the risk of data exfiltration and exploits.

Sadly, organizations continue to migrate to the cloud and if cloud security does not extend to the supply chain and access still goes unchecked, the number of breaches due to supply chain attacks will only increase.

Cloud security best practices

To fully enjoy the benefits offered by cloud computing and yet mitigate the risks of its integration in the corporate infrastructure, it is necessary to respect some basic principles of cloud security to achieve the four main objectives of cloud security: protect, detect, contain and recover:

1. Data protection through IT technologies and tools such as encryption that guarantee access to data while limiting the visibility of confidential information.
2. Identity and access management to avoid compromising corporate information stored in the cloud and the infrastructure itself. In this sense, access control solutions such as multi-factor authentication or Identity & Access Management (IAM) systems that continuously monitor and control the behaviour of those accessing resources play a fundamental role.
3. Adoption of business continuity and disaster recovery tools and measures to ensure business operations even in the event of a security incident and restore it in the shortest possible time.

It is clear, however, that the technological component alone is not sufficient to define a correct cloud security strategy. It is also important to develop some important organizational and governance aspects:

1. Define policies to be integrated in product and service development processes by adopting DevOps and DevSecOps approaches, while requiring all business users to participate in identifying, classifying, and assuming responsibility for production assets to build awareness and raise the level of protection.
2. Properly configure cloud assets to separate data from operations, allowing access only to the people and systems that are strictly necessary to perform a given task.
3. Centralized management of cloud security for all services and Cloud Service Providers to have visibility of all access points and simplify the monitoring and identification of possible threats.
4. Continuous monitoring of user access to cloud platforms and various services to identify activities that could put the company infrastructure at risk.
5. Provide a maintenance plan that guarantees redundancy and data backups and includes a patching policy. Recall that it is the responsibility of service providers to manage software updates and security patches, while it is up to the organizations’ IT departments to update their services.

Conclusions

As we have seen, cloud security is taking on an increasingly important role over traditional on-site security.

It is true that cyber-attacks aimed at cloud environments are constantly increasing, but awareness about these issues is also increasing among companies that choose to migrate their infrastructure to this type of system.

On the other hand, the convenience and ease of using cloud technology has changed our world, enabled unprecedented scalability of business operations and offered the ability to work from anywhere and with greater productivity.

Companies must therefore do their part in the shared responsibility model and take all technical and organizational measures necessary to protect themselves from cloud security threats.