Cloud security consists of the practices and technology that protect cloud computing environments from both external and internal cybersecurity threats. Cloud computing, which is the delivery of IT services over the internet, has become a mainstay for modern businesses and governments. To keep data and applications in the cloud secure from current and emerging threats, security solutions need to be put in place that prevent unauthorized access, along with best practices for managing those security resources.
Cloud security differs based on the category of cloud computing being used. There are three main categories of cloud computing:
- Public cloud services, operated by a public cloud provider — These include software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS).
- Private cloud services, operated by a public cloud provider — These services provide a computing environment dedicated to one customer, operated by a third party.
- Private cloud services, operated by internal staff — These services are an evolution of the traditional data center, where internal staff operate a virtual environment they control and provide access to employees over the internet. Many organizations are moving to a software-defined data center (SDDC) to accomplish this.
When using a cloud computing service operated by a public cloud provider, data is being stored with a third party, which marks a fundamental difference between cloud computing and traditional IT, where most data was held within a self-controlled network. Understanding the separation of data from owner to public cloud provider is the first step to building a cloud security strategy.
The primary security issues in cloud computing
Since data in the public cloud is being stored by a third party and accessed over the internet, several issues arise in the ability to maintain a secure cloud. These are:
- Visibility into cloud data — In many cases, cloud services are accessed outside of the corporate network and from devices not managed by IT. This means that the IT team needs the ability to see into the cloud service itself to have full visibility over data, as opposed to traditional means of monitoring network traffic.
- Control over cloud data — In a third-party cloud service provider’s environment, IT teams have less access to data than when they controlled servers and applications on their own premises. They also have little to no oversight of bring-your-own-device (BYOD) technology that can access the cloud, as compared to managed devices such as laptops and smartphones they issued themselves. Cloud customers are given limited control by default, and access to underlying physical infrastructure is unavailable.
Cloud providers must do their part to create a secure cloud for their customers, as their business model depends on avoiding breaches that would erode customer trust. Cloud providers cannot, however, avoid all cloud security issues, because they can’t predict how customers will use their services or what data they will place in the cloud. In each public cloud service type, there are different levels of shared responsibility for security between the cloud provider and cloud customer. By service type, these are:
- Software-as-a-service (SaaS) — Customers are responsible for securing their data and user access.
- Platform-as-a-service (PaaS) — Customers are responsible for securing their data, user access, and applications.
- Infrastructure-as-a-service (IaaS) — Customers are responsible for securing their data, user access, applications, operating systems, and virtual network traffic.
Across all public cloud services, customers are responsible for securing their data and controlling who can access that data. Data security in cloud computing is fundamental to successfully adopting and gaining the benefits of the cloud. Organizations considering popular SaaS offerings like Microsoft Office 365 or Salesforce need to plan for how they will fulfill their shared responsibility to protect data in the cloud. Those considering IaaS offerings like Amazon Web Services (AWS) or Microsoft Azure need a more comprehensive plan that starts with data, but also covers cloud app security, operating systems, and virtual network traffic—each of which can also introduce potential for data security issues.
Recommendations to address cloud computing security risks
Organizations seeking cloud security solutions should consider the following criteria to solve the primary cloud security challenges of visibility and control over cloud data.
- Visibility into cloud data — A complete view of cloud data requires direct access to the cloud service. Cloud security solutions accomplish this through an application programming interface (API) connection to the cloud service. With an API connection it is possible to view:
- What data is stored in the cloud.
- Who is using cloud data.
- The roles of users with access to cloud data.
- Who cloud users are sharing data with.
- Where cloud data is located.
- Where cloud data is being accessed and downloaded from, including from which device.
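The visibility questions above can be answered by pulling activity events through the cloud service's API and summarizing them. The following script is an added example, not code from the original page or from any McAfee product: the events are constructed to resemble what a cloud storage activity API returns, and the managed-device inventory and internal domain are hypothetical values standing in for an organization's own.

```python
"""Visibility report built from cloud-service activity events.

Added example (not from the original page). EVENTS is a constructed sample of
the records a cloud storage activity API typically returns; MANAGED_DEVICES is a
hypothetical IT device inventory and INTERNAL_DOMAIN a hypothetical tenant.
"""
from collections import Counter, defaultdict

# Constructed sample events: one record per user action on a cloud file.
EVENTS = [
    {"ts": "2024-05-01T09:02:11Z", "user": "alice@example.com", "role": "editor",
     "action": "download", "file": "q1-payroll.xlsx", "device_id": "LT-0042",
     "geo": "DE", "target": None},
    {"ts": "2024-05-01T09:05:40Z", "user": "alice@example.com", "role": "editor",
     "action": "share", "file": "q1-payroll.xlsx", "device_id": "LT-0042",
     "geo": "DE", "target": "anyone_with_link"},
    {"ts": "2024-05-01T11:17:03Z", "user": "bob@example.com", "role": "viewer",
     "action": "download", "file": "roadmap.pdf", "device_id": "unknown-3f9",
     "geo": "BR", "target": None},
    {"ts": "2024-05-01T11:18:30Z", "user": "bob@example.com", "role": "viewer",
     "action": "share", "file": "roadmap.pdf", "device_id": "unknown-3f9",
     "geo": "BR", "target": "partner@contractor-example.net"},
    {"ts": "2024-05-01T12:00:00Z", "user": "carol@example.com", "role": "owner",
     "action": "view", "file": "handbook.docx", "device_id": "LT-0007",
     "geo": "DE", "target": None},
]

MANAGED_DEVICES = {"LT-0042", "LT-0007"}   # hypothetical IT-issued device inventory
INTERNAL_DOMAIN = "example.com"            # hypothetical tenant domain


def is_external(target: str) -> bool:
    """A share is external if it is a public link or leaves the tenant domain."""
    return target == "anyone_with_link" or not target.endswith("@" + INTERNAL_DOMAIN)


def visibility_report(events, managed_devices=MANAGED_DEVICES) -> dict:
    """Answer: what data, who uses it, their roles, who it is shared with,
    and where/on which device it is accessed or downloaded."""
    files_by_user = defaultdict(set)
    roles = {}
    external_shares = []
    unmanaged_access = []
    downloads_by_geo = Counter()
    for e in events:
        files_by_user[e["user"]].add(e["file"])
        roles[e["user"]] = e["role"]
        if e["action"] == "share" and e["target"] and is_external(e["target"]):
            external_shares.append((e["user"], e["file"], e["target"]))
        if e["device_id"] not in managed_devices:
            unmanaged_access.append((e["user"], e["file"], e["device_id"], e["geo"]))
        if e["action"] == "download":
            downloads_by_geo[e["geo"]] += 1
    return {
        "files_by_user": {u: sorted(f) for u, f in files_by_user.items()},
        "roles": roles,
        "external_shares": external_shares,
        "unmanaged_access": unmanaged_access,
        "downloads_by_geo": dict(downloads_by_geo),
    }


if __name__ == "__main__":
    for key, value in visibility_report(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed sample the report surfaces two items a network-traffic monitor would never see: a payroll file shared with a public link, and a roadmap downloaded and re-shared from an unmanaged device in a different country. Replacing `EVENTS` with the paged output of a real activity API is the only change needed to run it against a live tenant.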
- Control over cloud data — Once you have visibility into cloud data, apply the controls that best suit your organization. These controls include:
- Data classification and data loss prevention (DLP) — Classify data on multiple levels as it is created in the cloud. Address confidentiality, compliance with Payment Card Industry (PCI) or Health Insurance Portability and Accountability Act (HIPAA) regulations, and many more categories, including those custom-written through regular expressions (regex). Once classified, data can be stopped from entering or leaving the cloud service.
- Collaboration controls — Manage controls within the cloud service, such as downgrading file and folder permissions for specified users to editor or viewer, removing permissions, and revoking shared links.
- Device access control — Block access when a personal, unauthorized device tries to access cloud data.
- Malicious behavior identification — Detect compromised accounts and insider threats with user behavior analytics (UBA) so that malicious data exfiltration does not occur.
- Malware prevention — Prevent malware from entering cloud services using techniques such as file-scanning, application whitelisting, machine learning-based malware detection, and network traffic analysis.
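The first three controls in the list (regex-based classification for PCI, HIPAA and custom categories, collaboration controls that downgrade or revoke sharing, and device access control) can be combined into one policy engine. The script below is an added example, not code from the original page or from any McAfee product: the card-number detector is a generic pattern with a Luhn checksum, the medical record number format and the "Project Orion" custom category are constructed, and the policy table is a hypothetical set of rules an organization would tune for itself.

```python
"""DLP classification plus enforcement of sharing and device controls.

Added example (not from the original page). Detector patterns, the MRN format,
the custom category and the POLICY table are constructed for illustration.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# (label, compiled regex, optional validator that cuts false positives)
DETECTORS = [
    # PCI: 13-19 digits with optional space/dash separators, Luhn-validated
    ("PCI", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    # HIPAA: constructed medical record number format, e.g. MRN-0012345
    ("HIPAA", re.compile(r"\bMRN[- ]?\d{6,8}\b"), None),
    # Custom category written as a regex, as the text describes
    ("CONFIDENTIAL", re.compile(r"\bPROJECT[- ]ORION\b", re.IGNORECASE), None),
]

# Hypothetical policy: per label, whether upload is blocked, the widest
# sharing level allowed, and whether only managed devices may access it.
POLICY = {
    "PCI": {"block_upload": True, "max_share": "internal", "managed_device_only": True},
    "HIPAA": {"block_upload": False, "max_share": "internal", "managed_device_only": True},
    "CONFIDENTIAL": {"block_upload": False, "max_share": "internal", "managed_device_only": False},
}
SHARE_RANK = {"private": 0, "internal": 1, "external": 2, "anyone_with_link": 3}


def classify(text: str) -> set:
    """Return the set of classification labels whose detector matches."""
    labels = set()
    for label, pattern, validator in DETECTORS:
        for match in pattern.finditer(text):
            if validator is None or validator(match.group(0)):
                labels.add(label)
                break
    return labels


def enforce(labels, share_level: str, device_managed: bool) -> list:
    """Return the remediation actions for a file with the given labels that is
    currently shared at share_level and being accessed from a device."""
    actions = []
    for label in sorted(labels):
        rule = POLICY[label]
        if rule["block_upload"]:
            actions.append(f"block_upload[{label}]")
        if SHARE_RANK[share_level] > SHARE_RANK[rule["max_share"]]:
            actions.append(f"revoke_share:{share_level}->{rule['max_share']}[{label}]")
        if rule["managed_device_only"] and not device_managed:
            actions.append(f"deny_unmanaged_device[{label}]")
    return actions


def evaluate(text: str, share_level: str, device_managed: bool) -> list:
    """Classify content, then apply the collaboration and device controls."""
    return enforce(classify(text), share_level, device_managed)


if __name__ == "__main__":
    # Constructed content: a valid test card number shared by public link
    # from an unmanaged device.
    print(evaluate("card 4111 1111 1111 1111 on file", "anyone_with_link", False))
```

The Luhn validator is what keeps a 16-digit order number from being classified as a card number; without it, regex-only classification produces the false positives that make users route around DLP. The actions returned by `enforce` map onto the controls in the list: blocking the upload, downgrading the share back to internal, and denying the unmanaged device.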
According to recent research, 1 in 4 users of public cloud services has experienced data theft by a malicious actor. An additional 1 in 5 has experienced an advanced attack against their public cloud infrastructure. In the same study, 83% of organizations indicated that they store sensitive information in the cloud. With 97% of organizations worldwide using cloud services today, it is essential that every one of them evaluates their cloud security and develops a strategy to protect their data.[1]
Cloud security from McAfee enables organizations to accelerate their business by giving them total visibility and control over their data in the cloud. Learn more about McAfee cloud security technology here.
Cloud security resources
[1] McAfee, 2018. “Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security.” https://www.mcafee.com/enterprise/en-us/solutions/lp/cloud-security-report.html.