Cloud computing security encompasses the practices, technologies, controls, and applications used to protect cloud computing environments. These security measures are designed to protect data, services, applications, and the related infrastructure in the cloud from both internal and external threats, while at the same time safeguarding users’ privacy and enabling and maintaining compliance with all applicable rules and regulations. While cloud computing security needs vary widely from business to business, the primary goal is the protection of data and the control of access to that data. As more and more businesses take advantage of cloud computing and enjoy the reduced cost of doing business, increased agility, and the ability to quickly scale, they must ensure that they consider security straight from the get-go and choose the right type and level of security to actively prevent data loss and leakage.
Benefits of cloud computing security
Cloud computing, or the delivery of IT services over the internet, requires a completely different set of considerations than traditional on-premises security. In the past, enterprise security meant surrounding enterprise applications and data with firewalls and managing endpoint devices that operated within those firewalls—a model often referred to as a “walled garden.” But this model is fundamentally incompatible with cloud computing, which by definition requires data to move beyond the enterprise perimeter. Before, the focus was primarily on preventing malware. But today, with both managed and unmanaged devices pushing data to the cloud—and with data passing from one cloud to another—the security considerations have changed dramatically.
It might seem that this setup would result in a less secure environment, but in fact there are far more breaches in on-premises environments. Though on-premises architectures are very susceptible to malware attacks, cloud computing security often involves multiple firewalls and layers of protection, with the outer layers defending against threats like malware and the inner layers preventing errors and misconfigurations that occur as a result of human error.
In other words, while many still believe that on-premises data storage is superior due to a higher degree of control and visibility, there are in fact far fewer breaches on public clouds due to cloud security providers’ emphasis on security as part of their business models.
To fully realize the overall improved security that comes with the cloud, however, you must put the proper type of cloud security in place.
There are three main categories of cloud computing security controls:
- Deterrent/Preventative Controls
Preventative controls work to minimize vulnerabilities, such as through strong user authentication that positively identifies cloud users and helps eliminate access pathways for unauthorized users. Deterrent controls, a subset of preventative controls, function less as a fence and more as a “No Trespassing” sign, letting those attempting to attack the cloud system know that doing so will bring consequences.
- Detective Controls
These controls are designed to find and address in-progress threats. Depending on the nature of the attack, these controls will deploy either the corrective or preventative controls to eliminate the threat. Examples of detective controls include system/network security monitoring such as intrusion detection and prevention.
- Corrective Controls
These controls focus on damage control and remediation, either while an attack is in progress or after it has occurred. Rollback remediation that aids in restoring systems affected by ransomware is one example of a corrective control.
While there are many overall business efficiencies that can be realized by moving to the cloud, there are security-specific efficiencies that can be realized when one shifts their security considerations from one of a primarily on-premises architecture to a cloud-based one.
- Lower cost of doing business: By moving data to the cloud, enterprises are no longer required to purchase and maintain on-premises hardware.
- Less administrative responsibility: Given today’s cybersecurity talent shortage, the ability of analysts to forego manual security tasks and oversee updates is of particular benefit to some enterprises.
- Dependability and flexibility: Cloud-based security allows for central management of a wide variety of endpoints, allowing for greater visibility and more agile response. Once the proper security measures are in place, effective cloud computing security allows employees to access enterprise data and applications on the cloud on any device, from the boardroom to the coffee shop.
- Available immediately: Instead of having to order, await delivery of, and install hardware, cloud services are ready to go as soon as you’ve purchased them.
Types of cloud computing
When adopting cloud computing, enterprises give up some of the visibility and control they’ve typically had over their data—meaning that communication between the business and the cloud service provider, in particular the service agreement, should clearly delineate where the security responsibilities between the business stop and the cloud service provider begin.
While each business agreement is different, the division of responsibilities when it comes to security is typically dependent on the type of cloud computing being adopted. There are three main categories of cloud service models:
IaaS resembles the data center and server environments that many IT departments are used to managing on their own physical sites. IaaS is a standardized, highly automated instant computing infrastructure. The cloud computing resources (storage, network, and operating systems) are owned by a cloud service provider, who also manages the infrastructure itself. IaaS follows an on-demand model where resources are scalable with demand, allowing enterprises to pay based on use. In this model, the cloud service provider offers self-service interfaces, such as a graphical user interface and an API, allowing customers to buy, build, configure, and manage their own software, including OS, applications, and more.
Out of all the cloud computing models, the customer bears the most responsibility for security under this model. These responsibilities include user access, applications, data, operating systems, and network traffic. (The cloud service provider takes care of the hypervisor, infrastructure, and physical storage.)
In the case of IaaS, cloud service providers are providing a framework for users to build something on their cloud. With IaaS, the customer runs the operating system and has network traffic flowing within their environment that they also have to secure.
In other words, while cloud computing security in IaaS is about data, it’s also about infrastructure.
Examples: Amazon Web Services, Microsoft Azure
PaaS environments are similar to IaaS, but exist as predefined operating environments for developing, testing, and managing applications. PaaS environments are primarily useful for DevOps and support developers to construct and run web applications and services without requiring the related servers, databases, development tools, and other related infrastructure. PaaS environments are offered by many of the same providers as Iaas, but with PaaS, the cloud service providers provide the necessary infrastructure, while the developers provide the accompanying code. In the case of PaaS and IaaS, service providers are essentially furnishing a framework for you to build something on their cloud. With PaaS, you have to secure whatever application you build to put on it, but you aren’t running the operating system.
In the case of PaaS and IaaS, since you’re operating a virtual network on the cloud, you’re susceptible to network based threats—attackers and adversaries will scan for vulnerabilities in the cloud infrastructure and try to find open ports to exploit.
Examples: Heroku, OpenShift, AWS Elastic Beanstalk
SaaS describes third-party, hosted applications accessible from the client’s side via web browser (as opposed to living on a user’s endpoint device). In the 2019 McAfee Cloud Adoption and Risk Report, we found that organizations are using an average of 1,427 different cloud applications, most of which are SaaS applications. SaaS is primarily used by end users, sometimes without approval or authorization: so-called shadow IT—cloud services that employees use without the knowledge or approval of their IT departments—falls under the SaaS model.
When it comes to SaaS, the customer is only responsible for data and user access, and the cloud service provider covers the rest. In other words, the enterprise is responsible for how they use the app, who can access stored data, what sort of sign-on requirements are implemented (such as multifactor), and what data goes into it. Data access control and exfiltration are the primary areas of focus here—while malware could ostensibly make it into a business’s cloud content management/file sharing service or come from a URL that is hosted on a file storage site, most of the issues customers are solving with SaaS are data loss prevention problems.
Examples: Office 365, Salesforce, Gmail
Focus areas for cloud computing security
There are many things to consider when formulating your cloud computing strategy. Here are a few:
- Access control: Limit access to sensitive data to include only those who need a given piece of data to complete their work. Implementing more granular controls, including defining who has access to write or share versus who can only read a file, offers even greater security benefits.
- Social engineering: Phishing and other social engineering tactics are a major threat to cloud data security. Security awareness training can help employees learn to identify such attempts.
- Data security: With ransomware attacks on the rise, creating a secure backup of your data is crucial to ensuring continuity of operations.
- Misconfiguration: According to the 2019 McAfee Cloud Adoption and Risk Report, enterprises have an average of 2,269 individual misconfiguration incidents per month. And more than 1 in 20 AWS S3 buckets have world read permissions, making them open to the public.
- Compliance: You can outsource data storage, but you cannot outsource your compliance responsibilities. There may be restrictions on cloud usage that need to be met to maintain compliance with HIPAA and other regulations.
How can you secure your cloud?
While malware is still a concern in cloud computing (much less so in SaaS, somewhat more so for PaaS and IaaS), misconfiguration is the cause of most cloud security breaches. According to the Gartner Magic Quadrant for CASB, “Through 2023, at least 99 percent of cloud security failures will be the customer’s fault.” Developers can introduce risk through misconfigured IaaS, leaving data open to the public or vulnerable to attackers. Most organizations have around 14 misconfigured IaaS instances running at any given time.
For example, in an IaaS application scenario, an enterprise has a virtual private cloud with its own network connecting all of the pieces that make its application work together. The data goes into storage buckets—if someone in an enterprise leaves a port open, whether to the S3 bucket or their computer and server running in the cloud, the business must ensure that it isn’t left open in such a way that someone could find and exploit it. Misconfigurations such as this are not the responsibility of the cloud service provider—it’s up to the customer to correctly configure their settings and to ensure that negligence and human error do not leave their company open to a breach. Most of the security problems in the news are misconfigurations of resources in a platform like AWS—so while AWS is doing a lot for security infrastructure, customers must know how to configure what AWS provides in order to fit their business’s unique needs. If their storage is open to the public, and there are customer records in there, the results could be devastating.
In situations where a user is running an application that is not internally shielded and is in any way open to people, there are opportunities for attack. Someone could go online, upload a file, or engage with whatever the application is—on the application itself in the operating system—and try to run an exploit against the application or insert malware into the system. The goal would be to gain access to critical resources like corporate and consumer data, other connected databases, or anything else they might be able to access by moving laterally.
While there are certainly risks associated with cloud computing, many of these risks can be mitigated by following established best practices. However, for more comprehensive protection, enterprises should consider using a Cloud Access Security Broker (CASB) such as McAfee MVISION Cloud.
McAfee MVISION Cloud enables organizations to accelerate their business by giving them visibility and control over their data in the cloud. It also protects organizations from threats with a frictionless deployment model that’s easy to adopt. MVISION Cloud is cloud-native, giving IT a single place to view and control their data in the cloud. It’s a single enforcement point that works consistently across all your SaaS applications, IaaS environments, and shadow IT. With consistent cloud security across all cloud services, you can keep up with the velocity of cloud adoption at your company and enable business acceleration.
McAfee MVISION Cloud also allows those working in government organizations or industries like healthcare or financial services—who are subject to strict compliance regulations—to benefit from moving to the cloud. MVISION Cloud also helps enterprises meet internal policies for data protection to stay within the bounds of the company security policies.
Learn more about the security issues associated with cloud environments—and how you can help prevent them.