ユースケース別
As organizations shift more of their workloads into cloud computing environments, securing the applications and data in them is paramount.
Cloud security shares some core concepts with traditional on-premises cybersecurity, but involves some unique technologies and best practices of its own. The latter components help defend against certain sophisticated threats in the cloud, protect a dissipating network perimeter and properly distribute security responsibilities between cloud service providers and their customers.
Cloud security is the complete set of interrelated policies, tools, processes and personnel for protecting cloud computing environments from harm. It applies to every part of the cloud computing stack, from networks and storage (cloud infrastructure) all the way up to data and applications.
The high-level objectives of cloud computing security are to:
Cloud security is inherently a shared responsibility. The specific portions of the cloud computing stack that the cloud provider and customer will manage determine the cloud security architecture for their business relationship.
A cloud security architecture is a structure for how security responsibilities are shared between, and borne by, the cloud provider and subscriber — basically, a determination of who secures what, and in which ways.
In each area for which it is responsible, the provider or customer will take care of specific technical components that either secure the cloud apps themselves or secure access to them. Some examples in each category include:
A coherent and well-supported cloud security architecture is important because cloud security is complex. Data may be accessed by unmanaged devices, there isn’t a traditional network perimeter to defend and there are complicated risks such as advanced persistent threats (APTs), among other dangers.
The major service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Desktop as a Service (DaaS). Each major cloud service model has its own distinctive security architecture managed by the cloud provider and the customer.
Cloud security architectures will also differ depending on whether the cloud in question is deployed as a public cloud, private cloud or hybrid cloud. Many organizations rely on one or more clouds in each category as part of a multicloud strategy.
It depends on the service and deployment model, although cloud security responsibilities will always be shared to some degree. For example, with IaaS from a public cloud provider, that provider manages the physical network interfaces, hypervisors and data storage, while the customer handles the operating systems, applications and data that sit on top of them.
This architecture is sometimes described as the cloud provider overseeing the security “of” the cloud — i.e., its essential hardware and software, such as databases and compute capacity in a data center — and the customer focusing on security “in” the cloud, namely, how that organization grants or denies access requests, configures its firewalls and performs other activities in the normal course of using a cloud service.
For public cloud PaaS, SaaS and DaaS, the cloud service provider handles a greater share of the security responsibilities relative to IaaS. In SaaS, for instance, the customer does not have to manage the underlying servers, databases and related security mechanisms like encryption. At the same time, this setup does not mean that SaaS is risk-free, as customers still have to vet the cloud provider and ensure that application access is properly secured.
Private clouds and hybrid clouds, in which an organization maintains a set of resources exclusively for its own use, usually require more customer-side cybersecurity responsibility. There are some security benefits for private and hybrid cloud data, since it isn’t as dependent upon shared infrastructure as public cloud data. But keeping it safe may take more direct effort from the customer.
Even though some traditional cybersecurity practices, such as the use of SSO, fit well into a cloud security architecture, cloud security is fundamentally different from on-premises security on the customer/user side, with the main differences being:
Cloud applications are more widely accessible than traditional ones, being reachable over IP networks from virtually any location, and as such they attract more cyberattacks. SQL injection, distributed denial-of-service (DDoS) attacks and other threats (e.g., zero-days) are constant concerns with cloud applications. Multicloud environments are magnets for cyberattacks and must be carefully monitored.
For example, bot enabled automated attacks that can only be stopped with solutions for bot detection working in tandem with other tools like WAFs and API protection. Indeed, improperly secured APIs can enable unauthorized connections that precipitate data breaches.
Cloud security is also different from traditional security because it is a shared responsibility. The cloud customer is not in complete control of security, even if they can control aspects related to access.
This shared responsibility is most apparent in public clouds, where the service provider handles data encryption and malware defense, while the customer secures access. Accordingly, the service-level agreement from the provider and its own track record on security are both crucial components of cloud security.
The highly centralized, perimeter-defined model of on-prem security does not scale to modern multicloud environments. Cloud app access cannot be fully secured with safeguards like VPNs or firewalls by themselves, which assume that users inside a company network are trustworthy.
As one example, a VPN grants wide-ranging access to the network and puts a lot of trust in authorized users —an approach that is feasible in a limited on-premises context, but not in the world of broad cloud application access. What if a user is actually a bot or a security threat?
Overall, there are many security challenges that are either unique to the cloud or greatly amplified compared to how difficult they were on-prem, such as:
The full range of cloud security best practices is vast, and many of them are not even under a customer’s direct control due to the shared responsibility within a cloud security architecture. Some of the most important components of a prudent cloud security strategy include:
Find and stop threats with a WAF. More specifically, a WAF provides holistic security for traffic and web services across cloud computing environments, shielding them from SQL injection, cross-site scripting (XSS) and more. It can protect cloud apps and APIs by applying consistent security policies across all appliances on which it is installed, for a uniform security posture.
Lock down APIs with layered solutions that stop the most pressing types of cloud-focused cyberattacks. API protection helps defend against known and zero-day attacks, securing the APIs that would otherwise be among the biggest security soft spots in a cloud architecture. Better API protection means fewer data breaches.
Prevent botnets from completing brute force attacks or executing DDoS campaigns against critical cloud apps. Bot identification and management tools use advanced rules to evaluate if a bot is legimtiate (e.g., a helpful chatbot) or a security liability that should be blocked to mitigate cyberattack risk.
Protect data through encryption and monitoring. The exact encryption approach will vary depending on whether the cloud service is IaaS, PaaS, SaaS or DaaS. Data sources should be carefully monitored to ensure that there is no leakage from a database misconfiguration.
Manage access and authorization through a zero trust security framework. This entails assessing users, devices and requests contextually and continuously, via mechanisms like MFA and the evaluation of multiple relevant criteria, including device patch level and user geographic location.
Maintain visibility. Solutions for endpoint management and network monitoring are important for knowing who is doing what and where. Such visibility is especially important in complex hybrid cloud and multicloud environments, in which there are multiple deployments and services at play.
Citrix offers a variety of cloud security solutions that enable safer use of, and access to, applications of all types, helping support more efficient remote work environments and multicloud deployments: