As organizations shift more of their workloads into cloud computing environments, securing the applications and data in them is paramount.

Cloud security shares some core concepts with traditional on-premises cybersecurity, but involves some unique technologies and best practices of its own. The latter components help defend against certain sophisticated threats in the cloud, protect a dissipating network perimeter and properly distribute security responsibilities between cloud service providers and their customers.

What is cloud security?

Cloud security is the complete set of interrelated policies, tools, processes and personnel for protecting cloud computing environments from harm. It applies to every part of the cloud computing stack, from networks and storage (cloud infrastructure) all the way up to data and applications.

The high-level objectives of cloud computing security are to:

  • Ensure cloud data, users and underlying systems are sufficiently secured against threats such as bot-driven distributed denial-of-service (DDoS) attacks, API exploitation and data corruption risks.
  • Support regulatory compliance with applicable statutes, like those governing where cloud data can be stored and what levels of user privacy cloud providers must respect.
  • Provide visibility across the cloud environment, so security teams know what requests are being made via APIs and user interfaces, while also being able to view related analytics.
  • Enforce access controls and authentication for cloud users and their devices, no matter their locations; this is often done via a zero trust security model.
  • Assign responsibilities to the cloud service provider and to the subscriber, as appropriate for the cloud service and deployment model(s) in question.

Cloud security is inherently a shared responsibility. The specific portions of the cloud computing stack that the cloud provider and customer will manage determine the cloud security architecture for their business relationship.

What is a cloud security architecture and why is it important?

A cloud security architecture is a structure for how security responsibilities are shared between, and borne by, the cloud provider and subscriber — basically, a determination of who secures what, and in which ways.

In each area for which it is responsible, the provider or customer will take care of specific technical components that either secure the cloud apps themselves or secure access to them. Some examples in each category include:

Securing the apps themselves

  • Data encryption algorithms, via ciphers like AES, Blowfish, etc., and protocols such as TLS, for securing cloud data in transit and at rest as needed.
  • Web application firewalls (WAFs) and bot management solutions for reducing the risk of various cyberattacks and improper data exposure.
  • Detection and removal of malware, along with broader data loss prevention through tools that ensure sensitive data is not improperly accessed and exfiltrated.
  • Monitoring and logging of requests, cybersecurity events and all other activities and endpoints across the cloud environment.

Securing access to apps

  • Network security solutions, such as a customer’s secure access service edge (SASE) combining SD-WAN with a secure web gateway and cloud access security broker.
  • Authentication, typically with multi-factor authentication (MFA) and single sign-on (SSO) to provide strong yet streamlined protection beyond passwords alone.
  • Access control mechanisms; in a zero trust world, these often entail alternatives to virtual private networks (VPNs), such as VPN-less proxies within secure workspaces.

A coherent and well-supported cloud security architecture is important because cloud security is complex. Data may be accessed by unmanaged devices, there isn’t a traditional network perimeter to defend and there are complicated risks such as advanced persistent threats (APTs), among other dangers.

The major service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Desktop as a Service (DaaS). Each major cloud service model has its own distinctive security architecture managed by the cloud provider and the customer.

Cloud security architectures will also differ depending on whether the cloud in question is deployed as a public cloud, private cloud or hybrid cloud. Many organizations rely on one or more clouds in each category as part of a multicloud strategy.

Who is responsible for cloud security?

It depends on the service and deployment model, although cloud security responsibilities will always be shared to some degree. For example, with IaaS from a public cloud provider, that provider manages the physical network interfaces, hypervisors and data storage, while the customer handles the operating systems, applications and data that sit on top of them.

This architecture is sometimes described as the cloud provider overseeing the security “of” the cloud — i.e., its essential hardware and software, such as databases and compute capacity in a data center — and the customer focusing on security “in” the cloud, namely, how that organization grants or denies access requests, configures its firewalls and performs other activities in the normal course of using a cloud service.

For public cloud PaaS, SaaS and DaaS, the cloud service provider handles a greater share of the security responsibilities relative to IaaS. In SaaS, for instance, the customer does not have to manage the underlying servers, databases and related security mechanisms like encryption. At the same time, this setup does not mean that SaaS is risk-free, as customers still have to vet the cloud provider and ensure that application access is properly secured.

Private clouds and hybrid clouds, in which an organization maintains a set of resources exclusively for its own use, usually require more customer-side cybersecurity responsibility. There are some security benefits for private and hybrid cloud data, since it isn’t as dependent upon shared infrastructure as public cloud data. But keeping it safe may take more direct effort from the customer.

What is different about cloud security?

Even though some traditional cybersecurity practices, such as the use of SSO, fit well into a cloud security architecture, cloud security is fundamentally different from on-premises security on the customer/user side, with the main differences being:

Broader accessibility, leading to larger-scale threats

Cloud applications are more widely accessible than traditional ones, being reachable over IP networks from virtually any location, and as such they attract more cyberattacks. SQL injection, distributed denial-of-service (DDoS) attacks and other threats (e.g., zero-days) are constant concerns with cloud applications. Multicloud environments are magnets for cyberattacks and must be carefully monitored.

For example, bot enabled automated attacks that can only be stopped with solutions for bot detection working in tandem with other tools like WAFs and API protection. Indeed, improperly secured APIs can enable unauthorized connections that precipitate data breaches.

Shared responsibility between provider and customer

Cloud security is also different from traditional security because it is a shared responsibility. The cloud customer is not in complete control of security, even if they can control aspects related to access.

This shared responsibility is most apparent in public clouds, where the service provider handles data encryption and malware defense, while the customer secures access. Accordingly, the service-level agreement from the provider and its own track record on security are both crucial components of cloud security.

Different requirements for securing access

The highly centralized, perimeter-defined model of on-prem security does not scale to modern multicloud environments. Cloud app access cannot be fully secured with safeguards like VPNs or firewalls by themselves, which assume that users inside a company network are trustworthy.

As one example, a VPN grants wide-ranging access to the network and puts a lot of trust in authorized users —an approach that is feasible in a limited on-premises context, but not in the world of broad cloud application access. What if a user is actually a bot or a security threat?

What are some unique challenges in cloud security?

Overall, there are many security challenges that are either unique to the cloud or greatly amplified compared to how difficult they were on-prem, such as:

  • Traffic filtering, monitoring and blocking: WAFs are more important in cloud security because they’re needed for screening the vast amounts of traffic flowing to cloud apps. If not properly filtered, monitored and blocked, this traffic can carry malware and requests from malicious bots.
  • API protection: If left open, the vast number of cloud APIs that connect different services can precipitate a costly data breach by, for instance, enabling improper data transfer.
  • Bot identification and management: Botnets drive numerous automated cyberattacks, and as such they must be properly identified and managed, to stop issues such as brute force logins.
  • Malware, APTs cyberattacks: Because it’s publicly accessible, the cloud computing stack is under constant, widespread pressure from a variety of cybersecurity threats, which can disrupt access and compromise sensitive information.
  • Improper or insufficient cloud security controls: When companies migrate applications to the cloud, they don’t always update their security controls accordingly, and/or fail to account for the shared responsibility in a cloud security architecture.
  • Misconfigurations: Cloud resources may be incorrectly configured, leading to security issues that go undiscovered for long periods of time.
  • Network/WAN security: With the move from MPLS WANs to SD-WAN to support cloud applications, there’s the need for new security mechanisms and architectures, like SASE, to enable SaaS breakouts and replace the centralized security model of a traditional WAN.

How should you approach cloud security?

The full range of cloud security best practices is vast, and many of them are not even under a customer’s direct control due to the shared responsibility within a cloud security architecture. Some of the most important components of a prudent cloud security strategy include:


Find and stop threats with a WAF. More specifically, a WAF provides holistic security for traffic and web services across cloud computing environments, shielding them from SQL injection, cross-site scripting (XSS) and more. It can protect cloud apps and APIs by applying consistent security policies across all appliances on which it is installed, for a uniform security posture.

API protection

Lock down APIs with layered solutions that stop the most pressing types of cloud-focused cyberattacks. API protection helps defend against known and zero-day attacks, securing the APIs that would otherwise be among the biggest security soft spots in a cloud architecture. Better API protection means fewer data breaches.

Bot identification and management

Prevent botnets from completing brute force attacks or executing DDoS campaigns against critical cloud apps. Bot identification and management tools use advanced rules to evaluate if a bot is legimtiate (e.g., a helpful chatbot) or a security liability that should be blocked to mitigate cyberattack risk.

Data encryption and protection

Protect data through encryption and monitoring. The exact encryption approach will vary depending on whether the cloud service is IaaS, PaaS, SaaS or DaaS. Data sources should be carefully monitored to ensure that there is no leakage from a database misconfiguration.

Zero trust security

Manage access and authorization through a zero trust security framework. This entails assessing users, devices and requests contextually and continuously, via mechanisms like MFA and the evaluation of multiple relevant criteria, including device patch level and user geographic location.

Comprehensive visibility

Maintain visibility. Solutions for endpoint management and network monitoring are important for knowing who is doing what and where. Such visibility is especially important in complex hybrid cloud and multicloud environments, in which there are multiple deployments and services at play.

Citrix and cloud security

Citrix offers a variety of cloud security solutions that enable safer use of, and access to, applications of all types, helping support more efficient remote work environments and multicloud deployments:

  • Citrix Web App Firewall helps you meet governance and compliance requirements by defending web apps and APIs across cloud environments.
  • Citrix Bot Management screens bot traffic to reliably block malicious bots while enabling legitimate ones to continue
  • Citrix Web App and API Protection defends critical APIs against DDoS, XSS and similar threats in the cloud.
  • Citrix Secure Internet Access and Citrix SD-WAN together create a SASE that protects users and data across all locations.
  • Citrix Workspace spans all of your content, applications, devices, building upon SSO and MFA to make it easier for cloud users to work remotely and recover from any disruptions.

Additional resources