Cloud security is the complete set of interrelated policies, tools, processes, and personnel for protecting cloud computing environments from harm. It applies to every part of the cloud computing stack, from networking and storage (cloud infrastructure) all the way up to data and applications.
Cloud security shares some core concepts with traditional on-premises cybersecurity, but involves unique technologies and best practices of its own. The latter components help defend against certain sophisticated threats in the cloud, protect a dissipating network perimeter, and properly distribute security responsibilities between cloud service providers and their customers.
Explore additional cloud security topics:
As organizations shift more of their workloads into cloud computing environments, securing the applications and customer data in them is paramount. The high-level objectives of cloud security are to:
Cloud security is inherently a shared responsibility. The specific portions of cloud computing security that the cloud provider and customer will manage determine the cloud security architecture for each business relationship.
A cloud security architecture is a structure for how security responsibilities are shared between the cloud provider and subscriber—basically, a determination of who secures what, and in which ways.
In each area for which it is responsible, the provider or customer will take care of specific technical components that either secure the cloud apps themselves or secure access to them.
Examples of security measures for apps include:
Examples of security measures for access to apps include:
A coherent and well-supported cloud security architecture is important because cloud security is complex. Data may be accessed by unmanaged devices, there isn’t a traditional network perimeter to defend and there are complicated security risks such as advanced persistent threats (APTs), among other dangers.
The major service models are infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and desktop as a service (DaaS). Each major cloud service model has its own distinctive security architecture managed by the cloud provider and customer.
Cloud security architectures will also differ depending on whether the cloud in question is deployed as a public cloud, private cloud or hybrid cloud. Many organizations rely on one or more clouds in each category as part of a multi-cloud strategy.
Learn why comprehensive, cloud-delivered protection is essential in today's multi-cloud environments.
It depends on the service and deployment model, although cloud security responsibilities will always be shared to some degree. For example, with IaaS from a public cloud services provider, that provider manages the physical network interfaces, hypervisors, and data storage, while the customer handles the operating systems, applications, and data that sit on top of them.
This architecture is sometimes described as the cloud provider overseeing the security “of” the cloud—such as essential hardware and software like databases and compute capacity in a datacenter—and the customer focusing on security “in” the cloud, namely, how that organization grants or denies access requests, configures its firewalls, and performs other activities in the normal course of using a cloud service.
For public cloud PaaS, SaaS, and DaaS, the cloud service provider handles a greater share of the security responsibilities relative to IaaS. In SaaS, for instance, the customer does not have to manage the underlying servers, databases, and related security mechanisms like encryption. At the same time, this setup does not mean that SaaS is risk-free, as customers still have to vet the cloud provider and ensure that application access is properly secured.
Private clouds and hybrid clouds, in which an organization maintains a set of resources exclusively for its own use, usually require more customer-side cybersecurity responsibility. There are some security benefits for private and hybrid cloud data, since it isn’t as dependent upon shared infrastructure as public cloud data. But keeping it safe may take more direct effort from the customer.
Even though some traditional cybersecurity practices, such as the use of SSO, fit well into a cloud security architecture, cloud security is fundamentally different from on-premises security on the customer side due to several factors.
Broader accessibility leads to larger-scale threats. Cloud applications are more widely accessible than traditional ones, being reachable over IP networks from virtually any location, and as such they attract more cyberattacks. SQL injection, distributed denial-of-service (DDoS) attacks and other threats are constant security concerns with cloud applications.
Multi-cloud environments are magnets for hackers and must be carefully monitored. For example, bot-enabled automated attacks can only be stopped with solutions for bot detection working in tandem with other security tools like WAFs and API protection. Improperly secured APIs can enable unauthorized access that precipitates data breaches.
Responsibility is shared between provider and customer. Cloud security is also different from traditional security because it is a shared responsibility. The cloud customer is not in complete control of security, even if they can control aspects related to access.
This shared responsibility is most apparent in public clouds, where the service provider handles data encryption and malware defense while the customer secures access. Accordingly, the service-level agreement from the provider and its own track record on security are both crucial components of cloud security.
There are different requirements for securing access. The highly centralized, perimeter-defined model of on-premises security does not scale to modern multi-cloud environments. Cloud app access cannot be fully secured with safeguards like VPNs or firewalls by themselves, which assume users inside a company network are trustworthy.
As one example, a VPN grants wide-ranging access to the network and puts a lot of trust in authorized users—an approach that is feasible in a limited on-premises context, but not in the world of broad cloud application access where the user could actually be a bot or security threat.
Overall, there are many security challenges that are either unique to the cloud or greatly amplified compared to how difficult they were on-premises, such as:
The full range of cloud security best practices is vast, and many of them are not even under a customer’s direct control due to the shared responsibility within a cloud security architecture. Some of the most important components of a prudent cloud security strategy include:
Organizations can find and stop threats with a WAF. More specifically, a WAF provides holistic security for traffic and web services across cloud computing environments, shielding them from SQL injection, cross-site scripting (XSS) and more. It can protect cloud apps and APIs by applying consistent security policies across all appliances on which it is installed, for a uniform security posture.
Companies can lock down APIs with layered solutions that stop the most pressing types of cloud-focused cyberattacks. API protection helps defend against known and zero-day attacks, securing the APIs that would otherwise be among the biggest security soft spots in a cloud architecture. Better API protection means fewer data breaches.
Businesses can prevent botnets from completing brute force attacks or executing DDoS campaigns against critical cloud apps with bot management and mitigation tools. These tools use advanced rules to evaluate if a bot is legitimate (for example, a helpful chatbot) or a security liability that should be blocked to mitigate cyberattack risk.
Organizations can protect data through encryption and monitoring. The exact encryption approach will vary depending on whether the cloud service is IaaS, PaaS, SaaS, or DaaS. Data sources should be carefully monitored to ensure that there is no leakage from a database misconfiguration.
Organizations can manage access and authorization through zero trust security. This entails assessing users, devices, and requests contextually and continuously via mechanisms like MFA and the evaluation of multiple relevant criteria, including device patch level and user geographic location.
Solutions for endpoint management and network monitoring are important for knowing who is doing what and where. Such visibility is especially important in complex hybrid cloud and multi-cloud environments, where there are multiple deployments and services at play.
Citrix offers a variety of cloud security solutions that enable safer use of, and access to, applications of all types, helping support more efficient remote work environments and multi-cloud deployments. Citrix Secure Private Access and Citrix DaaS provide adaptive access and authentication for cloud users and their devices while supporting zero trust network access (ZTNA).