What is cloud security?
Cloud security is the complete set of interrelated policies, tools, processes, and personnel for protecting cloud computing environments from harm. It applies to every part of the cloud computing stack, from networking and storage (cloud infrastructure) all the way up to data and applications.
Cloud security shares some core concepts with traditional on-premises cybersecurity, but involves unique technologies and best practices of its own. These help defend against sophisticated threats in the cloud, protect a network perimeter that is dissolving, and properly distribute security responsibilities between cloud service providers and their customers.
As organizations shift more of their workloads into cloud computing environments, securing the applications and customer data in them is paramount. The high-level objectives of cloud security are to:
- Ensure cloud data, users, and underlying systems are sufficiently secured against threats such as bot-driven distributed denial-of-service (DDoS) attacks, API exploitation, and data corruption vulnerabilities
- Support regulatory compliance requirements with applicable statutes, like those governing where cloud data can be stored and what levels of user privacy cloud providers must respect
- Provide visibility across the cloud environment, so security teams know what requests are being made via APIs and user interfaces, while also being able to view related analytics
- Enforce access controls and authentication for cloud users and their devices, regardless of their location; this is often done via a zero trust security model
- Assign responsibilities to the cloud service provider and to the subscriber, as appropriate for the cloud service and deployment model(s) in question
Cloud security is inherently a shared responsibility. The specific portions of cloud computing security that the cloud provider and customer will manage determine the cloud security architecture for each business relationship.
A cloud security architecture is a structure for how security responsibilities are shared between the cloud provider and subscriber—basically, a determination of who secures what, and in which ways.
In each area for which it is responsible, the provider or customer will take care of specific technical components that either secure the cloud apps themselves or secure access to them.
Examples of security measures for apps include:
- Data encryption algorithms and protocols for securing cloud data in transit and at rest as needed
- Web application firewalls (WAFs) and bot management solutions for reducing the risk of various cyberattacks and improper data exposure
- Detection and removal of malware and ransomware, along with broader data loss prevention through security tools that ensure sensitive data is not improperly accessed and exfiltrated
- Monitoring and logging of requests, cybersecurity events and all other activities and endpoints across the cloud environment
Examples of security measures for access to apps include:
- Network security solutions, such as a customer’s secure access service edge (SASE) architecture that combines SD-WAN with a secure web gateway and a cloud access security broker
- Authentication, typically with multi-factor authentication (MFA) and single sign-on (SSO) to provide strong yet streamlined protection beyond passwords alone
- Access management mechanisms that often entail alternatives to virtual private networks (VPNs), such as VPN-less proxies within secure digital workspaces
A coherent and well-supported cloud security architecture is important because cloud security is complex. Data may be accessed by unmanaged devices, there isn’t a traditional network perimeter to defend, and there are complicated security risks such as advanced persistent threats (APTs), among other dangers.
The major service models are infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and desktop as a service (DaaS). Each major cloud service model has its own distinctive security architecture managed by the cloud provider and customer.
Cloud security architectures will also differ depending on whether the cloud in question is deployed as a public cloud, private cloud or hybrid cloud. Many organizations rely on one or more clouds in each category as part of a multi-cloud strategy.
Who is responsible for what depends on the service and deployment model, although cloud security responsibilities will always be shared to some degree. For example, with IaaS from a public cloud services provider, that provider manages the physical network interfaces, hypervisors, and data storage, while the customer handles the operating systems, applications, and data that sit on top of them.
This architecture is sometimes described as the cloud provider overseeing the security “of” the cloud—such as essential hardware and software like databases and compute capacity in a datacenter—and the customer focusing on security “in” the cloud, namely, how that organization grants or denies access requests, configures its firewalls, and performs other activities in the normal course of using a cloud service.
For public cloud PaaS, SaaS, and DaaS, the cloud service provider handles a greater share of the security responsibilities relative to IaaS. In SaaS, for instance, the customer does not have to manage the underlying servers, databases, and related security mechanisms like encryption. At the same time, this setup does not mean that SaaS is risk-free, as customers still have to vet the cloud provider and ensure that application access is properly secured.
Private clouds and hybrid clouds, in which an organization maintains a set of resources exclusively for its own use, usually require more customer-side cybersecurity responsibility. There are some security benefits for private and hybrid cloud data, since it isn’t as dependent upon shared infrastructure as public cloud data. But keeping it safe may take more direct effort from the customer.
Even though some traditional cybersecurity practices, such as the use of SSO, fit well into a cloud security architecture, cloud security is fundamentally different from on-premises security on the customer side due to several factors.
Broader accessibility leads to larger-scale threats. Cloud applications are more widely accessible than traditional ones, being reachable over IP networks from virtually any location, and as such they attract more cyberattacks. SQL injection, distributed denial-of-service (DDoS) attacks and other threats are constant security concerns with cloud applications.
Multi-cloud environments are magnets for hackers and must be carefully monitored. For example, bot-enabled automated attacks can only be stopped with solutions for bot detection working in tandem with other security tools like WAFs and API protection. Improperly secured APIs can enable unauthorized access that precipitates data breaches.
Responsibility is shared between provider and customer. Cloud security is also different from traditional security because it is a shared responsibility. The cloud customer is not in complete control of security, even if they can control aspects related to access.
This shared responsibility is most apparent in public clouds, where the service provider handles data encryption and malware defense while the customer secures access. Accordingly, the service-level agreement from the provider and its own track record on security are both crucial components of cloud security.
There are different requirements for securing access. The highly centralized, perimeter-defined model of on-premises security does not scale to modern multi-cloud environments. Cloud app access cannot be fully secured with safeguards like VPNs or firewalls by themselves, which assume users inside a company network are trustworthy.
As one example, a VPN grants wide-ranging access to the network and puts a lot of trust in authorized users—an approach that is feasible in a limited on-premises context, but not in the world of broad cloud application access where the user could actually be a bot or security threat.
Overall, there are many security challenges that are either unique to the cloud or greatly amplified compared to how difficult they were on-premises, such as:
- Traffic filtering, monitoring, and blocking: WAFs are more important in cloud security because they’re needed for screening the vast amounts of traffic flowing to cloud apps. If not properly filtered, monitored and blocked, this traffic can carry malware and requests from malicious bots.
- API protection: If left open, the vast number of cloud APIs that connect different services can precipitate a costly data breach by, for instance, enabling improper data transfer.
- Bot identification and management: Botnets drive numerous automated cyberattacks, and as such they must be properly identified and managed to stop issues such as brute force logins.
- Malware, APTs, and cyberattacks: Because it’s publicly accessible, the cloud computing stack is under constant, widespread pressure from a variety of cybersecurity threats, which can disrupt access and compromise sensitive information.
- Improper or insufficient cloud security controls: When companies migrate applications to the cloud, they don’t always update their security controls accordingly, and may fail to account for the shared responsibility in a cloud security architecture.
- Misconfigurations: Cloud resources may be incorrectly configured, leading to security issues that go undiscovered for long periods of time.
- Network/WAN security: With the move from MPLS WANs to SD-WAN to support cloud applications, there’s the need for new security mechanisms and architectures, like SASE, to enable SaaS breakouts and replace the centralized security model of a traditional WAN.
The full range of cloud security best practices is vast, and many of them are not even under a customer’s direct control due to the shared responsibility within a cloud security architecture. Some of the most important components of a prudent cloud security strategy include:
Web application firewall (WAF)
Organizations can find and stop threats with a WAF. More specifically, a WAF provides holistic security for traffic and web services across cloud computing environments, shielding them from SQL injection, cross-site scripting (XSS) and more. It can protect cloud apps and APIs by applying consistent security policies across all appliances on which it is installed, for a uniform security posture.
API protection
Companies can lock down APIs with layered solutions that stop the most pressing types of cloud-focused cyberattacks. API protection helps defend against known and zero-day attacks, securing the APIs that would otherwise be among the biggest security soft spots in a cloud architecture. Better API protection means fewer data breaches.
Bot identification and management
Businesses can prevent botnets from completing brute force attacks or executing DDoS campaigns against critical cloud apps with bot management and mitigation tools. These tools use advanced rules to evaluate if a bot is legitimate (for example, a helpful chatbot) or a security liability that should be blocked to mitigate cyberattack risk.
Data protection and encryption
Organizations can protect data through encryption and monitoring. The exact encryption approach will vary depending on whether the cloud service is IaaS, PaaS, SaaS, or DaaS. Data sources should be carefully monitored to ensure that there is no leakage from a database misconfiguration.
Zero trust security
Organizations can manage access and authorization through zero trust security. This entails assessing users, devices, and requests contextually and continuously via mechanisms like MFA and the evaluation of multiple relevant criteria, including device patch level and user geographic location.
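As an added illustration (not code from this page or from Citrix) of the contextual evaluation described above, the following Python policy engine scores one access request against the criteria the text names (MFA, device management and patch level, geolocation) and re-checks a session continuously. The thresholds, country allow-list, request fields and sample session are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy parameters for a hypothetical tenant (not from the page).
MAX_PATCH_AGE_DAYS = 30
ALLOWED_COUNTRIES = {"US", "DE"}
RANK = {"allow": 0, "step_up": 1, "deny": 2}  # most restrictive outcome wins


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool    # MFA completed for this session?
    device_managed: bool  # device enrolled in endpoint management?
    patch_age_days: int   # days since the device last applied patches
    country: str          # geolocation of the request (ISO country code)
    sensitivity: str      # "low" or "high": sensitivity of the resource


def decide(req: AccessRequest) -> tuple:
    """Evaluate every criterion and return (decision, reasons).

    decision is "allow", "step_up" (complete MFA first) or "deny"; reasons
    for all failed checks are kept so the decision can be logged and audited.
    """
    outcomes = []
    if req.country not in ALLOWED_COUNTRIES:
        outcomes.append(("deny", f"country {req.country} not on allow-list"))
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        level = "deny" if req.sensitivity == "high" else "step_up"
        outcomes.append((level, f"device unpatched for {req.patch_age_days} days"))
    if not req.device_managed and req.sensitivity == "high":
        outcomes.append(("deny", "unmanaged device for high-sensitivity resource"))
    if not req.mfa_verified:
        outcomes.append(("step_up", "MFA not completed for this session"))
    if not outcomes:
        return "allow", []
    worst = max(outcomes, key=lambda o: RANK[o[0]])[0]
    return worst, [reason for _, reason in outcomes]


def first_revocation(session: list) -> Optional[int]:
    """Continuous evaluation: re-check each request of an already-granted
    session and return the index of the first one that must now be denied."""
    for i, req in enumerate(session):
        if decide(req)[0] == "deny":
            return i
    return None
```

Each check contributes its own reason, so a "step_up" caused by a stale patch level is distinguishable in logs from one caused by missing MFA.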
Endpoint management and network monitoring
Solutions for endpoint management and network monitoring are important for knowing who is doing what and where. Such visibility is especially important in complex hybrid cloud and multi-cloud environments, where there are multiple deployments and services at play.
Citrix offers a variety of cloud security solutions that enable safer use of, and access to, applications of all types, helping support more efficient remote work environments and multi-cloud deployments. Citrix Secure Private Access and Citrix DaaS provide adaptive access and authentication for cloud users and their devices while supporting zero trust network access (ZTNA).