What is Cloud Security? Defined, Explained, and Trends
Troy Cogburn
Chief Technology Evangelist
April 7, 2022
14 Minutes
Cloud computing has revolutionized enterprise digital work environments. During the Covid-19 pandemic, cloud computing gave many businesses a way to conduct business under challenging circumstances as it gave employees a way to connect to the corporate network from their home office. This ability to deliver computing services, on-demand and remotely, is also a cybercriminal’s dream as it massively increases the attack surface. Cloud security, therefore, covers all the tools, procedures, methods, and policies needed to prevent cloud-based threats. We've teamed up with Arrow to break down what is cloud security, the processes, and trends you should know about.
Why is cloud security important?
According to a 2021 Ermetic survey, almost all companies using a cloud infrastructure experienced cloud data breaches in the 18-months prior to the report. To offer remote access to corporate resources, the protective perimeter of the traditional corporate network has largely been removed. In addition to this, APIs (Application Programming Interfaces) and new methods of delivering Software-as-a-Service (SaaS) that utilize Continuous Integration and Continuous Deployment (CI/CD) processes, along with cloud-native apps such as distributed containers, provide even more opportunities for hackers. The positive aspects of cloud computing are apparent, but the negatives of remote, on-demand access mean new, robust cloud security controls that fit the expanded infrastructure are needed.
What type of cloud security solutions and technology are there?
As the cloud environment and cloud service providers mature, new cloud security technologies have evolved to deliver much-needed security. Some of the latest cloud computing security solutions are:
Cloud Access Security Broker (CASB)
A Gartner, Inc. report stated that “90% of organizations that fail to control public cloud use will inappropriately share sensitive data”. A CASB acts to secure the traffic between a device and the cloud environment. To do so, a CASB provides visibility into data movement between devices and the cloud and acts to protect this sensitive data by enforcing data security policies via complementary solutions such as encryption and Data Loss Prevention (DLP).
Cloud Infrastructure Entitlement Management (CIEM)
Access control is a vital part of managing cyber threats. A CIEM solution is used to enforce the principle of least privilege to create granular and effective identity management. This principle ensures that access to resources is on a need-to-know basis. It is also a crucial part of developing a zero-trust approach to security. CIEM can help alleviate both internal and external threats.
Cloud Security Posture Management (CSPM)
Misconfiguration of a cloud environment, such as improperly configured S3 buckets, is a serious security vulnerability. According to VMware, 1 in 6 companies have experienced a security breach associated with a misconfiguration. A CSPM solution automatically identifies security threats and helps to rectify them. A CSPM solution provides visibility across public clouds, continually monitors the network for new resources, identifies unusual behavior, and then alerts administrators to potential threats.
Cloud Workload Protection Platform (CWPP)
Cloud computing is based on a model of “shared responsibility.” This model delineates who is responsible for security in a client-provider service, e.g., the cloud provider would be responsible for the security of the infrastructure, and the client (company using the cloud) would take responsibility for the data and applications. Cloud workload protection of data and applications is typically leveraged by the client’s DevOps teams, who utilize these workloads as part of their development lifecycle. A CWPP provides visibility of cloud workloads and then performs a vulnerability scan on the workloads. The scan results provide an opportunity to close the security gaps using appropriate measures.
Cloud-Native Application Security
Cloud-native technologies have opened opportunities for firms to innovate products and increase employee productivity. These cloud-native apps include microservices, APIs, and containers. The top three threats found among the OWASP Top Ten Cloud-Native Application Security Threats are misconfiguration, injection attacks, and improper authentication and authorization. A CNAPP (Cloud-Native Application Protection Platform) enables an integrated ecosystem approach to deliver visibility and security enforcement to cloud-native apps. CNAPP platforms are typically based on zero trust principles and use policies that reflect these principles to detect, prevent, and respond to threats related to cloud-native applications.
Container Security
Container technology, such as Docker, is used to deliver cloud-based services quickly. Containers have been steadily increasing in use. A 2021 survey from the Cloud Native Computing Foundation shows that 96% of organizations are now evaluating or using Kubernetes, a system used to orchestrate containers. Container security must be holistic as containers are vulnerable across the entire ecosystem of the container: from container management, to the container itself, to the applications running within it. This holistic approach means container security utilizes several measures, from secure coding practices to container image scanning.
Infrastructure as Code (IaC) Security
The infrastructure of any cloud service is fundamental to its smooth and secure operation. Infrastructure includes servers, load balancers, databases, container clusters, and so on; basically, anything required to deliver a cloud-based service. This sort of infrastructure is not a static system; it is a fundamental part of the development process. IaC uses software code to automate the process to provision and manage this infrastructure. IaC security is the discipline of embedding security into the code and processes associated with IaC to detect and prevent cloud configuration issues. IaC is typically automated to detect any security flaws, and this insight is used to remove these vulnerabilities.
SaaS Security Posture Management (SSPM)
A security posture describes the state of preparedness of an organization in terms of security. An SSPM platform is used to continuously monitor, improve, and adapt cloud security to reduce the chances of a breach or cyber-attack. An SSPM platform is a set of automated security tools that provide visibility and monitoring of an organization's entire SaaS stack.
Secure Service Edge (SSE)
Gartner introduced the concept of Secure Service Edge (SSE) in 2021 in a roadmap report on SASE (Secure Access Server Edge), another term they coined. SSE is an integrated collection of technologies that includes zero-trust network access (ZTNA), cloud secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service (FWaaS). SSE is designed to deliver security to edge devices connected to cloud apps and services.
Trends and disruptions within cloud security solutions
Several recent trends in cloud security are the result of world events and new threats:
Work from home and Hybrid workforce has amplified cloud security challenges
The widespread remote work culture spawned by the Covid-19 pandemic has shifted working patterns for the foreseeable future, making the hybrid workforce a reality. Cloud computing has facilitated this but has also brought new data security threats along with it. In 2020, 61% of malware was delivered via cloud apps. Access from remote locations is driving the uptake of cloud app security, SSE, and other remote device-focused security measures.
Security perimeter continues to expand with cloud computing environments
The days of the traditional enterprise perimeter are long gone. The mix of IoT, hybrid working, satellite home offices, and multi-cloud environments have created a massively expanded network to make the concept of a perimeter fuzzy at best. Ensuring the security of this expanded perimeter requires an in-depth defense approach that uses new technologies and approaches such as zero-trust, cloud access security broker (CASB), and firewall-as-a-service (FWaaS).
Shift to cloud-native applications
Cloud-native apps are a driving force behind the adoption of cloud computing. These apps are designed to leverage the scalability and flexibility inherent in cloud computing and can be delivered swiftly via the cloud-native model. A survey from RedHat into the use of cloud-native models of development states that “collaboration and security are crucial for future growth.”
The move towards a Zero Trust model to strengthen cloud security
The fundamental principle behind zero-trust, “never trust, always verify,” has disrupted the dominant approach to cloud security. Some of the other disruptive forces behind better cloud security are:
Secure Access Service Edge (SASE)/Hybrid workforce Security
In 2019, Gartner Inc. introduced a framework known as Secure Access Service Edge (SASE). SASE integrates security technologies such as Firewall-as-a-Service (FWaaS), Zero-trust Network Architecture (ZTNA), and Extended Detect and Repose (XDR) solutions into network technologies such as SD-WAN to protect data from cloud-based security vulnerabilities
Zero-Trust Network Access (ZTNA)
ZTNA uses the principles of zero-trust security to control access to cloud-based resources. ZTNA solutions monitor network traffic and enforce granular access controls based on zero-trust principles across an expanded cloud-based network. A ZTNA is often used with a Privileged Access Management (PAM) solution to apply ‘least privilege’ to resource access. As per the NIST Risk Management Framework, PAM and ZTNA deliver ‘default deny,’ least privilege access.
ZTNA can circumvent the need for a VPN to enable secure working from anywhere using any device. predicts that by 2023, 60% of organizations will replace a VPN with ZTNA technologies. In this space, two disruptors are Axis Security and Banyan Security. Axis provides an SSE platform to support zero-trust principles for remote employee access to cloud apps from anywhere and any device. Banyan provides a ZTNA solution designed with DevOps in mind.
Home Network Security
Employees’ homes have become satellite offices for many organizations. These new micro-offices require excellent cybersecurity to prevent cyber-incidents. But the unification of security policy management and enforcement of security is a challenge in this environment. Vendors have entered this challenging space to answer this challenge. Two such disrupters are Okyo (Palo Alto Networks) and Cujo AI. Okyo provides a unified security platform designed for home workers and small companies. It is based on a SASE model. Cujo is an AI-Driven cloud security solution that can be used across remote devices and the expanded cloud network.
Remote Browser Isolation
Browser vulnerabilities lead to malware infection. Because of the proliferation of devices used to access network resources, the browser is a focal point of cyber attack. Remote Browser Isolation is used to create an isolated virtual environment that protects the corporate network from malware. Disruption in the space comes in the form of vendor Island.io, which has extended the reach of browser isolation to deliver high levels of browser control to IT teams, including data protection and multifactor authentication. Menlo Security is another disruptive force in the space, which provides a zero-trust approach to browser isolation.
eXtended Detection and Response (XDR)
XDR (Extended Detection and Response) offers deep visibility across the extended environments of the cloud. XDR applies intelligent data analytics and machine learning (ML) to analyze network data for patterns and anomalies that signify a threat. Disruptive vendors in the space include Uptycs and Hunters. Uptycs provides an XDR platform for cloud-native apps and endpoints, detecting misconfigurations and other vulnerabilities across a cloud infrastructure. Hunters is a vendor-agnostic platform that provides security intelligence across the entire extended cloud infrastructure.
Public Cloud Services and SaaS Security
Public cloud is increasingly popular, with the Flexera 2022 State of the Cloud Report describing public cloud adoption as ‘continuing to escalate.’ Cloud security concerns are top of mind, and disruption is happening to mitigate threats:
SaaS Security Posture Management
Assessment of the risk to all aspects of cloud infrastructure is a vital component of creating a positive security posture. Two disruptors in this space taking SSPM forward are Atmosec and AppOmni. Atmosec has revolutionized SSPM by being highly reactive to a changing cloud ecosystem; the service automatically detects any changes to the ecosystem, including third-party services, and spots anomalous behavior. AppOmni ensures better cloud security for business-critical SaaS data by continuously monitoring third-party apps, configurations, and user permissions.
Infrastructure as Code Security
IaC provides an automated mechanism to mitigate vulnerabilities in a cloud infrastructure. Oak9 and Bridgecrew (Palo Alto Networks) are innovating in the IaC space. Oak9 provides the tools to fix gaps in security before deployment. Bridgecrew uses automation to detect security issues in code before deployment.
Cloud-Native Applications Protection Platforms
A CNAPP integrates the security of development and runtime into a single solution. This unified approach requires multiple tools to detect, respond to, and mitigate security issues. Currently disrupting the space are Lightspin and Orca. Lightspin works across multiple cloud environments to identify attack paths across the cloud stack, which it then prioritizes and remediates. Orca visualizes cloud resources and identifies vulnerabilities, misconfigurations, and data vulnerabilities.
Cloud Data Backup
Backing up data in the cloud is essential for business continuity and disaster recovery. Companies such as OwnBackup and Druva are innovating in this area, bringing elegant and secure data backup solutions to the enterprise. OwnBackup automates data backup across the entire cloud stack. It also locates data exposure risks and acts to mitigate this. Druva operates an at-scale SaaS data resiliency platform, performing 2.5 billion backups per year.
What are CXO priorities on cloud security solutions?
A cloud-first enterprise needs a cloud-first approach to security; this sets the scene for CXO priorities. Looming CXO priorities in cloud security are:
Integrating cloud security with on-premises solutions
Vulnerabilities can be common across both on-premises and cloud environments. The synergy between environments should be sought out, and securing a transition phase from on-premises to the cloud should be a priority for business continuity and resilience. Look for “single pane of glass” solutions to help manage the integration of cloud security with on-premises.
Managing Access to Cloud-Based Resources
Zero-trust has set the bar for robust access management of cloud-based resources. Identity and Access Management (IAM) technology is keeping pace with cloud computing, with new adaptive orchestration technologies that can enforce policies such as least privilege. Zero trust is not one-size-fits-all— it is more of a process and framework. Look at SaaS solutions that can link to third-party services to verify an individual to authorize access.
Protecting data that resides within the cloud
Massive amounts of data is generated, shared, analyzed, and stored across cloud infrastructures. Often this data moves across multiple types of cloud environments and between many cloud apps. For effective data protection to be applied, data in the cloud must be visible. Cloud data visibility should be prioritized by evaluating current new era solutions that can see out into the expanded network and remote devices.
Preventing Misconfiguration in IaaS and SaaS environments
Misconfiguration of cloud resources opens security holes that can be and are exploited. Fortunately, there are a number of solutions available that help organizations close those security holes by automatically scanning across their cloud real estate for security issues.
Find and develop cloud security skills to bridge the current gap
Cloud security skills are in demand, with skilled security professionals at a premium. A report from (ISC)2 identified a shortfall of 3.12 million security professionals. CXOs should prioritize the recruitment of said individuals. Alternatively, look to train existing employees who show aptitude and interest in the area. Another fix for the security skills gap is to look to external specialist companies that can offer managed cloud security services.
