The 5 pillars of cloud security

Cloud security is the top concern of leaders and technologists. Why? Because of a perfect security superstorm: cybersecurity attacks are rising, but cybersecurity is still the top skills gap for technologists. The cloud providers are doing everything they can to secure their platforms, but there’s only so much they can do. According to Gartner, 99% of cloud security failures will be the customer’s fault. Leaders need to stop questioning whether the cloud is secure and start questioning whether they’re using the cloud securely.

• What is cloud security?

• How do you secure the cloud?

• What are the 5 pillars of cloud security?

• How can you evaluate cloud service providers?

Cloud security is a shared responsibility between cloud providers and individual organizations, where cloud providers are responsible for security of the cloud and organizations are responsible for the security of the applications in the cloud. Each cloud provider has their own shared responsibility, sometimes also called a joint responsibility, model where they outline what is and isn’t the responsibility of your organization. To complicate matters even further, none of them are the same.

For example, if we think about an application running on a virtual server in the cloud, the cloud provider is responsible for securing the physical hardware that we’re running that server on, while organizations are responsible for configuring the operating system and patching and securing it. It’s our job to configure our applications in a secure way and configure the networks that access that application in a secure way, as well.

Cybersecurity combines tools and policies to protect networks and devices from cyberattack. Cloud security is a form of cybersecurity that focuses on protecting data inside cloud computing environments with encryption and threat detection tools. The biggest difference between the two is in responsibility ownership. 

With cybersecurity, each organization owns their practices and policies. They may bring in a third party or MSSP to assist with their cybersecurity goals, but at the end of the day, organizations own those outcomes.

Cloud security, however, works under a shared responsibility model between organizations and the cloud providers. The providers are responsible for security of the cloud, while organizations focus on protecting access to data and applications within the cloud.

Organizations have adopted cloud computing at record rates in the last several years, now hosting critical applications and sensitive data in cloud environments. But securing cloud environments is completely different from securing on-premises environments, and many organizations are just now catching up. They’re now realizing they face some tough challenges to secure their new cloud environments:

• There aren’t enough technologists versed in cloud computing and security

• Maintaining regulatory compliance across all cloud environments

• The shared responsibility models cloud providers put in place require completely new security solutions, processes, and tooling

• Complexity within single or multicloud environments creates opportunities for misconfiguration and vulnerabilities

• Maintaining consistent, accurate records of cloud-based assets, permissions, and credentials across all cloud environments

• Monitoring workloads and user activity, including audit logs, with limited visibility, especially in multicloud environments

Level up your cloud security skills with a security certification

We’ve created paths and courses to help you build the skills you’ll need to ace it.

For every cloud solution, there’s a baseline of security best practices you should follow. These are the security practices that AWS, Azure, and GCP all agree are critical to securing your cloud solutions:

• Protect your privileged credentials with multifactor authentication

• Stay up to date on all operating system and application patches

• Restrict public access to only what’s required

Once you’ve established your security baseline, you can start building your cloud security strategy around these five primary pillars:

• Identity and access management

• Infrastructure protection

• Data protection

• Detection controls

• Incident response

It’s easy to forget to decommission accounts if you’re not keeping track of them. People really can be our weakest link, and they will take every inch you give them. Too often, we give them more permissions than they need and allow them access to do things they don’t completely understand. 

Identity and access management (IAM) ensures that all users and components are able to access cloud resources only in the manner intended. Use least privilege to give developers access only to the services they need to deploy their applications. Role based access controls mapped to job functions help define access to cloud resources. Logging is what lets you monitor it all to make sure your IAM policies are being enforced. 

What IAM tools are available?

• AWS: Identity and Access Management, CloudTrail, and CloudWatch Logs

• Azure: Azure Active Directory, Azure Audit Logs, Azure Monitor, and Anomaly Reports

• GCP: Identity and Access Management, Recommender, Cloud Audit Logs, and Cloud Monitoring

We can never completely remove the risk to our applications because they still need to talk to our customers, partners, and third parties. They don’t exist in isolation, which is why Zero Trust is great in theory and problematic in execution. Instead, we should focus on this idea of variable trust. Who do we trust to access our networks and data? What are they allowed to do once given access?

When it comes to infrastructure protection, we want defense in depth. It’s how we control access to the networks we build in the cloud similarly to how we would when building applications in a data center. We want to protect our points of ingress and egress. All of the major cloud providers offer tools like Web Application Files (WAF) and DDoS protection services for this purpose. 

You can also utilize managed services for DNS services, load balancing, or content delivery networks. You’ll generally find managed services have built-in elasticity, web application file integration, and other security protocols so you can offload some of the security responsibilities to these managed services.

What infrastructure protection tools are available?

• AWS: Security Groups, Network ACLs, AWS WAF, and AWS Shield

• Azure: Azure Firewall, Azure WAF, and Azure DDoS Protection

• GCP: Google Cloud Firewall, and Cloud Armour

Data protection is all about encryption. There are two different types of encryption every organization should be using: data in transit and data at rest. Data in transit is data moving across your network, while data at rest is data that’s held in persistent storage. 

For encryption in transit, all of the main cloud providers support the industry standard Transport Layer Security (TLS) and IPsec. These two cloud security protocols protect your data as it moves from one place to another, whether that’s within the cloud or traveling between an on-premise data center and cloud resources. Encryption in transit protects your organization against man-in-the-middle attacks, which can result in credential theft, data theft, or data corruption.

Encryption at rest protects the data held within buckets, databases, or data lakes within a cloud provider. All the cloud providers support the industry standard AES 256-bit encryption. This type of encryption means an attacker cannot access or read your data without an encryption key. (You can’t either, so be careful where and how you store your encryption keys.)

What data protection tools are available?

• AWS: Key Management Service (KMS), Cloud HSM, and Macie

• Azure: Azure Key Vault and Azure Dedicated HSM

• GCP: Cloud KMS and Cloud HSM

Detection controls identify flaws in your organizational or application security so you can act on them. The goal is to identify threats, weaknesses, vulnerabilities, and incidents. 

It’s widely accepted that misconfigurations are the primary cause of data breaches. The good news is all the cloud providers offer native tooling to actively scan for vulnerabilities, misconfigurations, suspicious activities, and compromised instances. Many of these tools will also notify you if an instance is contacting a known bad network, contacting a command and control server, or otherwise behaving strangely. 

What detection controls are available?

• AWS: GuardDuty, Inspector, and Security Hub

• Azure: MS Defender for Cloud and Azure Detection

• GCP: Cloud Security Command Center, Security Health Analytics, and Security Scanner

When it comes to incident response, the goal is to automate as much as possible. Each of the cloud providers has serverless functions that can, for example, programmatically remediate common scenarios like a compromised EC2 instance. With serverless technology and an event-driven architecture, you could isolate it from the network and send a notification to the appropriate team. Automating the most basic remediation tasks allows your security team to focus on the unique, sensitive incidents that only humans can accurately manage.

On that note, it’s difficult to discern security blindspots when we all think the same, so build a team with diverse cultures, experiences, and backgrounds, especially your incident response team. This culture of diversity encourages your experts to question the status quo and challenge the standards or norms to improve your cloud security standing. 

What incident response tools are available?

• AWS: AWS Config and EventBridge

• Azure: Microsoft Sentinel for SIEM and Azure Functions

• GCP: Security Command Center - Security Automation and Cloud Functions

The best cloud security plan still needs to be tested, partly to make sure everyone on your team knows their role and can react quickly and confidently in the event of a security incident. But also because technology isn’t infallible. You should regularly test to ensure your tools and automations work correctly. If you build out these five pillars and perform regular tests, though, your cloud security strategy is in really good shape.

The “Big 3” cloud providers—AWS, Azure, and GCP—set the standard for cloud security. If you choose one of these cloud computing leaders for your cloud environment (and understand their specific shared responsibility models), you can be sure you’re getting the best security available on the market. Does that mean they’re always perfect? No. But between them, they spend billions of dollars every year proactively securing their cloud platforms. 

Leaders have often questioned whether the cloud is secure. They’re asking the wrong question. They should be asking “Are we using the cloud securely?” The biggest risk in your cloud environments isn’t whether the providers are doing their job; The biggest risk is misconfiguration of your solutions inside the cloud platforms. That said, you should still continuously vet cloud providers to ensure your needs are being met.

Review their security and privacy policies, which should both be available through their website. Do your own due diligence and find third-party reviews from industry analysts, reports, and publications. Walk through the provider’s Service-level Agreement (SLA) with a fine-tooth comb for specifics on what security responsibilities are yours and which they own. 

Then ask for proof that they’re adhering to common standards like ISO-27001, ISO-27002, ISO-27017, and ISO-27018 to ensure they follow security best practices, actively strive to reduce risk, and protect personally identifiable information. If you’re in a regulated industry, ask for evidence that they meet all government and regulatory protocols like GDPR, CCPA, HIPAA, and PCI DSS. 

Cloud security is a combined effort between you and whatever cloud providers you engage with. It’s not wholly their responsibility, and it’s not wholly yours. Like every other business partnership, make sure you know what you’re getting into before you sign on the dotted line. And then hold up your end of the bargain.