Chapter 29. An Introduction to Security in the Cloud

Gwyneth Peña-Siguenza

The building of the fundamental infrastructure for cloud services on a global scale has been one of the most significant architectural achievements in the past decade.1 Its connections to the global internet rely on the capacity and security of all its networks, and it is essential that everyone assesses their cloud security in order to develop a strategy to protect their data.

Cloud security is a centralized security system that protects cloud-based systems against external and internal cybersecurity threats. It offers all of the functionality of traditional IT security, delivers 24/7 protection, and reduces administrative overhead.2 Cloud security and security management best practices are designed to prevent unauthorized access to keep data private and safe across cloud-based infrastructure, applications, and platforms. The assessment of business resources and needs, through joint responsibility of the cloud customer and cloud solution provider, will determine the approach for integrating a comprehensive security strategy.

The full scope of cloud security, regardless of responsibility, is designed to protect the following components: physical networks, data storage, data servers, computer virtualization frameworks, operating systems, middleware, runtime environments, data, applications, and end-user hardware. These components are grouped into four main categories of cloud computing, with different levels of shared responsibility for security.

These include:

  • Public cloud services (SaaS, IaaS, and PaaS; operated by a public cloud provider)3

    • Software as a service: it is the customer’s responsibility to secure their data and user access.

    • Infrastructure as a service: it is the customer’s responsibility to secure their data, user access, applications, operating systems, and virtual network traffic.

    • Platform as a service: it is the customer’s responsibility to secure their data, user access, and applications.

  • Private cloud services (operated by a third party)

  • Private cloud services (operated by internal staff)

  • Hybrid cloud services (operated by internal staff and optional public cloud solution provider)

Cloud customers may choose a model based on their particular needs and will find that different types of data require different levels of security.

The emergence of various new tools allows attackers to detect and target vulnerabilities in the cloud. Challenges that arise in maintaining a secure cloud include:4

  • Maintaining full visibility into the cloud service or cloud data.

  • In a third-party cloud solution provider environment, there is limited control by cloud customers by default and no access to the underlying physical infrastructure.

  • User access can come from any location or device, and privileged access by cloud provider personnel could bypass internal security controls.

  • The cloud environment must adhere to regulatory requirements and internal compliance as well as risk management processes.

  • The exploitation of errors or vulnerabilities in the cloud deployment, without the use of malware, can give attackers access through weakly configured or protected interfaces.

  • Misconfigurations such as lack of access restrictions, vulnerable APIs due to inadequate or insufficient authorization, data loss, or poor access management.

Cloud security is networked, concentrated, and shared, and the responsibility for risk in the cloud is shared between customers and cloud solution providers.5 Security issues in the cloud cover a spectrum ranging from failure and unavailability to limited performance or effects limited to subsets of data and services. Consequences vary vastly across incidents depending on which customers and which data or services are affected. It is essential that organizations have full confidence in their cloud computing security, and that all data, systems, and applications are protected from data theft, leakage, corruption, and deletion.6

The widespread adoption of cloud computing transformed both companies and hackers, bringing a gamut of opportunities as well as security risks.7 Through comprehensive security policies, solutions, and an organizational culture of security, companies can leverage the benefits of cloud computing necessary to stimulate innovation and collaboration.8

1 Tim Maurer and Garrett Hinck, “Cloud Security: A Primer for Policymakers,” Carnegie Endowment for International Peace, 29-38, August 2020, https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597.

2 “What Is Cloud Security?,” Forcepoint, https://www.forcepoint.com/cyber-edu/cloud-security.

3 “What Is Cloud Security?,” McAfee, https://www.mcafee.com/enterprise/en-us/security-awareness/cloud.html.

4 Ibid.

5 Maurer and Hinck, “Cloud Security: A Primer for Policymakers.”

6 “What Is Cloud Security?,” Forcepoint.

7 Cypress Data Defense, “7 Cloud Computing Security Vulnerabilities and What to Do About Them,” Towards Data Science, July 13, 2020, https://towardsdatascience.com/7-cloud-computing-security-vulnerabilities-and-what-to-do-about-them-e061bbe0faee.

8 “What Is Cloud Security?,” Forcepoint.
