Definition

Cloud computing is the use of remote servers hosted by third parties (instead of local servers or computers) to store, process, and manage data and perform operations. It delivers on-demand computing services over the internet, eliminating the need for an organization to own its own computing infrastructure or data centers.

There are many advantages cloud computing provides, such as speed and efficiency via dynamic scaling. However, it also raises a range of concerns about security threats, such as: 

  • Data breaches
  • Malicious insiders
  • Account hijacking
  • Malware infections
  • Key management
  • DDoS attacks

Security is one reason some companies are reluctant to transition to cloud computing. However, data stored in reliable cloud services can be very secure.

Cloud computing providers deploy security controls to protect their environments, but cloud users are responsible for protecting their own data. You must remember that no matter where you host an application, its vulnerabilities will follow.


What is a cloud server?

A cloud server is a virtual server (server software that runs in a virtualized environment, rather than a physical server) that hosts websites or web applications. Cloud computing vendors provide the physical machines that these virtual servers run on. This arrangement offers flexibility, allowing you to spin up, or down, additional virtual machines as needed. Cloud computing allows you to pay for usage rather than hardware. So you can become more agile, reduce your time to market, and lower costs.

Cloud services are particularly attractive for smaller organizations and startups. In the case of a small organization, cloud services provide access to enterprise-class hardware and fault-tolerant features that might otherwise be cost-prohibitive. Similarly, startups benefit from cloud services because they can get their operations running quickly, without having to invest in on-premises data center resources. 


What is cloud deployment?

There are three main cloud deployment models:

  • Public cloud. Generally, the public cloud is internet-accessible, multitenant, and widely available for use. Public cloud providers offer network services, infrastructure, and business applications in the cloud. A few examples are Google Cloud, Amazon Web Services (AWS), Microsoft Azure, and Rackspace.
  • Private cloud. A private cloud is similar to a traditional on-premises data center but is created and maintained by an individual enterprise using cloud-native orchestration and instrumentation. Typically, it’s single-tenant with private networking, dedicated to the needs and goals of a single organization. A few options for those interested in deploying a private cloud include Red Hat OpenStack, Oracle Cloud Platform, and IBM Cloud Private.
  • Hybrid cloud. A hybrid cloud model combines elements of the public and private deployment models and typically involves two or more distinct cloud infrastructures. As described by the NIST Cloud Computing Standards Roadmap (2011), these infrastructures “remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.” This flexibility comes with increased complexity, warranting more security scrutiny as data and software components intersect and redefine trust boundaries.

What does cloud security really mean?

Cloud security is based on the same underlying principles as software security. You can increase the security of your applications in the cloud by building security into your applications before deploying them.

Most cloud providers take security seriously, providing a secure hosting platform for clients to implement services. However, security implementation changes from one cloud provider to another, and the use of cloud security services by no means removes your responsibility for securing your data and applications. It’s important to have a solid understanding of these security features and capabilities and use built-in cloud security features when possible. Here are some key features to look for when selecting a cloud provider:

  • Advanced perimeter firewall
  • Intrusion detection systems with event logging
  • Internal firewalls for individual applications and databases
  • Data-at-rest encryption
  • Tier IV data centers

Be sure to select a cloud services provider who has the necessary security features for the cloud infrastructures you’re deploying.

Plan: Cloud Maturity Action Plan

Assess: Cloud Architectural Risk Analysis

Assess: Cloud Configuration Review


How does cloud migration work?

Many companies have already transitioned to the cloud, while others are still planning their cloud migration. But data integrity, intellectual property, and customer data are often at risk during the transition to third-party hosted services. Many organizations work around this by using a hybrid infrastructure. In a hybrid environment, the most sensitive data is kept in-house while day-to-day operations take place in the cloud.

Migrating to the cloud can be a challenge for many businesses. Some vendors provide extensive integration to make it simple. For example, Office 365 is designed to sync with Active Directory to make migration as painless as possible. Moving a custom application may take additional time and effort. While this time and effort may be costly, the cost of migrating to the cloud is often offset by the reduced resource and hosting costs in the long term.

For some organizations, moving to the cloud may present challenges regarding data residency. Data residency refers to the physical location of data and documents. In the case of cloud computing, the physical cloud servers determine data residency, but a cloud provider’s servers are often spread across many locations. You must consider the data residency rules and requirements for both the locations in which you operate and the locations of your cloud service provider’s data centers.


When is cloud storage the best option?

When you’re deciding whether to migrate to the cloud,  it’s important to weigh security considerations against the need for more efficient computer storage and procedures for each task. If the task has strict security requirements (such as secret key generation for servers), the cloud isn’t appropriate. If an application calls for scaled web services, you should conduct a risk assessment based on additional information, including the type of data handled and how that data is stored.

Securing data in the cloud requires continuous and comprehensive security risk identification and mitigation. You can adapt the fundamentals of security risk management to the unique features of the cloud ecosystem with these services:

  • Cloud architecture risk analysis and threat modeling. Identify missing or weak security controls, understand secure design best practices, and fix security flaws that increase your risk of a breach.
  • Security testing. Test your cloud applications using static application security testing (SAST), software composition analysis (SCA), interactive application security testing (IAST), and fuzz testing.
  • Cloud configuration. Infrastructure and network considerations affect cloud security as much as application security. Together with your cloud provider, you must consider cloud features such as virtual private cloud architecture, operating system and cloud service hardening, storage architecture, key management, business continuity planning, and disaster recovery processes and adjust your cloud configuration as needed.
  • Developer and deployment training. Security begins before you start developing your application. By building security in, you can ensure that your applications are secure before moving them to the cloud. Effective training will help your team fix security flaws early in the SDLC, saving time and money. Your team should know how to identify and fix missing or weak cloud security controls and apply security best practices for your cloud services provider.

|

Resources to manage your AppSec risk at enterprise scale