What is cloud security?
Cloud security is the set of strategies and practices for protecting data and applications that are hosted in the cloud. Like cyber security, cloud security is a very broad area, and it is never possible to prevent every variety of attack. However, a well-designed cloud security strategy vastly reduces the risk of cyber attacks.
Even with these risks, cloud computing is often more secure than on-premises computing. Most cloud providers have more resources for keeping data secure than individual businesses do, which lets cloud providers keep infrastructure up to date and patch vulnerabilities as soon as possible. A single business, on the other hand, may not have enough resources to perform these tasks consistently.
Note: Cloud security is not the same thing as Security-as-a-Service (SECaaS or SaaS), which refers to security products hosted in the cloud.
What are the main cloud security risks?
Most cloud security risks fit into one of these general categories:
- Data is exposed or leaked
- An unauthorized user from outside the organization has access to internal data
- An internal, authorized user has too much access to internal data
- A malicious attack, such as a DDoS attack or a malware infection, cripples or destroys cloud infrastructure
The goal of a cloud security strategy is to reduce the threat posed by these risks as much as possible by protecting data, managing user authentication and access, and staying operational in the face of an attack.
What are some of the key technologies for cloud security?
A cloud security strategy should include all of the following technologies:
Encryption: Encryption is a way of scrambling data so that only authorized parties can understand the information. If an attacker hacks into a company's cloud and finds unencrypted data, they are able to do any number of malicious actions with the data: leak it, sell it, use it to carry out further attacks, etc. However, if the company's data is encrypted, the attacker will only find scrambled data that cannot be used unless they somehow discover the decryption key (which should be almost impossible). In this way, encryption helps prevent data leakage and exposure, even when other security measures fail.
Data can be encrypted both at rest (when it is stored), or in transit (while it is sent from one place to another). Cloud data should be encrypted both at rest and in transit so that attackers cannot intercept and read it. Encrypting data in transit should address both data traveling between a cloud and a user, and data traveling from one cloud to another, as in a multi-cloud or hybrid cloud environment. Additionally, data should be encrypted when it is stored in a database or via a cloud storage service.
If the clouds in a multi-cloud or hybrid cloud environment are connected at the network layer, a VPN can encrypt traffic between them. If they are connected at the application layer, SSL/TLS encryption should be used. SSL/TLS should also encrypt traffic between a user and a cloud (see What Is HTTPS?).
Identity and access management (IAM): Identity and access management (IAM) products track who a user is and what they are allowed to do, and they authorize users and deny access to unauthorized users as necessary. IAM is extremely important in cloud computing because a user's identity and access privileges determine whether they can access data, not the user's device or location.
IAM helps reduce the threats of unauthorized users gaining access to internal assets and authorized users exceeding their privileges. The right IAM solution will help mitigate several kinds of attacks, including account takeover and insider attacks (when a user or employee abuses their access in order to expose data).
IAM may include several different services, or it may be a single service that combines all of the following capabilities:
- Identity providers (IdP) authenticate user identity
- Single sign-on (SSO) services help authenticate user identities for multiple applications, so that users only have to sign in once to access all their cloud services
- Multi-factor authentication (MFA) services strengthen the user authentication process
- Access control services allow and restrict user access
Firewall: A cloud firewall provides a layer of protection around cloud assets by blocking malicious web traffic. Unlike traditional firewalls, which are hosted on-premises and defend the network perimeter, cloud firewalls are hosted in the cloud and form a virtual security barrier around cloud infrastructure. Most web application firewalls fall into this category.
Cloud firewalls block DDoS attacks, malicious bot activity, and vulnerability exploits. This reduces the chances of a cyber attack crippling an organization's cloud infrastructure.
What other practices are important for keeping cloud data secure?
Implementing the above technologies (plus any additional cloud security products) is not enough, on its own, to protect cloud data. In addition to standard cyber security best practices, organizations that use the cloud should follow these cloud security practices:
Proper configuration of security settings for cloud servers: When a company does not set up their security settings properly, it can result in a data breach. Misconfigured cloud servers can expose data directly to the wider Internet. Configuring cloud security settings properly requires team members who are experts in working with each cloud, and may also require close collaboration with the cloud vendor.
Consistent security policies across all clouds and data centers: Security measures have to apply across a company's entire infrastructure, including public clouds, private clouds, and on-premises infrastructure. If one aspect of a company's cloud infrastructure — say, their public cloud service for big data processing — is not protected by encryption and strong user authentication, attackers are more likely to find and target the weak link.
Backup plans: As with any other type of security, there must be a plan for when things go wrong. To prevent data from getting lost or tampered with, data should be backed up in another cloud or on-premises. There should also be a failover plan in place so that business processes are not interrupted if one cloud service fails. One of the advantages of multi-cloud and hybrid cloud deployments is that different clouds can be used as backup — for instance, data storage in the cloud can back up an on-premises database.
User and employee education: A large percentage of data breaches occur because a user was victimized by a phishing attack, unknowingly installed malware, used an outdated and vulnerable device, or practiced poor password hygiene (reusing the same password, writing their password down in a visible location, etc.). By educating their internal employees about security, businesses that operate in the cloud can reduce the risk of these occurrences. (The Cloudflare Learning Center is a good resource for security education.)
How does Cloudflare provide cloud computing security?
Cloudflare acts as a unified control plane for security across all types of cloud infrastructure, including multi-cloud and hybrid cloud environments. The Cloudflare product stack runs on a global proxy network that spans 200 cities in more than 100 countries, enabling companies to apply consistent security policies across all their clouds while also blocking DDoS attacks and vulnerability exploits. Using Cloudflare also reduces the risk of vendor lock-in.