Cloud security architecture is the umbrella term used to describe all hardware, software and infrastructure that protects the cloud environment and its components, such as data, workloads, containers, virtual machines and APIs.
The cloud security architecture provides documentation for how the organization will:
- Define security principles, rules, procedures and governance for all cloud services and applications from development through runtime
- Properly configure activities and operations within the cloud to maintain optimal security
- Define identity and access management (IAM) rights for all cloud users
- Secure data, applications and other assets
- Outline updating and patching procedures, roles and responsibilities
- Maintain compliance with relevant industry and government regulations
- Connect cloud security practices, tools and technologies with the broader enterprise architecture and enterprise security strategy
The cloud security architecture is a core component of every cloud security strategy, which protects everything within a cloud environment, including the cloud infrastructure, cloud data, and cloud applications.
Why is Cloud Security Architecture Important?
When migrating to the cloud, security can be an afterthought for many organizations. This leaves the organization open to risks and threats specific to the cloud environment that are not covered by traditional on-premises security measures and tools.
While many organizations have deployed a series of point solutions to improve security in the cloud, this patchwork approach can significantly limit visibility, which makes it difficult to achieve a strong security posture.
Organizations that have migrated to the cloud or are in the process of doing so must develop a comprehensive security strategy custom built for the cloud that integrates with the overarching enterprise security strategy and solutions.
4 Key Elements of Cloud Security Architecture
The cloud security architecture consists of all hardware, software and infrastructure to maintain security in the cloud environment. Four key elements of the cloud security architecture are:
- Cloud security posture management (CSPM): Focuses on security of cloud APIs, preventing misconfigurations and integrating into the CI/CD pipeline.
- Cloud Workload Protection Platform (CWPP): Oversees runtime protection and continuous vulnerability management of cloud containers.
- Cloud Access Security Broker (CASB): Works to improve visibility across endpoints, including who is accessing data and how it is being used.
- Cloud application security: Application-level policies, tools, technologies and rules to maintain visibility into all cloud computing activity and protect cloud-based applications throughout the development lifecycle.
Cloud Security Architecture and the Shared Responsibility Model
According to the Shared Responsibility Model, security and compliance are a shared responsibility between the customer and the cloud provider. The cloud service providers (CSPs)—such as Amazon AWS, Microsoft Azure, and Google GCP—must monitor and respond to security threats related to the cloud’s underlying infrastructure. Meanwhile, the end users, including individuals and companies, are responsible for protecting the data and other assets they store in public, hybrid, and multi-cloud environments.
Unfortunately, this point can be misunderstood, leading to the assumption that cloud workloads are fully protected by the cloud provider. This results in users unknowingly running workloads in a public cloud that are not fully protected, meaning adversaries can target the operating system and the applications to obtain access. Even securely configured workloads can become a target at runtime, as they are vulnerable to zero-day exploits.
For organizations that use a cloud-based model or are transitioning to the cloud, it is important to develop and deploy a comprehensive security strategy that is specifically designed to protect and defend cloud-based assets.
Cloud Security Architectures by Service Models
There are three main cloud service models, all of which are subject to the shared responsibility model.
- Software as a service (SaaS): SaaS is a software delivery model wherein the vendor centrally hosts an application in the cloud that can be used by a subscriber.
- Platform as a service (PaaS): PaaS is a platform delivery model that can be purchased and used to develop, run and manage applications. In the cloud platform model, the vendor provides both the hardware and software generally used by application developers; the service provider is also responsible for security of the platform and its infrastructure.
- Infrastructure as a service (IaaS): IaaS is an infrastructure delivery model wherein a vendor provides a wide range of compute resources such as virtualized servers, storage and network equipment over the internet. In this model, the business is responsible for maintaining security of anything they own or install on the infrastructure, such as the operating systems, applications, and middleware.
3 Security Principles for a Cloud Architecture
Maintaining a secure cloud architecture is based on three security principles: accessibility, integrity and availability.
- Accessibility: Ensuring cloud-based services, data and other assets are accessible only to authorized, authenticated users and devices
- Integrity: Ensuring the system and applications function consistently and efficiently
- Availability: Ensuring the system is available to users, including employees and customers, and protected from service-related attacks, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
Top Cloud Security Architecture Threats
Organizations that leverage the cloud or plan to do so must recognize that existing, traditional security measures will not protect cloud-based services, applications or assets. Designing and implementing a comprehensive security strategy to protect from an expanding array of threats and increasingly sophisticated attacks within the cloud environment is of critical importance.
A recent study from CrowdStrike and Enterprise Strategy Group (ESG) of 383 IT and information security (Infosec) professionals revealed that only 12% of organizations reported not experiencing any cyber incidents targeting their cloud-native apps or infrastructure over the past year.
Common security challenges within a cloud environment include:
According to our survey, the most commonly named challenge to cloud-native app security was maintaining security consistency between the data center and the public cloud environment where cloud-native applications are deployed. These security silos contribute to a lack of centralized controls and policies. This reality is exacerbated by a poor understanding of the threat model for cloud-native applications and infrastructure, as well as a lack of visibility into the public cloud infrastructure that is hosting cloud-native applications.
The shift to the cloud is a relatively recent phenomenon for many organizations. This means that many companies may not have the security maturity needed to operate safely in a multi-cloud environment. For example, some vulnerability scanners may not scan all assets, such as containers within a dynamic cluster. Others cannot distinguish real risk from normal operations, which produces a number of false alarms for the Infosec team to investigate.
In such cases, organizations must develop the tools, technologies and systems to inventory and monitor all cloud applications, workloads and other assets. They should also remove any assets not needed by the business in order to limit the attack surface.
Human error and misconfigurations
The majority of breaches in the cloud are caused by human error, such as misconfigurations. These errors transform cloud workloads into obvious targets that can be easily discovered with a simple web crawler. In the cloud, the absence of perimeter security can make those mistakes very costly. Multiple publicly reported breaches started with misconfigured S3 buckets that were used as the entry point.
According to our survey, the most common cloud misconfigurations in the last 12 months include: having a default or no password required for access to management consoles (30%); hosting externally facing server workloads (27%); overly permissive service accounts (25%); and overly permissive user accounts (25%).
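The misconfigurations named above (a bucket policy that exposes a workload to anyone on the internet, and service or user accounts granted far more than they need) can be caught before deployment by linting the policy documents themselves. The following is an added example, not code from the original article or from CrowdStrike: it reads AWS-IAM-style JSON policies and flags a wildcard `Principal` with no restricting `Condition` (public access) and wildcard `Action`/`Resource` grants (overly permissive identities). The sample policies, the finding names and the bucket and account identifiers are constructed for this example.

```python
"""Flag public-access and overly permissive statements in IAM-style JSON policies.

Added example, not part of the original article. The policy documents below
are constructed samples in AWS IAM policy syntax; the finding names
("public-access", "admin-wildcard", "service-wildcard") are this example's own.
"""


def _as_list(value):
    """IAM allows Action/Resource/Principal values to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when the Principal grants access to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def audit_policy(name, policy):
    """Return (policy_name, finding, statement_id) tuples for risky Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{idx}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        # Resource policy open to the world with nothing (source IP, VPC, etc.) narrowing it.
        if _principal_is_anyone(stmt.get("Principal")) and not has_condition:
            findings.append((name, "public-access", sid))
        # Identity policy equivalent to full administrator rights.
        if "*" in actions and "*" in resources:
            findings.append((name, "admin-wildcard", sid))
        # Whole-service wildcard such as "s3:*" or "iam:*" on every resource.
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((name, "service-wildcard", sid))
    return findings


def audit_all(policies):
    """Audit a {name: policy} mapping and return every finding in one flat list."""
    return [f for name, policy in policies.items() for f in audit_policy(name, policy)]


# Constructed sample policies (bucket names, account id and CIDR are placeholders).
SAMPLE_POLICIES = {
    "public-bucket": {"Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "ci-service-account": {"Statement": [{
        "Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "deploy-role": {"Statement": [{
        "Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]},
    "least-privilege": {"Statement": [{
        "Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::app-config/*"}]},
    "restricted-bucket": {"Statement": [{
        "Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]},
}

if __name__ == "__main__":
    for policy_name, finding, sid in audit_all(SAMPLE_POLICIES):
        print(f"{policy_name}: {finding} in statement {sid}")
```

Running the block reports the public bucket, the all-wildcard service account and the `s3:*` deploy role, and stays silent on the least-privilege policy and on the public-principal policy that is narrowed by a source-IP condition. A check like this belongs in the CI/CD pipeline the CSPM element above refers to, so that policy changes are rejected before they reach the account.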
Misunderstanding the “shared responsibility model”
As explained above, cloud service providers (CSPs) bear limited responsibility for security. In public clouds, much of the underlying infrastructure is secured by the cloud provider. However, everything from the operating system to the applications and data is the responsibility of the user.
Shadow IT – when applications and infrastructure are managed and utilized without the knowledge of the enterprise’s IT department – is another major issue in cloud environments. DevOps often contributes to this challenge, as the barrier to creating and using an asset in the cloud — whether it is a workload or a container — is extremely low. Developers can easily spawn workloads using their personal accounts. These unauthorized assets are a threat to the environment, as they often are not properly secured and are accessible via default passwords and configurations, which can be easily compromised.
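The inventory-and-monitor advice given earlier and the shadow IT problem described here are two sides of the same control: reconcile what is actually running against what the business has approved. The following is an added example, not code from the original article or from CrowdStrike, that takes a constructed list of discovered workloads and an approved inventory and flags assets in unapproved (for instance personal) accounts, assets missing from the inventory, assets with no owner tag, and untracked assets that are internet-facing; it also lists inventory entries with nothing running behind them, which are candidates for retirement to shrink the attack surface. The record schema, account names and asset IDs are invented for this example; a real deployment would fill them from the provider's API and a CMDB.

```python
"""Reconcile discovered cloud workloads against an approved inventory.

Added example, not part of the original article. The Workload schema, account
names, asset IDs and finding names are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Workload:
    asset_id: str
    account: str
    kind: str                      # "vm", "container" or "function" in these samples
    tags: dict = field(default_factory=dict)
    public: bool = False           # reachable from the internet


# Constructed approved state: accounts the organization owns and assets it has recorded.
APPROVED_ACCOUNTS = {"prod-111111111111", "dev-222222222222"}
APPROVED_INVENTORY = {"i-0a1", "i-0b2", "pod-web-1", "i-retired"}

# Constructed discovery result, as a cloud API listing would return it.
DISCOVERED = [
    Workload("i-0a1", "prod-111111111111", "vm", {"owner": "payments", "env": "prod"}),
    Workload("i-0b2", "dev-222222222222", "vm", {"owner": "platform", "env": "dev"}),
    Workload("pod-web-1", "prod-111111111111", "container", {"owner": "web"}),
    # Spun up outside the inventory, untagged and internet-facing.
    Workload("i-0c3", "dev-222222222222", "vm", {}, public=True),
    # Running in a developer's personal account.
    Workload("fn-test", "personal-333333333333", "function", {"owner": "jdoe"}),
]


def reconcile(discovered, approved_inventory, approved_accounts):
    """Return (asset_id, severity, reasons) for every discovered asset that breaks a rule."""
    findings = []
    for w in discovered:
        reasons = []
        if w.account not in approved_accounts:
            reasons.append("unapproved-account")
        tracked = w.asset_id in approved_inventory
        if not tracked:
            reasons.append("not-in-inventory")
        if "owner" not in w.tags:
            reasons.append("no-owner-tag")
        if w.public and not tracked:
            reasons.append("untracked-and-internet-facing")
        if reasons:
            # Unknown accounts and exposed untracked assets are the ones to chase first.
            high = "unapproved-account" in reasons or "untracked-and-internet-facing" in reasons
            findings.append((w.asset_id, "high" if high else "medium", tuple(reasons)))
    return findings


def stale_inventory_entries(discovered, approved_inventory):
    """Inventory records with no running asset: retire the record or the unused asset."""
    running = {w.asset_id for w in discovered}
    return sorted(approved_inventory - running)


if __name__ == "__main__":
    for asset_id, severity, reasons in reconcile(DISCOVERED, APPROVED_INVENTORY, APPROVED_ACCOUNTS):
        print(f"[{severity}] {asset_id}: {', '.join(reasons)}")
    print("stale inventory entries:", stale_inventory_entries(DISCOVERED, APPROVED_INVENTORY))
```

Run on the sample data, the three approved, tagged workloads produce no findings; the untagged public instance and the function in the personal account are reported as high severity, and the dangling inventory record is listed for cleanup. Scheduling this comparison rather than running it once is what turns it into the continuous monitoring the text calls for.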
Lack of a comprehensive cloud security strategy
As workloads move to the cloud, administrators continue to try to secure these assets the same way they secure servers in a private or an on-premises data center. Unfortunately, traditional data center security models are not suitable for the cloud. With today’s sophisticated, automated attacks, only advanced, integrated security can prevent breaches. The organization must secure the entire IT environment, including multi-cloud environments as well as the organization’s data centers and mobile users. A consistent, integrated approach that provides complete visibility and granular control across the entire organization will reduce friction, minimize business disruption, and enable organizations to safely and confidently embrace the cloud.