As organizations shift more data and applications to the cloud, security architecture becomes critical to keeping those workloads secure. A cloud security architecture is a framework that defines how an organization approaches security for each cloud model it operates (IaaS, PaaS, SaaS) and which solutions and technologies it intends to use to create a secure environment.
Cloud security best practices should be a starting point for a cloud security architecture. Possible sources for standards are documents published by cloud providers, compliance standards by organizations like the National Institute of Standards and Technology (NIST), or security research organizations like the Center for Internet Security (CIS).
A cloud security architecture must also take into account the shared responsibility between your organization and the infrastructure as a service (IaaS) provider, specifying how the organization should perform its role in securing data and workloads on the cloud provider’s platform.
Cloud Security Challenges
Cloud security presents unique challenges for organizations. Here are some of the major challenges you should consider as you design your cloud security architecture:
- Identity and access: Cloud accounts are not locked down by default, and it is too easy for employees to create resources and leave them unattended. All major cloud providers offer robust identity and access management (IAM) capabilities, but it is up to the organization to configure them correctly (least privilege, no standing wildcard permissions) and apply them consistently across every account and workload.
- Unsecured APIs: Everything in the cloud has an API, and this is both powerful and extremely dangerous. APIs not sufficiently secured or using weak authentication can allow attackers access and control over entire environments. APIs are a front door to the cloud, which is often left wide open.
- Misconfiguration: Cloud environments have a huge number of moving parts, including compute instances, storage buckets, databases, containers, and serverless functions. Many of these are short-lived, with new instances spinning up and shutting down every day. Any of these resources can be misconfigured, for example a bucket or database exposed to the public internet, allowing attackers to reach them from outside, exfiltrate data, and damage critical systems.
- Compliance risks: You must ensure your cloud provider supports all relevant compliance requirements and understand what controls and services you can use to meet your compliance obligations.
- Opaque control plane: In the cloud, the control plane and the underlying infrastructure are operated by the provider, not by your organization. You configure them through the provider's APIs, but you cannot inspect the hypervisors, network fabric, or internal data flows. Cloud providers take responsibility for securing that infrastructure, but they do not expose its internals, so your security team must rely on what the provider does expose (API audit logs, configuration state, compliance attestations) rather than direct observation.
Tips for Building Your Cloud Security Architecture
Here are a few tips that will help you build a solid cloud security architecture.
1) Conduct Due Diligence
Before migrating to a cloud provider or expanding a cloud deployment to additional cloud providers, organizations should carefully investigate the security and resilience properties of the cloud provider as a whole and specific services they intend to use.
The due diligence process should include:
- Defining security and availability benchmarks based on data from organizations in the same industry
- Discovering the cloud provider’s security best practices and their impact on the organization
- Trying out the cloud provider’s security capabilities, such as encryption, logging, and identity and access management (IAM)
- Understanding how the cloud provider can help meet your compliance obligations and which standards it is certified for
- Learning the specifics of the shared responsibility model for your cloud provider and which security elements your organization is responsible for
- Evaluating first-party security services (offered by the cloud platform) and comparing them to third party alternatives
- Assessing if existing security tools are relevant for the new cloud environment
2) Determine Which Data is the Most Sensitive
For most organizations, it is not feasible to apply the most stringent security measures to all data. Not every dataset warrants the same level of control, but you must determine which data categories must be protected to prevent breaches and compliance violations. It is critical to know what you need to protect, which requires data discovery and classification.
This is commonly achieved using automated data classification engines. These tools are designed to find sensitive content across networks, endpoints, databases, and the cloud, allowing organizations to identify sensitive data and establish the necessary security controls.
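To make the classification step concrete, here is an added example (not code from the original article or from any commercial classification product) of the core of such an engine: pattern matching for payment card numbers, social security numbers, and e-mail addresses, with a Luhn checksum applied to candidate card numbers so that arbitrary 16-digit strings are not flagged as cardholder data. The sample records are constructed for the example; the "4111..." number is a well-known test card number, not a real account.

```python
import re

# Constructed sample records (not real data) for the classifier to scan.
SAMPLE_RECORDS = [
    "Order 1042 shipped to Alice, tracking 4111111111111111",  # passes Luhn
    "Invoice ref 1234567812345678 paid",                       # 16 digits, fails Luhn
    "Contact: bob@example.com, SSN 123-45-6789",
    "Quarterly revenue grew 12% year over year",
]

# 14-19 digits, optionally separated by spaces or dashes (typical PAN formats).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits):
    """Luhn checksum used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitivity labels found in one record."""
    labels = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            labels.add("PCI")
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        labels.add("PII")
    return labels


def classify_records(records):
    """Map record index -> labels, listing only records that carry sensitive data."""
    result = {}
    for i, record in enumerate(records):
        labels = classify(record)
        if labels:
            result[i] = labels
    return result


if __name__ == "__main__":
    for idx, labels in classify_records(SAMPLE_RECORDS).items():
        print(idx, sorted(labels), SAMPLE_RECORDS[idx])
```

The labels map directly to the controls the page talks about: a record tagged PCI goes into storage that is encrypted and access-logged to PCI DSS standards, while untagged records can live under lighter controls. Real engines add many more detectors (keys, health records, documents by fingerprint), but the false-positive problem the Luhn check addresses is the same at every scale.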
3) Bring Employee Cloud Usage Out of the Shadows
Just because you have a corporate cloud security strategy does not mean employees will comply with it. Employees rarely consult with the IT department before using common cloud services such as Dropbox or web-based email.
An organization's web proxy, firewall, and SIEM logs are good sources for measuring shadow cloud usage by employees. Aggregated by destination and user, they show which services are in use, by whom, and how much data is flowing to each. Once a shadow service is discovered, weigh its added value against the risk it poses: you can "legalize" it by bringing it under your identity and data controls, or block it and steer users to an approved alternative.
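As an added example (not code from the original article), the following script performs that aggregation over a handful of constructed proxy log lines. The log format (timestamp, user, destination host, bytes sent) and the sanctioned-domain list are assumptions of the example; a real deployment would read its proxy's native format and source the allow-list from its SaaS inventory. Sanctioned domains match by suffix so that subdomains of an approved service are not reported.

```python
from collections import defaultdict

# Constructed proxy log lines (not from a real proxy):
# <timestamp> <user> <destination host> <bytes sent>
PROXY_LOG = """\
2024-03-01T09:02:11Z alice mail.example-corp.com 1200
2024-03-01T09:05:43Z alice www.dropbox.com 5242880
2024-03-01T09:06:02Z bob api.notion.so 20480
2024-03-01T09:10:19Z carol drive.google.com 1048576
2024-03-01T09:11:00Z alice www.dropbox.com 7340032
2024-03-01T09:12:30Z dave mail.example-corp.com 512
"""

# Assumed allow-list of approved services; subdomains of these are approved too.
SANCTIONED = {"example-corp.com", "drive.google.com"}


def is_sanctioned(host, sanctioned):
    """True if host equals an approved domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def parse_line(line):
    ts, user, host, nbytes = line.split()
    return {"ts": ts, "user": user, "host": host, "bytes": int(nbytes)}


def shadow_usage(log_text, sanctioned):
    """Return {host: {user: bytes_sent}} for every destination not on the allow-list."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_sanctioned(rec["host"], sanctioned):
            continue
        usage[rec["host"]][rec["user"]] += rec["bytes"]
    return {host: dict(users) for host, users in usage.items()}


def rank_by_upload(usage):
    """Order unsanctioned hosts by total bytes sent, largest first.

    Upload volume, not request count, is the signal that matters for
    data leaving the organization.
    """
    return sorted(usage, key=lambda h: sum(usage[h].values()), reverse=True)


if __name__ == "__main__":
    usage = shadow_usage(PROXY_LOG, SANCTIONED)
    for host in rank_by_upload(usage):
        total = sum(usage[host].values())
        print(f"{host}: {total} bytes from {sorted(usage[host])}")
```

Run against a day of real proxy logs, the ranked list is the starting point for the legalize-or-block decision: the top entries are the services carrying the most corporate data outside your controls.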
Another aspect of shadow usage is access to legitimate cloud resources from untrusted endpoint devices. Because any device connected to the internet can conceivably access any cloud service, personal mobile devices can create a gap in your security strategy. To prevent data from escaping from a trusted cloud service to an unmanaged device, require device security verification before enabling access.
4) Protect Cloud Endpoints
Many organizations are deploying endpoint protection platforms with multi-layered protection, including endpoint detection and response (EDR), next-generation anti-virus (NGAV), and user and entity behavior analysis (UEBA).
Endpoint protection is just as important in the cloud, where the "endpoints" are compute instances (virtual machines and containers), storage volumes and buckets, and managed services such as Amazon RDS. Agent-based tools such as EDR apply to the compute instances you control; buckets and managed services run no agent of yours, so they are protected through access policy, configuration, and the provider's logs instead.
Cloud deployments have a large number of endpoints that change far more frequently than on-premises systems, so they require a higher level of visibility. Cloud-aware endpoint protection tools help organizations keep control of their workloads and protect the weakest links in their security posture.
5) Understand Your Part in Compliance Obligations
Remember that regulatory compliance is, at the end of the day, your organization's responsibility: the provider's certifications cover its infrastructure, not how you use it. No matter how many business functions you shift to the cloud, it is up to you to select a cloud platform and architecture that let you comply with the standards applicable to your industry, whether PCI DSS, GDPR, HIPAA, CCPA, or any other regulation.
Understand the tools and services your cloud provider offers to support compliance, and which third-party tools you can use, so that your cloud systems are not only compliant but can be shown to be compliant through auditing.
Building a cloud security architecture is no easy task. You need to address your organization's security policies, relevant compliance standards, and security best practices for your cloud environment while contending with the high complexity and dynamic nature of cloud infrastructure. We provided five tips that can make your cloud security architecture a success:
- Conduct due diligence for security and compliance implications before using a cloud provider or cloud service
- Determine which of the data stored in your cloud environment is sensitive and requires protection
- Bring employee cloud usage to light and prevent shadow IT by either “legalizing” or blocking cloud services
- Protect endpoints in the cloud using cloud-compatible endpoint protection technology
- Understand the share of responsibility between your organization and the cloud provider with regard to compliance obligations, and make sure you are doing your part
I hope this will be helpful as you construct a robust, effective cloud security strategy for your organization.