What is cloud security?

Learn more about the technologies, procedures, policies, and controls that help you protect your cloud-based systems and data.

Cloud security defined

Cloud security is a discipline of cybersecurity that focuses on protecting cloud systems and data from internal and external threats, including best practices, policies, and technologies that help companies prevent unauthorized access and data leaks. When developing a cloud security strategy, companies must take into account four types of cloud computing environments:

 

Public cloud environments

Are run by cloud service providers. In this environment servers are shared by multiple tenants.

 

Private cloud environments

Can be in a customer-owned data center or run by a public cloud service provider. In both instances, servers are single tenant, and organizations don’t have to share space with other companies.

 

Hybrid cloud environments

Are a combination of on-premises data centers and third-party clouds.

 

Multicloud environment

Include two or more cloud services operated by different cloud service providers.

 

No matter which type of environment or combination of environments an organization uses, cloud security is intended to protect physical networks, including routers and electrical systems, data, data storage, data servers, applications, software, operating systems, and hardware.

Why is cloud security important?

The cloud has become an integral part of online life. It makes digital communication and work more convenient and has spurred rapid innovation for organizations. But when friends share photographs, coworkers collaborate on a new product, or governments deliver online services, it’s not always clear where the data itself is being stored. People may inadvertently move data to a less secure location, and with everything internet accessible, assets are at greater risk of unauthorized access.

 

Data privacy is also increasingly important to people and governments. Regulations like the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) require organizations that collect information to do so transparently and put in place policies that help prevent data from being stolen or misused. Failure to comply can result in expensive fines and reputational harm.

 

To remain competitive, organizations must continue to use the cloud to iterate rapidly and make it easy for employees and customers to access services, while protecting data and systems from the following threats:

  • Compromised accounts: Attackers often use phishing campaigns to steal employee passwords and gain access to systems and valuable corporate assets.
  • Hardware and software vulnerabilities: Whether an organization uses a public or private cloud, it’s critical that the hardware and software is patched and up to date.
  • Internal threats: Human error is a big driver of security breaches. Misconfigurations can create openings for bad actors, and employees often click on bad links or inadvertently move data to locations with less security.

How does cloud security work?

Cloud security is a shared responsibility between cloud service providers and their customers. Accountability varies depending on the type of services offered:

 

Infrastructure as a service

In this model, cloud service providers offer computing, network, and storage resources on demand. The provider is responsible for securing the core computing services. Customers must secure everything on top of the operating system including applications, data, runtimes, middleware, and the operating system itself.

 

Platform as a service

Many providers also offer a complete development and deployment environment in the cloud. They take responsibility for protecting the runtime, middleware, and operating system in addition to the core computing services. Customers must safeguard their applications, data, user access, end-user devices, and end-user networks.

 

Software as a service

Organizations can also access software on a pay-as-you go model, such as Microsoft Office 365 or Google Drive. In this model, customers still need to provide security for their data, users, and devices.

 

No matter who’s responsible, there’re four primary aspects to cloud security:

  • Limiting access: Because the cloud makes everything internet accessible, it’s incredibly important to ensure that only the right people have access to the right tools for the right amount of time.
  • Protecting data: Organizations need to understand where their data is located and put the appropriate controls in place to safeguard both the data itself and the infrastructure where the data is hosted.
  • Data recovery: A good backup solution and data recovery plan is critical in case there’s a breach.
  • Response plan: When an organization is attacked, they need a plan to reduce the impact and prevent other systems from becoming compromised.

Types of cloud security tools

Cloud security tools address vulnerabilities from both employees and external threats. They also help mitigate errors that occur during development and reduce the risk that unauthorized people will gain access to sensitive data.

  • Cloud security posture management

    Cloud misconfigurations happen frequently and create opportunities for compromise. Many of these errors occur because people don’t understand that the customer is responsible for configuring the cloud and securing applications. It’s also easy to make a mistake in big corporations with complex environments.

     

    A cloud security posture management solution helps reduce risk by continuously looking for configuration errors that could lead to a breach. By automating the process, these solutions reduce the risk of mistakes in manual processes and increase visibility into environments with thousands of services and accounts. Once vulnerabilities are detected, developers can correct the issue with guided recommendations. Cloud security posture management also continuously monitors the environment for malicious activity or unauthorized access.

  • Cloud workload protection platform

    As organizations have instituted processes that help developers build and deploy features faster, there’s a greater risk that security checks will be missed during development. A cloud workload protection platform helps secure the computing, storage, and networking capabilities needed by applications in the cloud. It works by identifying workloads in public, private, and hybrid cloud environments and scanning them for vulnerabilities. If vulnerabilities are discovered the solution will suggest controls to fix them.

  • Cloud access security broker

    Because it’s so easy to find and access cloud services, it can be difficult for IT to keep on top of all the software used in the organization.

     

    Cloud access security brokers (CASB) help IT gain visibility into cloud app usage and provide a risk assessment of each app. These solutions also help protect data and meet compliance goals with tools that show how data is moving through the cloud. Organizations also use these tools to detect unusual user behavior and remediate threats.

  • Identity and access

    Controlling who has access to resources is critical to protecting data in the cloud. Organizations must be able to ensure that employees, contractors, and business partners all have the right access whether they are onsite or working remotely.

     

    Organizations use identity and access solutions to verify identities, limit access to sensitive resources, and enforce multifactor authentication and least privilege policies.

  • Cloud infrastructure entitlement management

    Identity and access management gets even more complicated when people access data across multiple clouds. A cloud infrastructure entitlement management solution helps a company gain visibility into which identities are accessing which resources across their cloud platforms. IT teams also use these products to apply least privilege access and other security policies.

What are the challenges of cloud security?

The interconnectedness of the cloud makes working and interacting online easy, but it also creates security risks. Security teams need solutions that help them address the following key challenges in the cloud:

  • Lack of visibility into data

    To keep organizations productive, IT needs to give employees, business partners, and contractors access to company assets and information. Many of these people work remotely or outside the company network, and in large enterprises the list of authorized users is in constant flux. With so many people using multiple devices to access company resources across a variety of public and private clouds, it can be difficult to monitor which services are being used and how data is moving through the cloud. Tech teams need to ensure that data doesn’t get moved to storage solutions that are less secure, and they need to prevent the wrong people from getting access to sensitive information.

  • Complex environments

    The cloud has made deploying infrastructure and apps much easier. With so many different providers and services, IT can choose the environment that is the best fit for the requirements of each product and service. This has led to a complex environment across on-premises, public and private cloud. A hybrid, multicloud environment requires security solutions that work across the entire ecosystem and protect people who access different assets from different locations. Configuration errors are more likely, and it can be challenging to monitor threats that move laterally across these complex environments.

  • Rapid innovation

    A combination of factors has enabled organizations to quickly innovate and deploy new products. AI, machine learning, and internet of things technology have empowered businesses to collect and use data more effectively. Cloud service providers offer low-code and no-code services to make it easier for companies to use advanced technologies. DevOps processes have shortened the development cycle. And with more of their infrastructure hosted in the cloud, many organizations have reallocated resources to research and development. The downside to rapid innovation is that technology is changing so fast that security standards often get skipped or overlooked.

  • Compliance and governance

    Although most major cloud service providers comply with several well-known compliance accreditation programs, it is still the responsibility of cloud customers to ensure their workloads are compliant with government and internal standards.

  • Insider threats

    Employees are one of a company’s biggest security risks. Many breaches start when a worker clicks on a link that downloads malware. Unfortunately, organizations also need to watch out for insiders who purposely leak data.

Implementing cloud security

Reducing the risk of a cyberattack against your cloud environment is possible with the right combination of processes, controls, and technology.

 

A cloud-native application platform that includes a cloud workload protection platform, cloud infrastructure entitlement management and cloud security posture management will help you reduce errors, strengthen security and effectively manage access. 

 

To support your technology investment, conduct regular training to help employees recognize phishing campaigns and other social engineering techniques. Make sure it’s easy for people to notify IT if they suspect they’ve received a malicious email. Run phishing simulations to monitor the effectiveness of your program.

 

Develop processes that help you prevent, detect, and respond to an attack. Regularly patch software and hardware to reduce vulnerabilities. Encrypt sensitive data and develop strong password policies to reduce your risk of a compromised account. Multifactor authentication makes it much hard for unauthorized users to gain access, and passwordless technologies are simpler to use and more secure than a traditional password.

 

With hybrid work models that give employees the flexibility to work in the office and remotely, organizations need a new security model that protects people, devices, apps, and data no matter where they’re located. A Zero Trust framework starts with the principle that you can no longer trust an access request, even if it comes from inside the network. To mitigate your risk, assume you’ve been breached and explicitly verify all access requests. Employ least privilege access to give people access only to the resources they need and nothing more.

Cloud security solutions

Although the cloud introduces new security risks, the right cloud security solutions, processes, and policies can help you significantly reduce your risk. Start with the following steps:

  • Identity all the cloud service providers in use in the organization and familiarize yourself with their responsibilities regarding security and privacy.
  • Invest in tools like a cloud app security broker to gain visibility into the apps and data that your organization uses.
  • Deploy a cloud security posture management to help you identify and fix configuration errors.
  • Implement a cloud workload protection platform to build security into the development process.
  • Regularly patch software and institute policies to keep employee devices up to date.
  • Institute a training program to ensure employees are aware of the latest threats and phishing tactics.
  • Implement a Zero Trust security strategy and use identity and access management to manage and protect access.

Learn more about Microsoft Security

Microsoft Defender for Cloud

Monitor and help protect workloads across your multicloud and hybrid environments.

Learn more

Microsoft Defender for Cloud Apps

Get deep visibility and control of cloud apps with a leading CASB.

Learn more

GitHub Advanced Security

Build more secure apps faster with threat modeling, vulnerability scanning, and unit testing.

Learn more

Azure Active Directory

Protect all your users and data with single sign-on, multifactor authentication, and conditional access.

Learn more

Microsoft Entra Permissions Management

Discover, remediate, and monitor permission risks in your multicloud infrastructure.

Learn more

Risk IQ

Uncover and assess threats across your entire enterprise—on-premises, Azure, and other clouds.

Learn more

Frequently asked questions

|

Cloud security is a shared responsibility between cloud service providers and their customers. Accountability varies depending on the type of services offered:

 

Infrastructure as a service. In this model, cloud service providers offer computing, network, and storage resources on demand. The provider is responsible for security for the core computing services. Customers must secure everything on top of the operating system including applications, data, runtimes, middleware, and the operating systems itself.

 

Platform as a service. Many providers also offer a complete development and deployment environment in the cloud. They take responsibility for protecting the runtime, middleware, and operating system in addition to the core computing services. Customers must safeguard their applications, data, user access, end-user devices, and end-user networks.

 

Software as a service. Organizations can also access software on a pay-as-you go model, such as Microsoft Office 365 or Google Drive. In this model, customers still need to provide security for their data, users, and devices.

Four tools help companies protect their resources in the cloud:

  • A cloud workload protection platform helps secure the computing, storage, and networking capabilities needed by applications in the cloud. It works by identifying workloads in public, private, and hybrid cloud environments and scanning them for vulnerabilities. If vulnerabilities are discovered the solution will suggest controls to fix the issues.
  • Cloud app security brokers help IT gain visibility into cloud app usage and provide a risk assessment of each app. These solutions also help protect data and meet compliance goals with tools that show how data is moving through the cloud. Organizations also use cloud app security brokers to detect unusual user behavior and remediate threats.
  • A cloud security posture management solution helps reduce risk by continuously looking for configuration errors that could lead to a breach. By automating the process these solutions reduce the risk of mistakes in manual processes and increase visibility into environments with thousands of services and accounts. Once vulnerabilities are detected, these solutions provide guided recommendations to help developers correct the issue.
  • Identity and access management solutions provide tools to manage identities and apply access policies. Organizations use these solutions to limit access to sensitive resources and to enforce multifactor authentication and least privilege access.

There are four areas that organizations need to consider when putting in place procedures and policies to protect their clouds:

  • Limiting access: Because the cloud makes everything internet accessible, it’s incredibly important to make sure that only the right people have access to the right tools for the right amount of time.
  • Protecting data: Organizations need to understand where their data is located and put the appropriate controls in place to safeguard both the infrastructure where the data is hosted and stored and the data itself.
  • Data recovery: A good backup solution and data recovery plan is critical in case there’s a breach.
  • Response plan: When an organization is breached, they need a plan to reduce the impact and prevent other systems from becoming compromised.

Organizations need to watch out for the following cloud risks:

  • Compromised accounts: Attackers often use phishing campaigns to steal employee passwords and gain access to systems and valuable corporate assets.
  • Hardware and software vulnerabilities: Whether an organization uses a public or private cloud, it’s critical that the hardware and software is patched and up to date.
  • Internal threats: Human error is a big driver of security breaches. Misconfigurations can create openings for bad actors. Employees often click on bad links or inadvertently move data to locations with less security.