Cloud Security
Cloud security, also known as cloud computing security, is the practice of protecting
cloud-based data, applications, and infrastructure from cyber attacks and cyber threats.
Cybersecurity, of which cloud security is a subset, has the same goals. Where cloud
security differs from traditional cybersecurity is in the fact that administrators must
secure assets that reside within a third-party service provider's infrastructure.
Cloud providers host services on their servers through always-on internet connections.
Since their business relies on customer trust, cloud security methods are used to keep
client data private and safely stored. However, cloud security also rests partly in the
client’s hands. Understanding both facets is pivotal to a healthy cloud security
solution.
• Data security
• Identity and access management (IAM)
• Governance (policies on threat prevention, detection, and mitigation)
• Data retention (DR) and business continuity (BC) planning
• Legal compliance
Cloud security may appear like legacy IT security, but this framework actually demands a
different approach. Before diving deeper, let’s first look at what cloud security is.
Cloud security is the whole bundle of technology, protocols, and best practices that
protect cloud computing environments, applications running in the cloud, and data held
in the cloud. Securing cloud services begins with understanding what exactly is being
secured, as well as the system aspects that must be managed.
The full scope of cloud security is designed to protect the following, regardless of your
responsibilities:
With cloud computing, ownership over these components can vary widely. This can make
the scope of client security responsibilities unclear. Since securing the cloud can look
different based on who has authority over each component, it’s important to understand
how these are commonly grouped.
To simplify, cloud computing components are secured from two main viewpoints:
• The core of any third-party cloud service involves the provider managing the
physical network, data storage, data servers, and computer virtualization
frameworks. The service is stored on the provider’s servers and virtualized via
their internally managed network to be delivered to clients to be accessed
remotely. This offloads hardware and other infrastructure costs to give clients
access to their computing needs from anywhere via internet connectivity.
• Software-as-a-Service (SaaS) cloud services provide clients access to applications
that are purely hosted and run on the provider's servers. Providers manage the
applications, data, runtime, middleware, and operating system. Clients are only
tasked with getting their applications. SaaS examples include Google Drive, Slack,
Salesforce, Microsoft 365, Cisco WebEx, Evernote.
2. Cloud environments are deployment models in which one or more cloud services
create a system for the end-users and organizations. These segment the management
responsibilities — including security — between clients and providers.
• Private third-party cloud environments are based on the use of a cloud service
that provides the client with exclusive use of their own cloud. These single-tenant
environments are normally owned, managed, and operated offsite by an external
provider.
• Multi-cloud environments include the use of two or more cloud services from
separate providers. These can be any blend of public and/or private cloud
services.
By framing it from this perspective, we can understand that cloud-based security can be
a bit different based on the type of cloud space users are working in. But the effects are
felt by both individual and organizational clients alike.
Many of the same tools used in on-premises environments should be used in the cloud,
although cloud-specific versions of them may exist. These tools and mechanisms include
encryption, IAM and single sign-on (SSO), data loss prevention (DLP), intrusion prevention
and detection systems (IPSes/IDSes) and public key infrastructure (PKI).
• Cloud access security brokers (CASBs). A CASB is a tool or service that sits
between cloud customers and cloud services to enforce security policies and,
as a gatekeeper, add a layer of security.
Secure Access Service Edge (SASE) and zero-trust network access (ZTNA) are also
emerging as two popular cloud security models/frameworks.
1. IAM
2. DLP
3. web security
4. email security
5. security assessments
6. intrusion management
8. encryption
Encryption: Encryption is a way of scrambling data so that only authorized parties can
understand the information. If an attacker hacks into a company's cloud and finds
unencrypted data, they are able to do any number of malicious actions with the data:
leak it, sell it, use it to carry out further attacks, etc. However, if the company's data is
encrypted, the attacker will only find scrambled data that cannot be used unless they
somehow discover the decryption key (which should be almost impossible). In this way,
encryption helps prevent data leakage and exposure, even when other security measures
fail.
Data can be encrypted both at rest (when it is stored) and in transit (while it is sent from
one place to another). Cloud data should be encrypted both at rest and in transit so that
attackers cannot intercept and read it. Encrypting data in transit should address both
data traveling between a cloud and a user, and data traveling from one cloud to another,
as in a multi-cloud or hybrid cloud environment. Additionally, data should be encrypted
when it is stored in a database or via a cloud storage service.
If the clouds in a multi-cloud or hybrid cloud environment are connected at the network
layer, a VPN can encrypt traffic between them. If they are connected at the application
layer, SSL/TLS encryption should be used. SSL/TLS should also encrypt traffic between a
user and a cloud (see What Is HTTPS?).
Identity and access management (IAM): Identity and access management (IAM) products
track who a user is and what they are allowed to do, and they authorize users and deny
access to unauthorized users as necessary. IAM is extremely important in cloud
computing because a user's identity and access privileges determine whether they can
access data, not the user's device or location.
IAM helps reduce the threats of unauthorized users gaining access to internal assets and
authorized users exceeding their privileges. The right IAM solution will help mitigate
several kinds of attacks, including account takeover attacks and insider threats (when a
user or employee abuses their access in order to expose data).
IAM may include several different services, or it may be a single service that combines all
of the following capabilities:
• Single sign-on (SSO) services help authenticate user identities for multiple
applications, so that users only have to sign in once to access all their cloud
services
Firewall: A cloud firewall provides a layer of protection around cloud assets by blocking
malicious web traffic. Unlike traditional firewalls, which are hosted on premises and
defend the network perimeter, cloud firewalls are hosted in the cloud and form a virtual
security barrier around cloud infrastructure.
Cloud firewalls block DDoS attacks, malicious bot activity, and vulnerability exploits. This
reduces the chances of a cyber attack crippling an organization's cloud infrastructure.
Putting the right cloud security mechanisms and policies in place is critical to prevent
breaches and data loss, avoid noncompliance and fines, and maintain business
continuity (BC).
A major benefit of the cloud is that it centralizes applications and data and
centralizes the security of those applications and data as well. Eliminating the need
for dedicated hardware also reduces organizations' cost and management needs,
while increasing reliability, scalability and flexibility.
As a result, cloud security mechanisms take two forms: those supplied by CSPs and
those implemented by customers. It is important to note that handling of security is
rarely the complete responsibility of the CSP or the customer. It is usually a joint
effort using a shared responsibility model.
Customers should always check with their CSPs to understand what the
provider covers and what they need to do themselves to protect the
organization.
The shared responsibility model outlines the security responsibilities of the
CSP and the customer.
In general, CSPs are always responsible for servers and storage. They secure
and patch the infrastructure itself, as well as configure the physical data
centers, networks and other hardware that power the infrastructure, including
virtual machines (VMs) and disks. These are usually the sole responsibilities
of CSPs in IaaS environments.
The details of security responsibilities can vary by provider and customer. For
example, CSPs with SaaS-based offerings may or may not offer customers
visibility into the security tools they use. IaaS providers, on the other hand,
usually offer built-in security mechanisms that enable customers to access
and view CSP security tools, which may also provide customer-alerting
functionality.
Data security and identity and access management (IAM), however, are always the
responsibility of the customer, regardless of cloud delivery model. Encryption and
compliance are also the responsibility of the customer.
Yet, because CSPs control and manage the infrastructure customer apps and
data operate within, adopting additional controls to further mitigate risk can be
challenging. IT security staff should get involved as early as possible when
evaluating CSPs and cloud services. Security teams must evaluate the CSP's
default security tools to determine whether additional measures will need to be
applied in-house.
administrators from having to recreate security policies in the cloud using
disparate security tools. Instead, a single security policy can be created once
and then pushed out to identical security tools, regardless of whether they are
on premises or in the cloud.
The steps required to secure data in the cloud vary. Factors, including the type and
sensitivity of the data to be protected, cloud architecture, accessibility of built-in and
third-party tools, and number and types of users authorized to access the data must
be considered.
Some general best practices to secure business data in the cloud include the
following:
• Log and monitor all aspects of data access, additions and changes.
Many of the traditional cybersecurity challenges also exist in the cloud. These can
include the following:
• insider threats
• data loss
• data breaches
• IAM
• key management
• access control
• phishing
• malware
• shadow IT
As for cloud security challenges specifically, administrators have to deal with issues
that include the following:
• misconfigurations;
• multi-tenancy concerns;
• cloud governance.
Security administrators must have plans and processes in place to identify and curb
emerging cloud security threats. These threats typically revolve around newly
discovered exploits found in applications, OSes, VM environments and other network
infrastructure components. To handle these security challenges and eliminate
emerging threats, organizations must quickly and properly update and patch
software that they control.
There are separate SaaS best practices, PaaS best practices and IaaS best
practices. Organizations should also adhere to a number of general cloud security
best practices, including the following:
2. Choose your CSPs wisely. Know what security controls they offer,
and review contracts and service-level agreements (SLAs) diligently.
5. Maintain cloud visibility through continuous monitoring.
Most cloud security risks fit into one of these general categories:
The goal of a cloud security strategy is to reduce the threat posed by these risks as
much as possible by protecting data, managing user authentication and access, and
staying operational in the face of an attack.
What other practices are important for keeping cloud data secure?
Implementing the above technologies (plus any additional cloud security products) is
not enough, on its own, to protect cloud data. In addition to standard cyber security
best practices, organizations that use the cloud should follow these cloud security
practices:
in working with each cloud, and may also require close collaboration with the cloud
vendor.
Consistent security policies across all clouds and data centers: Security measures
have to apply across a company's entire infrastructure, including public
clouds, private clouds, and on-premises infrastructure. If one aspect of a company's
cloud infrastructure — say, their public cloud service for big data processing — is not
protected by encryption and strong user authentication, attackers are more likely to
find and target the weak link.
Backup plans: As with any other type of security, there must be a plan for when
things go wrong. To prevent data from getting lost or tampered with, data should be
backed up in another cloud or on-premise. There should also be a failover plan in
place so that business processes are not interrupted if one cloud service fails. One of
the advantages of multi-cloud and hybrid cloud deployments is that different clouds
can be used as backup — for instance, data storage in the cloud can back up an on-
premise database.
User and employee education: A large percentage of data breaches occur because
a user was victimized by a phishing attack, unknowingly installed malware, used an
outdated and vulnerable device, or practiced poor password hygiene (reusing the
same password, writing their password down in a visible location, etc.). By educating
their internal employees about security, businesses that operate in the cloud can
reduce the risk of these occurrences. (The Cloudflare Learning Center is a good
resource for security education.)
Data security is an aspect of cloud security that involves the technical end of
threat prevention. Tools and technologies allow providers and clients to insert barriers
between the access and visibility of sensitive data. Among these, encryption is one of the
most powerful tools available. Encryption scrambles your data so that it's only readable
by someone who has the encryption key. If your data is lost or stolen, it will be effectively
unreadable and meaningless. Data transit protections like virtual private networks (VPNs)
are also emphasized in cloud networks.
Data storage: The biggest distinction is that older models of IT relied heavily
upon onsite data storage. Organizations have long found that building all IT
frameworks in-house for detailed, custom security controls is costly and rigid.
Cloud-based frameworks have helped offload costs of system development and
upkeep, but also remove some control from users.
Scaling speed: On a similar note, cloud security demands unique attention when
scaling organization IT systems. Cloud-centric infrastructure and apps are very
modular and quick to mobilize. While this ability keeps systems uniformly adjusted
to organizational changes, it does pose concerns when an organization’s need for
upgrades and convenience outpaces its ability to keep up with security.
Proximity to other networked data and systems: Since cloud systems are a
persistent connection between cloud providers and all their users, this substantial
network can put even the provider itself at risk. In networked
landscapes, a single weak device or component can be exploited to infect the rest.
Cloud providers expose themselves to threats from the many end-users they
interact with, whether they are providing data storage or other services. Additional
network security responsibilities fall upon providers whose products would otherwise
have run purely on end-user systems rather than on the provider's own.
Solving most cloud security issues means that users and cloud providers — both in
personal and business environments — must both remain proactive about their
own roles in cyber security. This two-pronged approach means users and providers
mutually must address:
Ultimately, cloud providers and users must have transparency and accountability
to ensure both parties stay safe.
The biggest risk with the cloud is that there is no perimeter. Traditional cyber
security focused on protecting the perimeter, but cloud environments are highly
connected which means insecure APIs (Application Programming Interfaces) and
account hijacks can pose real problems. Faced with cloud computing security
risks, cyber security professionals need to shift to a data-centric approach.
Third-party storage of your data and access via the internet each pose their own
threats as well. If for some reason those services are interrupted, your access to
the data may be lost. For instance, a phone network outage could mean you can't
access the cloud at an essential time. Alternatively, a power outage could affect
the data center where your data is stored, possibly with permanent data loss.
In the 1990s, business and personal data lived locally — and security was local as
well. Data would be located on a PC’s internal storage at home, and on enterprise
servers, if you worked for a company.
Unfortunately, malicious actors realize the value of cloud-based targets and
increasingly probe them for exploits. Despite cloud providers taking many security
roles from clients, they do not manage everything. This leaves even non-technical
users with the duty to self-educate on cloud security.
That said, users are not alone in cloud security responsibilities. Being aware of the
scope of your security duties will help the entire system stay much safer.
Legislation has been put in place to help protect end users from the sale and
sharing of their sensitive data. General Data Protection Regulation (GDPR)
and Health Insurance Portability and Accountability Act (HIPAA) each do their own
duties to protect privacy, limiting how data can be stored and accessed.
Identity management methods like data masking have been used to separate
identifiable features from user data for GDPR compliance. For HIPAA compliance,
organizations like healthcare facilities must make sure that their provider does
their part in restricting data access as well.
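As an added illustration of the data-masking idea above (example code written for this page, not taken from any of the sources it draws on), the following Go program separates identifying fields from a record before it leaves a trusted environment. Direct identifiers are replaced with keyed HMAC-SHA256 tokens, so rows stay joinable across datasets but cannot be reversed without the key, and the phone number is partially masked. The Record layout, field names and sample values are constructed for the illustration; the key here is a literal only because the example has to run offline, and in practice it would live in a key-management service.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed patient row: the first four fields identify a person,
// Diagnosis is the analytic field that has to survive masking unchanged.
type Record struct {
	PatientID, Name, Email, Phone, Diagnosis string
}

// Masker pseudonymizes with HMAC-SHA256 under a secret key. The same value under
// the same key always yields the same token (rows stay joinable), but without
// the key a token cannot be reversed or recomputed from a guessed value.
type Masker struct{ key []byte }

func NewMasker(key []byte) *Masker { return &Masker{key: key} }

func (m *Masker) token(field, value string) string {
	mac := hmac.New(sha256.New, m.key)
	mac.Write([]byte(field + ":" + value)) // field prefix keeps tokens distinct per column
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// maskPhone keeps only the last four digits, a common format-preserving mask.
func maskPhone(p string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, p)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Mask returns a copy that is safe to hand to analytics or a less trusted system.
func (m *Masker) Mask(r Record) Record {
	return Record{
		PatientID: m.token("patient", r.PatientID),
		Name:      m.token("name", r.Name),
		Email:     m.token("email", r.Email) + "@masked.invalid",
		Phone:     maskPhone(r.Phone),
		Diagnosis: r.Diagnosis,
	}
}

func main() {
	// Constructed demo key and record; neither is real data.
	m := NewMasker([]byte("constructed-demo-key-replace-in-production"))
	rec := Record{"P-1001", "Jane Example", "jane@example.org", "555-0100", "Seasonal allergies"}
	fmt.Printf("%+v\n", m.Mask(rec))
}
```

The field-name prefix in token() matters: without it the same string appearing in two columns would produce the same token, which leaks that the values match. Rotating the key produces a fresh, unlinkable set of tokens, which is the lever for honouring deletion or "right to be forgotten" requests on already-masked data.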
The CLOUD Act gives cloud providers their own legal limitations to adhere to,
potentially at the cost of user privacy. US federal law now permits federal-level law
enforcement to demand data from cloud provider servers. While this
may allow investigations to proceed effectively, it may circumvent some rights
to privacy and create the potential for abuse of power.
Fortunately, there is a lot that you can do to protect your own data in the cloud.
Let’s explore some of the popular methods.
Encryption is one of the best ways to secure your cloud computing systems. There
are several different ways of using encryption, and they may be offered by a cloud
provider or by a separate cloud security solutions provider:
• Encryption of all communications with the cloud, in their entirety.
• Particularly sensitive data encryption, such as account credentials.
• End-to-end encryption of all data that is uploaded to the cloud.
Within the cloud, data is more at risk of being intercepted when it is on the move.
When it's moving between one storage location and another, or being transmitted
to your on-site application, it's vulnerable. Therefore, end-to-end encryption is the
best cloud security solution for critical data. With end-to-end encryption, at no
point is your communication made available to outsiders without your encryption
key.
You can either encrypt your data yourself before storing it on the cloud, or you can
use a cloud provider that will encrypt your data as part of the service. However, if
you are only using the cloud to store non-sensitive data such as corporate graphics
or videos, end-to-end encryption might be overkill. On the other hand, for financial,
confidential, or commercially sensitive information, it is vital.
If you are using encryption, remember that the safe and secure management of
your encryption keys is crucial. Keep a key backup and ideally don't keep it in the
cloud. You might also want to change your encryption keys regularly so that if
someone gains access to them, they will be locked out of the system when you
make the changeover.
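The two points above, encrypting data yourself before it reaches the provider and changing keys so that a leaked key stops working at the changeover, as an added Go example (written for this page, not code from any vendor it quotes). The client keeps a versioned key ring; every object is sealed with AES-256-GCM before upload, the object name is bound into the authentication tag, and a rotation means re-sealing under the new version and then retiring the old one. The Envelope and KeyRing types, and the object names, are assumptions for the illustration; a real client would keep the keys in an HSM or key-management service rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is what gets uploaded: key version, random nonce, AES-GCM ciphertext
// (authentication tag included). Assumed layout for this example.
type Envelope struct {
	KeyVersion uint32
	Nonce      []byte
	Ciphertext []byte
}

// KeyRing holds versioned 256-bit data keys on the client side only; the
// provider never sees anything but Envelope values.
type KeyRing struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32][]byte{}} }

// Rotate generates a fresh key and makes it current; older versions stay so
// objects sealed under them can still be opened and re-encrypted.
func (k *KeyRing) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire drops an old version once everything has been re-encrypted: the
// changeover step that locks out anyone who obtained that key.
func (k *KeyRing) Retire(version uint32) error {
	if version == k.current {
		return errors.New("cannot retire the current key")
	}
	delete(k.keys, version)
	return nil
}

func (k *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("no key for version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds version and object name into the tag, so a ciphertext copied to
// another object name fails to open.
func aad(version uint32, name string) []byte {
	buf := make([]byte, 4, 4+len(name))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, name...)
}

// Seal encrypts plaintext under the current key with a fresh random nonce.
func (k *KeyRing) Seal(objectName string, plaintext []byte) (*Envelope, error) {
	gcm, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(k.current, objectName))
	return &Envelope{KeyVersion: k.current, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts under whichever version sealed the envelope; any change to
// nonce, ciphertext, version or object name fails authentication.
func (k *KeyRing) Open(objectName string, env *Envelope) ([]byte, error) {
	gcm, err := k.aead(env.KeyVersion)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad(env.KeyVersion, objectName))
}

func main() {
	ring := NewKeyRing()
	ring.Rotate()
	env, _ := ring.Seal("reports/q1.csv", []byte("constructed sample row\n"))
	ring.Rotate()                           // new current key; old object still opens
	pt, _ := ring.Open("reports/q1.csv", env) // because version 1 is still in the ring
	env, _ = ring.Seal("reports/q1.csv", pt) // re-encrypt under version 2
	fmt.Println("moved to key version", env.KeyVersion, "retire v1:", ring.Retire(1))
}
```

The rotation order is the important part: rotate, re-seal every object still on version 1, and only then retire version 1. Retiring first would make those objects unreadable, which is why the ring keeps old versions until the changeover is complete.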
1. Never leave the default settings unchanged. Using the default settings gives a
hacker front-door access. Avoid doing this to complicate a hacker’s path
into your system.
2. Never leave a cloud storage bucket open. An open bucket could allow hackers
to see the content just by opening the storage bucket's URL.
3. If the cloud vendor gives you security controls that you can switch on, use them.
Not selecting the right security options can put you at risk.
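Item 2 above (never leave a bucket open) is something that can be checked mechanically rather than by eye. The following Go program is an added example for this page, not code from any provider or vendor: it parses an AWS-style bucket policy and reports every Allow statement that grants an action to anonymous callers without a narrowing Condition. The sample policy, bucket name and account ID are constructed placeholders; a real check would also cover object ACLs and the account-level block-public-access setting, which this policy-only scan does not see.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// statement mirrors the parts of an AWS-style bucket policy this check needs.
// Fields that may be either a string or a list are kept raw and decoded later.
type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

type policy struct {
	Statement []statement `json:"Statement"`
}

// stringList accepts "x" or ["x", "y"] and returns a slice either way.
func stringList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// isAnonymous reports whether a Principal grants to everyone: "*" or {"AWS": "*"}.
func isAnonymous(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var m map[string]json.RawMessage
	if json.Unmarshal(raw, &m) != nil {
		return false
	}
	for _, v := range stringList(m["AWS"]) {
		if v == "*" {
			return true
		}
	}
	return false
}

// PublicGrants returns one finding per action that an Allow statement grants to
// anonymous callers without any Condition. Conditioned anonymous grants are
// skipped here and deserve manual review rather than an automatic flag.
func PublicGrants(policyJSON []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" || !isAnonymous(st.Principal) {
			continue
		}
		if len(st.Condition) > 0 && string(st.Condition) != "null" {
			continue
		}
		for _, a := range stringList(st.Action) {
			findings = append(findings, fmt.Sprintf("statement %d (%s): anonymous %s", i, st.Sid, a))
		}
	}
	return findings, nil
}

// SamplePolicy is constructed for this example (bucket name and account ID are
// placeholders): one world-readable grant, one role-scoped grant, and one
// anonymous grant limited by a source-IP condition.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamList", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/data-team"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "ScopedAnon", "Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}`

func main() {
	findings, err := PublicGrants([]byte(SamplePolicy))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("PUBLIC:", f)
	}
}
```

Run against the sample, only the PublicRead statement is reported. Treating any anonymous Allow as a finding and letting a reviewer decide what to do with the conditioned ones keeps the check simple and avoids a false sense of safety from a condition that may be broader than it looks.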
Basic cyber security tips should also be built into any cloud implementation. Even
if you are using the cloud, standard cyber security practices shouldn’t be ignored.
So, it is worth considering the following if you want to be as secure as possible
online:
• Use strong passwords. Including a mix of letters, numbers and special
characters will make your password more difficult to crack. Try to avoid
obvious choices, like replacing an S with a $ symbol. The more random your
strings are, the better.
• Use a password manager. You will be able to give each application,
database, and service you use separate passwords, without having to
remember them all. However, you must make sure you protect your
password manager with a strong primary password.
• Protect all the devices you use to access your cloud data, including
smartphones and tablets. If your data is synchronized across numerous
devices, any one of them could be a weak link putting your entire digital
footprint at risk.
• Back up your data regularly so that in the event of a cloud outage or data loss
at your cloud provider, you can restore your data fully. That backup could be
on your home PC, on an external hard drive, or even cloud-to-cloud, as long
as you are certain the two cloud providers don't share infrastructure.
• Modify permissions to prevent any individual or device from having access
to all your data unless it is necessary. For instance, businesses will do this
through database permission settings. If you have a home network, use
guest networks for your children, for IoT devices, and for your TV. Save your
'access all areas' pass for your own usage.
• Protect yourself with anti-virus and anti-malware software. Hackers can
access your account easily if malware makes its way into your system.
• Avoid accessing your data on public Wi-Fi, particularly if it doesn't use
strong authentication. If you must, use a virtual private network (VPN) to
protect your gateway to the cloud.
If you use cloud-based services then you may need to consider how you share cloud
data with others, particularly if you work as a consultant or freelancer. While
sharing files on Google Drive or another service may be an easy way to share your
work with clients, you may need to check that you are managing permissions
properly. After all, you will want to ensure that different clients cannot see each
other’s names or directories or alter each other’s files.
Remember that many of these commonly available cloud storage services don't
encrypt data. If you want to keep your data secure through encryption, you will
need to use encryption software to do it yourself before you upload the data. You
will then have to give your clients a key, or they won't be able to read the files.
Unfortunately, cloud companies are not going to give you the blueprints to their
network security. This would be equivalent to a bank providing you with details of
their vault — complete with the combination numbers to the safe.
However, getting the right answers to some basic questions gives you better
confidence that your cloud assets will be safe. In addition, you will be more aware
of whether your provider has properly addressed obvious cloud security risks. We
recommend asking your cloud provider some of the following questions:
• Security audits: “Do you conduct regular external audits of your security?”
• Data segmentation: “Is customer data logically segmented and kept
separate?”
• Encryption: “Is our data encrypted? What parts of it are encrypted?”
• Customer data retention: “What customer data retention policies are being
followed?”
• User data retention: “Is my data properly deleted if I leave your cloud
service?”
• Access management: “How are access rights controlled?”
You will also want to make sure you’ve read your provider’s terms of service (TOS).
Reading the TOS is essential to understanding if you are receiving exactly what you
want and need.
Be sure to check that you also know all the services used with your provider. If your
files are on Dropbox or backed up on iCloud (Apple's storage cloud), that may well
mean they are actually held on Amazon's servers. So, you will need to check out
AWS as well as the service you are using directly.
While enterprises can insist on a private cloud — the internet equivalent of owning
your own office building or campus — individuals and smaller businesses must
manage with public cloud services. This is like sharing a serviced office or living in
an apartment block with hundreds of other tenants. Therefore, your security needs
to be a prime concern.
In small to medium business applications, you will find cloud security rests largely
with the public providers you use.
However, there are measures you can take to keep yourself safe:
Since cloud computing is now used by over 90% of larger enterprises, cloud
security is a vital part of corporate cyber security. Private cloud services and other
more costly infrastructure may be viable for enterprise-level organizations.
However, you will still have to ensure your internal IT is on top of maintaining the
entire surface area of your networks.
For large-scale enterprise use, cloud security can be far more flexible if you make
some investments into your infrastructure.
• Actively manage your accounts and services: If you don't use a service or
software anymore, close it down properly. Hackers can gain easy access to
an entire cloud network via old, dormant accounts through unpatched
vulnerabilities.
• Multi-factor authentication (MFA): This could be biometric data such as
fingerprints, or a password and separate code sent to your mobile device. It
is time-consuming, but useful for your most sensitive data.
• Evaluate the cost-benefits of hybrid cloud: Segmenting your data is far more
important in enterprise use, as you will be handling much larger quantities of
data. You need to make sure your data is separate from other customers'
data, whether it's separately encrypted or logically segmented for separate
storage. Hybrid cloud services can help with this.
• Be wary of shadow IT: Educating your employees to avoid using unauthorized
cloud services on your networks or for company work is essential. If
sensitive data is communicated over unsecured channels, your organization
may be exposed to malicious actors or legal issues.
So, whether you are an individual user, SMB user, or even Enterprise level cloud
user — it is important to make sure that your network and devices are as secure as
possible. This starts with having a good understanding of basic cyber security at
the individual user level, as well as ensuring that your network and all devices are
protected using a robust security solution that is built for the cloud.
Computing?
Cloud computing—the cloud—now dominates worldwide as a means of accessing
resources over the internet. It allows organizations to entrust some of their data,
apps, and infrastructure to third-party cloud providers that may store, manage, or
secure those resources.
• Infrastructure as a service (IaaS): Virtualized infrastructure, managed by a
third party, onto which an organization can install software
• Functions as a service (FaaS): Similar to PaaS, but suited to individual
functions of apps, which can be spun up or down very quickly
This is where cloud security comes in, bringing a whole slate of benefits, but not
without some potential risks. Let’s look briefly at some of the most notable points.
Pros
Cons
At a glance, these cons might seem alarming—but with due diligence and the right
partner, you can eliminate them.
Cloud Security vs. Traditional Network Security
Network security stacks were designed to protect enterprise networks, not the
cloud. They can’t provide the comprehensive cybersecurity today’s SaaS apps,
high-bandwidth services, and mobile users need. To do that without added costs or
complexity, you need a multitenant security platform that scales elastically. You’ll
never get that with a traditional network security architecture.
The best way to secure apps, workloads, cloud data, and users—no matter where
they are—is to move security and access controls to the cloud.
Cloud providers continue to add more services, and the average number of distinct
entitlements for these services now exceeds 5,000. This volume of entitlements
can be challenging to manage using traditional identity and access management
(IAM) approaches.
Queueing and notification services often hold sensitive information before it’s
processed and proper security measures are applied. The sensitivity of this is
frequently overlooked—many services lack server-side encryption.
4. Cloud Ransomware
Sharing data and access with third parties, such as suppliers and contractors,
opens cloud environments to greater risk of supply chain attacks, making the
monitoring and management of third-party access a key priority for security teams.
68% of organizations have external users (from outside the organization, via role
delegation or guest users) with admin permissions to the cloud environment.
a. Enterprise-Wide Protection
Cloud-based security extends users the same protection whether they’re in the
HQ, branch offices, on the road, or at home.
b. Integrated Security
c. User Experience
With appliance-based security, every appliance between your users and the
internet causes latency. If users have to VPN into the data center, their experience
is even worse.
Cloud-based security with Zscaler provides fast local breakouts, and our Single-
Scan Multi-Action technology enables our security services to scan
simultaneously for faster performance.
d. IT Complexity
e. Intelligence
f. Value
Zscaler cloud-based security moves security from capex to opex for about the
price of a cup of coffee per user per month.
These are core security technologies, but with today’s savvy threat actors and
growing compliance requirements, cloud security has had to evolve to keep up.
SSE solves fundamental challenges related to remote work, the cloud, secure edge
computing, and digital transformation, providing secure access to the internet,
SaaS and cloud apps, and your organization’s private apps.
Zero trust, a key component of SSE, is also seeing rapid adoption. Based on
the idea that no user or entity should be inherently trusted, a zero trust approach
grants access to data and apps based on specific context—identity, content,
location, device, and more—while delivering enhanced user experiences.
Work with groups and roles rather than at the individual IAM level to make it
easier to update IAM definitions as business requirements change. Grant
only the minimal access privileges to assets and APIs that are essential for a
group or role to carry out its tasks. The more extensive the privileges, the
stronger the authentication should be. And don’t neglect good IAM hygiene:
enforce strong password policies, permission time-outs, and so on.
This granularly inspects and controls traffic to and from web application
servers, automatically updates WAF rules in response to changes in traffic
behavior, and is deployed closer to the microservices that are running
workloads.
Enhanced data protection with encryption at all transport layers, secure file
shares and communications, continuous compliance risk management, and
maintaining good data storage resource hygiene such as detecting
misconfigured buckets and terminating orphan resources.
6. Threat intelligence that detects and remediates known and
unknown threats in real-time
Third-party cloud security vendors add context to the large and diverse
streams of cloud-native logs by intelligently cross-referencing aggregated
log data with internal data such as asset and configuration management
systems, vulnerability scanners, etc. and external data such as public threat
intelligence feeds, geolocation databases, etc. They also provide tools that
help visualize and query the threat landscape and promote quicker incident
response times. AI-based anomaly detection algorithms are applied to
catch unknown threats, which then undergo forensics analysis to determine
their risk profile. Real-time alerts on intrusions and policy violations shorten
times to remediation, sometimes even triggering auto-remediation
workflows.
CloudGuard Solutions
CLOUD SECURITY OBJECTIVES?
Cloud security objectives are the specific goals that an organization sets out
to achieve in order to protect its cloud-based infrastructure, applications, and
data. These objectives should be aligned with the organization's overall
security strategy and business goals.
In addition to these general objectives, organizations may also have specific cloud
security objectives related to their own unique needs and environment. For example,
an organization that stores sensitive customer data in the cloud may have an
objective to achieve PCI DSS compliance. Or, an organization that relies heavily on
cloud-based applications may have an objective to maintain 99.99% uptime.
By setting clear and measurable cloud security objectives, organizations can better
protect their data, applications, and systems from a wide range of threats.
1. Confidentiality
2. Integrity
Integrity is the assurance that data is accurate and complete, and that it has
not been tampered with. In the context of cloud security, this means ensuring
that cloud-based data and applications are not modified or corrupted without
authorization. This can be achieved through a variety of measures, such as:
• Data hashing: Data hashing is a technique that creates a unique
fingerprint of a piece of data. This fingerprint can be used to verify the
integrity of the data by comparing it to the original fingerprint.
• Digital signatures: Digital signatures are a type of cryptography that can
be used to verify the authenticity and integrity of digital data.
• Audit logging: Audit logging tracks all activity on cloud resources. This
can be used to detect unauthorized changes to data or applications.
3. Availability
4. Compliance
5. Risk Mitigation
Risk mitigation is the reduction of the likelihood and impact of security
incidents. In the context of cloud security, this means implementing a variety
of measures to protect cloud-based resources from threats. This can include
measures such as:
Software Requirements of a
secure cloud
The software requirements of a secure cloud vary depending on the
specific needs of the organization. However, there are some general
software requirements that are essential for all secure clouds. These
include:
• Cloud access security broker (CASB): A CASB is a security
gateway that sits between the cloud environment and the internet.
It can be used to enforce security policies, control access to
cloud resources, and inspect traffic for malicious activity.
When choosing software for a secure cloud, it is important to consider the following
factors:
• Security monitoring: Tracks all activity on cloud resources and
alerts on suspicious activity.
A SIEM solution collects and analyzes security logs from across the
cloud environment. This helps organizations to:
A CASB is a security gateway that sits between the cloud environment
and the internet. It can be used to:
• Data loss prevention (DLP): DLP software monitors and blocks the
unauthorized movement of sensitive data. This may be required
for organizations that must comply with regulations such as PCI
DSS or HIPAA.
• Security policies and procedures: Organizations should have written
security policies and procedures in place that cover all aspects of
cloud security. These policies and procedures should be regularly
reviewed and updated to ensure that they are effective.
• Segmentation: Segmentation divides the cloud environment into
multiple segments, each with its own security controls. This helps
to contain the impact of a security breach in one segment from
spreading to other segments of the environment.
Cloud security is a critical requirement for all organizations. Especially
with the latest research from (ISC)2 reporting 93% of organizations are
moderately or extremely concerned about cloud security, and one in
four organizations confirming a cloud security incident in the past 12
months.
security and identify the certifications and training to improve your cloud
security.
Thankfully, there is a widely established set of strategies and tools
you can use to achieve a robust cloud security setup; these include:
Physical Security
Encryption
Using cloud technology, you are sending data to and from the cloud
provider’s platform, often storing it within their
infrastructure. Encryption is another layer of cloud security to protect
your data assets, by encoding them when at rest and in transit. This
ensures the data is near impossible to decipher without a decryption
key that only you have access to.
Another practice to maintain and improve cloud security is vulnerability
and penetration testing. These practices involve you – or your provider
– attacking your own cloud infrastructure to identify any potential
weaknesses or exploits. You can then implement solutions to patch
these vulnerabilities and improve your security stance.
Micro-Segmentation
Next-Generation Firewalls
Here at Kinsta, we secure all websites behind the Google Cloud
Platform (GCP) Firewall, which offers state-of-the-art protection and the ability
to integrate more closely with other GCP security solutions.
What are the cloud security requirements? Why is cloud security necessary?
ensure that cloud resources are used in a secure and efficient manner.
Furthermore, cloud security is necessary to ensure that cloud services
are compliant with applicable laws and regulations.
• Encrypting sensitive data before storing it in the cloud: This will help
to protect the data in case it is accessed by unauthorized users.
• Educating employees about data privacy and integrity: Employees
should be trained on how to protect data from unauthorized access and
disclosure.
By taking these steps, organizations can help to ensure that their data is
protected in the cloud.
Here are some additional tips for protecting data privacy and integrity in
the cloud:
• Choose a reputable cloud provider: Make sure that the cloud provider
you choose has a good track record of security and compliance.
• Read the cloud provider's terms of service and privacy policy: Make
sure that you understand the cloud provider's policies on data privacy and
security.
• Have a plan for responding to security incidents: Make sure that you
have a plan in place to respond to security incidents in your cloud
environment.
Data integrity in the cloud is the practice of ensuring that data is accurate and
complete. This is important because inaccurate or incomplete data can lead to bad
decisions being made.
Cloud providers typically have a number of security measures in place to protect
data integrity, including:
• Error detection and correction (EDC): EDC systems detect and correct
errors in data.
By taking these steps, organizations can help to ensure that their data
privacy and integrity are protected in the cloud.
Additional tips for protecting data privacy and integrity in the cloud:
• Choose a reputable cloud provider: Make sure that the cloud provider
you choose has a good track record of security and compliance.
• Use a cloud access security broker (CASB): A CASB can help you to
enforce security policies and monitor activity on your cloud resources.
• Have a plan for responding to security incidents: Make sure that you
have a plan in place to respond to security incidents in your cloud
environment.
By following these tips, organizations can help to protect their data privacy
and integrity in the cloud.
Data integrity is also a complex issue, and there are a number of different
factors that organizations need to consider when moving their data to the
cloud. One of the most important factors is the cloud provider's disaster
recovery plan. Organizations need to make sure that the cloud provider has
a plan in place to recover data in the event of a disaster.
• Identify security risks: CSPM tools can scan cloud environments for
security risks, such as misconfigurations, vulnerabilities, and suspicious
activity.
• Monitor cloud environments for security risks: CSPM tools can monitor
cloud environments for security risks and alert organizations to any
potential threats.
• Monitor cloud activity: CASBs can monitor cloud activity for suspicious
activity.
CONCLUSION
Data privacy and integrity are two of the most important concerns for
organizations that are considering moving their data to the cloud. By taking the
necessary precautions, organizations can help to protect their data and ensure
that it is used in a responsible and ethical manner.
Your Guide to Data Privacy
and Information Protection
on Cloud
By Team Cloud4c
25 Apr, 2023
• Identity, authentication, and access management - These issues
include not deploying multi-factor authentication, improperly
configuring access points, employing weak passwords, non-availability
of scalable identity management systems, and not automating the
regular rotation of cryptographic keys, passwords, and certificates.
• Vulnerable public APIs - Application programming interfaces must be
protected against both unintentional and intentional attempts for
accessing sensitive data, starting from authentication and access
control to encryption and activity monitoring.
• Account turnover - Attackers may attempt to monitor user
interactions and transactions, manipulate data, provide false
information, and direct users to malicious websites.
• Malicious insiders - A present or former employee or contractor with
access to a company's network, systems, or data may purposefully
misuse that access in a way that it amounts to data breach or
hampers the organization's information systems' availability.
• Data sharing - A lot of cloud services are designed to make data
sharing seamless between businesses. This expands the attack
surface areas for hackers who now have more potential targets for
breaching sensitive data.
Best Practices for data privacy and protection on Cloud
Selecting a Trustworthy Cloud Service Provider
Selecting a trustworthy cloud service provider is one of the most crucial
steps in ensuring data privacy and protection. Companies should check if the
cloud service providers enjoy a good reputation and strictly comply with
data privacy laws. An adequate security system, including data encryption,
access control, and multi-factor authentication, should be offered by
the cloud service provider.
Maintaining Data Confidentiality
A fundamental aspect of data protection is preserving data confidentiality.
Usually there’s great risk associated with data breaches in remote data
storage, a lack of network perimeter, third-party cloud service providers,
multi-tenancy, and extensive infrastructure sharing. Hence, preserving the
confidentiality of the sensitive data and information of all users and associates
connected with it is crucial. Additionally, because enterprise cloud
landscapes often combine new technologies and legacy systems together in a
hybrid model, it will invariably create new security risks because of flaws in
both system design and implementation. Data security versus usability,
system scalability, and dynamics present challenges in providing satisfying
security assurance in terms of data confidentiality.
Is Data Encryption the best Way? Key Questions to Answer
The simplest way to guarantee data confidentiality is to encrypt all
sensitive data when it is being stored, processed, and transmitted by cloud
servers. However, there are several subtle and difficult issues to be
addressed with data encryption which we can list as follows.
users because typically the data owner must remain online to provide the
key distribution service. Additionally, user revocation, which is a problem in
conventional cryptography, is yet another deterrent. User revocation
frequently entails broadcasting to every user in the system and/or re-
encrypting any cloud-stored data that has already been encrypted. In
large-scale systems, the ideal solution is one that can make data encryption
an independent task with little impact on the key distribution process,
meaning that any data modification or re-encryption does not result in an
update or new distribution of the decryption key. Special consideration
should be given to the system design and selection of the underlying
cryptographic primitive(s) for this purpose. Such a problem is specifically
connected to data access control based on cryptography.
Data access privileges for encryption-based solutions are based on
necessary decryption key(s). This makes it possible for malicious users who
have access to data to abuse it by giving data decryption keys to
unauthorized users. One way to stop such key abuse is to protect the data
decryption key with tamper-resistant hardware on the user's end. This
helps prevent a potentially malicious user from accessing the key
while still allowing him or her to decrypt data. Tamper-resistant devices are
made in such a way that when tampered with, the sensitive data, such as
the decryption key, is zeroed out or the chip simply breaks. This severely
restricts the ability of attackers, because now the only way a malicious user
can misuse the key is by sharing the physical device with others. However,
because the malicious attacker is in physical possession of the device, it is
possible to launch attacks that can get past the device's internal
security system, such as chosen message attacks, fingerprinting attacks
and others. As an alternative to such proactive methods, the problem of key
abuse can also be dealt with using reactive methods.
Data Prioritization Methods
Removing sensitive data and only storing non-sensitive data in the cloud is
an alternative strategy for maintaining data confidentiality. For instance, to
protect user privacy when working with data containing personally
identifiable information (PII), this uniquely identifying information would be
removed. This method is comparable to the principles of database k-anonymity
and its improvements. This approach keeps data processing's
efficiency and flexibility intact in comparison to data encryption. Since key
distribution and management are no longer necessary, this method also
greatly reduces the complexity of system management. The main drawback
of this solution is that by removing the sensitive information, it will result
in information loss. This process will render the data useless in many
application scenarios while maintaining data confidentiality.
Another technique is referred to as "information-centric" protection. With
this approach, the data is encrypted with a usage policy of some sort. The
system will launch a program that checks the environment against the data
usage policy each time the data is accessed. The data will be decrypted,
and a secure virtualization environment will be created if the verifying
program determines that the environment is secure enough. Applications in
this secure environment can access the data in plaintext.
Enabling Data Integrity on Cloud
Another crucial security concern in cloud computing is data integrity. Data
integrity is required for data stored on cloud servers as well as for
communications between cloud users and cloud servers. Particularly when
outsourcing valuable data assets for storage in the cloud, cloud users may
have serious concerns about data integrity. The potential long lifespan of
outsourced data would make it more susceptible to intentional or
unintentional modification, corruption, or deletion, due to sloppy system
maintenance or the efforts of reducing costs.
While the problem of data integrity for communications can be solved using
pre-made methods like message integrity code, the problem of data
integrity for data storage appears to be more challenging for the following
reasons:
First, it's possible that cloud users won't be ready to fully rely on cloud
service providers to protect data integrity. This is due to the fact that
cloud services are typically offered by independent contractors who do not
necessarily fall under the same level of trust as cloud users. Although
service level agreements and other mechanisms help cloud users and cloud
service providers build trust relationships, these practices may occasionally
engage in intentional or unintentional misconduct that prevents cloud users
from having complete confidence in the integrity of their data.
Second, timely service for data integrity should be offered. This is due to
the fact that in practical applications, it is frequently too late for cloud
users to discover data corruption at the point of data retrieval. This is
especially true for the long-term storage of large volumes of data because
many portions or blocks of data may not be accessed frequently over an
extended period of time.
Third, cloud users must not only actively participate in the "self-served"
data integrity check but also provide the necessary knowledge and
computing power. But in the world of cloud, users' skill levels and resources
range widely. It turns out that the majority of cloud users might not be
able to perform a data integrity check on their own.
The best solution would be for a data integrity protection mechanism to
support frequent data integrity checks on large volumes of data while
allowing third-party verification and data dynamics. Cryptographic
techniques can be used to offer robust data integrity protection. Specifically,
this is how message authentication codes (MACs) can be used for data
integrity. A small number of MACs are initially generated locally and kept
on hand by data owners (cloud users) for the data files that will be
outsourced. Recalculating the MAC of the received data file and comparing
it to the locally pre-computed value allows the data owner to check the
data integrity whenever they need to retrieve the file.
Ensuring Data Availability
The ability of cloud users to store and process data will be greatly
enhanced by the limitless and elastic resources provided by cloud computing.
For instance, cloud users can benefit from robust data storage that may
not be available locally due to limited resources by creating multiple replicas
of data in the cloud. Cloud users (data owners) may replicate data on
geographically dispersed cloud servers and permit their customers to access
data effectively via local cloud servers (the use of which is similar to the
content distribution networks (CDNs)). This enables them to offer high-quality
data services to their own customers. By giving the task of data
maintenance to the cloud service provider, who might be more skilled at it,
cloud users can also save time and effort. In other words, cloud computing
allows users to operate high-quality, massive data services with little local
deployment and maintenance work.
Securing Data Access
Cloud computing requires that cloud data storage and sharing services
facilitate secure, effective, and reliable distribution of data content to a
potentially large number of authorized users on behalf of the data owners.
This is because different sensitive data information is pooled in the cloud.
Role-Based Access Control (RBAC) is one such access control mechanism
that can be implemented by cloud servers as a solution to this problem. The
aim of data access control can be successfully accomplished because mature
techniques like RBAC's access control mechanisms are capable of handling
fine-grained access control in large-scale systems. Alternatively,
cryptographic techniques are a different approach to offering secure data
access services. This type of solution encrypts data before it is stored in
the cloud, and the data owner (cloud user) keeps the secret key to
themselves. The data decryption key is given to authorized users to enable
data access. By doing this, we are able to facilitate end-to-end security
without revealing its contents to the cloud servers.
Deploying Multi-Factor Authentication
Multi-factor authentication needs users to provide two or more forms of
authentication before they can access data. Cloud service providers should
enable multi-factor authentication to allow only authorized personnel to
access their clients' data. Multi-factor authentication should include a
blend of something the user knows, such as a password, something the user
has, such as a security token, and something the user is, such as biometric
data.
Adhering to Regulations and Compliance
Sensitive data storage and access are strictly regulated for mission-critical
applications. Before moving sensitive data into the cloud, the data owner
and the cloud service provider should both be aware of the underlying
laws/compliances:
sensitive data can be stored in the cloud, the cloud service provider may
need to obtain security certification and/or accreditation. This type of
security certification typically includes a thorough evaluation of the service
provider's operational and/or technical security controls. For instance,
FISMA mandates that such certification or accreditation be obtained prior
to the agents using cloud services for data processing or storage. Firms are
also increasingly opting for compliance-as-a-service offerings to remain
compliant at all times, across every activity, with less manual effort.
Streamlining Auditing
The entire service architecture design must be both secure and practical to
enable public auditing from a systematic standpoint. Considering this, we
can briefly describe a set of suggested desirable properties that satisfy
this kind of design principle below. Note that these specifications are
desirable ends. They may not even be entirely feasible or in tandem with
the current technology.
The Path Forward
The Cloud computing model has received a lot of attention from businesses
and the academic community. Data security is a critical concern when
deploying applications to the cloud. With Cloud4C, one of the leading
managed services providers, gain end-to-end data protection for your
enterprise IT landscape, regardless of the scope and complexity of your IT
infrastructure. Prevent Data leaks (Data Loss Prevention) in hosted systems
and assets, examine databases and dataflows across multiple assets, assess
logs and telemetry from various sources, study information to find malicious
links and hidden threats, and predict vulnerabilities for preventive
maintenance. For the strictest data protection, integrate cutting-edge
intelligent security solutions, cloud-native tools, and proprietary platforms.
Utilize round-the-clock assistance from top cybersecurity professionals to
safeguard sensitive data and workflows. To know more, get in touch with us
today.
to protect cloud systems along with their data and architecture is called
traffic to maintain the data security, authorization rules for devices to log in
to the same cloud directory, keep up with all the regulations and compliance
rules are followed to protect the security of the cloud systems. Cloud security
is provided by the cloud owner and cloud users need not worry about the
List of Cloud Security Services
Data Encryption
A huge amount of data is stored in the cloud systems by enterprises and this
data is crucial for the survival of the enterprise itself. If the data gets stolen, it
can be sold to the competitive company and they can make use of this data
that is no longer used in the daily activities, we can call this Data at rest. It is
good to encrypt the data at rest as this data will have all the charts and
studies about the market trends and the upcoming products of the same
as it alerts the users when hackers try to access the data at rest.
Firewall Protection
When the user initially tries to access any cloud system from the system, they
registered in the firewall security settings after which the user can access the
data in the cloud system. This internal and external firewall protection is
by the firewall. When data is sent across the same IP address, the source and
destination of the packet are verified by the firewall. Also, the stability of the
firewalls will check the content of the data packet to establish that there are
form.
Monitoring
All the IDs that are being logged into the system are monitored and noted in
the cloud logging system so that when any security threat occurs and if it is
from inside, this tracking helps to identify the individual who logged in at a
particular time. Even firewall rules are updated to prevent suspicious logging
attempts thus making the data secure in the cloud storage. Monitoring
usually checks for the authentication rules and IP addresses so that if any
suspicious logins are detected, they are prevented from accessing the data in
the storage. This is done at the granular level so that permissions are not
responsibilities are shared. This helps in monitoring the activities of other
people and notifying the security team of any unauthorized data modulation.
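The login monitoring described above (tracking which IDs sign in from where, detecting suspicious login attempts, and feeding firewall rule updates), as an added example that is not part of the original document: it replays sign-in log lines, raises alerts for brute-force bursts, for a success from an address already flagged, and for a user signing in from an address not in their history, and returns the address list a firewall deny rule would consume. The log format, thresholds, user names and addresses are all constructed for the demo.

```python
"""Added example (not from the original document): sign-in log monitoring that
flags brute-force bursts and logins from unfamiliar addresses."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str
    success: bool


def parse_line(line: str) -> Event:
    """Constructed log format: '<ISO-8601 timestamp> <user> <source ip> <SUCCESS|FAILURE>'."""
    ts, user, ip, result = line.split()
    return Event(datetime.fromisoformat(ts), user, ip, result == "SUCCESS")


FAIL_THRESHOLD = 5              # failures from one address inside WINDOW -> brute-force alert
WINDOW = timedelta(minutes=2)   # constructed threshold and window for the demo


def analyze(lines: List[str], known_ips: Dict[str, Set[str]]) -> Dict[str, list]:
    """Replay sign-in events and return alerts plus the address block list.

    Rules (all on the defender's side):
      brute_force         - FAIL_THRESHOLD or more failures from one address within WINDOW
      success_after_burst - a success from an address already flagged for brute force
      new_ip              - a success for a user from an address not in that user's history
    known_ips is the per-user address history; it is copied, never mutated.
    """
    seen: Dict[str, Set[str]] = {user: set(ips) for user, ips in known_ips.items()}
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    blocked: Set[str] = set()
    alerts: List[dict] = []

    def alert(kind: str, ev: Event) -> None:
        alerts.append({"kind": kind, "user": ev.user, "ip": ev.ip, "at": ev.ts.isoformat()})

    for ev in (parse_line(line) for line in lines):
        if not ev.success:
            window = recent_failures[ev.ip]
            window.append(ev.ts)
            while window and ev.ts - window[0] > WINDOW:   # forget failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev.ip not in blocked:
                blocked.add(ev.ip)                          # candidate for a firewall deny rule
                alert("brute_force", ev)
            continue

        # Successful sign-in: check it against the burst state and the user's history.
        if ev.ip in blocked:
            alert("success_after_burst", ev)
        if ev.ip not in seen.setdefault(ev.user, set()):
            alert("new_ip", ev)
            seen[ev.user].add(ev.ip)

    return {"alerts": alerts, "block_list": sorted(blocked)}


# Constructed sample data; addresses are from RFC 1918 / RFC 5737 ranges, not real hosts.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 alice 10.0.0.5 SUCCESS",
    "2024-05-01T09:01:00 bob 203.0.113.9 FAILURE",
    "2024-05-01T09:01:10 bob 203.0.113.9 FAILURE",
    "2024-05-01T09:01:20 bob 203.0.113.9 FAILURE",
    "2024-05-01T09:01:30 bob 203.0.113.9 FAILURE",
    "2024-05-01T09:01:40 bob 203.0.113.9 FAILURE",
    "2024-05-01T09:01:50 bob 203.0.113.9 SUCCESS",
    "2024-05-01T09:05:00 carol 198.51.100.7 SUCCESS",
    "2024-05-01T09:06:00 dave 10.0.0.8 FAILURE",
]
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.6"}, "carol": {"10.0.0.7"}}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, KNOWN_IPS)
    for a in result["alerts"]:
        print(f"{a['at']} {a['kind']:20s} user={a['user']} ip={a['ip']}")
    print("addresses to deny at the firewall:", result["block_list"])
```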
hackers to access data via server directly. This does not check for firewall
protection and there are no authentication rules. This is why all the physical
servers are monitored closely by physical security and watched using CCTV
cameras 24 hours a day. Biometrics are also present in the server rooms
where only authorized security personnel and maintenance officials can enter
and check the servers working. Also, logs are enabled for those who enter
and leave the room and the time taken inside the server room. When the
concerned personnel proceeds with more time than permitted, alerts are sent
to the security so that they can check the server rooms for unauthorized
personnel.
Isolated networks
When there is an important deployment in the cloud system and the data
good to do the deployment in virtually isolated networks. Security policies
should be implemented in all the networking systems and the system itself
should be protected from malicious threats and virus attacks. The accesses
Anomaly detection
When the logs are huge, it is difficult to manage the logs manually for which
logging pattern. This helps to manage the logging details and monitor the
discrepancies in the logs. Also, vulnerability can be scanned and thus made
to know which computing service has less security systems. This makes the
system improve security and protect the data to the core. The location of the
databases can be kept under surveillance so that we can be sure that data is
deployment of data into the cloud and higher environments to ensure that
the data is kept in the proper cloud storage and in the proper format of
folder details.
Protection through APIs
To protect data from the hands of unauthorized personnel, cloud users can
employ APIs and web apps for the security of data. This helps in protecting
the containers and virtual machines from unsecured logins. Auto incidents
can be raised for unofficial logins which helps to protect the systems and
thus the cloud-stored data. And if the threats pose heavy risks, real-time
alerts can be set in the cloud storage to prevent them from accessing the data.
All our data in our systems, mobile devices, and storage disks are becoming
cloud storage data and hence it is crucial to have good cloud security
services arranged for these devices. Cloud providers offer cloud security and
if one is not satisfied with the same, users can seek the help of private
providers that offer online security services, should have a disaster recovery or
business continuity plan of their own. These strategies must guarantee to
continue operations on PaaS, IaaS, and SaaS platforms.
A Safety Tip – Being a responsible online user, it is your responsibility to
demand an SLA from CSP. This agreement comprises the backup and recovery
plan that is covered under the RTO/RPO section.
This is actually a good question, because the answer comprises the points
that a security-as-a-service vendor should cover. So, let us read
through the following bullets, which cover what today’s businesses need in
order to achieve prevention against cyber threats in 2020:
• Security Data & Event Management – Online apps lend themselves
to monitoring and auditing procedures, and these features are core to SIEM.
It is accomplished using the events and security data collected from traditional
IT security systems (like anti-malware, IDP), network systems, and
management systems. Administrators must ensure that the log file data
meets the particular regulatory and compliance requirements that apply
when shifting data to the cloud.
Cloud security services are a set of services designed to mitigate risk and improve
compliance of cloud environments. Since these environments can be quite
complex, involving a wide range of technologies and processes and, at the same
time, exposed to a variety of threats, they can’t be protected by a one-size-fits-all
solution. Rather, most of these services tackle specific areas. We’ll elaborate on
that in a moment.
• Your IT staff no longer have to handle cyber incidents and can focus
instead on supporting your core business operations.
Rather, most of these services tackle specific areas. Some of the most common
types of cloud security services include data loss prevention (DLP), identity and
access management (IAM), email security, web security, and intrusion detection.
With so much data being uploaded to and generated by cloud services, and
with so many applications and devices accessing that data, the chance of
data loss is enormous. DLP services are built to detect the presence of
sensitive data—credit card data, electronic Protected Health Information
(ePHI), social security numbers, etc.—and prevent them from falling into the
wrong hands.
Email Security
As the weakest link in the security chain, users are often the targets in
cyberattacks. And because practically all users use email, many of these
attacks—such as phishing and Trojans—are carried out through that medium.
Some of these attacks may compromise your cloud environment. For
instance, a spear phishing attack may be aimed at acquiring cloud
administrator credentials. One way to mitigate these threats is by employing
a capable email security service that can detect phishing emails and malicious
attachments.
Web Security
Increased usage of cloud services is an added burden to IT administrators,
who now have to deal with a much larger attack surface. Users access cloud
services from different locations—in their headquarters, at home, in branch
offices, or just about anywhere. Web security solutions, which sit between
users (regardless of location) and the internet in typical scenarios, provide
administrators the means to secure these connections and protect them
against cyber threats.
Intrusion Detection
Intrusion-detection solutions monitor inbound and outbound traffic for
suspicious activities and detect potential threats. Usually, detection is done
through pattern recognition mechanisms that identify specific signatures and
behaviors. Traditional intrusion detection is usually applied to the network
layer. However, we’re now seeing more solutions applying this kind of
protection to the host layer (i.e., to the virtual machines themselves). By
detecting threats before they can exploit vulnerabilities, businesses can
prevent threat actors from establishing a beachhead in the targeted system.
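The two detection styles named above, signature matching and behavioural analysis, can be shown on a handful of request log lines. The block below is an added example, not code from the original document or from any intrusion detection product; the log line format, the traversal signature and the sample traffic are all constructed for it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed line format (not any server's real default log format):
#   <ISO-8601 timestamp> <source IP> <method> <path> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Signature: literal or URL-encoded parent-directory sequences in a request path.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.%2f|%2e%2e", re.IGNORECASE)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src, "method": method, "path": path, "status": int(status),
    }


def detect(lines, window_seconds: int = 60, threshold: int = 5) -> list[dict]:
    """Run a signature check and a behavioural check over log lines in arrival order.

    Signature: a request path matching TRAVERSAL_RE raises an alert immediately.
    Behaviour: `threshold` or more failed logins (401/403 on /login) from one source
    inside a sliding `window_seconds` window raise one brute-force alert per source.
    """
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    already_flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # a production system would count malformed lines as a signal too
        if TRAVERSAL_RE.search(ev["path"]):
            alerts.append({"type": "path_traversal", "src": ev["src"], "detail": ev["path"]})
        if ev["path"] == "/login" and ev["status"] in (401, 403):
            recent = failures[ev["src"]]
            recent.append(ev["ts"])
            while (ev["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()   # drop failures that fell out of the window
            if len(recent) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "detail": f"{len(recent)} failed logins within {window_seconds}s"})
    return alerts


# Constructed sample traffic: a burst of failed logins from one address, two widely
# spaced failures from another (benign), one traversal attempt, and normal requests.
SAMPLE_LOG = [
    "2024-05-22T10:00:01Z 203.0.113.9 POST /login 401",
    "2024-05-22T10:00:02Z 203.0.113.9 POST /login 401",
    "2024-05-22T10:00:03Z 192.0.2.10 POST /login 401",
    "2024-05-22T10:00:03Z 203.0.113.9 POST /login 401",
    "2024-05-22T10:00:04Z 203.0.113.9 POST /login 401",
    "2024-05-22T10:00:05Z 203.0.113.9 POST /login 401",
    "2024-05-22T10:00:30Z 198.51.100.4 GET /static/../../config 404",
    "2024-05-22T10:01:00Z 192.0.2.10 GET /index.html 200",
    "2024-05-22T10:05:00Z 192.0.2.10 POST /login 401",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The signature check fires on a single event; the behavioural check needs state across events, which is why the window and threshold are tunable: too small a window misses slow attempts, too low a threshold turns ordinary typos into alerts.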
Encryption
Portability and Accountability Act (HIPAA), Payment Card Industry Data Security
Standard (PCI DSS), and General Data Protection Regulation (GDPR).
With so many different cloud security services in the market today, it can be
difficult to put them together into an effective layer of defense. In the following
subsections, we’ll share with you some best practices that will help you make the
most of using cloud security services.
what portions of the cloud environment are your responsibility and which
ones are for your cloud provider. Generally speaking, your provider will
oversee the security of the cloud, and you will be responsible for security in
the cloud.
Different cloud service offerings like Software as a Service (SaaS) and IaaS
have different takes on this model, so make sure you’re looking at the right
one. Your provider should have this information.
While large cloud providers have several security controls in place, the
presence of these controls and the extent of their coverage may vary from
one provider to another. Hence, it’s important to know exactly which controls
exist as well as the details pertinent to these controls.
What’s their disaster recovery plan? Do they have information that maps
their security controls with specific regulatory requirements? What access
control, encryption, and backup mechanisms are readily available? What is
the extent of their technical support? Do they have 24/7 support? These are
some of the questions you should ask.
Since users are the weakest link in the security chain, something must be
done to strengthen that link. Otherwise, your cloud security initiatives will
only go to waste. Now, since it’s their lack of security awareness that’s likely
exposing them to threats, education is the best solution.
Ensure all your users undergo security awareness training, and keep them
updated with the latest threats, particularly those that target end users (e.g.,
phishing, spear phishing, and other social engineering attacks). You can even
incorporate it into your onboarding process so that they can be equipped
with the right mindset from day one.
Not all organizations have dedicated cybersecurity teams, let alone a full-
fledged security operations center (SOC), that can architect and implement a
defense-in-depth strategy as well as manage its cloud security solutions and
take charge of threat monitoring, detection, and response.
If you have limited or no in-house cybersecurity staff, the best option is
to outsource cloud security services. Third parties such as managed
security service providers (MSSPs) can manage existing cloud security
services and also offer cloud security services themselves. By outsourcing
your security responsibilities, you can focus more on your core business.
Superior Encryption
Monitoring Tools
Parallels RAS also provides monitoring tools that enable IT administrators to gain
in-depth visibility into user sessions. This allows them to monitor what users are
doing on the network. In addition, Parallels RAS also auto-baselines its VDI
environment. You can use this to trigger alert notifications should user activities
deviate from the baseline, i.e., when abnormal actions are detected.
Since users access cloud-based VDI desktops and applications remotely from any
device, it’s important to make sure that the person logging in is really who that
user claims to be. Parallels RAS mitigates the risk of unauthorized logins by
adding several multifactor authentication (MFA) options, including Azure MFA,
Duo, FortiAuthenticator, TekRADIUS, RADIUS, Deepnet, Google Authenticator, or
Gemalto (formerly SafeNet). With MFA, even if a threat actor manages to acquire
a legitimate user’s login password, that person will still be unable to log in if the
second factor fails to match what Parallels RAS expects.
Client Policies
others, enables companies to conform with data privacy/protection laws and
regulations such as the HIPAA, PCI DSS, and GDPR.
When delivering virtual applications and desktops from the cloud, it’s not enough
to rely on cloud security services. Enhance the protection provided by your cloud
security services with a highly secure, cloud-ready VDI solution.
Public cloud infrastructure is, in many ways, more vulnerable than on-
premises infrastructure because it can easily be exposed to public networks,
and is not located behind a secure network perimeter. However, in a private or
hybrid cloud, security is still a challenge, as there are multiple security
concerns due to the highly automated nature of the environment and
numerous integration points with public cloud systems.
• Securing workloads and data, fully complying with relevant compliance
standards, and ensuring all activity is logged to enable auditing.
• Ensuring cloud configurations remain secure, and any new resources on the
cloud are similarly secured, using automated tools such as a Cloud Security
Posture Management (CSPM) platform.
• Understanding which service level agreements (SLA), supplied by your cloud
provider, deliver relevant services and monitoring.
• If you use services, machine images, container images, or other software
from third-party providers, performing due diligence on their security
measures and replacing providers if they are insufficient.
• Use cloud native monitoring tools to gain visibility over any anomalous
behavior in your running workloads.
• Monitor privileged accounts and resources for suspicious activity to detect
insider threats. Malicious users or compromised accounts can have severe
consequences in a private cloud, because of the ease with which resources can
be automated.
• Ensure complete isolation between virtual machines, containers, and host
operating systems, to ensure that compromise of a VM or container does not
allow compromise of the entire host.
• Virtual machines should have dedicated NICs or VLANs, and hosts should
communicate over the network using a separate network interface.
• Plan ahead and prepare for hybrid cloud by putting security measures in place
to ensure that you can securely integrate with public cloud services.
• Ensure public cloud systems are secured using all the best practices.
• Private cloud systems should follow private cloud security best practices, as
well as traditional network security measures for the local data center.
• Avoid separate security strategies and tools in each environment—adopt a
single security framework that can provide controls across the hybrid
environment.
• Identify all integration points between environments, treat them as high-risk
components and ensure they are secured.
➢ Securing 7 Key Components of Your Cloud Infrastructure
Here are key best practices for securing the key components of a typical cloud
environment.
1. Accounts
Service accounts in the cloud are typically privileged accounts, which may
have access to critical infrastructure. Once compromised, attackers have
access to cloud networks and can access sensitive resources and data.
Service accounts may be created automatically when you create new cloud
resources, scale cloud resources, or stand up environments using
infrastructure as code (IaC). The new accounts may have default settings,
which in some cases means weak or no authentication.
Use identity and access management (IAM) to set policies controlling access
and authentication to service accounts. Use a cloud configuration monitoring
tool to automatically detect and remediate non-secured accounts. Finally,
monitor usage of sensitive accounts to detect suspicious activity and respond.
2. Servers
While a cloud environment is virtualized, behind the scenes it is made up of physical
hardware deployed at multiple geographical locations. This includes physical
servers, storage devices, load balancers, and network equipment like switches and
routers.
Here are a few ways to secure a cloud server, typically deployed using a compute
service like Amazon EC2:
perform specific operations, needed for their role. Avoid using the root user—
any operation should be performed using identified user accounts.
3. Hypervisors
A hypervisor runs on physical hardware, and makes it possible to run several
virtual machines (VMs), each with a separate operating system.
All cloud systems are based on hypervisors. Therefore, hypervisors are a key
security concern, because compromise of the hypervisor (an attack known as
hyperjacking) gives the attacker access to all hosts and virtual machines
running on it.
In private cloud systems, the hypervisor is always under your responsibility. Here
are a few ways to ensure your hypervisor is secure:
4. Storage
In cloud systems, virtualization is used to abstract storage from hardware systems.
Storage systems become elastic pools of storage, or virtualized resources that can
be provisioned and scaled automatically.
• Remove unused data—cloud storage can easily scale and it is common
to retain unnecessary data, or entire data volumes or snapshots that are
no longer used. Identify this unused data and eliminate it to reduce the
attack surface and your compliance obligations.
• Carefully control access to data using identity and access management
(IAM) systems, and applying consistent security policies for cloud and
on-premises systems.
• Use cloud data loss prevention (DLP) tools to detect and block
suspicious data transfers, data modification or deletion, or data access,
whether malicious or accidental.
5. Databases
Databases in the cloud can easily be exposed to public networks, and almost always
contain sensitive data, making them a serious security risk. Because databases
are closely integrated with the applications they serve and other cloud systems,
those adjacent systems must also be secured to prevent compromise of the
database.
6. Network
Cloud systems often connect to public networks, but also use virtual networks to
enable communication between components inside a cloud. All public cloud
providers let you set up a secure, virtual private network for your cloud resources
(called a VPC in Amazon and a VNet in Azure).
Here are a few ways you can secure cloud networks:
• Use security groups to define rules that define what traffic can flow
between cloud resources. Keep in mind that security groups are tightly
connected to compute instances, and compromise of an instance grants
access to the security group configuration, so additional security layers
are needed.
• Use Network Access Control Lists (ACL) to control access to virtual
private networks. ACLs provide both allow and deny rules, and provide
stronger security controls than security groups.
• Use additional security solutions such as firewalls as a service (FWaaS)
and web application firewalls (WAF) to actively detect and block
malicious traffic.
• Deploy Cloud Security Posture Management (CSPM) tools to
automatically review cloud networks, detect non-secure or vulnerable
configurations and remediate them.
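The difference between the first two items (allow-only security groups versus ordered network ACLs with explicit deny rules) and the CSPM review in the last item can be shown in a small configuration check. This is an added example, not code from the original document or from any cloud provider's SDK: the rule dictionaries are a simplified stand-in for what a provider's API returns, and the list of sensitive ports, the group and the ACL rules are constructed for the example.

```python
import ipaddress

# Constructed policy: services that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

# Constructed sample data. The field names are a simplified stand-in for a cloud
# provider's API response, not the provider's real schema.
SECURITY_GROUP = {
    "id": "sg-example",
    "inbound": [
        {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},     # fine: public HTTPS
        {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},       # finding: SSH open to the world
        {"cidr": "10.0.0.0/8", "from_port": 3306, "to_port": 3306},  # fine: internal only
    ],
}
NACL_RULES = [
    {"number": 100, "action": "deny", "cidr": "198.51.100.0/24", "from_port": 0, "to_port": 65535},
    {"number": 200, "action": "allow", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"number": 300, "action": "allow", "cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22},
]


def check_security_group(sg: dict) -> list[str]:
    """CSPM-style check. Security groups are allow-only, so the misconfiguration to
    look for is an allow rule that is too broad, never a missing deny."""
    findings = []
    for rule in sg["inbound"]:
        if ipaddress.ip_network(rule["cidr"]).prefixlen != 0:
            continue  # only world-open rules (0.0.0.0/0 or ::/0) are checked here
        for port, service in sorted(SENSITIVE_PORTS.items()):
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append(f"{sg['id']}: {service} ({port}) open to {rule['cidr']}")
    return findings


def nacl_decision(rules: list[dict], src_ip: str, port: int) -> str:
    """Network ACLs are ordered and support explicit deny: the lowest-numbered rule
    that matches decides, and traffic that matches nothing hits the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["number"]):
        if ip in ipaddress.ip_network(rule["cidr"]) and rule["from_port"] <= port <= rule["to_port"]:
            return rule["action"]
    return "deny"


if __name__ == "__main__":
    for finding in check_security_group(SECURITY_GROUP):
        print("FINDING:", finding)
    # The deny at rule 100 wins over the broader allow at rule 200 for that one range.
    print(nacl_decision(NACL_RULES, "198.51.100.7", 443))  # deny
    print(nacl_decision(NACL_RULES, "203.0.113.5", 443))   # allow
    print(nacl_decision(NACL_RULES, "203.0.113.5", 22))    # deny (implicit)
```

Run against a real inventory, a check like `check_security_group` is the automated review the CSPM item describes, while `nacl_decision` shows why ACLs are the place to put a block rule: a security group cannot express "deny this range" at all.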
7. Kubernetes
When running Kubernetes on the cloud, it is almost impossible to separate the
Kubernetes cluster from other cloud computing layers. These include the application
or code itself, container images, compute instances, and network layers. Each layer
is built on top of the previous layer, and all layers must be protected for defense in
depth.
The Kubernetes project recommends approaching security from four angles, known
as the “4 Cs”:
Compliance with security best practices, industry standards and benchmarks, and
internal organizational strategies in a cloud-native environment also faces challenges.
Scan, monitor and remediate configuration issues in public cloud accounts according
to best practices and compliance standards, across AWS, Azure, Google Cloud, and
Oracle Cloud.
CSPM
Eliminate misconfigurations in your public cloud accounts
Protect against:
Aqua CSPM continuously audits your cloud accounts for security risks and
misconfigurations to assess your infrastructure risk and compliance posture. It
provides checks across hundreds of configuration settings and compliance best
practices to ensure consistent, unified multi-cloud security.
Aqua provides self-securing capabilities to ensure your cloud accounts don’t drift out
of compliance. Get detailed, actionable advice and alerts, or choose automated
remediation of misconfigured services with granular control over chosen fixes.
applications, and sensitive data from unauthorized access by centralizing
Maintaining a strong cloud infrastructure security posture addresses these
concerns and mitigates the risk of threats, allowing organizations to enjoy all
the benefits of cloud computing while minimizing opportunities for bad actors
to take advantage of vulnerabilities in cloud infrastructure.
How to avoid it
To prevent unauthorized users from gaining access, you should implement privileged
access controls that grant allowed users permission to use cloud resources while
keeping everyone else out. Having visibility across all platforms in an organization’s
IT environment makes it easier to identify security risks, such as unused servers and
open FTP ports. Vulnerabilities like these give cybercriminals a pathway into cloud
infrastructure.
Inactive zombie accounts also pose a serious risk to cloud security, particularly when
those accounts are overprovisioned. While some organizations habitually
overprovision new user accounts, accounts can also become overprovisioned over
time as users accumulate additional privileges when they receive promotions,
change roles, or assume new responsibilities.
How to avoid it
Adopt a comprehensive cloud identity access management (IAM) solution that
enables administrators to grant users granular permissions to cloud-based systems
and resources. Use the principle of least privilege to restrict access, giving each
individual user permission to access the resources they need to do their current
job—and no more.
Finally, use a tool that deprovisions accounts automatically when a user leaves the
organization. Removing unused accounts minimizes the risk of cyberattacks that
exploit stolen credentials and promptly closes the door to zombie attacks.
3. Incomplete logging
Logs that provide real-time data on system activity and user behavior are invaluable
to Security and Compliance teams. Detailed logs supply the evidence response
teams need to pinpoint the source of a security incident, whereas incomplete or
missing logs impede investigations.
Logs are also an indispensable auditing tool, helping companies satisfy security and
compliance requirements. Reports generated from detailed logs show a complete
picture of the interactions that occur across all infrastructure. However, forgetting to
log critical IT assets results in incomplete logging. Reports generated from
incomplete logs are less accurate and can even be misleading.
How to avoid it
Companies need to enable real-time logging for all critical assets, including database
and Web servers and vital cloud infrastructure. Recording the details of who
accessed what, when, and where provides valuable data that helps IT teams
respond to security incidents faster. Logging all critical assets ensures more
accurate reporting, which gives better insights into infrastructure security and helps
companies meet complex compliance requirements.
With remote work gaining in popularity, many businesses have adopted a bring your
own device (BYOD) policy, allowing employees to connect their personal devices to
the organization’s networks. This trend, along with the rapid shift to cloud computing,
blurs traditional boundaries, making it more difficult to establish the perimeters
needed to protect enterprise resources and sensitive data from unauthorized access.
1. Deploy an identity access management solution that simplifies
credential management and centralizes authentication.
2. When provisioning new users, grant granular permissions individually
based on each user’s role and business needs.
3. Leverage the principle of least privilege to ensure each user has access
only to the resources their job requires.
4. To reduce the risk of cyberattacks that exploit zombie accounts, use a
modern tool that deprovisions users automatically when they leave the
organization.
5. Perform routine security audits. Verify and update individual, group, and
role-based permissions. Make sure no users have accumulated more
permissions than they need.
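The five steps above, together with the earlier points on service accounts with weak defaults and on zombie or overprovisioned accounts, amount to a periodic audit that can be automated. The block below is an added example of such an audit, not code from the original document or from any IAM product: the account inventory, the role baselines and the thresholds are constructed, and the permission strings only look like cloud IAM actions for readability.

```python
from datetime import datetime, timezone

# Constructed baselines: the permissions each role legitimately needs for its job.
ROLE_BASELINES = {
    "developer": {"s3:GetObject", "s3:PutObject", "logs:GetLogEvents"},
    "analyst": {"s3:GetObject", "athena:StartQueryExecution"},
    "ci-service": {"ecr:PutImage", "ecs:UpdateService"},
}

# Constructed account inventory (the shape is ours, not a cloud provider's export).
ACCOUNTS = [
    {"name": "alice", "role": "developer", "service": False, "employed": True, "mfa": True,
     "last_login": "2024-05-20T09:00:00Z", "key_age_days": 0,
     "permissions": {"s3:GetObject", "s3:PutObject", "logs:GetLogEvents"}},
    {"name": "bob", "role": "analyst", "service": False, "employed": True, "mfa": False,
     "last_login": "2024-01-03T00:00:00Z", "key_age_days": 0,
     "permissions": {"s3:GetObject", "athena:StartQueryExecution", "iam:CreateUser", "s3:PutObject"}},
    {"name": "carol", "role": "developer", "service": False, "employed": False, "mfa": True,
     "last_login": "2024-05-01T08:00:00Z", "key_age_days": 0,
     "permissions": {"s3:GetObject"}},
    {"name": "ci-deploy", "role": "ci-service", "service": True, "employed": True, "mfa": False,
     "last_login": "2024-05-21T03:00:00Z", "key_age_days": 400,
     "permissions": {"ecr:PutImage", "ecs:UpdateService", "iam:PassRole"}},
]
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_account(acct: dict, baselines: dict, now: datetime,
                  inactive_days: int = 90, max_key_age_days: int = 90) -> list[str]:
    """Return the hygiene findings for one account; an empty list means clean."""
    findings = []
    if not acct["employed"]:                       # step 4: deprovision leavers
        findings.append("user has left the organization: deprovision")
    idle = (now - _parse_ts(acct["last_login"])).days
    if idle > inactive_days:                       # zombie account
        findings.append(f"inactive for {idle} days: disable or deprovision")
    if acct["service"]:                            # service accounts cannot do MFA; rotate keys instead
        if acct["key_age_days"] > max_key_age_days:
            findings.append(f"access key is {acct['key_age_days']} days old: rotate")
    elif not acct["mfa"]:
        findings.append("MFA not enabled")
    excess = acct["permissions"] - baselines.get(acct["role"], set())
    if excess:                                     # steps 3 and 5: least privilege drift
        findings.append(f"permissions beyond {acct['role']} baseline: " + ", ".join(sorted(excess)))
    return findings


def audit_accounts(accounts, baselines, now, **kwargs) -> dict:
    """Audit every account; the result maps account name to its list of findings."""
    return {a["name"]: audit_account(a, baselines, now, **kwargs) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit_accounts(ACCOUNTS, ROLE_BASELINES, NOW).items():
        print(name, "->", findings or ["clean"])
```

The role baseline is the part that needs the most care in practice: it is what turns "this user has many permissions" into "this user has permissions their role does not justify", which is the actual least-privilege question.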
To detect irregular usage patterns and potential threats, use modern tools that
provide visibility across all platforms and devices, including cloud
infrastructure. Continuously monitor system activity and user behavior in real-
time, and respond to alerts promptly. Be sure to enable logging for all critical
IT assets. That way, IT teams will have all the information they need to identify
potential threats and can respond quickly to any security incidents that may
occur.
While monitoring user activity helps identify irregular usage and potentially
malicious behavior, ongoing employee training plays a key role in every
company’s security strategy. All users should have at least a basic
understanding of security protocols. Train users in security best practices so
they will know how to protect their login credentials from theft or misuse and
how to practice good password hygiene.
In today’s cloud computing environment, organizations have less control over their
infrastructure and its security than they had in the past. Cloud service providers
control their physical infrastructure as well as its security. Organizations get little
visibility, much less control, over many aspects of SaaS security.
Cloud infrastructures face threats from all directions. To protect the organization,
cloud security strategy must address four core objectives:
Provide and control access - Anywhere, anytime access is a benefit of the cloud,
but it becomes a weakness when “anyone” gets access. Cloud security strategies
need policies and technologies that allow authorized users to access the resources
they need for their work while preventing unauthorized access.
Protect data - With the right data policies, cloud storage should be more secure
than on-premises data centers, making organizations more resilient to natural
disasters and other disruptions. Data retention policies minimize the amount of data
at risk. Backup and data recovery policies minimize the duration and impact of
disruptions.
Prevent and mitigate attacks - Security requires constant vigilance, especially
when company resources live in the cloud. Organizations must monitor the threat
landscape continuously. Given the persistence and sophistication of modern
cybercriminals, focusing on prevention is not enough. Organizations must monitor
their infrastructure around the clock to identify and mitigate security breaches
quickly.
Visibility - Security teams have less visibility into many aspects of a cloud service
provider’s infrastructure. SaaS providers may be completely opaque while IaaS
providers typically offer security monitoring tools.
Dynamic workloads - In the cloud, virtual instances are spun up and down as
needed making security technologies based on ports and IP addresses less
effective.
Shared security roles - Responsibilities for security vary from one cloud service
provider to another. Any misunderstanding of an organization’s responsibilities can
result in misconfigurations and other security gaps.
Complexity of multi and hybrid cloud security - Each cloud service has its own
security systems that may not play well with others. Security teams must find ways to
bring every aspect of their on-premises and cloud infrastructure within the same
security framework.
Governance and compliance - All of these security issues hinder governance and
could compromise the organization’s compliance efforts. Shadow IT could leak
customer information. Poorly understood security roles and poor visibility make
controls less effective.
Despite these challenges, implementing a cloud infrastructure security plan can
improve your business. Security is easier to manage, your company’s data is better
protected, and business performance improves.
Unifying security across your cloud infrastructure simplifies the setting and
enforcement of security policies. You no longer have to set provider-specific
policies. In their place, a single policy can apply to every cloud service
provider.
Cloud security systems also give you more visibility across your
infrastructure. You can see employees’ attempts to add shadow IT. Automated
monitoring systems identify configuration problems and suspicious activity,
quickly escalating issues that cannot be mitigated automatically.
Risk minimization
A unified approach to cloud security will reduce your attack surface and
minimize cyber risks. Replacing provider-specific access controls with a
central IAM system lets you apply granular, role-based access control rules.
Data loss prevention, backup practices, and data recovery systems reduce the
risk of lost data and limit the impact of ransomware. Better visibility and
monitoring also help ensure you remain in compliance with data privacy
regulations and AICPA controls standards.
Operational and financial performance
Secure perimeter technologies have become rigid and fragile in the face of
modern IT trends. Designed for the cloud, this new security framework offers
the scalability and availability of the services it protects. In addition, cloud
security technologies can integrate with CI/CD pipelines to become responsive
elements of DevSecOps practices.
cybersecurity experts pinpointing misconfigured cloud infrastructure as the top
security threat.
The nature of cloud systems is that they are dynamic; cloud resources can be
particularly short-lived, with many being created and deleted multiple times
each day. As a result, each individual ‘building block’ in a cloud network must
be robustly and systematically secured – though it is made more complicated
by working practice shifts such as bring-your-own-device (BYOD) and remote
working.
Cloud data is primarily stored in public cloud and private clouds, although
other cloud strategies – such as multi-cloud and hybrid cloud – are also
popular. There are four main cloud computing service models: infrastructure
as a service (IaaS), software as a service (SaaS), platform as a service (PaaS),
and serverless.
Here are some of the best practices for cloud infrastructure security:
• Use security groups and firewalls to restrict access to cloud
resources. This helps to prevent unauthorized users from accessing sensitive
data or applications.
• Encrypt data at rest and in transit. This helps to protect data from being
accessed by unauthorized individuals, even if they are able to breach cloud
security.
• Monitor cloud activity for suspicious activity. This can be done using
cloud security posture management (CSPM) tools or other security monitoring
tools.
By following these best practices, organizations can help to improve the security of
their cloud infrastructure and protect their workloads and data from a variety of
threats.
• Security monitoring: Security monitoring solutions can be used to detect
suspicious activity in cloud environments.
• Cloud security posture management (CSPM): CSPM tools can be used to
assess the security posture of cloud environments and identify and mitigate
security risks.
Conclusion
Cloud infrastructure security is important for all organizations that use cloud
computing. By following the best practices outlined above, organizations can help to
protect their workloads and data from a variety of threats.
Today, we’re living in the era of big data, with companies generating, collecting, and
storing vast amounts of data by the second, ranging from highly confidential
business or personal customer data to less sensitive data like behavioral and
marketing analytics.
Beyond the growing volumes of data that companies need to be able to access,
manage, and analyze, organizations are adopting cloud services to help them
achieve more agility and faster times to market, and to support increasingly remote
or hybrid workforces.
The traditional network perimeter is fast disappearing, and security teams are
realizing that they need to rethink current and past approaches when it comes to
securing cloud data. With data and applications no longer living inside your data
center and more people than ever working outside a physical office, companies must
solve how to protect data and manage access to that data as it moves across and
through multiple environments.
Cloud data security best practices follow the same guiding principles of information
security and data governance:
• Data confidentiality: Data can only be accessed or modified by authorized
people or processes. In other words, you need to ensure your organization’s
data is kept private.
• Data availability: While you want to stop unauthorized access, data still needs
to be available and accessible to authorized people and processes when it’s
needed. You’ll need to ensure continuous uptime and keep systems, networks,
and devices running smoothly.
Often referred to as the CIA triad, these three broad pillars represent the core
concepts that form the basis of strong, effective security infrastructure—or any
organization’s security program. Any attack, vulnerability, or other security incident
will likely violate one (or more) of these principles. This is why security professionals
use this framework to evaluate potential risk to an organization’s data assets.
As more data and applications move out of a central data center and away from
traditional security mechanisms and infrastructure, the risk of exposure grows.
While many of the foundational elements of on-premises data security
remain, they must be adapted to the cloud.
• Lack of visibility. Companies don’t know where all their data and applications
live and what assets are in their inventory.
• Less control. Since data and apps are hosted on third-party infrastructure,
they have less control over how data is accessed and shared.
• Inconsistent coverage. Many businesses are finding multicloud and hybrid
cloud to better suit their business needs, but different providers offer varying
levels of coverage and capabilities that can deliver inconsistent protection.
▪ Data encryption
Organizations need to be able to protect sensitive data whenever and wherever it
goes. Cloud service providers help you tackle secure cloud data transfer, storage,
and sharing by implementing several layers of advanced encryption for securing
cloud data, both in transit and at rest.
▪ Lower costs
Cloud data security reduces total cost of ownership (TCO) and the administrative
and management burden of securing cloud data. In addition, cloud providers offer
the latest security features and tools, making it easier for security professionals to
do their jobs with automation, streamlined integration, and continuous alerting.
Cloud providers and customers share responsibility for cloud security. The exact
breakdown of responsibilities will depend on your deployment and whether you
choose IaaS, PaaS, or SaaS as your cloud computing service model.
In general, a cloud provider takes responsibility for the security of the cloud itself,
and you are responsible for securing anything inside of the cloud, such as data,
user identities, and their access privileges (identity and access management).
At Google Cloud, we follow a shared fate model. That means we are active partners
in ensuring our customers deploy securely on our platform. We can help you
implement best practices by offering secure-by-default configurations, blueprints,
policy hierarchies, and advanced security features to help develop security
consistency across your platforms and tools.
The cloud data protection and security strategy must also protect data of all
types. This includes:
• Data in use: Securing data being used by an application or endpoint through
user authentication and access control
• Data in motion: Ensuring the safe transmission of sensitive, confidential or
proprietary data while it moves across the network through encryption and/or
other email and messaging security measures
• Data at rest: Protecting data that is being stored on any network location,
including the cloud, through access restrictions and user authentication
EXPERT TIP
Theoretically, the cloud is no more or less secure than a physical server or data
center so long as the organization has adopted a comprehensive, robust
cybersecurity strategy that is specifically designed to protect against risks and
threats in a cloud environment.
And therein lies the problem: Many companies may not realize that their
existing security strategy and legacy tooling, such as firewalls, do not protect
assets hosted in the cloud. For this reason, organizations must fundamentally
reconsider their security posture and update it to meet the security
requirements of this new environment.
Another big misconception about the cloud is that the cloud provider is
responsible for all security functions, including data security. In fact, cloud
security follows what is referred to as the shared responsibility model.
EXPERT TIP
Why should businesses store data in the cloud?
• Lower costs: Cloud storage is generally more affordable for businesses and
organizations because the infrastructure costs are shared across users.
• Resource optimization: Typically speaking, in a cloud model, the CSP is
responsible for maintaining cloud-based servers, hardware, databases or
other cloud infrastructure elements. In addition, the organization no longer
needs to host or maintain on-premises components. This not only decreases
overall IT costs but allows staff to be redeployed to focus on other issues,
such as customer support or business modernization.
• Improved access: Cloud-hosted databases can be accessed by any
authorized user, from virtually any device, in any location in the world so long
as there is an internet connection — a must for enabling the modern digital
workforce.
• Scalability: Cloud resources, such as databases, are flexible, meaning they
can be quickly spun up or down based on the variable needs of the business.
This allows the organization to manage surges in demand or seasonal spikes
in a more timely and cost-effective way.
Though storing data within the cloud offers organizations many important
benefits, this environment is not without challenges. Here are some risks
businesses may face when storing data in the cloud without the proper security
measures in place:
1. Data breaches
2. Misconfigurations
Misconfigurations are the No. 1 vulnerability in a cloud environment and can lead
to overly permissive privileges on accounts, insufficient logging and other
security gaps that expose organizations to cloud breaches, insider threats and
adversaries who leverage vulnerabilities to gain access to data.
3. Unsecured APIs
Businesses often use APIs to connect services and transfer data, either internally
or to partners, suppliers, customers and others. Because APIs turn certain types
of data into endpoints, changes to data policies or privilege levels can increase
the risk of unauthorized access to more data than the host intended.
One effective way to protect data is to encrypt it. Cloud encryption transforms
data from plain text into an unreadable format before it enters the cloud. Data
should be encrypted both in transit and at rest.
Data loss prevention (DLP) is part of a company’s overall security strategy that
focuses on detecting and preventing the loss, leakage or misuse of data through
breaches, exfiltration and unauthorized access.
Unified discovery and visibility of multi-cloud environments, along with
continuous intelligent monitoring of all cloud resources are essential in a cloud
security solution. That unified visibility must be able to detect misconfigurations,
vulnerabilities and data security threats, while providing actionable insights and
guided remediation.
Another key element of data security is having the proper security policy and
governance in place that enforces golden cloud security standards, while
meeting industry and government regulations across the entire infrastructure.
A cloud security posture management (CSPM) solution that detects and prevents
misconfigurations and control plane threats is essential for eliminating blind
spots and ensuring compliance across clouds, applications and workloads.
When it comes to IAM controls, the rule of thumb is to follow the principle of
least privilege, which means allowing required users to access only the data and
cloud resources they need to perform their work.
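A minimal posture check of the kind a CSPM tool automates, written here as an added Python example (not code from the source document or from any product it names): it walks a constructed inventory of bucket settings, IAM-style policy statements and account settings, flags the misconfigurations the text names (public data exposure, missing encryption, disabled logging, wildcard privileges that violate least privilege) and ranks the findings by severity. The inventory layout and the check names are assumptions made for the example.

```python
"""Minimal CSPM-style posture checks over a constructed cloud inventory.

Added example, not code from the source document or from any product it names.
The inventory layout (bucket flags, IAM-style policy statements, account
settings) is an assumption made for illustration; real providers expose this
information through their own configuration APIs.
"""
from dataclasses import dataclass

# Constructed sample inventory: no real accounts or resources.
INVENTORY = {
    "buckets": [
        {"name": "customer-exports", "public_access": True,
         "encryption_at_rest": False, "access_logging": False},
        {"name": "build-artifacts", "public_access": False,
         "encryption_at_rest": True, "access_logging": True},
    ],
    "iam_policies": [
        {"name": "analyst-role", "statements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::customer-exports/*"}]},
        {"name": "ops-admin", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
    "control_plane": {"audit_trail_enabled": False,
                      "mfa_required_for_console": True},
}


@dataclass
class Finding:
    severity: str      # "high" | "medium" | "low"
    resource: str
    check: str
    remediation: str


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_buckets(buckets):
    """Public exposure, missing encryption at rest and disabled access logging."""
    findings = []
    for b in buckets:
        if b.get("public_access"):
            findings.append(Finding("high", b["name"], "public-access",
                                    "Block public access; grant access through IAM instead"))
        if not b.get("encryption_at_rest"):
            findings.append(Finding("medium", b["name"], "no-encryption-at-rest",
                                    "Enable default server-side encryption"))
        if not b.get("access_logging"):
            findings.append(Finding("medium", b["name"], "logging-disabled",
                                    "Enable access logging so data access is auditable"))
    return findings


def check_iam_policies(policies):
    """Least-privilege check: Allow statements with wildcard actions or resources."""
    findings = []
    for p in policies:
        for st in p["statements"]:
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            resources = _as_list(st.get("Resource", []))
            wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
            wildcard_resource = "*" in resources
            if wildcard_action and wildcard_resource:
                findings.append(Finding("high", p["name"], "overly-permissive-policy",
                                        "Scope Action and Resource to what the role needs"))
            elif wildcard_action or wildcard_resource:
                findings.append(Finding("medium", p["name"], "wildcard-in-policy",
                                        "Replace the wildcard with explicit values"))
    return findings


def check_control_plane(settings):
    """Account-wide controls: audit trail and MFA for console access."""
    findings = []
    if not settings.get("audit_trail_enabled"):
        findings.append(Finding("high", "account", "audit-trail-disabled",
                                "Enable control plane audit logging in every region"))
    if not settings.get("mfa_required_for_console"):
        findings.append(Finding("high", "account", "mfa-not-enforced",
                                "Require MFA for every console user"))
    return findings


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def assess(inventory):
    """Run every check and return findings worst-first for remediation."""
    findings = (check_buckets(inventory["buckets"])
                + check_iam_policies(inventory["iam_policies"])
                + check_control_plane(inventory["control_plane"]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource))


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f.severity.upper():6}] {f.resource}: {f.check} -> {f.remediation}")
```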
CrowdStrike has redefined security with the world’s most advanced cloud-native
platform that protects and enables the people, processes and technologies that
drive modern enterprise. The industry continues to recognize CrowdStrike as a
leader, most recently with CRN naming CrowdStrike a Winner of the 2022 Tech
Innovator Award for Best Cloud Security.
Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon® platform
leverages real-time indicators of attack (IOAs), threat intelligence, evolving
adversary tradecraft and enriched telemetry from across the enterprise to deliver
hyper-accurate detections, automated protection and remediation, elite threat
hunting and prioritized observability of vulnerabilities.
Organizations in all sectors recognize the benefits of cloud computing. Some are
only beginning their migration journey as part of digital transformation efforts, while
others are adopting advanced multi-cloud, hybrid strategies. One of the biggest
challenges at any stage of implementation is data security in cloud computing,
stemming from the unique risks that the technology brings.
The cloud erodes the traditional network perimeter that drove cybersecurity
strategies in the past. Data security in cloud computing requires a different
approach—one that considers not only the threats but also the complexity of data
governance and security models in the cloud.
The changing business landscape and implications for cloud data security
When it comes to data, the cloud poses a variety of risks that the enterprise must
address as part of its security strategy. The biggest risks—as organizations
increasingly rely on the cloud for collecting, storing, and processing critical data—are
cyberattacks and data breaches.
of cloud services as the second-biggest barrier to their ability to respond to a data
breach, and this challenge has grown in recent years.
insiders are gaining unauthorized access to data with malicious intent or are
inadvertently sharing or storing sensitive data via the cloud.
Data security in the cloud starts with identity governance. Organizations need a
comprehensive, consolidated view of data access across their on-premises and cloud
platforms and workloads. Identity governance provides:
Deploy encryption. Ensure that sensitive and critical data, such as PII and
intellectual property, is encrypted both in transit and at rest. Not all vendors offer
encryption, and the enterprise should consider implementing a third-party encryption
solution for added protection.
Back up the data. While vendors have their own backup procedures, it’s essential to
back up cloud data locally as well. Use the 3-2-1 rule for data backup: Keep at least
three copies, store them on at least two different media, and keep at least one
backup offsite (in the case of the cloud, the offsite backup could be the one
executed by the vendor).
Implement identity and access management (IAM). IAM technology and policies
ensure that the right people have appropriate access to data, and this framework
needs to encompass the cloud environment. Besides identity governance, IAM
components include access management (such as single sign-on, or SSO)
and privileged access management.
Adopt multi-factor authentication (MFA). In addition to using secure password
practices, MFA is a good way to mitigate the risk of compromised credentials. It
creates an extra hurdle that threat actors must overcome as they try to gain entry to
cloud accounts.
A leader in identity security for the cloud enterprise, SailPoint provides technology
that helps the enterprise manage cloud risks in today’s dynamic, distributed
workplace. Learn more about SailPoint’s cloud governance solution.
Cloud data security refers to the technologies and controls that discover, classify, and
protect all data in the cloud to mitigate risks arising from data loss, misuse, breaches,
and unauthorized access. This includes:
Integrity
Cloud computing and analytics enable organizations to make data-driven decisions. One
study found:
Availability
As organizations build out their data cultures, breaking down data silos becomes more
important. The cloud enables this collaboration, but organizations need to ensure that
they protect sensitive information’s availability, like ensuring no one accidentally deletes
a data set.
Confidentiality
With hybrid and multi-cloud environments, monitoring data use becomes even more
challenging. As data travels between services, organizations need to worry about
application programming interface (API) configurations. By protecting sensitive
information, organizations prevent data loss and leaks that compromise confidentiality.
Mitigate Data Breach Risk
Over the first half of 2022, the number of weekly cyberattacks increased by 42%. When
broken down by malware type, the data looks like this:
Brand reputation generates customer interest and provides insight into financial
performance. Research found that 72% of business leaders believe reputation will be a
bigger driver of business performance than margin over the next five years. Every data
breach that makes the news undermines a company’s brand reputation. By mitigating
these risks, organizations protect themselves.
Today’s customers consider a company’s data privacy policies and data protections as
part of their buying decisions. Customer trust starts with an organization’s privacy
policies, but it also incorporates brand reputation.
Data privacy and protection law noncompliance leads to costly fines and legal fees. For
example, a company that violates the General Data Protection Regulation (GDPR) can
face fines up to €10 million, or 2% of its worldwide annual revenue. These fines apply to
violations which may not be cybersecurity incidents. For example, one of the first GDPR
fines was levied against a Portuguese hospital for allowing too many people to have too
much access. Additionally, companies often face expensive lawsuits in a data breach’s
aftermath.
Each service provider and “as-a-Service” model defines shared responsibility
differently. However, customers are typically responsible for:
Cloud environments are naturally flexible and scalable, meaning that organizations can
add new applications or workloads easily. Often, people deploy cloud assets outside of
the organization’s security policies, creating misconfiguration risks. Further, IT and
security teams may not know that these assets exist since traditional asset
management tools lack real-time detection capabilities.
Complex Environments
Virtual machines, containers, and cloud instances pose new and unique challenges. As
IT environments add more layers of abstraction, data security protections evolve,
requiring security teams to focus on discovering these assets and maintaining secure
configurations.
Divergent Permissions
• Permissions
• Log formats
• Network configurations
• Encryption configurations
Dynamic Environment
IT departments can create and delete volumes of cloud assets rapidly. While the cloud’s
flexibility and scalability enable organizations to save money, consistently applying
security policies becomes difficult. Security tools built for traditional environments lack
real-time policy enforcement capabilities. Cloud asset configurations can fall out of
compliance, weakening the organization’s data security posture.
Shadow Data
As engineering teams leverage cloud database technologies, they duplicate data. For
example, they may have DB backups generated with sensitive information that were
moved to the cloud and never deleted. Since most tools fail to discover this data,
organizations are left with shadow data that can lead to a data breach.
Regulatory Compliance
Identify Sensitive Data
Before you can secure data, you need to identify what sensitive information you have
and where it resides. To gain visibility into critical data and static data risk, you need to
discover and classify structured and unstructured sensitive data across:
• Public cloud platforms, including storage like S3 buckets, RDS, and EFS
• Virtualization environments
• Data analytics platforms, like Redshift
• Databases as a Service, like Snowflake
• Shadow data
• Type
• Sensitivity level
• Governing regulation
Your classification process should include how the data moves within your
organization, who uses it, and how they use it.
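As an added Python example of the discovery-and-classification step described above (not the document's or any vendor's code), the block below scans constructed sample objects from the store types listed (an S3 bucket, an RDS table, a Snowflake table and a forgotten backup dump, i.e. shadow data) and tags each with a data type, a sensitivity level and the governing regulation. The detectors and the type-to-regulation mapping are simplified assumptions made for the example.

```python
"""Discovery-and-classification pass over constructed sample data objects.

Added example (not the source document's or any vendor's code). The record
layout, the detectors and the regulation mapping are simplifications chosen
for illustration; a real DSPM tool scans the data stores themselves.
"""
import re

# Constructed sample inventory: one item per data store type named in the text.
SAMPLE_OBJECTS = [
    {"store": "s3", "location": "s3://customer-exports/2023/orders.csv",
     "content": "id,email,card\n1,ana@example.com,4111111111111111\n"
                "2,li@example.org,5500000000000004\n"},
    {"store": "rds", "location": "rds://crm-prod/patients",
     "content": "name,diagnosis\nJ. Doe,diabetes mellitus type 2\n"},
    {"store": "snowflake", "location": "snowflake://analytics/web_metrics",
     "content": "page,views\n/home,12345\n/pricing,678\n"},
    {"store": "s3", "location": "s3://tmp-dumps/db-backup-2021.sql",  # shadow data
     "content": "INSERT INTO users VALUES ('bo@example.net', '4111111111111111');\n"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-19 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")
HEALTH_TERMS = ("diagnosis", "patient", "prescription", "icd-10")

# Data type -> (sensitivity level, governing regulation). Illustrative mapping.
TYPE_RULES = {
    "payment-card": ("high", "PCI DSS"),
    "health": ("high", "HIPAA"),
    "email": ("medium", "GDPR"),
}


def detect_types(content: str) -> set:
    """Return the set of sensitive data types found in one object's content."""
    found = set()
    if EMAIL_RE.search(content):
        found.add("email")
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        found.add("payment-card")
    lowered = content.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        found.add("health")
    return found


def classify(obj: dict) -> dict:
    """Tag one object with type, sensitivity level and governing regulations."""
    types = detect_types(obj["content"])
    levels = [TYPE_RULES[t][0] for t in types]
    sensitivity = "high" if "high" in levels else "medium" if "medium" in levels else "public"
    return {"location": obj["location"], "store": obj["store"],
            "types": sorted(types), "sensitivity": sensitivity,
            "regulations": sorted({TYPE_RULES[t][1] for t in types})}


def inventory(objects):
    """Classify every object, most sensitive first so it is remediated first."""
    order = {"high": 0, "medium": 1, "public": 2}
    return sorted((classify(o) for o in objects), key=lambda r: order[r["sensitivity"]])


if __name__ == "__main__":
    for r in inventory(SAMPLE_OBJECTS):
        print(f"{r['sensitivity']:6} {r['location']}  types={r['types']} regs={r['regulations']}")
```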
As people use data, you need visibility into how they access different datasets so that
you understand the evolving nature of data flows.
You can use Data Security Posture Management (DSPM) to identify static risks like:
Continuously Monitor Real-Time Data Risk
Since cloud environments are dynamic, your data risk posture continuously changes.
Additionally, you need to use threat modeling and threat intelligence for real-time risk
detection that includes:
For comprehensive visibility that documents your data security posture, you should
aggregate all monitoring and remediation in a single location. With a comprehensive
data security posture management (DSPM) and data detection and response (DDR)
platform, you gain:
• A data-centric view of your cloud data assets, including content, identities and
access, and data vulnerabilities and exposures
• Alerts that prioritize risk based on real-world attack methods for visibility into
exploitability
• Automated remediation of data access violations connected to business
workflows
• Audit documentation based on cloud, geographic region, and compliance
standard
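To illustrate the real-time monitoring and prioritised alerting described above, here is an added Python example (not the document's or any DSPM/DDR product's code) that runs a few detection rules over constructed access-log lines and orders the alerts by the sensitivity of the data touched. The log layout, the sensitivity labels, the corporate address ranges and the thresholds are assumptions made for the example.

```python
"""Detection pass over constructed access-log lines, prioritised by data sensitivity.

Added example, not code from the source document or from any DSPM/DDR product.
The log line layout, sensitivity labels, corporate networks and thresholds are
assumptions made for this illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed output of an earlier classification pass: resource prefix -> sensitivity.
SENSITIVITY = {
    "s3://customer-exports/": "high",
    "rds://crm-prod/patients": "high",
    "snowflake://analytics/": "public",
}
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]  # constructed
BULK_READ_THRESHOLD = 3          # successful reads of one prefix by one identity
DESTRUCTIVE = ("DeleteObject", "DropTable")
READS = ("GetObject", "SelectRows")
PRIORITY = {"high": 0, "unknown": 1, "medium": 2, "public": 3}

# Constructed sample log: "<timestamp> <identity> <action> <resource> <source-ip> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z analyst@corp GetObject s3://customer-exports/2023/orders.csv 10.1.2.3 200
2024-05-01T10:00:05Z anonymous GetObject s3://customer-exports/2023/orders.csv 198.51.100.7 200
2024-05-01T10:01:00Z svc-etl SelectRows snowflake://analytics/web_metrics 10.1.9.9 200
2024-05-01T10:02:10Z contractor@ext GetObject s3://customer-exports/a.csv 203.0.113.5 200
2024-05-01T10:02:11Z contractor@ext GetObject s3://customer-exports/b.csv 203.0.113.5 200
2024-05-01T10:02:12Z contractor@ext GetObject s3://customer-exports/c.csv 203.0.113.5 200
2024-05-01T10:03:00Z ops-admin DropTable rds://crm-prod/patients 10.1.2.4 200
"""


def parse(line):
    ts, identity, action, resource, src, status = line.split()
    return {"ts": ts, "identity": identity, "action": action,
            "resource": resource, "src": ip_address(src), "status": int(status)}


def sensitivity_of(resource):
    for prefix, level in SENSITIVITY.items():
        if resource.startswith(prefix):
            return level
    return "unknown"   # unclassified data is itself a discovery finding


def is_corporate(ip):
    return any(ip in net for net in CORPORATE_NETS)


def detect(log_text):
    """Return de-duplicated (sensitivity, rule, identity, resource) alerts, worst first."""
    alerts = []
    reads = defaultdict(int)   # (identity, resource prefix) -> successful read count

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        level = sensitivity_of(e["resource"])
        if level == "public":
            continue   # public data carries no data risk; keeps alert volume down
        prefix = e["resource"].rsplit("/", 1)[0] + "/"
        if e["identity"] == "anonymous" and e["status"] == 200:
            add((level, "unauthenticated-read", e["identity"], e["resource"]))
        elif not is_corporate(e["src"]):
            add((level, "external-network-access", e["identity"], prefix))
        if e["action"] in DESTRUCTIVE:
            add((level, "destructive-action", e["identity"], e["resource"]))
        if e["action"] in READS and e["status"] == 200:
            reads[(e["identity"], prefix)] += 1
            if reads[(e["identity"], prefix)] == BULK_READ_THRESHOLD:
                add((level, "bulk-read", e["identity"], prefix))
    # Highest-sensitivity data first, then by rule, so analysts triage the worst first.
    return sorted(alerts, key=lambda a: (PRIORITY[a[0]], a[1]))


if __name__ == "__main__":
    for level, rule, identity, resource in detect(SAMPLE_LOG):
        print(f"{level:8} {rule:24} {identity:16} {resource}")
```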
information. They’re also moving more and more of their data to the cloud and
storing it in more places than ever – public, private and hybrid clouds, cloud
As they do this, companies are discovering just how complicated protecting and
securing all their data across multiple environments can be. For example:
• They no longer know where all their applications and data are.
companies no longer have visibility into who is accessing and using their
applications and data, which devices are being used for access, or how their data is
• They have no insight into how cloud providers are storing and securing their data.
• Even though most cloud providers have state-of-the-art security, this security is
limited. After all, companies and cloud providers share responsibilities for cloud
security.
• Different cloud providers have varying capabilities, which can result in inconsistent
On top of this, companies face a host of security challenges, including the potential
for:
• Security breaches
Companies must also comply with data protection and privacy laws and
regulations, such as the General Data Protection Regulation, or GDPR, in the EU; the
Health Insurance Portability and Accountability Act of 1996, or HIPAA, in the U.S.,
establish and enforce security policies across multiple cloud environments, let
For these reasons, it’s no surprise that nine out of 10 cybersecurity professionals
are concerned about cloud security. They say their biggest challenges are
protecting against data loss and leakage (67%), threats to data privacy (61%) and
This also explains why the data protection market is projected to surpass US$158
billion by 2024.3
• What’s happening inside their applications (e.g., how people are accessing and
using them).
With this information in hand, companies must then put a consistent, unified, and
automated cloud data protection offering in place – one that will help them
discover, classify, monitor, protect, and secure their applications and data across
• Proactively identify and mitigate risks, such as security threats, suspicious user
• Define policies.
• Data breaches: Cloud servers are a target for cybercriminals, who may
attempt to gain unauthorized access to data stored in the cloud.
Cloud storage is the practice of storing data in the cloud. Cloud storage
providers offer a variety of storage options, such as object storage, block
storage, and file storage. Organizations can choose the storage option that
best meets their needs.
Cloud storage offers a number of benefits, including:
Overall, cloud data security and storage is an important consideration for any
organization that is considering moving to the cloud. By taking steps to
protect their data, organizations can minimize the risks associated with cloud
computing and enjoy the benefits that it offers.
Physical security
• Perimeter security: Fences, gates, and other physical barriers are used
to protect the perimeter of the data center.
• Environmental controls: The data center is equipped with
environmental controls to maintain a safe and secure operating
environment for servers and other equipment.
Technology tools
Cloud providers also use a variety of technology tools to protect data in the
cloud. These tools include:
• Least privilege: Users should only be granted the access they need to
perform their job duties.
• Multi-factor authentication (MFA): MFA adds an extra layer of security
to user accounts by requiring users to provide two or more factors of
authentication, such as a password and a one-time code.
Organizational policies
Other considerations
• Compliance: Organizations should ensure that their cloud data security
practices comply with all applicable laws and regulations.
Encryption
Cloud providers offer a variety of encryption options for data at rest and in
transit. Organizations should choose the encryption option that best meets
their needs.
Access control
Access control is another important cloud data security measure. Access
control restricts access to data to authorized users.
Organizations should use monitoring and logging tools to detect and respond
to security incidents quickly.
Security testing
Conclusion
Cloud data security and storage is a complex topic, but it is important for
organizations to take steps to protect their data in the cloud. By
implementing the measures described above, organizations can minimize the
risks associated with cloud computing and protect their data.
CLOUD STORAGE
What is Cloud Storage?
Cloud Storage is a mode of computer data storage in which digital data is
stored on servers in off-site locations. The servers are maintained by a third-party
provider who is responsible for hosting, managing, and securing data
stored on its infrastructure. The provider ensures that data on its servers is
always accessible via public or private internet connections.
Cloud Storage uses remote servers to save data, such as files, business data,
videos, or images. Users upload data to servers via an internet connection,
where it is saved on a virtual machine on a physical server. To maintain
availability and provide redundancy, cloud providers will often spread data to
multiple virtual machines in data centers located across the world. If storage
needs increase, the cloud provider will spin up more virtual machines to
handle the load. Users can access data in Cloud Storage through an internet
connection and software such as web portal, browser, or mobile app via an
application programming interface (API).
1. Public
depending on the needs of the organization. Public cloud providers typically
make data available from any device such as a smartphone or web portal.
2. Private
3. Hybrid
A hybrid cloud model is a mix of private and public cloud storage models. A
hybrid cloud storage model allows organizations to decide which data they
want to store in which cloud. Sensitive data and data that must meet strict
compliance requirements may be stored in a private cloud while less sensitive
data is stored in the public cloud. A hybrid cloud storage model typically has a
layer of orchestration to integrate between the two clouds. A hybrid cloud
offers flexibility and allows organizations to still scale up with the public
cloud if need arises.
4. Multicloud
servicers’ Service Level Agreements. A multicloud model offers organizations
flexibility and redundancy.
✓ ELASTICITY
Cloud Storage is elastic and scalable, meaning that it can be scaled up (more
storage added) or down (less storage needed) depending on the
organization’s needs.
✓ FLEXIBILITY
Cloud Storage offers organizations flexibility on how to store and access data,
deploy and budget resources, and architect their IT infrastructure.
✓ SECURITY
Most cloud providers offer robust security, including physical security at data
centers and cutting-edge security at the software and application levels. The
best cloud providers offer zero trust architecture, identity and access
management, and encryption.
✓ SUSTAINABILITY
One of the greatest costs when operating on-premises data centers is the
overhead of energy consumption. The best cloud providers operate on
sustainable energy through renewable resources.
✓ REDUNDANCY
✓ COMPLIANCE
✓ LATENCY
Traffic to and from the cloud can be delayed because of network traffic
congestion or slow internet connections.
✓ CONTROL
Storing data in public clouds relinquishes some control over access and
management of that data, entrusting that the cloud service provider will
always be able to make that data available and maintain its systems and
security.
✓ OUTAGES
While public cloud providers aim to ensure continuous availability, outages
sometimes do occur, making stored data unavailable.
a. Backup
Data backup is one of the simplest and most prominent uses of Cloud
Storage. Production data can be separated from backup data, creating a gap
between the two that protects organizations in the case of a cyber threat
such as ransomware. Data backup through Cloud Storage can be as simple
as saving files to a digital folder such as Google Drive or using block storage
to maintain gigabytes or more of important business data.
b. Archiving
The ability to archive old data has become an important aspect of Cloud
Storage, as organizations move to digitize decades of old records, as well as
hold on to records for governance and compliance purposes. Google Cloud
offers several tiers of storage for archiving data, including coldline
storage and archival storage, that can be accessed whenever an organization
needs them.
c. Disaster recovery
A disaster—natural or otherwise—that wipes out a data center or old
physical records need not be the business-crippling event that it was in the
past. Cloud Storage allows for disaster recovery so that organizations can
continue with their business, even when times are tough.
d. Data processing
As Cloud Storage makes digital data immediately available, data becomes
much more useful on an ongoing basis. Data processing, such as analyzing
data for business intelligence or applying machine learning and artificial
intelligence to large datasets, is possible because of Cloud Storage.
e. Content delivery
With the ability to save copies of media data, such as large audio and video
files, on servers dispersed across the globe, media and entertainment
companies can serve their audience low-latency, always available content
from wherever they reside.
1. Object
2. File
File storage organizes data in a hierarchical format of files and folders. File
storage is common in personal computing where data is saved as files and
those files are organized in folders. File storage makes it easy to locate and
retrieve individual data items when they are needed. File storage is most
often used in directories and data repositories.
3. Block
Block storage breaks data into blocks, each with a unique identifier, and
then stores those blocks as separate pieces on the server. The cloud network
stores those blocks wherever it is most efficient for the system. Block storage
is best used for large volumes of data that require low latency such as
workloads that require high performance or databases.
Whether you are a small business or a large enterprise, cloud storage can
deliver the agility, cost savings, security, and simplicity to focus on your core
business growth. For small businesses, you no longer have to worry about
devoting valuable resources to manage storage yourself, and cloud storage
gives you the ability to scale as the business grows.
For large enterprises with billions of files and petabytes of data, you can rely
on the scalability, durability, and cost savings of cloud storage to create
centralized data lakes to make your data accessible to all who need it.
COST EFFECTIVENESS
move it to lower-cost storage, thus creating even more cost savings. By
moving storage workloads from on premises to the cloud, you can reduce
total cost of ownership by removing overprovisioning and the cost of
maintaining storage infrastructure.
INCREASED AGILITY
With cloud storage, resources are only a click away. You reduce the time to
make those resources available to your organization from weeks to just
minutes. This results in a dramatic increase in agility for your organization.
Your staff is largely freed from the tasks of procurement, installation,
administration, and maintenance. And because cloud storage integrates with
a wide range of analytics tools, your staff can now extract more insights from
your data to fuel innovation.
FASTER DEPLOYMENT
VIRTUALLY UNLIMITED SCALABILITY
BUSINESS CONTINUITY
Cloud storage providers store your data in highly secure data centers,
protecting your data and ensuring business continuity. Cloud storage services
are designed to handle concurrent device failure by quickly detecting and
repairing any lost redundancy. You can further protect your data by using
versioning and replication tools to more easily recover from both unintended
user actions or application failures.
• Protect backups with a data center and network architecture built for
security-sensitive organizations.
locations around the world. Cloud storage providers manage capacity,
security, and durability to make data accessible to your applications over the
internet in a pay-as-you-go model. Typically, you connect to the storage
cloud either through the internet or through a dedicated private connection,
using a web portal, website, or a mobile app. When customers purchase cloud
storage from a service provider, they turn over most aspects of the data
storage to the vendor, including capacity, security, data availability, storage
servers and computing resources, and network data delivery. Your
applications access cloud storage through traditional storage protocols or
directly using an application programming interface (API). The cloud storage
provider might also offer services designed to help collect, manage, secure,
and analyze data at a massive scale.
Security
With cloud storage, you control where your data is stored, who can access it,
and what resources your organization is consuming at any given moment.
Ideally, all data is encrypted, both at rest and in transit. Permissions and
access controls should work just as well in the cloud as they do for on-
premises storage.
What are cloud storage use cases?
Cloud storage has several use cases in application management, data
management, and business continuity. Let’s consider some examples below.
Data lakes built on object storage keep information in its native form and
include rich metadata that allows selective extraction and use for analysis.
Cloud-based data lakes can sit at the center of multiple kinds of data
warehousing and processing, as well as big data and analytical engines, to
help you accomplish your next project in less time and with more targeted
relevance.
Backup and disaster recovery are critical for data protection and accessibility,
but keeping up with increasing capacity requirements can be a constant
challenge. Cloud storage brings low cost, high durability, and extreme scale to
data backup and recovery solutions. Embedded data management policies can
automatically migrate data to lower-cost storage based on frequency or
timing settings, and archival vaults can be created to help comply with legal
or regulatory requirements. These benefits allow for tremendous scale
possibilities within industries such as financial services, healthcare and life
sciences, and media and entertainment that produce high volumes of
unstructured data with long-term retention needs.
Many of the largest and most valuable companies in the world create
applications in record time by using the flexibility, performance, and low cost
of cloud storage. Even the simplest static websites can be improved at low
cost. IT professionals and developers are turning to pay-as-you-go storage
options that remove management and scale headaches.
The availability, durability, and low cloud storage costs can be very
compelling. On the other hand, IT personnel working with storage, backup,
networking, security, and compliance administrators might have concerns
about the realities of transferring large amounts of data to the cloud. For
some, getting data into the cloud can be a challenge. Hybrid, edge, and data
movement services meet you where you are in the physical world to help ease
your data transfer to the cloud.
Compliance
Storing sensitive data in the cloud can raise concerns about regulation and
compliance, especially if this data is currently stored in compliant storage
systems. Cloud data compliance controls are designed to ensure that you can
deploy and enforce comprehensive compliance controls on your data, helping
you satisfy compliance requirements for virtually every regulatory agency
around the globe. Often through a shared responsibility model, cloud vendors
allow customers to manage risk effectively and efficiently in the IT
environment, and provide assurance of effective risk management through
compliance with established, widely recognized frameworks and programs.
Cloud-native application storage
Archive
Database storage
Because block storage has high performance and is readily updatable, many
organizations use it for transactional databases. With its limited metadata,
block storage is able to deliver the ultra-low latency required for high-
performance workloads and latency-sensitive applications like databases.
ML and IoT
With cloud storage, you can process, store, and analyze data close to your
applications and then copy data to the cloud for further analysis. With cloud
storage, you can store data efficiently and cost-effectively while supporting
ML, artificial intelligence (AI), and advanced analytics to gain insights and
innovate for your business.
While there are undeniable advantages of adopting cloud storage, there are a
few cons to remember as well. By navigating these cons or challenges, you
can arrive at a pragmatic cloud storage strategy that maximizes its benefits.
resource management tool can help address this, giving
you visibility and control.
Let’s look at the most critical aspects businesses need to consider when
selecting a cloud storage provider.
from security threats. Understanding the security
measures in place at the cloud storage provider is
important. Two main factors need to be considered for
security: the physical security of the cloud solution
provider’s servers and the level of encryption applied to
the data stored.
o Speed: The speed of downloads from the cloud has a
major impact on businesses and their ability to process
critical data. If cloud storage providers place a cap on the
download speed, retrieving data and running applications
will take longer. Therefore, organizations need to gauge
the cloud storage download speeds of a provider before
buying any storage space.
In the last year, cloud storage adoption has accelerated at a dramatic pace,
and the momentum will continue for the foreseeable future. Here are 8 best
practices that can help make the most of this opportunity.
As the cloud storage market matures, providers are eager to deliver a wide
variety of services and capabilities under one offering. However, this could
lead to vendor lock-in. If you rely on a single cloud environment for all your
storage requirements, any downtime or outage experienced by that
environment could cripple your entire storage landscape.
And, as your storage volumes increase with time, you will find it increasingly
harder to shift out if necessary. To prevent such a situation, it is advisable to
leverage a multi-cloud landscape where different data and application
buckets are stored in different cloud environments, and there is
interoperability among platforms.
regularly audited with a detailed inventory of your assets, their utilization,
and retention plans.
Private cloud storage also means that you are immune to vendor-related
outages and downtimes, which would render these vital data assets
inaccessible. In fact, the private cloud is mission-critical for companies in
regulated industries, where sensitive data is essential for day-to-day business
processes and not just compliance-related archives.
6. Make remote work a focus area when planning for cloud storage
Remote work is now a major use case for cloud storage implementation and is
poised to be the new normal for the foreseeable future. Therefore, your cloud
storage strategy must take the needs of a remote worker into account, from
connecting with the right productivity tools to enforcing security policies that
restrict remote access in certain scenarios. Outline measures to prevent
employees from accessing cloud storage from unfamiliar and unauthorized
devices. Specify clear policies to regulate which data can be stored on the
cloud and which information needs to be kept on-premise.
7. Optimize data transfer to avoid egress fees
Most public cloud platforms charge you for data retrieval (also known as
egress fees) to move data out of their cloud platform. This tactic encourages
more dependency and possibly vendor lock-in, as you keep data immobile on
the cloud for longer periods. Your data transfer frequency is directly linked to
your cloud costs, and frequent retrieval (for example, to run on-premise
analytics) will add to your resource consumption in the form of egress fees.
There are two ways to address this. First, you can host analytics applications
within the same public cloud so that data doesn’t need to be moved out for
processing. Second, you can optimize each transfer by compressing data
volumes to reduce the retrieval fees.
Finally, ensure that your cybersecurity solution takes your cloud storage
investments into account. For example, Trend Micro offers a cloud-first
solution called Cloud One – Conformity, and there are several cloud access
security broker (CASB) tools available. Even if only a portion of your total
data assets is stored in the cloud, it has to be covered by a cybersecurity
solution to close any vulnerabilities and demonstrate compliance with data
protection laws.
Wrapping up
Even if the cloud plays a central role in data processing and storage, the
future of cloud and data storage is changing rapidly. Data security is one of
the major concerns in cloud storage, and in the future, mass data breaches
will be a strong point of concern for businesses that opt for cloud storage.
In such a scenario, will the cloud become obsolete? What are the possible
alternatives to store complex data in the future? There are many options on
the table, including serverless computing. Our two essential tips for techies
looking at optimizing cloud services are conducting regular reviews and
identifying redundant tasks on cloud services. The idea is to enjoy the
freedom that the cloud offers without overspending.
Examples of cloud storage
The most common uses for cloud storage are:
• cloud backup
ion of the project development and testing, and then spin them down when it
ends.
From data backup to unstructured file sharing to object storage, find out the
many ways cloud storage is used.
order to store some of their files. In the mid-1990s, AT&T launched the first
all web-based storage service for personal and business communication.
Since then, a number of different services have gained traction.
Some of the most popular cloud storage providers are Apple (iCloud),
Amazon (Amazon Web Services), Dropbox, and Google.
Users wonder whether their information is safe, and increasing data
breaches have demonstrated that sometimes it isn’t. Users are also
concerned about whether the data they have stored on the cloud will be
accessible when they need it.
While cloud storage may seem vulnerable due to the prevalence of hacking,
the alternatives, such as onsite storage, have security vulnerabilities, too.
Company-provided cloud storage can actually improve security by giving
employees an alternative to using their personal accounts to back up and
transfer files that they need to access outside the office.
A good cloud storage provider will have data redundancy, storing the same
files in multiple physical locations so that they survive human errors,
equipment failures, or natural disasters. A reputable provider will also store
and transmit data securely so that no one can access it without permission.
Some users might also require that data be stored in such a way that it can
only be read but not changed; this feature, too, is available through cloud
storage.
Here are a few well-known companies that offer some form of cloud storage:
• Sites like Flickr and Picasa host millions of digital photographs. Their
users create online photo albums by uploading pictures directly to the
services' servers.
• Web site hosting companies like StartLogic, Hostmonster
and GoDaddy store the files and data for client Web sites.
• Social networking sites like Facebook and MySpace allow members to
post pictures and other content. All of that content is stored on the
respective site's servers.
• Services like Xdrive, MediaMax and Strongspace offer storage space for
any kind of digital data.
Even with these protective measures in place, many people worry that data
saved on a remote storage system is vulnerable. There's always the possibility
that a hacker will find an electronic back door and access data. Hackers could
also attempt to steal the physical machines on which data are stored. A
disgruntled employee could alter or destroy data using his or her
authenticated user name and password. Cloud storage companies invest a lot
of money in security measures in order to limit the possibility of data theft or
corruption.
Cloud storage companies live and die by their reputations. It's in each
company's best interests to provide the most secure and reliable service
possible. If a company can't meet these basic client expectations, it doesn't
have much of a chance -- there are too many other options available on the
market.
• Microsoft Azure
• Dropbox
• Box
• iCloud
Cloud data storage can be used for a variety of purposes, including:
• File storage: Cloud data storage can be used to store and share files of
all types, including documents, photos, videos, and music.
• Data backup: Cloud data storage can be used to back up data from on-
premises servers and computers. This can help to protect data from
loss in the event of a hardware failure or other disaster.
• Vendor lock-in: Once you have stored your data with a cloud provider, it
can be difficult and expensive to switch to a different provider. This is
because you may need to convert your data to a format that is
compatible with the new provider's platform.
How to choose a cloud data storage provider
When choosing a cloud data storage provider, there are a few factors to
consider:
• Pricing: Compare the pricing of different providers to find the one that
best suits your budget.
• Customer support: Make sure that the provider offers good customer
support in case you have any problems.
• Cloud data storage is a pay-as-you-go model. This means that you only
pay for the storage that you use. This can be a cost-effective option for
businesses that have fluctuating storage needs.
• Cloud data storage is highly scalable. This means that you can easily
add or remove storage capacity as needed. This can be beneficial for
businesses that are experiencing rapid growth or that have seasonal
fluctuations in demand.
Here are some examples of how cloud data storage can be used:
• Businesses can use cloud data storage to store their business data. This
can include financial records, sales data, and marketing materials. This
data can be used to make better business decisions.
• Businesses can use cloud data storage to store their website and
application data. This can make their websites and applications more
reliable and scalable.
• Individuals can use cloud data storage to store their personal files. This
can include photos, videos, documents, and music. This can make it
easier to access and share these files from anywhere in the world.
• Data breaches: Data breaches can occur when unauthorized users gain
access to cloud data. This can be done through hacking, malware
attacks, or human error.
• Insider threats: Insider threats can occur when authorized users abuse
their access to cloud data or systems.
Cloud data storage providers typically have a number of security measures in
place to protect their customers' data, including:
Common use cases for cloud storage are:
• Data backups.
• Primary file storage (most common in a hybrid and multi-cloud setup).
• Email storage.
• Disaster Recovery as a Service (DRaaS) for responding to unforeseen
events.
• File archives.
• Test and development environments for DevOps teams spinning up
storage resources.
Is data security your top priority? Created together with Intel and VMware,
PNAP's Data Security Cloud is a platform that protects data with robust
encryption, strict segmentation controls, and advanced threat intelligence.
How Secure Is Cloud Storage?
If you partner with the right provider, your cloud storage will be safer than
any on-prem infrastructure. However, not all cloud storage platforms are the
same, and some of them are less secure than the provider likes to admit.
The right provider offers many features and frameworks a company cannot
easily (or cheaply) deploy on an on-prem setup. These capabilities include:
While beneficial, the decision to move data to the cloud means exposing files
to new risks. Below is a look at the most common risks and concerns of cloud
storage security.
1. Operational Risks
Nearly all cloud security failures result from an operational mistake made on
the client's side. The most common mistakes include:
The use of unauthorized devices is an especially high risk for a company with
a Bring Your Own Device (BYOD) culture. In that case, the management must
create and enforce a strict BYOD policy to ensure safe operations.
Operational risks can also occur on the service provider's side. Common
issues include:
If something affects your storage provider, the event will directly impact
access to your data. You must wait for the provider to fix the issue, and the
team may not have access to cloud-based data until the vendor's team
resolves the problem.
A large part of data security is making sure no one outside the team can
access the data. When you rely on a partner to store files, you increase the
attack surface via which a malicious actor can reach your data.
Even if you take proper precautions to ensure no one in the team leaks data,
your storage provider might accidentally expose your files and cause data
leakage or pave the way for a costly attack.
Since compliance demands vary based on how and where a business stores
data, cloud storage must meet all the relevant requirements. These demands
can dictate the way a provider must:
Besides meeting current requirements, the cloud service must also be flexible
enough to enable a business to adapt to new demands and regulations.
5. Misconfiguration Issues
Cloud misconfiguration is any error or glitch that exposes cloud data to risk.
Since the end users have reduced visibility and control over data and
operations, misconfigurations are a common problem.
• Inexperienced engineers.
• IT mistakes.
• Poor resource and operation policies.
Conflicting and overly complex security controls can also cause issues. The
most common problems appear when the provider's and client's teams set up
inconsistent rules that leave security gaps a hacker can exploit.
There are two ways to alleviate the risk of conflicting security controls:
• Go with a cloud storage solution that enables your team to set up and
manage basic security controls.
• Partner with a reliable provider that agrees to shoulder the entire
responsibility of data storage security.
➢ Data Encryption
A cloud provider must encrypt cloud data. That way, if a malicious actor or
program accesses a file, all the unauthorized user will find is scrambled data.
The only way to decipher data is to use a decryption key.
• Encryption at rest protects stored cloud data that is not currently in use
(AES 256-bit encryption is the most popular option).
• Encryption in transit protects data while files move between two cloud
or network points (TLS/SSL 128-bit encryption is the most common
choice).
A company can boost cloud storage security with client-side encryption. With
this strategy, encryption and decryption happen on the end user's device.
No encryption or decryption takes place on the provider's server, because the
vendor never holds any keys. Even if a hacker breaches the provider's
server, the thief will not obtain your decryption key.
• A biometric scan (face or finger scans are the most common options).
• A one-time PIN sent to the user's email address or phone.
• A hardware token (typically a USB key).
Both you and your cloud provider should create regular backups:
• The provider should create regular cloud data backups and spread files
across several data centers. If one of the servers goes offline, the client
will not suffer downtime.
• You should back up your most sensitive (or all) cloud-based files on an
on-prem hard drive. Keep these backups immutable and update them
regularly to avoid data loss in any scenario.
PhoenixNAP's cloud backup solutions enable you to set up customizable,
immutable backups of all critical data and workloads.
➢ Develop a Cloud Storage Policy
If you rely on hybrid cloud architecture, your policy should also cover
practices for accessing, managing, integrating, and governing cloud usage
within your unique hybrid environment.
PhoenixNAP offers robust ransomware protection that relies on a mix of
infrastructure security and immutable backups. To learn more about this
threat, check out our article on different ransomware examples and our DIY
guide to preventing ransomware.
➢ Cloud Storage Monitoring
Continuous monitoring of changes, access, and activity helps identify and
remove potential threats to cloud storage. Most storage services include
robust cloud monitoring with alerts for:
• New sign-ins.
• Account activity.
• Data shares.
• File deletion.
• Unusual and suspicious activity.
In addition to the provider team's alerts, you can also deploy your own cloud
monitoring tool. An extra tool ensures you take a proactive approach to cloud
storage security and that your team can identify threats emerging from your
end.
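A small monitoring tool in the spirit of the section above, added here as an example rather than taken from the document or from any storage vendor. It replays a constructed JSON-lines audit log and raises three of the listed alert types: a sign-in from an address the user has not used before, a file shared with an external recipient, and a burst of deletions inside a short window. The log format and field names, the thresholds, the user and addresses, and the example.com domain are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one audit-log record in the shape a storage service might export.
// The field names are an assumption for this example, not a vendor schema.
type Event struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	IP     string    `json:"ip"`
	Action string    `json:"action"` // signin, download, delete, share
	Object string    `json:"object,omitempty"`
	Target string    `json:"target,omitempty"` // share recipient
}

// Alert is what the monitoring tool raises for the team to triage.
type Alert struct {
	Rule   string
	User   string
	Detail string
}

// Tunable thresholds for the mass-deletion rule.
const (
	deleteBurst  = 5
	deleteWindow = 10 * time.Minute
)

// SampleLog is a constructed audit log (JSON lines) for the demo: a known
// user signs in from an unfamiliar address late at night, shares a file
// outside the company, then deletes several files within a few minutes.
var SampleLog = []string{
	`{"time":"2024-05-01T09:00:00Z","user":"alice","ip":"203.0.113.10","action":"signin"}`,
	`{"time":"2024-05-01T09:05:00Z","user":"alice","ip":"203.0.113.10","action":"download","object":"reports/q1.pdf"}`,
	`{"time":"2024-05-01T21:30:00Z","user":"alice","ip":"198.51.100.77","action":"signin"}`,
	`{"time":"2024-05-01T21:31:00Z","user":"alice","ip":"198.51.100.77","action":"share","object":"reports/q1.pdf","target":"someone@example.net"}`,
	`{"time":"2024-05-01T21:32:00Z","user":"alice","ip":"198.51.100.77","action":"delete","object":"reports/a.pdf"}`,
	`{"time":"2024-05-01T21:33:00Z","user":"alice","ip":"198.51.100.77","action":"delete","object":"reports/b.pdf"}`,
	`{"time":"2024-05-01T21:34:00Z","user":"alice","ip":"198.51.100.77","action":"delete","object":"reports/c.pdf"}`,
	`{"time":"2024-05-01T21:35:00Z","user":"alice","ip":"198.51.100.77","action":"delete","object":"reports/d.pdf"}`,
	`{"time":"2024-05-01T21:36:00Z","user":"alice","ip":"198.51.100.77","action":"delete","object":"reports/e.pdf"}`,
}

// KnownIPs is the baseline of addresses each user has signed in from before
// (constructed; in practice it is built from historical logs).
var KnownIPs = map[string][]string{"alice": {"203.0.113.10"}}

// Analyze replays the log and applies three of the alert types the text
// lists: new sign-ins, data shares (to external recipients) and file
// deletion (a burst of deletes inside deleteWindow).
func Analyze(lines []string, known map[string][]string, internalDomain string) ([]Alert, error) {
	seen := map[string]map[string]bool{}
	for user, ips := range known {
		seen[user] = map[string]bool{}
		for _, ip := range ips {
			seen[user][ip] = true
		}
	}
	deletes := map[string][]time.Time{} // per-user delete times inside the window
	var alerts []Alert
	for i, line := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		switch ev.Action {
		case "signin":
			if seen[ev.User] == nil {
				seen[ev.User] = map[string]bool{}
			}
			if !seen[ev.User][ev.IP] {
				alerts = append(alerts, Alert{"new-signin", ev.User, "first sign-in from " + ev.IP})
				seen[ev.User][ev.IP] = true
			}
		case "share":
			if !strings.HasSuffix(ev.Target, "@"+internalDomain) {
				alerts = append(alerts, Alert{"external-share", ev.User, ev.Object + " shared with " + ev.Target})
			}
		case "delete":
			// Drop deletes older than the window, then add this one.
			cutoff := ev.Time.Add(-deleteWindow)
			kept := deletes[ev.User][:0]
			for _, t := range deletes[ev.User] {
				if !t.Before(cutoff) {
					kept = append(kept, t)
				}
			}
			kept = append(kept, ev.Time)
			deletes[ev.User] = kept
			if len(kept) == deleteBurst { // fire once, when the threshold is crossed
				alerts = append(alerts, Alert{"mass-delete", ev.User, fmt.Sprintf("%d deletions within %s", len(kept), deleteWindow)})
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Analyze(SampleLog, KnownIPs, "example.com")
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Run on the sample log it raises three alerts, in order: the new sign-in, the external share and the mass deletion. In a real deployment the baseline of known addresses would be learned from history and the thresholds tuned per team, but the structure (parse, keep per-user state, fire once per condition) is what an in-house monitoring tool adds on top of the provider's alerts.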
Educating employees about cloud storage security goes a long way toward
protecting files in the cloud. Organize training sessions that familiarize
employees with all major aspects of your cloud storage policy, including:
• What data they should store on the cloud, and what files should stay
on-prem.
• Safe data-sharing practices.
• Approved cloud storage tools and platforms.
• The risks posed by sharing and storing data on the cloud.
• Relevant configuration standards.
• Internal and external access rules.
If you are preparing a training session with your employees, our article
on security awareness training programs will help get the most out of the
upcoming session.
The Future of Secure Cloud Storage
• Confidential computing: More providers will start using confidential
computing to make cloud storage security even more robust. This
capability extends at-rest and in-transit encryption with additional
in-use encryption that keeps data safe during operations.
Cloud service providers use their own data centers and compute resources to
host cloud computing-based infrastructure and platform services for customer
organizations. Cloud services typically are priced using various
pay-as-you-go subscription models. Customers are charged only for resources they
consume, such as the amount of time a service is used or the storage capacity
or virtual machines used.
For SaaS products, cloud service providers may host and deliver their own
managed services to users. Or they can act as a third party, hosting the app of
an independent software vendor.
The most well-known cloud service platforms are Amazon Web Services
(AWS), Google Cloud (formerly Google Cloud Platform or GCP) and
Microsoft Azure.
Using a cloud provider has benefits and challenges. Companies considering using
these services should think about how these factors would affect their priorities and
risk profile, for both the present and long term. Individual CSPs have their own
strengths and weaknesses, which are worth considering.
Benefits
Challenges
• Hidden costs. Cloud use may incur expenses not factored into the
initial return on investment analysis. For example, unplanned data needs
can force a customer to exceed contracted amounts, leading to extra
charges. To be cost-effective, companies also must factor in additional
staffing needs for monitoring and managing cloud use. Terminating use of
on-premises systems also has costs, such as writing off assets and data
cleanup.
• Cloud migration. Moving data to and from the cloud can take time.
Companies might not have access to their critical data for weeks, or even
months, while large amounts of data are first transferred to the cloud.
security issues and practices. Companies with specific security needs may
rely on open source cloud security tools, in addition to the provider's tools.
• IaaS providers. In the IaaS model, the cloud service provider delivers
infrastructure components that would otherwise exist in an on-premises
data center. These components include servers, storage, networking and
the virtualization layer, which the IaaS provider hosts in its own data
center. CSPs may also complement their IaaS products with services such
as monitoring, automation, security, load balancing and storage resiliency.
contract a third-party cloud provider, while other vendors -- usually larger
companies -- will host their own cloud services.
• PaaS providers. The third type of cloud service provider, PaaS vendors,
offer cloud infrastructure and services that users can access to perform
various functions. PaaS products are commonly used in software
development. In comparison to an IaaS provider, PaaS providers add
more of the application stack, such as operating systems and middleware,
to the underlying infrastructure.
Cloud providers are also categorized by whether they deliver public cloud, private
cloud or hybrid cloud services.
Understand the similarities and differences between the public cloud, private cloud
and hybrid cloud models.
Some cloud service providers differentiate themselves by tailoring their offerings to a
vertical market's requirements. Their cloud-based services might deliver
industry-specific functionality and tools or help users meet certain regulatory requirements.
For instance, several healthcare cloud products let healthcare providers store,
maintain, optimize and back up personal health information. Industry-specific cloud
offerings encourage organizations to use multiple cloud service providers.
Amazon and Microsoft lead the cloud infrastructure market. See how the market share
breaks out among the top five providers.
The cloud services market has a range of providers, but AWS, Microsoft and Google
are the established leaders in the public cloud market.
Amazon was the first major cloud provider, with the 2006 offering of Amazon Simple
Storage Service. Since then, the growing cloud market has seen rapid development
of Amazon's cloud platform, as well as Microsoft's Azure platform and Google Cloud.
These three vendors continue to jockey for the lead on a variety of cloud fronts. The
vendors are developing cloud-based services around emerging technologies, such
as machine learning, artificial intelligence, containerization and Kubernetes.
Other major cloud service providers in the market include the following:
• Adobe
• Akamai Technologies
• Alibaba Cloud
• Apple
• Box
• Citrix
• DigitalOcean
• IBM Cloud
• Joyent
• Oracle Cloud
• Rackspace Cloud
• Salesforce
• Cost. The cost is usually based on a per-use utility model, but all
subscription details and provider-specific variations must be reviewed.
Cost is often considered one of the main reasons to adopt a cloud service
platform.
• Physical location of the servers. Server location may be an important
factor for sensitive data, which must meet data storage regulations.
• Security. Cloud security should top the list of cloud service provider
considerations. Organizations such as the Cloud Security Alliance offer
certification to cloud providers that meet their criteria.
Capacity planning and self-service portals are among the capabilities to look for in a
private cloud service provider.
• Serverless: In a serverless model, developers build applications while the
cloud service provider provisions and manages every part of the environment
that the application needs to run.
• Software as a Service (SaaS): SaaS solutions, like Office 365, are software
created and managed completely by the cloud service provider and made
available to the customer.
A certain provider may only offer specific service models, and each provider’s
implementation may be different. This means that certain providers may have
specializations or optimizations that are more or less effective at meeting an
organization’s specific business needs and use cases.
One of the most important considerations when selecting a cloud services provider is
whether a public or private cloud meets an organization’s business and security
requirements. However, this does not have to be an either-or decision as hybrid and
multi-cloud deployments enable a company to take advantage of the benefits of both
public and private clouds.
Public Cloud
• Amazon AWS
• Microsoft Azure
• Alibaba
• IBM Cloud
• Oracle
• Cost: Public cloud deployments are less expensive than private clouds. This
is because the cloud service provider can distribute costs over multiple clients
that are sharing the same infrastructure.
Private Cloud
Like public cloud deployments, private clouds are implemented using infrastructure
leased from a cloud services provider. Unlike a public cloud, a private cloud
deployment is hosted on a dedicated infrastructure. The most commonly used
private cloud service providers include:
• Cisco ACI
• VMware NSX
• OpenStack
• Alibaba
• Oracle
• Salesforce
The choice of a private cloud reduces some of the cost, flexibility, and scalability
benefits of the cloud as compared to a public cloud deployment. However, these
downsides may be offset by the increased privacy and security that a private cloud
deployment offers.
Hybrid or Multi-Cloud
An organization is not limited to the choice between a public and a private cloud
deployment. Two other options are hybrid and multi-cloud deployments.
A hybrid cloud incorporates both a private and a public cloud. The use of private
cloud infrastructure provides all of the security benefits of dedicated infrastructure,
which can be invaluable for data security and regulatory compliance. On the other
hand, a public cloud has a number of benefits in terms of cost, flexibility, and
scalability. A hybrid cloud deployment uses both a public and a private cloud and
allows data and applications to move between them as needed, providing the best of
both worlds.
The diversity of options and the specializations of different cloud providers may
mean that different platforms are best-suited to different use cases. As a result,
many organizations adopt a multi-cloud deployment, where applications and data are
hosted on the cloud platform that is best suited to them. This enables an
organization to develop
One of the main selling points of the cloud is that it allows an organization to
outsource many of the responsibilities associated with its infrastructure to a
third-party cloud services provider. However, transitioning to a cloud-based deployment
does not mean that an organization gives up full control over its infrastructure or full
responsibility for securing it.
Since a cloud services provider has full control over certain parts of the infrastructure
that it leases to its customers, it also has the responsibility for securing these
components. However, the customer is responsible for securing the parts of their
infrastructure stack that remain under their control.
The breakdown of security responsibilities depends on the cloud services model that
a customer selects. Cloud services providers delineate this breakdown in a Shared
Responsibility Model. Based on the cloud services model used, a cloud customer
can identify which security responsibilities are wholly theirs and which are shared
with their cloud services provider.
Cloud services providers often offer tools designed to help their customers meet their
security responsibilities, such as AWS Security Groups. However, these tools differ
from one platform to another, and many cloud customers lack a full understanding of
the shared responsibility model, their security responsibilities, and how to properly
configure the available security settings.
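The misconfiguration problem described earlier (inconsistent, over-broad rules that leave gaps) and the security-group tooling mentioned here can both be illustrated with a review script. The following is an added example, not code from this document, from AWS or from any other provider: it checks a constructed list of ingress rules for services exposed to the whole internet, and shows the weak rule set beside a narrowed one that passes. The IngressRule type, the rule names, the list of sensitive ports and the address ranges are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
)

// IngressRule carries the fields a security-group or firewall ingress rule
// normally has. The type is constructed for this example, not a vendor API.
type IngressRule struct {
	Name     string
	Protocol string // "tcp", "udp" or "-1" meaning every protocol
	FromPort int
	ToPort   int
	Source   string // CIDR the rule admits
}

// Finding is one misconfiguration the review flags.
type Finding struct {
	Rule     string
	Severity string
	Reason   string
}

// sensitivePorts are administrative and database services that should never
// be reachable from the whole internet; the order is fixed so output is stable.
var sensitivePorts = []struct {
	Port int
	Name string
}{
	{22, "SSH"}, {3389, "RDP"}, {3306, "MySQL"}, {5432, "PostgreSQL"}, {6379, "Redis"}, {27017, "MongoDB"},
}

// coversInternet reports whether the CIDR admits every address (0.0.0.0/0 or ::/0).
func coversInternet(cidr string) (bool, error) {
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	ones, _ := network.Mask.Size()
	return ones == 0, nil
}

// ReviewIngress returns the rules that expose sensitive services to anyone.
// Public web ports (80/443) open to the world are left alone; the point is
// to catch the inconsistent, over-broad rules the text warns about.
func ReviewIngress(rules []IngressRule) ([]Finding, error) {
	var findings []Finding
	for _, r := range rules {
		open, err := coversInternet(r.Source)
		if err != nil {
			return nil, fmt.Errorf("rule %q: bad source %q: %w", r.Name, r.Source, err)
		}
		if !open {
			continue
		}
		if r.Protocol == "-1" {
			findings = append(findings, Finding{r.Name, "critical", "all protocols and ports open to " + r.Source})
			continue
		}
		for _, sp := range sensitivePorts {
			if sp.Port >= r.FromPort && sp.Port <= r.ToPort {
				findings = append(findings, Finding{r.Name, "high",
					fmt.Sprintf("%s (%d/%s) open to %s", sp.Name, sp.Port, r.Protocol, r.Source)})
			}
		}
	}
	return findings, nil
}

// WeakRules is a constructed rule set with three typical mistakes.
var WeakRules = []IngressRule{
	{"web-https", "tcp", 443, 443, "0.0.0.0/0"},       // fine: public web port
	{"ssh-world", "tcp", 22, 22, "0.0.0.0/0"},         // SSH reachable by everyone
	{"db-wide-open", "tcp", 5000, 6000, "::/0"},       // range that includes PostgreSQL
	{"legacy-allow-all", "-1", 0, 65535, "0.0.0.0/0"}, // everything open
}

// HardenedRules is the same set with sources narrowed to the office network
// and the VPC (constructed documentation address ranges).
var HardenedRules = []IngressRule{
	{"web-https", "tcp", 443, 443, "0.0.0.0/0"},
	{"ssh-office", "tcp", 22, 22, "203.0.113.0/24"},
	{"db-from-vpc", "tcp", 5432, 5432, "10.0.0.0/16"},
}

func main() {
	for _, set := range []struct {
		label string
		rules []IngressRule
	}{{"weak", WeakRules}, {"hardened", HardenedRules}} {
		findings, err := ReviewIngress(set.rules)
		if err != nil {
			fmt.Println(err)
			return
		}
		fmt.Printf("%s: %d finding(s)\n", set.label, len(findings))
		for _, f := range findings {
			fmt.Printf("  [%s] %s: %s\n", f.Severity, f.Rule, f.Reason)
		}
	}
}
```

The weak set produces three findings (SSH open to the world, a port range on ::/0 that includes PostgreSQL, and an allow-all rule); the hardened set produces none. Running a check like this against exported rules on a schedule is one way for the customer side of the shared responsibility model to catch the drift between what the provider's team and the client's team configured.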
Securing cloud-based infrastructure can be difficult, and few organizations have the
knowledge and expertise in-house to effectively secure multi-cloud deployments.
Since the provided tools are often vendor-specific and many traditional security
solutions do not work effectively in the cloud, it can be very difficult to achieve
consistent visibility, threat detection, and security policy enforcement across an
organization’s entire cloud-based infrastructure.
Partnering with a cloud security provider can help an organization to ensure that its
move to the cloud doesn’t create additional security challenges and risks. A cloud
security company offers an organization the tools and capabilities that it needs to
secure its cloud-based infrastructure, which include:
• Web Application and API Protection: Cloud deployments are ideally suited
to hosting web applications and APIs, but these resources can be easily
exploited if not properly protected. CloudGuard AppSec uses artificial
intelligence (AI) to identify and block attempted exploitation of cloud-based
web apps and APIs, protecting them against even novel attacks.
The cloud offers organizations several benefits, but it creates new and unique
security risks as well. Check Point’s cloud security solutions
support AWS, Azure, GCP, and all other major cloud platforms.
10. VMWare
The following table summarizes the top 3 key players and their offerings in cloud
computing. For Q3 2022, AWS reported revenue increased 27 percent year-over-year to
$20.5 billion from $16.5 billion in Q3 2021. In addition, AWS's operating income was $5.4
billion, compared with operating revenue of $4.9 billion in the third quarter of 2021.
For the same quarter, Microsoft reported revenue from its Intelligent Cloud segment of $20.3
billion, up 20 percent from the previous quarter in 2021. Google Cloud reported
revenue of $6.86 billion, up from $4.99 billion in 2021. However, its losses widened
slightly, from $644 million to $699 million.
                          AWS             Microsoft Azure   Google Cloud
Geographical Regions      25              54                21
Availability Zones        78              140 (countries)   61
Compliance Certificates   46              90
Q3 2022 Revenue           $20.5 billion   $20.3 billion     $6.8 billion
Amazon Web Services (AWS) is an Amazon company that was launched in the year 2002.
AWS is the most popular cloud service provider in the world.
Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted
cloud platform, offering over 165 fully-featured services from data centers globally.
Millions of customers use this service.
AWS's revenue in 2018 was $25.6 billion, with a profit of $7.2 billion. The revenue is
expected to grow to $33 billion in 2019.
AWS Services
AWS offers hundreds of services. These include Virtual Private Cloud, EC2, AWS Data
Transfer, Simple Storage Service, DynamoDB, Elastic Compute Cloud, AWS Key
Management Service, Amazon CloudWatch, Simple Notification Service, Relational
Database Service, Route 53, Simple Queue Service, CloudTrail, and Simple Email Service.
The following graphic lists the various categories of services available in AWS. The right
side of the list includes AWS's featured services.
AWS Security
Cloud security is the highest priority for AWS. As a customer, you will benefit from a data
center and network architecture built to meet the requirements of the most
security-sensitive organizations.
AWS security offers infrastructure security, DDoS mitigation, data encryption, inventory
and configuration, monitoring and logging, identity and access control, and penetration
testing.
Compliances
AWS provides 40+ compliance certifications covering global, US, and other countries'
requirements. Here is the list of supported compliance certifications:
AWS global availability
AWS offers the most significant global footprint in the market. No cloud provider offers as
many regions or Availability Zones (AZs). This includes 78 AZs within 25 geographic regions
around the world. Furthermore, AWS has announced plans for nine more AZs and three
more regions in Cape Town, Jakarta, and Milan.
AWS Certifications
AWS certifications are divided into four categories: Foundational, Associate, Professional,
and Specialty.
2. Microsoft Azure
Microsoft Azure is one of the fastest-growing clouds among them all. Azure was launched
years after the release of AWS and Google Cloud but is still knocking on the door to
become the top cloud services provider. Microsoft Azure recently won a $10 billion US
government contract.
While Microsoft Azure's revenue is difficult to predict, Microsoft broke down its last
quarter's revenue into three categories: Productivity and Business Processes, Intelligent
Cloud, and Personal Computing. The respective revenue was $11.0 billion, $11.4 billion,
and $11.3 billion.
Microsoft's Azure revenue is expected to grow to between $33 billion and $35 billion. This
makes Azure one of the most profitable cloud services in the world.
Azure Services
What makes Azure attractive and intelligent is its exclusive offering of
Microsoft's existing products and services in the cloud. Azure's cloud supremacy revolves
around its intelligence: Azure provides the most advanced and the largest number of
intelligent products and services.
Microsoft's Windows operating system and SQL Server database are now
available in the cloud via Windows Virtual Desktop.
Microsoft's mixed reality technology (products for HoloLens) is also available in the Azure
Cloud.
Microsoft's TFS and VSTS are now available in Azure via Azure DevOps.
Microsoft's popular Office suite and enterprise products, such as Sharepoint and Power BI,
are now available as Office 365 and PowerXXX tools in the cloud. Furthermore, some of
the most popular and advanced developer tools and compilers are available in Azure via
various UI, workflows, and interfaces.
Azure Security
Azure offers the most advanced security products and services. The following table lists
Azure security options:
Azure Compliance
Azure Stack
Azure Stack is an Azure service that allows enterprises to run apps in an on-premises
environment and use Azure services in their own data center. Azure Stack syncs with
global Azure and upgrades when new services and updates become available on Azure.
Azure for Government
Azure for Government is an exclusive cloud designed for federal, state, and local US
government agencies.
Azure Government offers government exclusivity. As a result, only US federal, state, local,
and tribal governments and their partners have access to this dedicated instance with
operations controlled by screened US citizens.
Azure Government offers the broadest set of compliance certifications. It runs on six
government-only data center regions, all granted an Impact Level 5 Provisional
Authorization.
Azure offers more data centers around the world than any other cloud provider.
Azure Certifications
3. IBM Cloud
IBM Cloud, developed by IBM, is a set of cloud computing services for businesses. Like
other cloud service providers, IBM Cloud includes IaaS, SaaS, and PaaS services via
public, private, and hybrid cloud models.
IBM Cloud's service categories include Compute, Network, Storage, Cloud Packs,
Management, Security, Database, Analytics, AI, IoT, Mobile, Dev Tools, Blockchain,
Integration, Migration, Private Cloud, and VMware.
4. Google Cloud
Google Cloud Platform is Google's Cloud. Like AWS and Azure, Google Cloud offers similar
services in various categories, including computing, storage, identity, security, database,
AI and machine learning, virtualization, DevOps, and more.
Here is the complete list of product and service categories for Google Cloud Platform:
Beyond Google Cloud Platform, Google's cloud products also include G Suite, Google Maps
Platform, Google Hardware, Google Identity, Chrome Enterprise, Android Enterprise, Apigee,
Firebase, and Orbitera.
Google Cloud services run in 20 regions and 61 zones and serve customers in over 200
countries and territories.
5. Oracle Cloud
Oracle Cloud is the cloud offering of Oracle Corporation. Oracle Cloud offers IaaS,
PaaS, SaaS, and Data as a Service (DaaS).
Oracle IaaS offerings include Compute, Storage, Networking, Governance, Database, Load
Balancing, DNS Monitoring, Ravello, and FastConnect.
Oracle SaaS offerings include CX, HCM, ERP, SCM, EPM, IoT, Analytics, Data, and Blockchain
Applications.
6. Alibaba Cloud
Alibaba Cloud is the largest cloud provider in China. Founded in 2009, it is registered
and headquartered in Singapore. It was initially built to serve Alibaba's own e-commerce
ecosystem and is now offered to the public.
Alibaba offers various products and services in multiple categories, including Elastic
Computing, Storage and CDN, Networking, Database Services, Security, Monitoring and
Management, Domains and Websites, Analytics and Data Technology, Application
Services, Media Services, Middleware, Cloud Communication, Apsara Stack, and Internet
of Things.
Alibaba Cloud is available in 19 regions and 56 availability zones around the globe.
providers are Microsoft Azure, with a 21% market share, Google
Cloud, with an 11% market share, and IBM Cloud.
Types of cloud services
A cloud service provider can deliver four main categories of cloud
services. These include:
1. Infrastructure-as-a-Service (IaaS)
The provider owns, provisions, and maintains the physical servers,
virtualization, storage, and networking, and offers them as virtual
machines (VMs), block and object storage, and virtual networks. The
customer builds and manages the operating systems, data storage, and
network configuration that run on top of that infrastructure. Examples
include Amazon Web Services (AWS) and Microsoft Azure.
2. Platform-as-a-Service (PaaS)
One step further, PaaS provides a platform, or environment, for
developing, testing, delivering, and managing software; the provider
manages the underlying servers, storage, network, and databases.
Examples include Google App Engine and OpenShift.
3. Serverless computing
Building on PaaS, serverless computing removes server management
entirely: the provider handles capacity, set-up, scaling, and server
maintenance, and the customer's code runs on demand. Examples include
Google App Engine, AWS Lambda, IBM's OpenWhisk (now Apache OpenWhisk),
and Microsoft Azure Functions.
4. Software-as-a-Service (SaaS)
In SaaS, a software provider hosts and delivers a complete software
application, including its underlying infrastructure, to users over the
Internet. The customer is left to manage only its data and user access.
1. Reduced costs
Cloud service providers charge on a pay-as-you-go basis: you pay only
for the services or bandwidth you actually use, and you avoid much of the
cost of running and staffing your own data center. Cloud service
providers also reduce IT costs by letting teams access data quickly,
by replacing capital investments and energy costs with operating
expenses, and by improving employee productivity.
2. Security
Security is a significant concern. A reputable cloud service provider
takes over securing the physical facilities, hardware, and underlying
platform, and is usually more efficient at that maintenance than a
conventional in-house system. This does not remove the customer's own
duties: under the shared responsibility model, configuration, identity
and access management, and protection of the data itself remain the
customer's job. According to RapidScale, 94% of businesses saw an
improvement in security after switching to the cloud, and 91% of
businesses say that the cloud makes it easier to meet government
compliance requirements.
3. Backup and Disaster Recovery
You can use a cloud service provider as an off-site backup target to
protect against natural disasters, power failures, or other outages.
Most CSPs build redundancy into their backup and storage services to
protect against regional disruptions. Replicated backups greatly reduce
the risk of losing your data, but only if they are configured, tested,
and actually restorable.
4. Regular Software Patches and Updates
Cloud service providers are responsible for patching the software they
manage, including the hypervisor, managed services, and, for PaaS and
SaaS, the application stack, with regular and security updates. This
frees you from much of the routine patching burden so you can devote
time to other essential tasks. With IaaS, however, patching the guest
operating system and everything installed on your VMs remains your
responsibility.
5. Reliability
Organizations moving to the cloud typically see greater uptime and gain
24/7 support. This makes your own services more reliable and offers a
significant edge over competitors who have not yet migrated to the cloud.
6. Mobility
Choosing a cloud services provider ensures that your team can access
data anywhere, anytime. This proved significant in recent years as most
teams moved to remote and hybrid work; cloud computing played a crucial
part in letting them work seamlessly.
7. Unlimited Storage Capacity
You can only buy and maintain a limited infrastructure on-premises. At
some point you will run out of budget, or your servers will be unable to
accommodate more resources. In the cloud, storage is effectively
unlimited and scales on demand (subject to provider quotas), while you
pay only for the capacity you use.
8. Quick Development & Deployment
In cloud computing, organizations can quickly take an idea from design to
development without worrying about delays in building new
infrastructure. PaaS and serverless cloud service providers provide
complete development services and tools, including testing and debugging
environments.
However, security can be improved by choosing the right cloud service
provider and taking an active part in the shared responsibility model,
particularly around identity, access control, and strong authentication.
4. Lack of Support
Every organization faces challenges as new technologies emerge, and
some cloud providers lack the documentation or support staff needed to
help customers navigate them.
• Do they have a portfolio you can evaluate to see if
they’re a good fit?
These questions would help you ensure you don’t choose a cloud
service provider that prevents you from achieving your vision in
the long run.
2. Cost
Consider the cost of use (upfront, pay-as-you-go) alongside
whether there are any minimums associated with cost, volume
discounts, reservations that can be made, or the type of
billing (e.g., by hour/month, execution, user, or gigabyte). Also,
weigh the cost against other factors. For example, AWS has designed
its own CPUs (the Graviton processors) to compete on
price/performance against all counterparts. Many cloud providers
offer aggressive pricing to first-time customers, so pay careful
attention to the fine print about price increases over time.
3. Security & Reliability
Organizations must consider factors such as robust security as
well as the resiliency of the provider, with particular attention
paid to regional capabilities and historical figures on uptime.
Document disaster recovery provisions, backup/restore, integrity
checks, and the roles and responsibilities of each party. Most cloud
service providers will detail their security features (free or paid)
and available integrations. Look at specific areas, including identity
management, access controls, authentication, and where data will
be stored and processed.
4. Compliance
When choosing a cloud provider, organizations must consider the
implications of federal, state, and industry regulations. Cloud
providers often publish a statement of shared responsibility for
compliance and should be able to answer questions about
compliance with specific regulations. Certain rules may prohibit
storing, transferring, or processing customer data with cloud
providers whose data centers lie outside a specified geographic
boundary, or may impose specific requirements around protection,
confidentiality, or access controls. Each regulation also has
particular requirements around breach response and reporting.
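One concrete way to enforce such a geographic boundary on AWS is an organization-wide Service Control Policy (SCP) that denies any API call whose target region is outside an approved list. The block below is an added example, not from the original document: it builds that policy document and includes a small evaluator showing how the statement behaves for typical requests. The approved regions, the exempted global-service actions, and the break-glass role name are assumptions chosen for illustration.

```python
"""Data-residency guardrail: an AWS Service Control Policy (SCP) that denies
API calls outside approved regions, plus an evaluator that mirrors the
statement's logic. Added example; the region list, break-glass role and
global-service exemptions are assumptions, not from the original document."""
import fnmatch
import json

APPROVED_REGIONS = ["eu-central-1", "eu-west-1"]  # assumed residency boundary
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/OrgBreakGlassAdmin"  # assumed role name

# Global services report a fixed region (e.g. IAM reports us-east-1); without
# this exemption the SCP would lock out identity, billing and support calls.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*",
    "budgets:*", "cloudfront:*", "route53:*",
]

REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRequestsOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS},
            "ArnNotLike": {"aws:PrincipalARN": [BREAK_GLASS_ROLE]},
        },
    }],
}


def scp_json() -> str:
    """Policy document as it would be attached with the Organizations API."""
    return json.dumps(REGION_GUARDRAIL_SCP, indent=2)


def is_denied(action: str, region: str, principal_arn: str) -> bool:
    """Evaluate the single Deny statement above for one request.

    The Deny applies only when the action is NOT one of the exempted
    global-service actions AND every condition holds: the requested region
    is not approved AND the caller is not the break-glass role.
    """
    stmt = REGION_GUARDRAIL_SCP["Statement"][0]
    if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["NotAction"]):
        return False  # exempted global-service action: statement does not match
    cond = stmt["Condition"]
    region_outside = region not in cond["StringNotEquals"]["aws:RequestedRegion"]
    principal_not_exempt = not any(
        fnmatch.fnmatchcase(principal_arn, pat)
        for pat in cond["ArnNotLike"]["aws:PrincipalARN"]
    )
    return region_outside and principal_not_exempt


if __name__ == "__main__":
    print(scp_json())
    dev = "arn:aws:iam::123456789012:role/Developer"  # constructed sample caller
    for req in [("s3:CreateBucket", "eu-central-1", dev),
                ("s3:CreateBucket", "us-east-1", dev),
                ("iam:CreateUser", "us-east-1", dev)]:
        print(req, "DENIED" if is_denied(*req) else "allowed")
```

An SCP only bounds what IAM can grant; it does not itself give anyone permissions, and it does not stop data already in an approved region from being copied out by an application. Pair it with the provider's data-residency features for the specific services you use and with logging of denied calls so attempts to create resources outside the boundary are visible.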
a. HIPAA
6. Business Compatibility
The cloud service provider must match the organization’s
business, technical, and operational goals.
7. Architecture
Consider how the cloud architecture incorporates existing
technology or services within the organization, as there are
technological and cost synergies to staying within large
ecosystems such as Microsoft, Amazon, or Google. Ensure the
chosen cloud provider can support current and future needs,
looking at multi-cloud support, microservices and container
capabilities, and serverless options.
Cloud governance outlines the policies and controls applied to
cloud services in the areas of privacy and security as well as cost
and usage. For example, these controls might set a maximum spend
for an organization or department to prevent the overuse of cloud
resources.
12. Project Size
The project’s size, scope, and goals will place different
requirements on the cloud service provider.
13. Service Dependencies & Partnerships
To choose the right cloud service provider, it’s essential to
understand their relationship with different vendors, accreditation
levels, technical capabilities, and staff certifications. An ideal
service provider can easily fit into a larger ecosystem. Also, all the
partnerships and dependencies should be clearly defined, so
there’s no confusion in the future.