
UNIT-2

CLOUD SECURITY

Cloud security, also known as cloud computing security, is the practice of protecting
cloud-based data, applications, and infrastructure from cyber attacks and cyber threats.

Cybersecurity, of which cloud security is a subset, has the same goals. Where cloud
security differs from traditional cybersecurity is in the fact that administrators must
secure assets that reside within a third-party service provider's infrastructure.

What is Cloud Security?

Cloud security definition

Cloud security is a discipline of cyber security dedicated to securing cloud computing
systems. This includes keeping data private and safe across online-based infrastructure,
applications, and platforms. Securing these systems involves the efforts of cloud
providers and the clients that use them, whether the client is an individual, a small to
medium business, or an enterprise.

Cloud providers host services on their servers through always-on internet connections.
Since their business relies on customer trust, cloud security methods are used to keep
client data private and safely stored. However, cloud security also partially rests in the
client’s hands as well. Understanding both facets is pivotal to a healthy cloud security
solution.

At its core, cloud security is composed of the following categories:

• Data security
• Identity and access management (IAM)
• Governance (policies on threat prevention, detection, and mitigation)
• Data retention (DR) and business continuity (BC) planning
• Legal compliance

Cloud security may appear like legacy IT security, but this framework actually demands a
different approach. Before diving deeper, let’s first look at what cloud security is.

What is cloud security?

Cloud security is the whole bundle of technology, protocols, and best practices that
protect cloud computing environments, applications running in the cloud, and data held
in the cloud. Securing cloud services begins with understanding exactly what is being
secured, as well as the system aspects that must be managed.

As an overview, backend development against security vulnerabilities is largely within the
hands of cloud service providers. Aside from choosing a security-conscious provider,
clients must focus mostly on proper service configuration and safe use habits.
Additionally, clients should be sure that any end-user hardware and networks are
properly secured.

The full scope of cloud security is designed to protect the following, regardless of your
responsibilities:

• Physical networks — routers, electrical power, cabling, climate controls, etc.
• Data storage — hard drives, etc.
• Data servers — core network computing hardware and software
• Computer virtualization frameworks — virtual machine software, host machines,
and guest machines
• Operating systems (OS) — software that houses
• Middleware — application programming interface (API) management,
• Runtime environments — execution and upkeep of a running program
• Data — all the information stored, modified, and accessed
• Applications — traditional software services (email, tax software, productivity
suites, etc.)
• End-user hardware — computers, mobile devices, Internet of Things (IoT) devices,
etc.

With cloud computing, ownership over these components can vary widely. This can make
the scope of client security responsibilities unclear. Since securing the cloud can look
different based on who has authority over each component, it’s important to understand
how these are commonly grouped.

To simplify, cloud computing components are secured from two main viewpoints:

1. Cloud service types are offered by third-party providers as modules used to create the
cloud environment. Depending on the type of service, you may manage a different
degree of the components within the service:

• The core of any third-party cloud service involves the provider managing the
physical network, data storage, data servers, and computer virtualization
frameworks. The service is stored on the provider’s servers and virtualized via
their internally managed network to be delivered to clients to be accessed
remotely. This offloads hardware and other infrastructure costs to give clients
access to their computing needs from anywhere via internet connectivity.

• Software-as-a-Service (SaaS) cloud services provide clients access to applications
that are purely hosted and run on the provider's servers. Providers manage the
applications, data, runtime, middleware, and operating system. Clients are only
tasked with getting their applications. SaaS examples include Google Drive, Slack,
Salesforce, Microsoft 365, Cisco WebEx, Evernote.

• Platform-as-a-Service (PaaS) cloud services provide clients a host for developing their
own applications, which are run within a client’s own “sandboxed” space on
provider servers. Providers manage the runtime, middleware, and operating system.
Clients are tasked with managing their applications, data, user access, end-user
devices, and end-user networks. PaaS examples include Google App Engine,
Windows Azure.

• Infrastructure-as-a-Service (IaaS) cloud services offer clients the hardware and
remote connectivity frameworks to house the bulk of their computing, down to the
operating system. Providers only manage core cloud services. Clients are tasked
with securing all that gets stacked atop an operating system, including
applications, data, runtimes, middleware, and the OS itself. In addition, clients
need to manage user access, end-user devices, and end-user networks. IaaS
examples include Microsoft Azure, Google Compute Engine (GCE), Amazon Web
Services (AWS).

2. Cloud environments are deployment models in which one or more cloud services
create a system for the end-users and organizations. These segment the management
responsibilities — including security — between clients and providers.

The currently used cloud environments are:

• Public cloud environments are composed of multi-tenant cloud services where a
client shares a provider’s servers with other clients, like an office building or
coworking space. These are third-party services run by the provider to give clients
access via the web.

• Private third-party cloud environments are based on the use of a cloud service
that provides the client with exclusive use of their own cloud. These single-tenant
environments are normally owned, managed, and operated offsite by an external
provider.

• Private in-house cloud environments are also composed of single-tenant cloud service
servers, but operated from the organization’s own private data center. In this case, the
cloud environment is run by the business itself, allowing full configuration and setup
of every element.

• Multi-cloud environments include the use of two or more cloud services from
separate providers. These can be any blend of public and/or private cloud
services.

• Hybrid cloud environments consist of using a blend of private third-party cloud
and/or onsite private cloud data center with one or more public clouds.

By framing it from this perspective, we can understand that cloud-based security can be
a bit different based on the type of cloud space users are working in. But the effects are
felt by both individual and organizational clients alike.

Cloud security tools

Many of the same tools used in on-premises environments should be used in the cloud,
although cloud-specific versions of them may exist. These tools and mechanisms include
encryption, IAM and single sign-on (SSO), data loss prevention (DLP), intrusion prevention
and detection systems (IPSes/IDSes) and public key infrastructure (PKI).

Some cloud-specific tools include the following:

• Cloud workload protection platforms (CWPPs). A CWPP is a security
mechanism designed to protect workloads -- for example, VMs, applications or
data -- in a consistent manner.

• Cloud access security brokers (CASBs). A CASB is a tool or service that sits
between cloud customers and cloud services to enforce security policies and,
as a gatekeeper, add a layer of security.

• Cloud security posture management (CSPM). CSPM is a group of security
products and services that monitor cloud security and compliance issues and
aim to combat cloud misconfigurations, among other features.

Secure Access Service Edge (SASE) and zero-trust network access (ZTNA) are also
emerging as two popular cloud security models/frameworks.

Security as a service, often shortened to SaaS or SECaaS, is a subset of software as a
service. The Cloud Security Alliance (CSA) defined 10 SECaaS categories:

1. IAM

2. DLP

3. web security

4. email security

5. security assessments

6. intrusion management

7. security information and event management (SIEM)

8. encryption

9. BC/disaster recovery (BCDR)

10. network security

These include services such as firewall as a service, cloud-based virtual private
networks (VPNs) and key management as a service (KMaaS).

What are some of the key technologies for cloud security?

A cloud security strategy should include all of the following technologies:

Encryption: Encryption is a way of scrambling data so that only authorized parties can
understand the information. If an attacker hacks into a company's cloud and finds
unencrypted data, they are able to do any number of malicious actions with the data:
leak it, sell it, use it to carry out further attacks, etc. However, if the company's data is
encrypted, the attacker will only find scrambled data that cannot be used unless they
somehow discover the decryption key (which should be almost impossible). In this way,
encryption helps prevent data leakage and exposure, even when other security measures
fail.

Data can be encrypted both at rest (when it is stored) or in transit (while it is sent from
one place to another). Cloud data should be encrypted both at rest and in transit so that
attackers cannot intercept and read it. Encrypting data in transit should address both
data traveling between a cloud and a user, and data traveling from one cloud to another,
as in a multi-cloud or hybrid cloud environment. Additionally, data should be encrypted
when it is stored in a database or via a cloud storage service.

If the clouds in a multi-cloud or hybrid cloud environment are connected at the network
layer, a VPN can encrypt traffic between them. If they are connected at the application
layer, SSL/TLS encryption should be used. SSL/TLS should also encrypt traffic between a
user and a cloud (see What Is HTTPS?).
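As an added example, not from these notes or from any provider's documentation: the Python below builds the client-side TLS context a program would use when talking to a cloud API over HTTPS, beside the weakened context that appears when someone "fixes" a certificate error by switching verification off, and audits both. Function names and the wording of the findings are this example's own; it uses only the standard library's ssl module and opens no network connection.

```python
import ssl


def make_client_tls_context() -> ssl.SSLContext:
    """Client-side TLS context for talking to a cloud API or to another cloud:
    certificate chain and hostname verification on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_tls_context() -> ssl.SSLContext:
    """The context that results when a certificate error is 'fixed' by turning
    verification off. Built here only so the audit below has something to flag:
    the traffic is still encrypted, but the client no longer knows who the peer is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let an on-path attacker read or alter the
    'encrypted' traffic; an empty list means the context is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_tls_context()),
                      ("weak", make_weak_tls_context())):
        print(name, audit_tls_context(ctx) or "OK")
```

The audit makes the point that "SSL/TLS is on" is not the whole requirement: with verification disabled the connection is still encrypted, but the client cannot tell a cloud endpoint from an attacker standing between them, so the encryption protects nothing.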

Identity and access management (IAM): Identity and access management (IAM) products
track who a user is and what they are allowed to do, and they authorize users and deny
access to unauthorized users as necessary. IAM is extremely important in cloud
computing because a user's identity and access privileges determine whether they can
access data, not the user's device or location.

IAM helps reduce the threats of unauthorized users gaining access to internal assets and
authorized users exceeding their privileges. The right IAM solution will help mitigate
several kinds of attacks, including account takeover attacks and insider threats (when a
user or employee abuses their access in order to expose data).

IAM may include several different services, or it may be a single service that combines all
of the following capabilities:

• Identity providers (IdP) authenticate user identity

• Single sign-on (SSO) services help authenticate user identities for multiple
applications, so that users only have to sign in once to access all their cloud
services

• Multi-factor authentication (MFA) services strengthen the user authentication
process

• Access control services allow and restrict user access

Firewall: A cloud firewall provides a layer of protection around cloud assets by blocking
malicious web traffic. Unlike traditional firewalls, which are hosted on-premises and
defend the network perimeter, cloud firewalls are hosted in the cloud and form a virtual
security barrier around cloud infrastructure.

Cloud firewalls block DDoS attacks, malicious bot activity, and vulnerability exploits. This
reduces the chances of a cyber attack crippling an organization's cloud infrastructure.

What is cloud security management? Guide and best practices

Putting the right cloud security mechanisms and policies in place is critical to prevent
breaches and data loss, avoid noncompliance and fines, and maintain business
continuity (BC).

A major benefit of the cloud is that it centralizes applications and data and
centralizes the security of those applications and data as well. Eliminating the need
for dedicated hardware also reduces organizations' cost and management needs,
while increasing reliability, scalability and flexibility.

How cloud security works

Cloud computing operates in three main environments:

1. Public cloud services are hosted by CSPs. These include software as a
service (SaaS), platform as a service (PaaS) and infrastructure as a
service (IaaS).

2. Private clouds are hosted by or for a single organization.

3. Hybrid clouds include a mix of public and private clouds.

As a result, cloud security mechanisms take two forms: those supplied by CSPs and
those implemented by customers. It is important to note that handling of security is
rarely the complete responsibility of the CSP or the customer. It is usually a joint
effort using a shared responsibility model.

THE SHARED RESPONSIBILITY MODEL

Although not standardized, the shared responsibility model is a framework
that outlines which security tasks are the obligation of the CSP and which are
the duty of the customer. Enterprises using cloud services must be clear
which security responsibilities they hand off to their provider(s) and which
they need to handle in-house to ensure they have no gaps in coverage.

Customers should always check with their CSPs to understand what the
provider covers and what they need to do themselves to protect the
organization.

The shared responsibility model outlines the security responsibilities of the
CSP and the customer.

CSP SECURITY RESPONSIBILITIES

Security controls supplied by CSPs vary by service model, be it SaaS, PaaS or
IaaS. Customer responsibility commonly increases from SaaS to PaaS to IaaS.

In general, CSPs are always responsible for servers and storage. They secure
and patch the infrastructure itself, as well as configure the physical data
centers, networks and other hardware that power the infrastructure, including
virtual machines (VMs) and disks. These are usually the sole responsibilities
of CSPs in IaaS environments.

In a PaaS environment, CSPs assume more responsibility, including securing
runtime, networking, operating systems (OSes), data and virtualization. In a
SaaS environment, CSPs also provide application and middleware security.

The details of security responsibilities can vary by provider and customer. For
example, CSPs with SaaS-based offerings may or may not offer customers
visibility into the security tools they use. IaaS providers, on the other hand,
usually offer built-in security mechanisms that enable customers to access
and view CSP security tools, which may also provide customer-alerting
functionality.

CUSTOMER SECURITY RESPONSIBILITIES

To supplement the CSP security controls listed above, customers are
generally responsible for application, middleware, virtualization, data, OS,
network and runtime security in IaaS clouds. In IaaS architectures, such as
Amazon Virtual Private Cloud (VPC) or Microsoft Azure Virtual Network (VNet),
for example, customers can supplement, replace or overlay built-in
cybersecurity mechanisms with their own set of tools.

In PaaS environments, customers take on fewer security tasks, generally only
application and middleware security. SaaS environments involve even less
customer responsibility.

Regardless of cloud delivery model, however, data security and identity and access
management (IAM) are always the responsibility of the customer. Encryption and
compliance are also the responsibility of the customer.

Yet, because CSPs control and manage the infrastructure customer apps and
data operate within, adopting additional controls to further mitigate risk can be
challenging. IT security staff should get involved as early as possible when
evaluating CSPs and cloud services. Security teams must evaluate the CSP's
default security tools to determine whether additional measures will need to be
applied in-house.

Adding a company's own security tools to cloud environments is typically
done by installing one or more network-based virtual security appliances.
Customer-added tool sets enable security administrators to get granular with
specific security configurations and policy settings. Many enterprises also
often find it cost-effective to implement the same tools in their public clouds
as they have within their corporate local area networks (LANs). This prevents
administrators from having to recreate security policies in the cloud using
disparate security tools. Instead, a single security policy can be created once
and then pushed out to identical security tools, regardless of whether they are
on premises or in the cloud.

HOW TO SECURE DATA IN THE CLOUD

The steps required to secure data in the cloud vary. Factors, including the type and
sensitivity of the data to be protected, cloud architecture, accessibility of built-in and
third-party tools, and number and types of users authorized to access the data must
be considered.

Some general best practices to secure business data in the cloud include the
following:

• Encrypt data at rest, in use and in motion.

• Use two-factor authentication (2FA) or multifactor authentication
(MFA) to verify user identity before granting access.

• Adopt cloud edge security protections, including firewalls, IPSes and
antimalware.

• Isolate cloud data backups to prevent ransomware threats.

• Ensure data location visibility and control to identify where data
resides and to implement restrictions on whether data can be copied
to other locations inside or outside the cloud.

• Log and monitor all aspects of data access, additions and changes.

Emerging cybersecurity tools should also be considered to help secure data in
clouds. These include network detection and response (NDR) and artificial
intelligence (AI) for IT operations (AIOps). Both tools collect cloud infrastructure
health and cybersecurity information. AI then analyzes data and alerts administrators
of abnormal behavior that could indicate a threat.
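One concrete form of "log and monitor all aspects of data access" and of alerting on abnormal behavior, as an added example that is not part of these notes: a small Python detector that learns each user's usual source addresses from a baseline of audit events, then scans new events and flags a first-seen address, a burst of object reads inside a short window, and control-plane changes such as a bucket-policy edit. The event format, field names, thresholds and the list of sensitive actions are this example's own assumptions, and every log line is constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline: one JSON event per line, loosely modelled on the shape
# of an object-storage audit trail. These are not real logs.
BASELINE_LOG = """
{"time": "2024-05-01T09:00:00", "user": "alice", "ip": "203.0.113.10", "action": "GetObject", "target": "reports/q1.csv"}
{"time": "2024-05-01T09:05:00", "user": "alice", "ip": "203.0.113.10", "action": "PutObject", "target": "reports/q1-draft.csv"}
{"time": "2024-05-01T10:00:00", "user": "bob", "ip": "198.51.100.7", "action": "GetObject", "target": "hr/payroll.xlsx"}
"""

# Control-plane actions worth an alert every time (constructed, illustrative list).
SENSITIVE_ACTIONS = {"PutBucketPolicy", "PutUserPolicy", "AttachUserPolicy", "DeleteBucket"}


def parse_log(text: str) -> list:
    """Turn newline-delimited JSON events into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events


class AccessMonitor:
    """Learns which source addresses each user normally comes from, then scans
    new events for three shapes of abnormal behaviour."""

    def __init__(self, baseline: list):
        self.known_ips = defaultdict(set)
        for ev in baseline:
            self.known_ips[ev["user"]].add(ev["ip"])

    def scan(self, events: list, burst_threshold: int = 20,
             window: timedelta = timedelta(minutes=5)) -> list:
        alerts = []
        recent_reads = defaultdict(deque)  # per-user sliding window of read times
        burst_reported = set()
        for ev in sorted(events, key=lambda e: e["time"]):
            user, when = ev["user"], ev["time"]
            # 1. A source address this user has never used before.
            if ev["ip"] not in self.known_ips[user]:
                alerts.append({"rule": "new-source-ip", "user": user,
                               "detail": f"{ev['ip']} at {when.isoformat()}"})
                self.known_ips[user].add(ev["ip"])  # alert once per new address
            # 2. Any change to policies or to the bucket itself.
            if ev["action"] in SENSITIVE_ACTIONS:
                alerts.append({"rule": "control-plane-change", "user": user,
                               "detail": f"{ev['action']} on {ev['target']}"})
            # 3. More reads inside the window than a person would normally make.
            if ev["action"] == "GetObject":
                reads = recent_reads[user]
                reads.append(when)
                while reads and when - reads[0] > window:
                    reads.popleft()
                if len(reads) >= burst_threshold and user not in burst_reported:
                    alerts.append({"rule": "bulk-download", "user": user,
                                   "detail": f"{len(reads)} reads within {window}"})
                    burst_reported.add(user)
        return alerts


def constructed_new_log() -> str:
    """Constructed next-day events: a read from an unfamiliar address at 03:12,
    a burst of 25 reads from the same address, and a bucket-policy change."""
    lines = [
        '{"time": "2024-05-02T03:12:00", "user": "alice", "ip": "192.0.2.44", "action": "GetObject", "target": "reports/q1.csv"}',
        '{"time": "2024-05-02T09:30:00", "user": "bob", "ip": "198.51.100.7", "action": "GetObject", "target": "hr/payroll.xlsx"}',
        '{"time": "2024-05-02T09:31:00", "user": "bob", "ip": "198.51.100.7", "action": "PutBucketPolicy", "target": "hr"}',
    ]
    for i in range(25):
        t = datetime(2024, 5, 2, 3, 13) + timedelta(seconds=5 * i)
        lines.append(json.dumps({"time": t.isoformat(), "user": "alice", "ip": "192.0.2.44",
                                 "action": "GetObject", "target": f"reports/file{i}.csv"}))
    return "\n".join(lines)


def run_demo() -> list:
    monitor = AccessMonitor(parse_log(BASELINE_LOG))
    return monitor.scan(parse_log(constructed_new_log()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The rules are deliberately simple; a real deployment would tune the burst threshold per data store, add location and time-of-day baselines, and route the alerts into the SIEM listed among the SECaaS categories above.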

Top cloud security challenges

Many of the traditional cybersecurity challenges also exist in the cloud. These can
include the following:

• insider threats

• data loss

• data breaches

• IAM

• key management

• access control

• phishing

• malware

• shadow IT

• distributed denial-of-service (DDoS) attacks

• insecure application programming interfaces (APIs)

As for cloud security challenges specifically, administrators have to deal with issues
that include the following:

• cloud account hijacking;

• lack of cloud visibility and control;

• working with cloud security tools that in-house administrators may
be unfamiliar with;

• tracking and monitoring where data is located both in transit and at
rest;

• misconfigurations;

• weak cloud control plane;

• challenges understanding the shared responsibility model;

• nefarious use of cloud services;

• multi-tenancy concerns;

• incompatibilities with on-premises environments;

• cloud compliance; and

• cloud governance.

Security administrators must have plans and processes in place to identify and curb
emerging cloud security threats. These threats typically revolve around newly
discovered exploits found in applications, OSes, VM environments and other network
infrastructure components. To handle these security challenges and eliminate
emerging threats, organizations must quickly and properly update and patch
software that they control.

It's also important to establish communications channels between in-house IT and
CSP staff. In-house staff should subscribe to, monitor and digest the CSP's security
bulletin stream. If coordination between the customer and CSP is required to handle
a security incident, well-documented communications channels must be established
and continuously updated so time isn't wasted when working through a security
breach.

Cloud security best practices

There are separate SaaS best practices, PaaS best practices and IaaS best
practices. Organizations should also adhere to a number of general cloud security
best practices, including the following:

1. Understand the shared responsibility model, including the
responsibilities of your CSPs and your security team.

2. Choose your CSPs wisely. Know what security controls they offer,
and review contracts and service-level agreements (SLAs) diligently.

3. Adopt a strong, granular IAM policy to control who has access to
what. Employ the principle of least privilege (POLP), and require
strong passwords and 2FA or MFA.

4. Encrypt data at rest, in use and in motion.

5. Maintain cloud visibility through continuous monitoring.

6. Understand cloud compliance requirements and regulations.

7. Establish and enforce cloud security policies.

8. Conduct security awareness training for employees, third-party
partners and anyone accessing organizational cloud resources.

9. Segment clouds and workloads.

What are the main cloud security risks?

Most cloud security risks fit into one of these general categories:

• Data is exposed or leaked

• An unauthorized user from outside the organization has access to
internal data

• An internal, authorized user has too much access to internal data

• A malicious attack, such as a DDoS attack or a malware infection,
cripples or destroys cloud infrastructure

The goal of a cloud security strategy is to reduce the threat posed by these risks as
much as possible by protecting data, managing user authentication and access, and
staying operational in the face of an attack.

What other practices are important for keeping cloud data secure?

Implementing the above technologies (plus any additional cloud security products) is
not enough, on its own, to protect cloud data. In addition to standard cyber security
best practices, organizations that use the cloud should follow these cloud security
practices:

Proper configuration of security settings for cloud servers: When a company
does not set up their security settings properly, it can result in a data breach.
Misconfigured cloud servers can expose data directly to the wider Internet.
Configuring cloud security settings properly requires team members who are experts
in working with each cloud, and may also require close collaboration with the cloud
vendor.
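Two of the recommendations in these notes, a granular least-privilege IAM policy with MFA (best practice 3 above) and cloud storage that is not left open to the Internet (the misconfiguration just described), can both be checked mechanically before a policy is applied. The Python below is an added example, not from these notes or from any provider's tooling: it audits policy documents written in the AWS IAM JSON policy format for wildcard actions, wildcard resources, missing MFA conditions and public principals, and runs the check over an over-broad identity policy, its least-privilege replacement and a public bucket policy. All three policies are constructed; the bucket name and the wording of the findings are this example's own.

```python
import json

# Constructed over-broad identity policy in the AWS IAM JSON policy format:
# every action on every resource, no MFA condition.
OVERBROAD_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed least-privilege version: two read actions, one bucket, MFA required.
LEAST_PRIVILEGE_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports",
                     "arn:aws:s3:::example-reports/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})

# Constructed bucket (resource) policy that lets anyone on the Internet read
# the bucket: the misconfiguration the notes warn about.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-reports/*"}],
})


def _as_list(value) -> list:
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_is_public(v) for v in principal.values())
    if isinstance(principal, list):
        return any(_is_public(p) for p in principal)
    return False


def _requires_mfa(statement: dict) -> bool:
    cond = statement.get("Condition", {})
    flag = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")
    return str(flag).lower() == "true"


def audit_policy(policy_json: str) -> list:
    """Return one finding per least-privilege violation in Allow statements.
    Deny statements only narrow access and are skipped. The MFA check applies
    to identity policies only (statements without a Principal)."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {i}: allows every action (Action '*')")
        else:
            for a in actions:
                if a.endswith(":*"):
                    findings.append(f"statement {i}: allows every action of a service ({a})")
        if "*" in resources:
            findings.append(f"statement {i}: applies to every resource (Resource '*')")
        if _is_public(stmt.get("Principal")):
            findings.append(f"statement {i}: grants access to anyone (Principal '*')")
        if "Principal" not in stmt and not _requires_mfa(stmt):
            findings.append(f"statement {i}: does not require MFA")
    return findings


if __name__ == "__main__":
    for name, doc in (("over-broad", OVERBROAD_IDENTITY_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_IDENTITY_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY)):
        print(name, audit_policy(doc) or "OK")
```

A check like this belongs in the pipeline that deploys policies, so an over-broad grant or a public bucket is rejected before it reaches the cloud; the CSPM products mentioned earlier perform the same kind of evaluation continuously against what is already deployed.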

Consistent security policies across all clouds and data centers: Security measures
have to apply across a company's entire infrastructure, including public
clouds, private clouds, and on-premises infrastructure. If one aspect of a company's
cloud infrastructure — say, their public cloud service for big data processing — is not
protected by encryption and strong user authentication, attackers are more likely to
find and target the weak link.

Backup plans: As with any other type of security, there must be a plan for when
things go wrong. To prevent data from getting lost or tampered with, data should be
backed up in another cloud or on-premise. There should also be a failover plan in
place so that business processes are not interrupted if one cloud service fails. One of
the advantages of multi-cloud and hybrid cloud deployments is that different clouds
can be used as backup — for instance, data storage in the cloud can back up an
on-premise database.

User and employee education: A large percentage of data breaches occur because
a user was victimized by a phishing attack, unknowingly installed malware, used an
outdated and vulnerable device, or practiced poor password hygiene (reusing the
same password, writing their password down in a visible location, etc.). By educating
their internal employees about security, businesses that operate in the cloud can
reduce the risk of these occurrences. (The Cloudflare Learning Center is a good
resource for security education.)

❖ How does cloud security work?

Every cloud security measure works to accomplish one or more of the following:

• Enable data recovery in case of data loss
• Protect storage and networks against malicious data theft
• Deter human error or negligence that causes data leaks
• Reduce the impact of any data or system compromise

Data security is an aspect of cloud security that involves the technical end of
threat prevention. Tools and technologies allow providers and clients to insert barriers
between the access and visibility of sensitive data. Among these, encryption is one of the
most powerful tools available. Encryption scrambles your data so that it's only readable
by someone who has the encryption key. If your data is lost or stolen, it will be effectively
unreadable and meaningless. Data transit protections like virtual private networks (VPNs)
are also emphasized in cloud networks.

Identity and access management (IAM) pertains to the accessibility privileges offered
to user accounts. Managing authentication and authorization of user accounts also
applies here. Access controls are pivotal to restrict users — both legitimate and
malicious — from entering and compromising sensitive data and systems. Password
management, multi-factor authentication, and other methods fall within the scope of IAM.

Governance focuses on policies for threat prevention, detection, and mitigation.
With SMB and enterprises, aspects like threat intel can help with tracking and prioritizing
threats to keep essential systems guarded carefully. However, even individual cloud
clients could benefit from valuing safe user behavior policies and training. These apply
mostly in organizational environments, but rules for safe use and response to threats can
be helpful to any user.

Data retention (DR) and business continuity (BC) planning involve technical disaster
recovery measures in case of data loss. Central to any DR and BC plan are methods for
data redundancy such as backups. Additionally, having technical systems for ensuring
uninterrupted operations can help. Frameworks for testing the validity of backups and
detailed employee recovery instructions are just as valuable for a thorough BC plan.
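The backup plans discussed under "What other practices are important" and the DR/BC paragraph here both rest on being able to prove that a backup is intact before it is needed. As an added example (not from these notes), the Python below builds a SHA-256 manifest of a data set, verifies a copy against it, and then shows what the check reports after one file is silently corrupted and another is renamed, the two failure modes a restore test most often catches. The directory layout and file contents are constructed, and the whole run happens in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its size and
    SHA-256. Stored apart from the backup itself, this is what a restore test
    is checked against."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup (or a test restore of one) against the manifest and
    report what is missing, what no longer hashes correctly, and what appeared."""
    result = {"missing": [], "corrupt": [], "unexpected": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_of(root / rel) != expected["sha256"]:
            result["corrupt"].append(rel)
    result["unexpected"] = sorted(present - manifest.keys())
    return result


def run_demo() -> tuple:
    """Constructed scenario: back up a small tree, verify the copy, then damage
    it the way silent corruption and an encrypting intruder would, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        (primary / "db").mkdir(parents=True)
        (primary / "db" / "customers.csv").write_text("id,name\n1,constructed\n")
        (primary / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(primary)

        backup = Path(tmp) / "backup"
        shutil.copytree(primary, backup)
        clean = verify_backup(backup, manifest)

        (backup / "db" / "customers.csv").write_bytes(b"\x00" * 32)          # silent corruption
        (backup / "config.yaml").rename(backup / "config.yaml.locked")      # renamed by an intruder
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("fresh copy:", clean)
    print("after damage:", damaged)
```

Keeping the manifest somewhere the backup cannot reach (a separate account or an immutable store) is what makes the "isolate cloud data backups" advice above effective: an intruder who can rewrite the backup should not also be able to rewrite the record of what it ought to contain.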

Legal compliance revolves around protecting user privacy as set by legislative
bodies. Governments have taken up the importance of protecting private user
information from being exploited for profit. As such, organizations must follow
regulations to abide by these policies. One approach is the use of data masking, which
obscures identity within data via encryption methods.
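Data masking of the kind described above is often done with a keyed hash rather than reversible encryption, a common choice when the masked copy is used for analytics or testing and nobody downstream should be able to recover the originals. The Python below is an added example, not from these notes: it pseudonymizes identifying fields with HMAC-SHA-256 so that records for the same person still match across a data set while the values themselves cannot be recovered or guessed without the key. The records, the field list and the token format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed customer records; the personal fields are what a privacy
# regulation would treat as identifying data.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "email": "a.person@example.com", "national_id": "AB123456C", "order_total": 42.50},
    {"customer_id": 1002, "email": "other@example.org", "national_id": "ZX987654Q", "order_total": 17.00},
    {"customer_id": 1003, "email": "a.person@example.com", "national_id": "AB123456C", "order_total": 8.99},
]

# Field -> short domain label. The label is mixed into the MAC so the same value
# appearing in two different fields does not produce the same token.
FIELDS_TO_MASK = {"email": "eml", "national_id": "nid"}


def new_masking_key() -> bytes:
    """256-bit key; it belongs in the key-management service, never beside the data."""
    return secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes, domain: str) -> str:
    """Deterministic keyed token for one value. The same value and key give the
    same token, so masked rows still join; without the key the token reveals
    nothing and cannot be reversed, and a different key gives unrelated tokens."""
    mac = hmac.new(key, f"{domain}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{domain}_{mac[:20]}"


def mask_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with every identifying field replaced by its token."""
    masked = dict(record)
    for field, domain in FIELDS_TO_MASK.items():
        if field in masked:
            masked[field] = pseudonymize(str(masked[field]), key, domain)
    return masked


def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


if __name__ == "__main__":
    key = new_masking_key()
    for row in mask_dataset(SAMPLE_RECORDS, key):
        print(row)
```

Because the token is deterministic, the masked data set still answers "how many orders did this customer place"; because it is keyed, a leaked copy of the masked data cannot be turned back into addresses by hashing a list of guesses, which is the weakness of masking with a plain unkeyed hash.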

What makes cloud security different?

Traditional IT security has felt an immense evolution due to the shift to cloud-based
computing. While cloud models allow for more convenience, always-on
connectivity requires new considerations to keep them secure. Cloud security, as
a modernized cyber security solution, stands out from legacy IT models in a few
ways.

Data storage: The biggest distinction is that older models of IT relied heavily
upon onsite data storage. Organizations have long found that building all IT
frameworks in-house for detailed, custom security controls is costly and rigid.
Cloud-based frameworks have helped offload costs of system development and
upkeep, but also remove some control from users.

Scaling speed: On a similar note, cloud security demands unique attention when
scaling organization IT systems. Cloud-centric infrastructure and apps are very
modular and quick to mobilize. While this ability keeps systems uniformly adjusted
to organizational changes, it does pose concerns when an organization’s need for
upgrades and convenience outpaces their ability to keep up with security.

End-user system interfacing: For organizations and individual users alike,
cloud systems also interface with many other systems and services that must be
secured. Access permissions must be maintained from the end-user device level
to the software level and even the network level. Beyond this, providers and users
must be attentive to vulnerabilities they might cause through unsafe setup and
system access behaviors.

Proximity to other networked data and systems: Since cloud systems are a
persistent connection between cloud providers and all their users, this substantial
network can compromise even the provider themselves. In networking
landscapes, a single weak device or component can be exploited to infect the rest.
Cloud providers expose themselves to threats from many end-users that they
interact with, whether they are providing data storage or other services. Additional
network security responsibilities fall upon providers whose products previously ran
purely on end-user systems instead of on their own.

Solving most cloud security issues means that users and cloud providers — both in
personal and business environments — must both remain proactive about their
own roles in cyber security. This two-pronged approach means users and providers
mutually must address:

• Secure system configuration and maintenance.

• User safety education — both behaviourally and technically.

Ultimately, cloud providers and users must have transparency and accountability
to ensure both parties stay safe.

CLOUD SECURITY RISKS

What are the security issues in cloud computing? Because if you don’t know them,
then how are you supposed to put proper measures in place? After all, weak cloud
security can expose users and providers to all types of cyber security threats.
Some common cloud security threats include:

• Risks of cloud-based infrastructure including incompatible legacy IT
frameworks, and third-party data storage service disruptions.
• Internal threats due to human error such as misconfiguration of user access
controls.
• External threats caused almost exclusively by malicious actors, such
as malware, phishing, and DDoS attacks.

The biggest risk with the cloud is that there is no perimeter. Traditional cyber
security focused on protecting the perimeter, but cloud environments are highly
connected which means insecure APIs (Application Programming Interfaces) and
account hijacks can pose real problems. Faced with cloud computing security
risks, cyber security professionals need to shift to a data-centric approach.

Interconnectedness also poses problems for networks. Malicious actors often
breach networks through compromised or weak credentials. Once a hacker
manages to make a landing, they can easily expand and use poorly protected
interfaces in the cloud to locate data on different databases or nodes. They can
even use their own cloud servers as a destination where they can export and store
any stolen data. Security needs to be in the cloud — not just protecting access to
your cloud data.

Third-party storage of your data and access via the internet each pose their own
threats as well. If for some reason those services are interrupted, your access to
the data may be lost. For instance, a phone network outage could mean you can't
access the cloud at an essential time. Alternatively, a power outage could affect
the data center where your data is stored, possibly with permanent data loss.

Such interruptions could have long-term repercussions. A recent power outage at
an Amazon cloud data facility resulted in data loss for some customers when
servers incurred hardware damage. This is a good example of why you should have
local backups of at least some of your data and applications.

Why Cloud security is important

In the 1990s, business and personal data lived locally — and security was local as
well. Data would be located on a PC’s internal storage at home, and on enterprise
servers, if you worked for a company.

Introducing cloud technology has forced everyone to reevaluate cyber security.
Your data and applications might be floating between local and remote systems —
and always internet-accessible. If you are accessing Google Docs on your
smartphone, or using Salesforce software to look after your customers, that data
could be held anywhere. Therefore, protecting it becomes more difficult than when
it was just a question of stopping unwanted users from gaining access to your
network. Cloud security requires adjusting some previous IT practices, but it has
become more essential for two key reasons:

1. Convenience over security. Cloud computing is exponentially growing as a
primary method for both workplace and individual use. Innovation has
allowed new technology to be implemented quicker than industry security
standards can keep up, putting more responsibility on users and providers to
consider the risks of accessibility.
2. Centralization and multi-tenant storage. Every component — from core
infrastructure to small data like emails and documents — can now be
located and accessed remotely on 24/7 web-based connections. All this
data gathering in the servers of a few major service providers can be highly
dangerous. Threat actors can now target large multi-organizational data
centers and cause immense data breaches.

Unfortunately, malicious actors realize the value of cloud-based targets and
increasingly probe them for exploits. Despite cloud providers taking many security
roles from clients, they do not manage everything. This leaves even non-technical
users with the duty to self-educate on cloud security.

That said, users are not alone in cloud security responsibilities. Being aware of the
scope of your security duties will help the entire system stay much safer.

❖ Cloud security concerns – privacy

Legislation has been put in place to help protect end users from the sale and
sharing of their sensitive data. General Data Protection Regulation (GDPR)
and Health Insurance Portability and Accountability Act (HIPAA) each do their own
duties to protect privacy, limiting how data can be stored and accessed.

Identity management methods like data masking have been used to separate
identifiable features from user data for GDPR compliance. For HIPAA compliance,
organizations like healthcare facilities must make sure that their provider does
their part in restricting data access as well.

The CLOUD Act gives cloud providers their own legal limitations to adhere to,
potentially at the cost of user privacy. US federal law now permits federal-level law
enforcement to demand requested data from cloud provider servers. While this
may allow investigations to proceed effectively, this may circumvent some rights
to privacy and cause potential abuse of power.

❖ How to Secure the Cloud

Fortunately, there is a lot that you can do to protect your own data in the cloud.
Let’s explore some of the popular methods.

Encryption is one of the best ways to secure your cloud computing systems. There
are several different ways of using encryption, and they may be offered by a cloud
provider or by a separate cloud security solutions provider:
• Encryption of all communications with the cloud, in their entirety.
• Encryption of particularly sensitive data, such as account credentials.
• End-to-end encryption of all data that is uploaded to the cloud.

Within the cloud, data is more at risk of being intercepted when it is on the move.
When it's moving between one storage location and another, or being transmitted
to your on-site application, it's vulnerable. Therefore, end-to-end encryption is the
best cloud security solution for critical data. With end-to-end encryption, at no
point is your communication made available to outsiders without your encryption
key.

You can either encrypt your data yourself before storing it on the cloud, or you can
use a cloud provider that will encrypt your data as part of the service. However, if
you are only using the cloud to store non-sensitive data such as corporate graphics
or videos, end-to-end encryption might be overkill. On the other hand, for financial,
confidential, or commercially sensitive information, it is vital.

If you are using encryption, remember that the safe and secure management of
your encryption keys is crucial. Keep a key backup and ideally don't keep it in the
cloud. You might also want to change your encryption keys regularly so that if
someone gains access to them, they will be locked out of the system when you
make the changeover.

Configuration is another powerful practice in cloud security. Many cloud data
breaches come from basic vulnerabilities such as misconfiguration errors. By
preventing them, you are vastly decreasing your cloud security risk. If you don’t
feel confident doing this alone, you may want to consider using a separate cloud
security solutions provider.

Here are a few principles you can follow:

1. Never leave the default settings unchanged. Using the default settings gives a
hacker front-door access. Avoid doing this to complicate a hacker’s path
into your system.
2. Never leave a cloud storage bucket open. An open bucket could allow hackers
to see the content just by opening the storage bucket's URL.
3. If the cloud vendor gives you security controls that you can switch on, use them.
Not selecting the right security options can put you at risk.
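The "default settings" and "open bucket" principles above can be checked mechanically. The following is an added example, not code from the original text or from any provider: it audits constructed S3-style bucket policies, ACLs and a public-access-block flag for world exposure. The bucket names, the vpc-EXAMPLE placeholder and the simplified policy semantics (a wildcard principal counts as public unless a source VPC/IP/org condition scopes it) are assumptions.

```python
"""Audit constructed S3-style buckets for public exposure (added example)."""
import json

# AWS predefined groups whose ACL grants make a bucket world-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Condition keys that narrow a wildcard principal to a known source
# (simplified assumption: any of these present counts as "not public").
SCOPING_CONDITION_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                          "aws:principalorgid", "aws:sourcearn"}


def _as_list(value):
    """Policy fields may be one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous users."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _statement_is_scoped(statement):
    """A Condition on source VPC/IP/org restricts who the wildcard reaches."""
    condition = statement.get("Condition") or {}
    return any(key.lower() in SCOPING_CONDITION_KEYS
               for block in condition.values() for key in block)


def public_policy_statements(policy):
    """Sids of Allow statements that grant unscoped anonymous access."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow"
            and _principal_is_public(stmt.get("Principal"))
            and not _statement_is_scoped(stmt)]


def public_acl_grants(acl):
    """Permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [grant.get("Permission") for grant in acl.get("Grants", [])
            if grant.get("Grantee", {}).get("Type") == "Group"
            and grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def audit_bucket(bucket):
    """Combine the policy, the ACL and the account-level public access block."""
    issues = []
    if not bucket.get("block_public_access", False):
        issues.append("public access block disabled (default left unchanged)")
    issues += [f"policy statement {sid} allows anonymous access"
               for sid in public_policy_statements(bucket.get("policy", {}))]
    issues += [f"ACL grants {perm} to a public group"
               for perm in public_acl_grants(bucket.get("acl", {}))]
    return issues


# Constructed inventory: one open bucket, one correctly locked down.
SAMPLE_BUCKETS = {
    "marketing-assets": {
        "block_public_access": False,
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::marketing-assets/*"}]},
        "acl": {"Grants": [{
            "Grantee": {"Type": "Group",
                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]},
    },
    "finance-exports": {
        "block_public_access": True,
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::finance-exports/*",
            # vpc-EXAMPLE is a placeholder, not a real VPC id
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-EXAMPLE"}}}]},
        "acl": {"Grants": []},
    },
}


def audit_all(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> list of issues; an empty list means no findings."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
```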

Basic cyber security tips should also be built into any cloud implementation. Even
if you are using the cloud, standard cyber security practices shouldn’t be ignored.
So, it is worth considering the following if you want to be as secure as possible
online:
• Use strong passwords. Including a mix of letters, numbers and special
characters will make your password more difficult to crack. Try to avoid
obvious choices, like replacing an S with a $ symbol. The more random your
strings are, the better.
• Use a password manager. You will be able to give each application,
database, and service you use separate passwords, without having to
remember them all. However, you must make sure you protect your
password manager with a strong primary password.
• Protect all the devices you use to access your cloud data, including
smartphones and tablets. If your data is synchronized across numerous
devices, any one of them could be a weak link putting your entire digital
footprint at risk.
• Back up your data regularly so that in the event of a cloud outage or data loss
at your cloud provider, you can restore your data fully. That backup could be
on your home PC, on an external hard drive, or even cloud-to-cloud, as long
as you are certain the two cloud providers don't share infrastructure.
• Modify permissions to prevent any individual or device from having access
to all your data unless it is necessary. For instance, businesses will do this
through database permission settings. If you have a home network, use
guest networks for your children, for IoT devices, and for your TV. Save your
'access all areas' pass for your own usage.
• Protect yourself with anti-virus and anti-malware software. Hackers can
access your account easily if malware makes its way into your system.
• Avoid accessing your data on public Wi-Fi, particularly if it doesn't use
strong authentication. If you have to, use a virtual private network (VPN) to
protect your gateway to the cloud.

❖ Cloud storage and file sharing

Cloud computing security risks can affect everyone from businesses to individual
consumers. For example, consumers can use the public cloud for storing and
backing up files (using SaaS services like Dropbox), for services like email and
office applications, or for doing tax forms and accounts.

If you use cloud-based services then you may need to consider how you share cloud
data with others, particularly if you work as a consultant or freelancer. While
sharing files on Google Drive or another service may be an easy way to share your
work with clients, you may need to check that you are managing permissions
properly. After all, you will want to ensure that different clients cannot see each
other’s names or directories or alter each other’s files.

Remember that many of these commonly available cloud storage services don't
encrypt data. If you want to keep your data secure through encryption, you will
need to use encryption software to do it yourself before you upload the data. You
will then have to give your clients a key, or they won't be able to read the files.

❖ Check your cloud provider's security

Security should be one of the main points to consider when it comes to choosing a
cloud security provider. That’s because your cyber security is no longer just your
responsibility: cloud security companies must do their part in creating a secure
cloud environment — and share the responsibility for data security.

Unfortunately, cloud companies are not going to give you the blueprints to their
network security. This would be equivalent to a bank providing you with details of
their vault — complete with the combination numbers to the safe.

However, getting the right answers to some basic questions gives you better
confidence that your cloud assets will be safe. In addition, you will be more aware
of whether your provider has properly addressed obvious cloud security risks. We
recommend asking your cloud provider some of the following questions:

• Security audits: “Do you conduct regular external audits of your security?”
• Data segmentation: “Is customer data logically segmented and kept
separate?”
• Encryption: “Is our data encrypted? What parts of it are encrypted?”
• Customer data retention: “What customer data retention policies are being
followed?”
• User data retention: “Is my data properly deleted if I leave your cloud
service?”
• Access management: “How are access rights controlled?”

You will also want to make sure you’ve read your provider’s terms of service (TOS).
Reading the TOS is essential to understanding if you are receiving exactly what you
want and need.

Be sure to check that you also know all the services used with your provider. If your
files are on Dropbox or backed up on iCloud (Apple's storage cloud), that may well
mean they are actually held on Amazon's servers. So, you will need to check out
AWS as well as the service you are using directly.

❖ Hybrid Cloud Security Solutions

Hybrid cloud security services can be a very smart choice for clients in SMB and
enterprise spaces. They are most viable for SMB and enterprise applications since
they are generally too complex for personal use. But it’s these organizations that
could use the blend of scale and accessibility of the cloud with onsite control of
specific data.

Here are a few security benefits of hybrid cloud security systems:

Segmentation of services can help an organization control how their data is
accessed and stored. For example, placing more sensitive data onsite while
offloading other data, applications, and processes into the cloud can help you
layer your security appropriately. In addition, separating data can improve your
organization’s ability to remain legally compliant with data regulations.

Redundancy can also be accomplished via hybrid cloud environments. By running
daily operations from public cloud servers and backing up systems on local data
servers, organizations can keep their operations moving in the case that one data
center is taken offline or infected with ransomware.

SMB Cloud Security Solutions

While enterprises can insist on a private cloud — the internet equivalent of owning
your own office building or campus — individuals and smaller businesses must
manage with public cloud services. This is like sharing a serviced office or living in
an apartment block with hundreds of other tenants. Therefore, your security needs
to be a prime concern.

In small to medium business applications, you will find that cloud security largely
rests with the public providers you use. However, there are measures you can take
to keep yourself safe:

• Multi-tenant data segmentation: Businesses must be sure that their data
cannot be accessed by any other clients of their cloud vendors. Whether
housed in segmented servers, or carefully encrypted, be sure segmentation
measures are in place.
• User access controls: Controlling permissions might mean throttling user
access to an inconvenient level. However, going restrictive and working
backward to find a balance can be much safer than allowing loose
permissions to permeate your network.
• Legal data compliance: Keeping your data compliant with international
regulations like GDPR is critical to avoid heavy fines and reputation damage.
Make sure measures like data masking and classification of sensitive data are
a priority for your organization.
• Careful scaling of cloud systems: With the rapid implementation of cloud
systems, be sure you take time to check your organization's systems for
security over convenience. Cloud services can quickly become sprawling to
the point of lacking regulation.

Enterprise Cloud Security Solutions

Since cloud computing is now used by over 90% of larger enterprises, cloud
security is a vital part of corporate cyber security. Private cloud services and other
more costly infrastructure may be viable for enterprise-level organizations.
However, you will still have to ensure your internal IT is on top of maintaining the
entire surface area of your networks.

For large-scale enterprise use, cloud security can be far more flexible if you make
some investments into your infrastructure.

There are a few key takeaways to keep in mind:

• Actively manage your accounts and services: If you don't use a service or
software anymore, close it down properly. Hackers can gain easy access to
an entire cloud network via old, dormant accounts through unpatched
vulnerabilities.
• Multi-factor authentication (MFA): This could be biometric data such as
fingerprints, or a password and separate code sent to your mobile device. It
is time-consuming, but useful for your most sensitive data.
• Evaluate the cost-benefits of hybrid cloud: Segmenting your data is far more
important in enterprise use, as you will be handling much larger quantities of
data. You need to make sure your data is separate from other customers'
data, whether it's separately encrypted or logically segmented for separate
storage. Hybrid cloud services can help with this.
• Be wary of shadow IT: Educating your employees to avoid using unauthorized
cloud services on your networks or for company work is essential. If
sensitive data is communicated over unsecured channels, your organization
may be exposed to malicious actors or legal issues.

So, whether you are an individual user, SMB user, or even enterprise-level cloud
user — it is important to make sure that your network and devices are as secure as
possible. This starts with having a good understanding of basic cyber security on
an individual user level, as well as ensuring that your network and all devices are
protected using a robust security solution that is built for the cloud.

What Is Cloud Computing?
Cloud computing—the cloud—now dominates worldwide as a means of accessing
resources over the internet. It allows organizations to entrust some of their data,
apps, and infrastructure to third-party cloud providers that may store, manage, or
secure those resources.

Cloud Service Types

SaaS offerings, storage, and various platform and infrastructure services are
available from public cloud service providers such as Amazon Web
Services (AWS), Microsoft Azure, and Google Cloud.

There are four subtypes of cloud infrastructure deployment:

• Private cloud: Dedicated infrastructure used by one organization and owned
by a third party or the organization itself, which is responsible for its security
management. Common users include governments, financial firms, and
others with especially sensitive data to secure.
• Public cloud: Infrastructure owned by a third party and shared among
multiple organizations, which also share security responsibilities with the
provider per a shared responsibility model. Public cloud services such as
Google Workspace and Microsoft 365 are widely used globally.
• Hybrid cloud: A combination of private and public deployment where an
organization uses each for its strengths, such as scalability (public cloud) or
stricter controls (private cloud). Common users include DevOps teams or
others in need of flexible, configurable systems.
• Multicloud: Shared infrastructure, generally used by organizations that need
access to the same applications and/or have the same segmentation and
privacy requirements (e.g., PCI DSS). Enterprises worldwide use multicloud
environments to access various vendors’ services.

There are also four main cloud service models:

• Software as a service (SaaS): Complete software solutions delivered from
the cloud, which can be free or paid (e.g., Google Docs)
• Platform as a service (PaaS): Cloud-delivered tools developers can use to
build, test, and deploy applications in a scalable environment
• Infrastructure as a service (IaaS): Virtualized infrastructure, managed by a
third party, onto which an organization can install software
• Functions as a service (FaaS): Similar to PaaS, but suited to individual
functions of apps, which can be spun up or down very quickly

Cloud Security: The Shared Responsibility Model

A shared responsibility model is a cloud security and risk framework that
delineates which cybersecurity processes and responsibilities lie with a cloud
service provider (CSP) and which lie with the customer. With more IT architectures
moving to the cloud, a shared responsibility model promotes tighter security and
establishes accountability as it relates to the security of the cloud.

55.1% of organizations use more than one cloud provider, and 66.7% have public
cloud storage buckets.

Pros and Cons of Cloud Security

When you move your resources off your network, perimeter-style defenses don’t
work anymore, forcing you to re-evaluate how to most effectively support user
productivity, identify security issues, mitigate vulnerabilities, block malware, and
prevent data loss.

This is where cloud security comes in, bringing a whole slate of benefits, but not
without some potential risks. Let’s look briefly at some of the most notable points.

Pros

• Scalability to meet security needs as an organization grows and evolves
• Increased visibility and security for cloud resources and unique endpoint
devices
• Cost savings through reduced on-premises infrastructure and associated
upkeep costs
• Centralized management to simplify monitoring, control, and enforcement
of security policies
• Redundancy through multiple points of presence to support disaster
recovery efforts
• Automatic updates to ensure rapid protection against the latest
vulnerabilities

Cons

• Risk of misconfigurations that leave data vulnerable to unauthorized access
and hackers
• Compliance concerns with regard to government or industry data handling
regulations
• Latency and data privacy/sovereignty issues if the provider lacks global
points of presence

At a glance, these cons might seem alarming—but with due diligence and the right
partner, you can eliminate them.

Cloud Security vs. Traditional Network Security

Network security stacks were designed to protect enterprise networks, not the
cloud. They can’t provide the comprehensive cybersecurity today’s SaaS apps,
high-bandwidth services, and mobile users need. To do that without added costs or
complexity, you need a multitenant security platform that scales elastically. You’ll
never get that with a traditional network security architecture.

The best way to secure apps, workloads, cloud data, and users—no matter where
they are—is to move security and access controls to the cloud.

Benefits of Cloud Security

A comprehensive cloud security platform provides:
• Built-in security services and cloud access controls that give you visibility
into all traffic traversing your distributed cloud and on-premises
infrastructure
• Insight into every request—by user, location, server, and endpoint device
around the world—in seconds through one interface
• API integrations with SD-WAN, cloud access security broker (CASB), IAM,
and endpoint protection services to further strengthen your security posture

Common Cloud Security Challenges

Although it can greatly ease security management and increase visibility, cloud
security comes with its share of challenges, underscoring how important it is to
find the right partner.

1. Identity and Access Control

Cloud providers continue to add more services, and the average number of distinct
entitlements for these services now exceeds 5,000. This volume of entitlements
can be challenging to manage using traditional identity and access management
(IAM) approaches.

2. Logging, Monitoring, and Incident Response

Comprehensive and accurate logs are a cornerstone of effective incident
response. Many organizations’ existing solutions are ill-equipped for the volume of
data cloud computing tends to produce, and are unable to reliably collect
complete logs.
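As an added example (not from the original text), the detections below run over constructed CloudTrail-style ConsoleLogin events, the kind of log this section says incident response depends on: a successful console sign-in without MFA, a burst of failed sign-ins for one user, and activity from an account dormant for more than 90 days, which ties back to the advice on dormant accounts and MFA in the enterprise takeaways above. The user names, addresses, and the 90-day and five-failures-in-ten-minutes thresholds are assumptions; the field names follow the CloudTrail record shape but the values are made up.

```python
"""Sign-in detections over CloudTrail-style ConsoleLogin events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90                              # assumed dormancy threshold
FAILED_BURST_THRESHOLD = 5                     # assumed: 5 failures ...
FAILED_BURST_WINDOW = timedelta(minutes=10)    # ... within 10 minutes

# Constructed events in the shape of CloudTrail ConsoleLogin records.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
] + [
    # six failed sign-ins for carol, two minutes apart
    {"eventTime": f"2024-03-01T09:{minute:02d}:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "192.0.2.55",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}}
    for minute in range(0, 12, 2)
] + [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-svc"},
     "sourceIPAddress": "192.0.2.200",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

# Constructed IAM inventory: last recorded activity before this log window.
LAST_SEEN = {
    "alice": "2024-02-28T17:00:00Z",
    "bob": "2024-02-29T09:00:00Z",
    "carol": "2024-02-27T12:00:00Z",
    "legacy-svc": "2023-06-15T03:00:00Z",   # untouched for about nine months
}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def _user(event):
    return event.get("userIdentity", {}).get("userName", "<unknown>")

def _console_logins(events, outcome):
    return [e for e in events if e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == outcome]

def logins_without_mfa(events):
    """Users with a successful console sign-in where MFA was not used."""
    return [_user(e) for e in _console_logins(events, "Success")
            if e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]

def failed_login_bursts(events):
    """Users with >= FAILED_BURST_THRESHOLD failures inside the sliding window."""
    failures = defaultdict(list)
    for e in _console_logins(events, "Failure"):
        failures[_user(e)].append(_ts(e["eventTime"]))
    flagged = []
    span = FAILED_BURST_THRESHOLD - 1
    for user, times in failures.items():
        times.sort()
        if any(times[i + span] - times[i] <= FAILED_BURST_WINDOW
               for i in range(len(times) - span)):
            flagged.append(user)
    return flagged

def dormant_account_activity(events, last_seen=LAST_SEEN):
    """Users active in this window whose previous activity is older than DORMANT_DAYS."""
    flagged = []
    for e in events:
        user = _user(e)
        if user not in last_seen or user in flagged:
            continue
        if _ts(e["eventTime"]) - _ts(last_seen[user]) > timedelta(days=DORMANT_DAYS):
            flagged.append(user)
    return flagged

def run_detections(events=SAMPLE_EVENTS):
    """Run all three detections and return their hits by name."""
    return {"no_mfa": logins_without_mfa(events),
            "failed_bursts": failed_login_bursts(events),
            "dormant_reactivated": dormant_account_activity(events)}

if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```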

3. Storage and Encryption

Queueing and notification services often hold sensitive information before it’s
processed and proper security measures are applied. The sensitivity of this is
frequently overlooked—many services lack server-side encryption.

4. Cloud Ransomware

Cloud environments are still vulnerable to cyberattacks. Attackers most
commonly infiltrate environments by taking advantage of misconfigurations or
poor security practices, such as over-permissioned access, insufficient policy
controls, or weak passwords.

5. Supply Chain Attacks in the Cloud

Sharing data and access with third parties, such as suppliers and contractors,
opens cloud environments to greater risk of supply chain attacks, making the
monitoring and management of third-party access a key priority for security teams.

68% of organizations have external users (from outside the organization, via role
delegation or guest users) with admin permissions to the cloud environment.

❖ Why the Cloud Offers Better Protection Than Appliances

Protecting users with consistent and enforceable policies requires more than URL
or web filtering. That’s why thousands of organizations have already moved their IT
security from appliances to secure cloud services. Let’s glance at some of the
key differences.

a. Enterprise-Wide Protection

Appliance-based security requires security stacks at all egress points or
backhauling traffic over costly MPLS links from branch offices and remote sites.
Mobile users go unprotected.

Cloud-based security extends users the same protection whether they’re in the
HQ, branch offices, on the road, or at home.

b. Integrated Security

With appliance-based security, appliances from different vendors often work in
isolation, with no simple way to aggregate their data to understand security issues.

With cloud-based security, integrated security controls and cloud services
correlate information to give you a complete picture of your entire network.

c. User Experience

With appliance-based security, every appliance between your users and the
internet causes latency. If users have to VPN into the data center, their experience
is even worse.

Cloud-based security with Zscaler provides fast local breakouts, and our Single-
Scan Multi-Action technology enables our security services to scan
simultaneously for faster performance.

d. IT Complexity

With appliance-based security, maintaining appliances from multiple vendors is
expensive and difficult, requiring continuous patching and upgrades.

Cloud-based security consolidates point products into an integrated platform;
there's no hardware or software to buy or manage.

e. Intelligence

With appliance-based security, point products generally apply a single technique
to identify threats and pass the data on to the next appliance, applying patches
when available.

Cloud-based security from Zscaler integrates intelligence from countless sources,
so when a threat is detected anywhere in the cloud, protection is deployed
everywhere.

f. Value

Appliance-based security is expensive to purchase, and as threats increase, you're
forced to buy more appliances as well as replace old ones.

Zscaler cloud-based security moves security from capex to opex for about the
price of a cup of coffee per user per month.

4 Pillars of Cloud Security

Cloud security aims to protect more than just the perimeter, bringing security all
the way down to the data. Some of the most common measures include:

• Identity and access management (IAM) to help provision access to resources
in cloud environments. IAM also helps you prevent unauthorized access to
data, apps, and infrastructure shared across clouds.
• Data loss prevention (DLP) to monitor and inspect data to prevent
exfiltration. DLP is an essential element of cloud computing security that a
traditional security model can’t carry out effectively.
• Data encryption to encode data so that attackers can’t interpret it without
decrypting it. Encryption also helps establish trust and preserve anonymity,
and is required by various privacy regulations worldwide.
• Security information and event management (SIEM) to analyze security logs
in real time, giving your security team increased visibility over your cloud
ecosystem.

These are core security technologies, but with today’s savvy threat actors and
growing compliance requirements, cloud security has had to evolve to keep up.

How Is Cloud Security Evolving?

The global technology landscape is evolving, and so is cloud security. More
recently, two of the most important concepts are security service edge (SSE) and
zero trust.

SSE solves fundamental challenges related to remote work, the cloud, secure edge
computing, and digital transformation, providing secure access to the internet,
SaaS and cloud apps, and your organization’s private apps.

Zero trust, a key component of SSE, is also seeing rapid adoption. Based on
the idea that no user or entity should be inherently trusted, a zero trust approach
grants access to data and apps based on specific context—identity, content,
location, device, and more—while delivering enhanced user experiences.

What is cloud application security?

Cloud applications are versatile and agile because they can be created and
deployed very quickly, but this also makes them prone to security risks. Many
cloud applications in industries such as manufacturing, public services,
healthcare, retail, education, and utilities are exposed to a wide range of
application vulnerabilities.

Cloud application security is a combination of policies, processes, and controls
that help reduce the risk of cloud-based application compromise or failure from
external or internal threats.

❖ The 6 Pillars of Robust Cloud Security

While cloud providers such as Amazon Web Services (AWS), Microsoft
Azure (Azure), and Google Cloud Platform (GCP) offer many cloud native security
features and services, supplementary third-party solutions are essential to
achieve enterprise-grade cloud workload protection from breaches, data leaks,
and targeted attacks in the cloud environment. Only an integrated cloud-
native/third-party security stack provides the centralized visibility and policy-
based granular control necessary to deliver the following industry best practices:

1. Granular, policy-based IAM and authentication controls across
complex infrastructures

Work with groups and roles rather than at the individual IAM level to make it
easier to update IAM definitions as business requirements change. Grant
only the minimal access privileges to assets and APIs that are essential for a
group or role to carry out its tasks. The more extensive the privileges, the
stronger the authentication should be. And don’t neglect good IAM hygiene,
enforcing strong password policies, permission time-outs, and so on.
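An added example, not code from the original text or from any vendor, that lints constructed IAM-style identity policies for the points this pillar makes: wildcard actions and resources, NotAction (which grants everything not listed), privileged statements that carry no MFA condition, and policies attached to individual users instead of groups or roles. The list of "privileged" action prefixes, the read-only verb convention and the 111122223333 account id are assumptions made here.

```python
"""Least-privilege linter for constructed IAM-style policies (added example)."""

# Heuristics assumed here, not a provider-defined list.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")
READ_ONLY_VERBS = ("Describe", "List", "Get")


def _as_list(value):
    """Policy fields may be one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(action):
    return action == "*" or action.endswith(":*")


def _is_read_only(action):
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_VERBS)


def _requires_mfa(statement):
    """True if a Condition limits the statement to MFA-authenticated sessions."""
    condition = statement.get("Condition") or {}
    return any(key.lower() == "aws:multifactorauthpresent"
               for block in condition.values() for key in block)


def lint_statement(stmt):
    """Findings for one Allow statement (Deny statements cannot be over-broad)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no Sid>")
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    uses_not_action = "NotAction" in stmt
    if uses_not_action:
        findings.append(f"{sid}: NotAction grants every action not listed")
    findings += [f"{sid}: wildcard action {a}" for a in actions if _is_wildcard(a)]
    if "*" in resources and not all(_is_read_only(a) for a in actions):
        findings.append(f"{sid}: Resource * on non-read-only actions")
    privileged = uses_not_action or any(
        _is_wildcard(a) or a.startswith(PRIVILEGED_PREFIXES) for a in actions)
    if privileged and not _requires_mfa(stmt):
        findings.append(f"{sid}: privileged statement without an MFA condition")
    return findings


def lint_policy(policy):
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        findings.extend(lint_statement(stmt))
    return findings


def lint_attachments(attachments):
    """Policies bound to individual users rather than to groups or roles."""
    return [f"{a['policy_name']} attached directly to user {a['attached_to']}"
            for a in attachments if a["attached_to_type"] == "User"]


# Constructed policies; 111122223333 is a placeholder account id.
SAMPLE_POLICIES = {
    "AdminEverything": {"Version": "2012-10-17", "Statement": [
        {"Sid": "All", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "EverythingButS3": {"Version": "2012-10-17", "Statement": [
        {"Sid": "NotS3", "Effect": "Allow", "NotAction": "s3:*", "Resource": "*"}]},
    "ReadOnlyInventory": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Inventory", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"],
         "Resource": "*"}]},
    "KeyAdminWithMfa": {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdmin", "Effect": "Allow",
         "Action": ["kms:CreateKey", "kms:ScheduleKeyDeletion"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
}
SAMPLE_ATTACHMENTS = [
    {"policy_name": "AdminEverything", "attached_to_type": "User",
     "attached_to": "dave"},
    {"policy_name": "ReadOnlyInventory", "attached_to_type": "Group",
     "attached_to": "auditors"},
]


def lint_all(policies=SAMPLE_POLICIES, attachments=SAMPLE_ATTACHMENTS):
    """Findings per policy plus attachment findings."""
    return {"policies": {name: lint_policy(p) for name, p in policies.items()},
            "attachments": lint_attachments(attachments)}


if __name__ == "__main__":
    report = lint_all()
    for name, hits in report["policies"].items():
        print(name, hits or "ok")
    print(report["attachments"])
```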

2. Zero-trust cloud network security controls across logically
isolated networks and micro-segments

Deploy business-critical resources and apps in logically isolated sections of
the provider’s cloud network, such as Virtual Private Clouds (AWS and
Google) or vNET (Azure). Use subnets to micro-segment workloads from
each other, with granular security policies at subnet gateways. Use
dedicated WAN links in hybrid architectures, and use static user-defined
routing configurations to customize access to virtual devices, virtual
networks and their gateways, and public IP addresses.
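An added example, not from the original text or any provider: a default-deny evaluation of the subnet-gateway ingress rules for a constructed three-tier VPC (web, app, db), plus an audit that flags any rule broader than the tier model permits. The address ranges, ports, tier model and the two deliberately over-broad rules are assumptions.

```python
"""Default-deny micro-segmentation check for a constructed VPC (added example)."""
import ipaddress

# Constructed subnets, one per tier (RFC 1918 ranges).
SUBNETS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}

# Assumed tier model: (source tier, destination tier) -> ports that may be
# initiated in that direction. "any" means any source, the internet included.
TIER_MODEL = {
    ("any", "web"): {443},
    ("web", "app"): {8443},
    ("app", "db"): {5432},
}

# Ingress rules at each subnet gateway: (source CIDR, destination port).
# Two are deliberately too broad so the audit has something to find.
RULES = {
    "web": [("0.0.0.0/0", 443), ("0.0.0.0/0", 22)],         # SSH open to the world
    "app": [("10.0.1.0/24", 8443), ("10.0.0.0/16", 8443)],  # whole VPC, not just web
    "db": [("10.0.2.0/24", 5432)],
}


def tier_of(ip):
    """Tier owning an address, or "external" if it is in none of the subnets."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "external"


def flow_allowed(src_ip, dst_ip, port, rules=RULES):
    """Default deny: a flow passes only if a rule at the destination gateway matches."""
    dst_tier = tier_of(dst_ip)
    src = ipaddress.ip_address(src_ip)
    return any(port == rule_port and src in ipaddress.ip_network(cidr)
               for cidr, rule_port in rules.get(dst_tier, []))


def _covered_tiers(net):
    """Tiers a source range touches; "external" if it reaches beyond the subnets."""
    tiers = {name for name, subnet in SUBNETS.items() if subnet.overlaps(net)}
    if not any(net.subnet_of(subnet) for subnet in SUBNETS.values()):
        tiers.add("external")
    return tiers


def audit_rules(rules=RULES, model=TIER_MODEL):
    """Rules that admit some source/port pair the tier model does not allow."""
    findings = []
    for dst_tier, entries in rules.items():
        for cidr, port in entries:
            if port in model.get(("any", dst_tier), set()):
                continue
            if all(port in model.get((src, dst_tier), set())
                   for src in _covered_tiers(ipaddress.ip_network(cidr))):
                continue
            findings.append(f"{dst_tier} gateway: {cidr} -> {port} exceeds tier model")
    return findings


if __name__ == "__main__":
    for line in audit_rules():
        print(line)
    # What the over-broad app rule permits: a db host reaching the app tier.
    print("db -> app on 8443 allowed:", flow_allowed("10.0.3.9", "10.0.2.5", 8443))
```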

3. Enforcement of virtual server protection policies and processes
such as change management and software updates

Cloud security vendors provide robust Cloud Security Posture Management,
consistently applying governance and compliance rules and templates
when provisioning virtual servers, auditing for configuration deviations, and
remediating automatically where possible.

4. Safeguarding all applications (and especially cloud-native
distributed apps) with a next-generation web application firewall

This granularly inspects and controls traffic to and from web application
servers, automatically updates WAF rules in response to traffic behavior
changes, and is deployed closer to microservices that are running
workloads.

5. Enhanced data protection

Enhanced data protection with encryption at all transport layers, secure file
shares and communications, continuous compliance risk management, and
maintaining good data storage resource hygiene such as detecting
misconfigured buckets and terminating orphan resources.

6. Threat intelligence that detects and remediates known and
unknown threats in real-time

Third-party cloud security vendors add context to the large and diverse
streams of cloud-native logs by intelligently cross-referencing aggregated
log data with internal data such as asset and configuration management
systems, vulnerability scanners, etc. and external data such as public threat
intelligence feeds, geolocation databases, etc. They also provide tools that
help visualize and query the threat landscape and promote quicker incident
response times. AI-based anomaly detection algorithms are applied to
catch unknown threats, which then undergo forensics analysis to determine
their risk profile. Real-time alerts on intrusions and policy violations shorten
times to remediation, sometimes even triggering auto-remediation
workflows.

CloudGuard Solutions

Check Point’s unified CloudGuard cloud security platform integrates seamlessly
with the providers’ cloud-native security services to ensure that cloud users
uphold their part of the Shared Responsibility Model and maintain Zero Trust
policies across all the pillars of cloud security: access control, network security,
virtual server compliance, workload and data protection, and threat intelligence.

CLOUD SECURITY OBJECTIVES

Cloud security objectives are the specific goals that an organization sets out
to achieve in order to protect its cloud-based infrastructure, applications, and
data. These objectives should be aligned with the organization's overall
security strategy and business goals.

Some common cloud security objectives include:

• Confidentiality: Protecting data from unauthorized access or disclosure.
• Integrity: Ensuring that data is accurate and complete, and that it has not
been tampered with.
• Availability: Ensuring that data and applications are accessible to authorized
users when they need them.
• Compliance: Meeting all relevant security regulations and standards.
• Risk Mitigation: Reducing the likelihood and impact of security incidents.

In addition to these general objectives, organizations may also have specific cloud security objectives related to their own unique needs and environment. For example, an organization that stores sensitive customer data in the cloud may have an objective to achieve PCI DSS compliance. Or, an organization that relies heavily on cloud-based applications may have an objective to maintain 99.99% uptime.

Cloud security objectives should be specific, measurable, achievable, relevant, and time-bound. This will help organizations to track their progress and ensure that they are meeting their goals.

Here are some examples of specific, measurable cloud security objectives:

• Reduce the number of data breaches by 50% within one year.
• Achieve PCI DSS compliance by the end of the third quarter.
• Maintain 99.99% uptime for all cloud-based applications.
• Reduce the time it takes to detect and respond to security incidents to 4 hours or less.

By setting clear and measurable cloud security objectives, organizations can better
protect their data, applications, and systems from a wide range of threats.

Here is a more elaborate explanation of each of the cloud security objectives listed above:

1. Confidentiality

Confidentiality is the protection of data from unauthorized access or disclosure. In the context of cloud security, this means ensuring that only authorized users can access data stored in the cloud. This can be achieved through a variety of measures, such as:

• Identity and access management (IAM): IAM systems allow organizations to control who has access to cloud resources and what they can do with them.
• Data encryption: Data encryption scrambles data so that it cannot be read without the appropriate decryption key. This helps to protect data from unauthorized access, even if it is intercepted.
• Access control lists (ACLs): ACLs allow organizations to specify who can access specific cloud resources and what operations they can perform on those resources.

2. Integrity

Integrity is the assurance that data is accurate and complete, and that it has not been tampered with. In the context of cloud security, this means ensuring that cloud-based data and applications are not modified or corrupted without authorization. This can be achieved through a variety of measures, such as:

• Data hashing: Data hashing is a technique that creates a unique fingerprint of a piece of data. This fingerprint can be used to verify the integrity of the data by comparing it to the original fingerprint.
• Digital signatures: Digital signatures are a type of cryptography that can be used to verify the authenticity and integrity of digital data.
• Audit logging: Audit logging tracks all activity on cloud resources. This can be used to detect unauthorized changes to data or applications.
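The hashing and signature measures just listed, as an added example that is not part of the original notes: each stored object is fingerprinted with SHA-256 into a manifest, the manifest itself is authenticated with HMAC-SHA256 (a symmetric stand-in for a digital signature so the code needs only the standard library), and a later check reports every object as ok, tampered, missing or unexpected. The object names, contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample objects standing in for files held in a cloud bucket.
OBJECTS = {
    "invoices/2023-q1.csv": b"id,amount\n1,100\n2,250\n",
    "config/app.yaml": b"debug: false\nregion: eu-west-1\n",
}

# Constructed key for the demo; in practice it lives in a secrets manager, not in source.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: the 'unique fingerprint' of one object."""
    return hashlib.sha256(data).hexdigest()


def canonical(obj_digests: dict) -> bytes:
    # Sorted keys and fixed separators so identical content always MACs identically.
    return json.dumps(obj_digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(objects: dict, key: bytes) -> dict:
    """Fingerprint every object, then authenticate the whole manifest.

    HMAC-SHA256 stands in for a digital signature here; an asymmetric signature
    would additionally let readers verify without holding the signing key.
    """
    digests = {name: fingerprint(data) for name, data in objects.items()}
    mac = hmac.new(key, canonical(digests), hashlib.sha256).hexdigest()
    return {"objects": digests, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Catch an attacker who edits the manifest so it matches tampered data."""
    expected = hmac.new(key, canonical(manifest["objects"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking match information through timing.
    return hmac.compare_digest(expected, manifest["mac"])


def check_integrity(manifest: dict, objects: dict, key: bytes) -> dict:
    """Return a per-object verdict: ok, tampered, missing or unexpected."""
    if not manifest_is_authentic(manifest, key):
        # Nothing recorded in an unauthenticated manifest can be trusted.
        return {"manifest": "untrusted"}
    verdicts = {}
    for name, recorded in manifest["objects"].items():
        if name not in objects:
            verdicts[name] = "missing"
        elif fingerprint(objects[name]) != recorded:
            verdicts[name] = "tampered"
        else:
            verdicts[name] = "ok"
    for name in objects.keys() - manifest["objects"].keys():
        verdicts[name] = "unexpected"  # present in storage, never recorded
    return verdicts


def demo() -> dict:
    """Build a manifest, then simulate unauthorized changes and detect them."""
    manifest = build_manifest(OBJECTS, MANIFEST_KEY)
    current = dict(OBJECTS)
    current["invoices/2023-q1.csv"] = b"id,amount\n1,100\n2,2500\n"  # one digit altered
    current["notes.txt"] = b"left behind"                              # unrecorded object
    del current["config/app.yaml"]                                    # deleted object
    return check_integrity(manifest, current, MANIFEST_KEY)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:10} {name}")
```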

3. Availability

Availability is the assurance that data and applications are accessible to authorized users when they need them. In the context of cloud security, this means protecting cloud-based resources from outages and disruptions. This can be achieved through a variety of measures, such as:

• Redundancy: Redundancy involves replicating cloud resources across multiple geographic locations. This helps to ensure that resources are still available even if one location experiences an outage.
• Load balancing: Load balancing distributes traffic across multiple cloud resources. This helps to improve performance and scalability, and it can also help to prevent outages if one resource becomes overloaded.
• Disaster recovery: Disaster recovery plans outline the steps that an organization will take to recover from a major outage or disaster. This helps to ensure that the organization can quickly resume operations in the event of a disruption.

4. Compliance

Compliance is the adherence to all relevant security regulations and standards. In the context of cloud security, this means ensuring that cloud-based resources are configured and managed in accordance with applicable regulations. This can be achieved through a variety of measures, such as:

• Risk assessments: Risk assessments help organizations to identify and mitigate security risks in their cloud environments.
• Security policies and procedures: Security policies and procedures outline the specific security measures that must be implemented in the cloud environment.
• Security audits: Security audits help organizations to verify that their cloud environments are compliant with all applicable regulations and standards.

5. Risk Mitigation

Risk mitigation is the reduction of the likelihood and impact of security incidents. In the context of cloud security, this means implementing a variety of measures to protect cloud-based resources from threats. This can include measures such as:

• Security awareness training: Security awareness training helps employees to identify and avoid common security threats.
• Vulnerability management: Vulnerability management involves identifying and patching vulnerabilities in cloud resources.
• Security monitoring: Security monitoring involves continuously monitoring cloud resources for suspicious activity.
• Incident response: Incident response plans outline the steps that an organization will take to respond to and recover from a security incident.

By implementing a comprehensive cloud security program that addresses all of these objectives, organizations can significantly reduce the risk of a security breach or other incident.

Software Requirements of a secure cloud

The software requirements of a secure cloud vary depending on the specific needs of the organization. However, there are some general software requirements that are essential for all secure clouds. These include:

• Cloud security platform (CSP): A CSP is a software suite that provides a variety of security features for cloud-based environments. This may include features such as IAM, encryption, data loss prevention (DLP), and security monitoring.

• Security information and event management (SIEM): A SIEM solution collects and analyzes security logs from across the cloud environment. This helps organizations to identify and respond to security incidents quickly.

• Vulnerability assessment and management (VAM): A VAM solution identifies and prioritizes vulnerabilities in cloud resources. This helps organizations to patch vulnerabilities before they can be exploited by attackers.

• Cloud access security broker (CASB): A CASB is a security gateway that sits between the cloud environment and the internet. It can be used to enforce security policies, control access to cloud resources, and inspect traffic for malicious activity.

In addition to these general software requirements, organizations may also need to implement additional software to meet their specific security needs. For example, an organization that stores sensitive customer data in the cloud may need to implement a DLP solution to prevent data leakage. Or, an organization that uses cloud-based applications for critical business processes may need to implement a disaster recovery solution to ensure that the applications remain available in the event of an outage.

When choosing software for a secure cloud, it is important to consider the following
factors:

• Security features: The software should provide the features that the organization needs to meet its security objectives.

• Ease of use: The software should be easy to use and manage.

• Scalability: The software should be scalable to meet the organization's growing needs.

• Vendor support: The software vendor should provide good technical support.

By implementing a comprehensive software solution that addresses all of these requirements, organizations can significantly improve the security of their cloud environments.

Cloud security platform (CSP)

A CSP is a software suite that provides a variety of security features for cloud-based environments. These features may include:

• Identity and access management (IAM): IAM allows organizations to control who has access to cloud resources and what they can do with them.

• Data encryption: Encrypts data so that it cannot be read without the appropriate decryption key.

• Data loss prevention (DLP): Monitors and blocks the unauthorized movement of sensitive data.

• Security monitoring: Tracks all activity on cloud resources and alerts on suspicious activity.

• Vulnerability assessment and management (VAM): Identifies and prioritizes vulnerabilities in cloud resources.

• Web application firewall (WAF): Protects web applications from common attacks.

• Intrusion detection and prevention system (IDS/IPS): Detects and blocks malicious traffic to and from cloud resources.

Security information and event management (SIEM)

A SIEM solution collects and analyzes security logs from across the
cloud environment. This helps organizations to:

• Identify security incidents quickly. SIEM solutions can identify security incidents by correlating logs from different sources and looking for patterns of suspicious activity.

• Investigate security incidents efficiently. SIEM solutions can provide investigators with the information they need to quickly understand the scope and impact of a security incident.

• Respond to security incidents effectively. SIEM solutions can help organizations to prioritize security incidents and take the appropriate action to mitigate the damage.
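The cross-source correlation described in the first bullet, as an added example that is not from the original notes: constructed log lines from two sources (an identity service and object storage) are merged by time, a run of failed logins followed by a success from the same address raises one alert, and a burst of object reads by that account shortly afterwards raises a second, correlated alert. The thresholds, field names and the 203.0.113.x / 198.51.100.x addresses (documentation ranges) are assumptions, not any provider's log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines logs from two sources, in the merged form an aggregator delivers.
RAW_LOGS = """\
{"ts": "2023-04-25T10:00:05Z", "source": "auth", "event": "LoginFailure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2023-04-25T10:00:09Z", "source": "auth", "event": "LoginFailure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2023-04-25T10:00:14Z", "source": "auth", "event": "LoginFailure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2023-04-25T10:00:20Z", "source": "auth", "event": "LoginSuccess", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2023-04-25T10:01:00Z", "source": "storage", "event": "GetObject", "user": "alice", "src_ip": "203.0.113.7", "key": "customers/1.csv"}
{"ts": "2023-04-25T10:01:02Z", "source": "storage", "event": "GetObject", "user": "alice", "src_ip": "203.0.113.7", "key": "customers/2.csv"}
{"ts": "2023-04-25T10:01:03Z", "source": "storage", "event": "GetObject", "user": "alice", "src_ip": "203.0.113.7", "key": "customers/3.csv"}
{"ts": "2023-04-25T10:01:05Z", "source": "storage", "event": "GetObject", "user": "alice", "src_ip": "203.0.113.7", "key": "customers/4.csv"}
{"ts": "2023-04-25T10:01:06Z", "source": "storage", "event": "GetObject", "user": "alice", "src_ip": "203.0.113.7", "key": "customers/5.csv"}
{"ts": "2023-04-25T10:02:00Z", "source": "auth", "event": "LoginFailure", "user": "bob", "src_ip": "198.51.100.4"}
{"ts": "2023-04-25T10:30:00Z", "source": "auth", "event": "LoginSuccess", "user": "bob", "src_ip": "198.51.100.4"}
{"ts": "2023-04-25T10:31:00Z", "source": "storage", "event": "GetObject", "user": "bob", "src_ip": "198.51.100.4", "key": "reports/q1.pdf"}
"""

# Assumed tuning values; a real SIEM exposes these per rule.
FAILURE_THRESHOLD = 3                  # failed logins that make a following success suspicious
FAILURE_WINDOW = timedelta(minutes=5)  # ...if they happened this close to the success
BULK_READ_THRESHOLD = 5                # object reads after a suspicious login
BULK_READ_WINDOW = timedelta(minutes=10)


def parse(raw: str) -> list:
    """Parse JSON lines and order them by time so rules see events in sequence."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list) -> list:
    """Run both rules over the merged stream; each alert names its evidence."""
    alerts = []
    failures = defaultdict(list)   # (user, src_ip) -> timestamps of failed logins
    suspicious_logins = {}         # user -> time of a success that followed a failure run
    reads = defaultdict(list)      # user -> storage reads inside the bulk-read window

    for e in events:
        key = (e["user"], e["src_ip"])
        if e["source"] == "auth" and e["event"] == "LoginFailure":
            failures[key].append(e["ts"])
        elif e["source"] == "auth" and e["event"] == "LoginSuccess":
            recent = [t for t in failures[key] if e["ts"] - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                suspicious_logins[e["user"]] = e["ts"]
                alerts.append({"rule": "brute_force_success", "user": e["user"],
                               "src_ip": e["src_ip"], "failures": len(recent), "ts": e["ts"]})
            failures[key].clear()  # a success ends the attempt sequence either way
        elif e["source"] == "storage" and e["event"] == "GetObject":
            login_ts = suspicious_logins.get(e["user"])
            if login_ts is None or e["ts"] - login_ts > BULK_READ_WINDOW:
                continue  # reads by accounts with a clean login are not correlated
            reads[e["user"]].append(e["ts"])
            if len(reads[e["user"]]) == BULK_READ_THRESHOLD:  # fire exactly once
                alerts.append({"rule": "bulk_read_after_suspicious_login", "user": e["user"],
                               "reads": BULK_READ_THRESHOLD, "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(RAW_LOGS)):
        print(a["ts"].isoformat(), a["rule"], a["user"])
```

Bob's single failure 28 minutes before his success never reaches the threshold, so his later read stays uncorrelated, which is the false-positive case the window guards against.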

Vulnerability assessment and management (VAM)

A VAM solution identifies and prioritizes vulnerabilities in cloud resources. This helps organizations to patch vulnerabilities before they can be exploited by attackers.

VAM solutions typically work by scanning cloud resources for known vulnerabilities. Once vulnerabilities have been identified, the VAM solution can prioritize them based on the severity of the vulnerability and the likelihood of it being exploited.

Cloud access security broker (CASB)

A CASB is a security gateway that sits between the cloud environment and the internet. It can be used to:

• Enforce security policies. A CASB can be used to enforce security policies for cloud access, such as requiring users to authenticate before accessing cloud resources.

• Control access to cloud resources. A CASB can be used to control access to cloud resources based on user identity, role, and device.

• Inspect traffic for malicious activity. A CASB can be used to inspect traffic for malicious activity, such as malware and phishing attacks.

Additional software requirements

In addition to the general software requirements listed above, organizations may also need to implement additional software to meet their specific security needs. For example:

• Data loss prevention (DLP): DLP software monitors and blocks the unauthorized movement of sensitive data. This may be required for organizations that must comply with regulations such as PCI DSS or HIPAA.

• Disaster recovery (DR): DR software helps organizations to recover from outages and disasters. This may be required for organizations that rely on cloud-based applications for critical business processes.

• Compliance management software: Compliance management software helps organizations to comply with relevant security regulations and standards. This may be required for organizations that operate in regulated industries.

In addition to the software requirements listed above, there are a number of other requirements that are essential for a secure cloud. These include:

• Security policies and procedures: Organizations should have written security policies and procedures in place that cover all aspects of cloud security. These policies and procedures should be regularly reviewed and updated to ensure that they are effective.

• Security training: Employees should be trained on security policies and procedures, as well as how to identify and avoid common security threats.

• Security testing: Organizations should regularly test their cloud environments for vulnerabilities and security configuration issues.

• Security monitoring: Organizations should monitor their cloud environments for suspicious activity on a continuous basis.

• Incident response: Organizations should have an incident response plan in place to quickly and effectively respond to security incidents.

By implementing all of these requirements, organizations can significantly reduce the risk of a security breach or other incident in their cloud environments.

Here are some additional requirements that organizations may want to consider:

• Encryption at rest: Encryption at rest encrypts data when it is stored in the cloud. This helps to protect data from unauthorized access, even if the cloud provider is compromised.

• Encryption in transit: Encryption in transit encrypts data as it is transmitted between the cloud environment and on-premises systems. This helps to protect data from interception during transmission.

• Multi-factor authentication (MFA): MFA requires users to provide two or more factors of authentication to access cloud resources. This helps to prevent unauthorized access, even if an attacker has stolen a user's password.

• Least privilege: The least privilege principle states that users should only be granted the access and permissions that they need to perform their job duties. This helps to reduce the risk of unauthorized access to cloud resources.

• Segmentation: Segmentation divides the cloud environment into multiple segments, each with its own security controls. This helps to contain the impact of a security breach in one segment from spreading to other segments of the environment.

By implementing these additional requirements, organizations can further improve the security of their cloud environments.

Cloud Security (Risks, Best Practices, Certifications)

Cloud security encompasses the technologies, controls, processes, and policies which combine to protect your cloud-based systems, data, and infrastructure. It is a sub-domain of computer security and, more broadly, information security.

It is a shared responsibility between you and your cloud service provider. You implement a cloud security strategy to protect your data, adhere to regulatory compliance, and protect your customers’ privacy. This in turn protects you from the reputational, financial, and legal ramifications of data breaches and data loss.

Cloud security is a critical requirement for all organizations, especially with the latest research from (ISC)2 reporting that 93% of organizations are moderately or extremely concerned about cloud security, and one in four organizations confirming a cloud security incident in the past 12 months.

In this article, we will create a comprehensive guide to cloud security. You’ll explore the security risks of moving to the cloud, understand why cloud security is required, and discover cloud security best practices. We’ll also cover topics like how to assess a cloud service provider’s security and identify the certifications and training to improve your cloud security.

How Does Cloud Security Work?

Cloud security is a complex interaction of technologies, controls, processes, and policies, a practice that is highly personalized to your organization’s unique requirements.

As such, there’s no single explanation that encompasses how cloud security ‘works’.

Thankfully, there is a widely established set of strategies and tools you can use to achieve a robust cloud security setup. These include:

Identity and Access Management

All companies should have an Identity and Access Management (IAM) system to control access to information. Your cloud provider will either integrate directly with your IAM or offer their own in-built system. An IAM combines multi-factor authentication and user access policies, helping you control who has access to your applications and data, what they can access, and what they can do to your data.

Physical Security

Physical security is another pillar of cloud security. It is a combination of measures to prevent direct access and disruption of hardware housed in your cloud provider’s datacenter. Physical security includes controlling direct access with security doors, uninterrupted power supplies, CCTV, alarms, air and particle filtration, fire protection, and more.

Threat Intelligence, Monitoring, and Prevention

Threat Intelligence, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) form the backbone of cloud security. Threat Intelligence and IDS tools deliver functionality to identify attackers who are currently targeting your systems or will be a future threat. IPS tools implement functionality to mitigate an attack and alert you to its occurrence so you can also respond.

Encryption

Using cloud technology, you are sending data to and from the cloud
provider’s platform, often storing it within their
infrastructure. Encryption is another layer of cloud security to protect
your data assets, by encoding them when at rest and in transit. This
ensures the data is near impossible to decipher without a decryption
key that only you have access to.

Cloud Vulnerability and Penetration Testing

Another practice to maintain and improve cloud security is vulnerability
and penetration testing. These practices involve you – or your provider
– attacking your own cloud infrastructure to identify any potential
weaknesses or exploits. You can then implement solutions to patch
these vulnerabilities and improve your security stance.

Micro-Segmentation

Micro-segmentation is increasingly common in implementing cloud security. It is the practice of dividing your cloud deployment into distinct security segments, right down to the individual workload level.

By isolating individual workloads, you can apply flexible security policies to minimize any damage an attacker could cause, should they gain access.

Next-Generation Firewalls

Next-Generation firewalls are another piece of the cloud security puzzle. They protect your workloads using traditional firewall functionality and newer advanced features. Traditional firewall protection includes packet filtering, stateful inspection, proxying, IP blocking, domain name blocking, and port blocking.

Next-generation firewalls add in an intrusion prevention system, deep packet inspection, application control, and analysis of encrypted traffic to provide comprehensive threat detection and prevention.

Here at Kinsta, we secure all websites behind the Google Cloud Platform (GCP) Firewall, which offers state-of-the-art protection and the ability to integrate closely with other GCP security solutions.

What are the cloud security requirements? Why is cloud security necessary?

1. Identity and Access Management: Cloud security requires the implementation of identity and access management solutions to ensure that only authorized users have access to the cloud environment.

2. Data Security: Data stored in the cloud must be secured with encryption and other security measures to protect it from unauthorized access.

3. Network Security: Cloud security requires the implementation of secure networks to protect the cloud environment from external threats.

4. Application Security: Cloud security requires the implementation of secure applications to protect the cloud environment from malicious attacks.

5. Compliance: Organizations must ensure that their cloud environment meets all applicable laws and regulations.

Cloud security is necessary to protect confidential data and prevent unauthorized access to the cloud environment. It is also important to ensure that cloud resources are used in a secure and efficient manner. Furthermore, cloud security is necessary to ensure that cloud services are compliant with applicable laws and regulations.

Data Privacy and Integrity in Cloud

Data privacy and integrity in the cloud are two of the most important concerns for organizations that are considering moving their data to the cloud.

Data privacy refers to the protection of personal data from unauthorized access, use, or disclosure. Data integrity refers to the accuracy and completeness of data.

Cloud providers offer a variety of features and services to help organizations protect their data privacy and integrity, including:

• ENCRYPTION: Encryption scrambles data so that it can only be read by authorized users. Cloud providers offer both encryption at rest and encryption in transit.

• ACCESS CONTROL: Access control lists and role-based access control (RBAC) can be used to restrict access to cloud resources to authorized users.

• AUDITING: Auditing logs track all activity on cloud resources. This information can be used to detect and investigate suspicious activity.

• DATA LOSS PREVENTION (DLP): DLP systems can be used to prevent sensitive data from being leaked or lost.

In addition to the security measures provided by cloud providers, organizations can also take steps to protect their own data privacy and integrity, such as:

• Encrypting sensitive data before storing it in the cloud: This will help to protect the data in case it is accessed by unauthorized users.

• Using strong passwords and multi-factor authentication: This will help to prevent unauthorized access to cloud accounts.

• Educating employees about data privacy and integrity: Employees should be trained on how to protect data from unauthorized access and disclosure.

• Regularly reviewing data privacy and integrity policies and procedures: This will help to ensure that the organization's data is protected from the latest threats.

Organizations can also use third-party cloud security solutions to help protect their data privacy and integrity. These solutions can provide additional security features, such as intrusion detection and prevention systems (IDS/IPS), web application firewalls (WAFs), and cloud access security brokers (CASBs).

By taking these steps, organizations can help to ensure that their data is
protected in the cloud.

Here are some additional tips for protecting data privacy and integrity in
the cloud:

• Choose a reputable cloud provider: Make sure that the cloud provider you choose has a good track record of security and compliance.

• Read the cloud provider's terms of service and privacy policy: Make sure that you understand the cloud provider's policies on data privacy and security.

• Use a cloud security posture management (CSPM) tool: A CSPM tool can help you to identify and remediate security risks in your cloud environment.

• Monitor your cloud environment for suspicious activity: Use security monitoring tools to track activity on your cloud resources and to detect any suspicious activity.

• Have a plan for responding to security incidents: Make sure that you have a plan in place to respond to security incidents in your cloud environment.

Data integrity in the cloud is the practice of ensuring that data is accurate and
complete. This is important because inaccurate or incomplete data can lead to bad
decisions being made.

Cloud providers typically have a number of security measures in place to protect data integrity, including:

• Error detection and correction (EDC): EDC systems detect and correct errors in data.

• Data redundancy: Data redundancy involves storing multiple copies of data so that if one copy is lost or corrupted, the other copies can be used to recover the data.

• Data backup: Data backup involves regularly backing up data so that it can be restored in the event of data loss.

In addition to the security measures provided by cloud providers, organizations can also take steps to protect their own data integrity in the cloud, such as:

• Implementing data quality checks: Data quality checks can be used to identify and correct errors in data.

• Using a data governance framework: A data governance framework can help to ensure that data is managed properly and that data integrity is maintained.

• Regularly auditing data: Data auditing can be used to identify and investigate any problems with data integrity.

By taking these steps, organizations can help to ensure that their data
privacy and integrity are protected in the cloud.

Additional tips for protecting data privacy and integrity in the cloud:

• Choose a reputable cloud provider: Make sure that the cloud provider
you choose has a good track record of security and compliance.

• Use a cloud access security broker (CASB): A CASB can help you to
enforce security policies and monitor activity on your cloud resources.

• Segment your cloud environment: Dividing your cloud environment into segments can help to reduce the risk of unauthorized access to data.

• Educate employees about cloud security: Employees should be trained on how to protect data from unauthorized access and disclosure.

• Have a plan for responding to security incidents: Make sure that you have a plan in place to respond to security incidents in your cloud environment.

By following these tips, organizations can help to protect their data privacy
and integrity in the cloud.

DATA PRIVACY IN THE CLOUD

Data privacy is a complex issue, and there are a number of different factors that organizations need to consider when moving their data to the cloud. One of the most important factors is the jurisdiction in which the cloud provider's data centers are located. Organizations need to make sure that the cloud provider complies with the data privacy laws of the jurisdictions in which they operate.

Another important factor to consider is the type of data that the organization will be storing in the cloud. Some types of data, such as personal data and financial data, are more sensitive than others. Organizations need to make sure that the cloud provider has the necessary security measures in place to protect this type of data.

Data integrity in the cloud

Data integrity is also a complex issue, and there are a number of different
factors that organizations need to consider when moving their data to the
cloud. One of the most important factors is the cloud provider's disaster
recovery plan. Organizations need to make sure that the cloud provider has
a plan in place to recover data in the event of a disaster.

Another important factor to consider is the cloud provider's data backup policy. Organizations need to make sure that the cloud provider backs up their data regularly and that the backups are stored in a secure location.

Cloud security posture management (CSPM)

CSPM is a cloud security discipline that helps organizations to identify and remediate security risks in their cloud environment. CSPM tools can help organizations to:

• Identify security risks: CSPM tools can scan cloud environments for security risks, such as misconfigurations, vulnerabilities, and suspicious activity.

• Remediate security risks: CSPM tools can help organizations to remediate security risks by providing recommendations and remediating actions.

• Monitor cloud environments for security risks: CSPM tools can monitor cloud environments for security risks and alert organizations to any potential threats.
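An added example, not from the original notes, of the misconfiguration scan a CSPM tool performs. It checks the controls listed earlier under additional requirements (encryption at rest and in transit, MFA, least privilege, segmentation) plus public bucket exposure, and reports each finding with a severity and a remediation. The inventory schema, field names and the arn:example resource string are constructed for the demo and follow no particular provider's API.

```python
import json

# Constructed inventory in the shape a CSPM tool assembles from provider APIs;
# every name and field here is a placeholder, not a real provider schema.
INVENTORY = json.loads("""
{
  "buckets": [
    {"name": "customer-exports", "public": true, "encryption_at_rest": false, "tls_only": false},
    {"name": "app-config", "public": false, "encryption_at_rest": true, "tls_only": true}
  ],
  "users": [
    {"name": "alice", "console_access": true, "mfa_enabled": true},
    {"name": "svc-deploy", "console_access": true, "mfa_enabled": false}
  ],
  "policies": [
    {"name": "deploy-policy", "statements": [{"effect": "Allow", "action": ["*"], "resource": "*"}]},
    {"name": "reader", "statements": [{"effect": "Allow", "action": ["storage:GetObject"], "resource": "arn:example:bucket/app-config/*"}]}
  ],
  "security_groups": [
    {"name": "db-sg", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 5432, "cidr": "10.0.1.0/24"}]},
    {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}
  ]
}
""")

ADMIN_PORTS = {22, 3389, 3306, 5432}  # management and database ports (assumed list)
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def finding(severity, resource, control, detail, fix):
    return {"severity": severity, "resource": resource, "control": control,
            "detail": detail, "fix": fix}


def check_buckets(buckets):
    """Public exposure plus the encryption-at-rest and encryption-in-transit requirements."""
    out = []
    for b in buckets:
        if b["public"]:
            out.append(finding("HIGH", b["name"], "access control", "bucket is publicly readable",
                               "block public access and grant reads through IAM"))
        if not b["encryption_at_rest"]:
            out.append(finding("MEDIUM", b["name"], "encryption at rest", "default encryption disabled",
                               "enable server-side encryption with a managed key"))
        if not b["tls_only"]:
            out.append(finding("MEDIUM", b["name"], "encryption in transit", "plaintext requests accepted",
                               "add a bucket policy that denies non-TLS requests"))
    return out


def check_users(users):
    """MFA requirement: every interactive user needs a second factor."""
    return [finding("HIGH", u["name"], "multi-factor authentication", "console user without MFA",
                    "require MFA before issuing a session")
            for u in users if u["console_access"] and not u["mfa_enabled"]]


def is_wildcard(action):
    return action == "*" or action.endswith(":*")


def check_policies(policies):
    """Least privilege: Allow statements granting wildcard actions on every resource."""
    out = []
    for p in policies:
        for s in p["statements"]:
            if s["effect"] == "Allow" and s["resource"] == "*" and any(map(is_wildcard, s["action"])):
                out.append(finding("HIGH", p["name"], "least privilege",
                                   "Allow with wildcard action on all resources",
                                   "scope actions and resources to the role's actual needs"))
    return out


def check_security_groups(groups):
    """Segmentation: admin ports must not be reachable from the whole internet."""
    out = []
    for g in groups:
        for rule in g["ingress"]:
            if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
                out.append(finding("HIGH", g["name"], "segmentation",
                                   f"port {rule['port']} open to 0.0.0.0/0",
                                   "restrict the source to a bastion or VPN range"))
    return out


def scan(inventory):
    """Run every check; most severe findings first, then by resource name."""
    findings = (check_buckets(inventory["buckets"]) + check_users(inventory["users"])
                + check_policies(inventory["policies"])
                + check_security_groups(inventory["security_groups"]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["resource"]))


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f['severity']:6} {f['resource']:16} {f['control']}: {f['detail']} -> {f['fix']}")
```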

Cloud access security broker (CASB)

A CASB is a security solution that sits between an organization's on-premises network and the cloud. CASBs can help organizations to:

• Enforce security policies: CASBs can enforce security policies on cloud traffic, such as data encryption and access control.

• Monitor cloud activity: CASBs can monitor cloud activity for suspicious activity.

• Protect data from unauthorized access: CASBs can help to protect data from unauthorized access, even if the data is stored in the cloud.

CONCLUSION

Data privacy and integrity are two of the most important concerns for
organizations that are considering moving their data to the cloud. By taking the
necessary precautions, organizations can help to protect their data and ensure
that it is used in a responsible and ethical manner.

Your Guide to Data Privacy and Information Protection on Cloud

By Team Cloud4c

25 Apr, 2023


Data privacy and information protection have become pressing issues in today’s technologically evolved era, where data is considered the new oil. The massive volumes of data that companies gather and process daily have made them attack hotspots for cybercriminals. Cloud computing is a technology that has changed the way organizations manage and store their data. However, as companies migrate their data to the cloud, there is an urgency to ensure that data privacy and protection are maintained. This blog will deep dive into the world of data privacy and protection powered by the cloud and explore the measures that companies can take to ensure uncompromised data security. But before that, let’s take a quick look at how cloud cyber threats are evolving at a lightning speed.

Navigating the Threat Landscape

Cyber criminals are employing new technologies to expand their reach, evade capture, and boost the productivity of their operations. Cloud computing providers are constantly being targeted owing to their relatively lax registration processes and their limited capacity for fraud detection.

• Identity, authentication, and access management - These issues
include not deploying multi-factor authentication, improperly
configuring access points, employing weak passwords, non-availability
of scalable identity management systems, and not automating the
regular rotation of cryptographic keys, passwords, and certificates.
• Vulnerable public APIs - Application programming interfaces must be
protected against both unintentional and intentional attempts for
accessing sensitive data, starting from authentication and access
control to encryption and activity monitoring.
• Account turnover - Attackers may attempt to monitor user
interactions and transactions, manipulate data, provide false
information, and direct users to malicious websites.
• Malicious insiders - A present or former employee or contractor with
access to a company's network, systems, or data may purposefully
misuse that access in a way that it amounts to data breach or
hampers the organization's information systems' availability.
• Data sharing - A lot of cloud services are designed to make data
sharing seamless between businesses. This expands the attack
surface areas for hackers who now have more potential targets for
breaching sensitive data.

Cloud Computing: Making Data Protection and Privacy a Part of Your Business in Every Aspect

The cloud allows users to access and store data and applications online. Instead of using traditional servers, it allows businesses to store and process data in big data centers. Businesses can benefit from cloud computing in many ways, including cost savings, scalability, and agility. Privacy of data is one of them.

Protecting personal information from unauthorized access or use is known as data privacy. Data privacy is made more tedious by cloud computing because businesses no longer have control over their data. To manage and store their data, they depend on cloud service providers, which can increase vulnerabilities. Selecting a trustworthy cloud service provider that complies with data privacy laws like GDPR, CCPA, and HIPAA is essential.

Data protection lets you take precautions to protect data from cyberattacks, data breaches, or data loss. Security issues specific to cloud computing include unauthorized access, data breaches, and data loss. Cloud service providers are required to implement adequate security measures to safeguard the data of their clients. Data encryption, access control, and multi-factor authentication are required as part of these security measures.

Best Practices for data privacy and protection on Cloud
Selecting a Trustworthy Cloud Service Provider
Selecting a trustworthy cloud service provider is one of the most crucial
steps in ensuring data privacy and protection. Companies should check if the
cloud service providers enjoy a good reputation and strictly comply with
data privacy laws. An adequate security system, including data encryption,
access control, and multi-factor authentication, should be offered by
the cloud service provider.
Maintaining Data Confidentiality
A fundamental aspect of data protection is preserving data confidentiality.
Remote data storage, the lack of a network perimeter, third-party cloud
service providers, multi-tenancy, and extensive infrastructure sharing all
raise the risk of data breaches. Preserving the confidentiality of the
sensitive data of all users and associates connected with the system is
therefore crucial. Additionally, because enterprise cloud landscapes often
combine new technologies and legacy systems in a hybrid model, they
invariably create new security risks through flaws in both system design
and implementation. The trade-off between data security and usability,
together with system scalability and dynamics, makes it challenging to
provide satisfactory security assurance in terms of data confidentiality.
Is Data Encryption the Best Way? Key Questions to Answer
The simplest way to guarantee data confidentiality is to encrypt all
sensitive data when it is being stored, processed, and transmitted by cloud
servers. However, there are several subtle and difficult issues to be
addressed with data encryption, which we can list as follows.

• How can data decryption keys be efficiently distributed to authorized
cloud users?
• How can user dynamics, particularly user revocation, be handled
effectively?
• How can data dynamics be handled effectively in terms of data
modification?
• How can user accountability be ensured?
• How can computing be enabled over encrypted data?

The first three questions touch on the subject of key management. In
large-scale application scenarios, efficient key distribution is a particularly
complex problem. As providing elastic and scalable computing resources to
potentially large-scale applications is a fundamental aspect of cloud
computing, it is very likely that the system will support both a large volume
of data and a sizable user base. When users enter the system, it can be
difficult to efficiently and securely distribute the key(s) to authorized
users because typically the data owner must remain online to provide the
key distribution service. Additionally, user revocation, which is a problem in
conventional cryptography, is yet another deterrent. User revocation
frequently entails broadcasting to every user in the system and/or
re-encrypting any cloud-stored data that has already been encrypted. In
large-scale systems, the ideal solution is one that can make data encryption
an independent task with little impact on the key distribution process,
meaning that any data modification or re-encryption does not result in an
update or new distribution of the decryption key. Special consideration
should be given to the system design and selection of the underlying
cryptographic primitive(s) for this purpose. Such a problem is specifically
connected to data access control based on cryptography.
Data access privileges in encryption-based solutions are determined by
possession of the necessary decryption key(s). This makes it possible for
malicious users who have legitimate access to data to abuse it by handing
the decryption keys to unauthorized users. One way to stop such key abuse
is to protect the data decryption key with tamper-resistant hardware on the
user's end. This prevents a potentially malicious user from extracting the
key while still allowing him or her to decrypt data. Tamper-resistant
devices are made in such a way that when tampered with, the sensitive data,
such as the decryption key, is zeroed out or the chip simply breaks. This
severely restricts attackers, because now the only way a malicious user can
misuse the key is by sharing the physical device with others. However,
because the malicious user is in physical possession of the device, it is
possible to launch attacks that get past the device's internal security
mechanisms, such as chosen-message attacks, fingerprinting attacks, and
others. As an alternative to such proactive methods, the problem of key
abuse can also be handled with reactive methods.
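
The envelope-encryption pattern that the key management discussion above points at, written out as an added Go example (illustrative code written for this page, not code from the original notes or from any cloud provider). It assumes one symmetric key-encryption key (KEK) per user, delivered out of band, standing in for the user's public key; the data-encryption key (DEK) travels with the data in wrapped form, so the owner need not stay online to distribute keys, data updates reuse the DEK without any new distribution, and revocation shows the re-encryption cost the text describes. User names and the sample plaintext are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the cloud stores: the file under a data-encryption key (DEK) plus
// the DEK wrapped once per user, so the owner need not stay online to hand out keys.
type Envelope struct {
	Data       []byte            // nonce || AES-GCM ciphertext of the file
	WrappedDEK map[string][]byte // user -> nonce || AES-GCM ciphertext of the DEK
}

// Owner holds the current DEK and one key-encryption key (KEK) per user. The KEKs are an
// assumption of this example: symmetric keys delivered out of band, in place of public keys.
type Owner struct {
	dek  []byte
	keks map[string][]byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects tampered ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt seals plaintext under the current DEK and wraps the DEK for every user.
// Data updates reuse the DEK, so they need no new key distribution.
func (o *Owner) Encrypt(plaintext []byte) (*Envelope, error) {
	data, err := seal(o.dek, plaintext)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Data: data, WrappedDEK: map[string][]byte{}}
	for user, kek := range o.keks {
		if env.WrappedDEK[user], err = seal(kek, o.dek); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Revoke drops a user and rotates the DEK; the envelope must be re-encrypted and
// re-wrapped for the remaining users, which is the revocation cost the text describes.
func (o *Owner) Revoke(user string, env *Envelope) error {
	plaintext, err := open(o.dek, env.Data)
	if err != nil {
		return err
	}
	delete(o.keks, user)    // the revoked user gets no copy of the new DEK
	o.dek = randomBytes(32) // a saved copy of the old DEK no longer opens this envelope
	fresh, err := o.Encrypt(plaintext)
	if err == nil {
		*env = *fresh
	}
	return err
}

// Decrypt is the user side: unwrap the DEK with one's own KEK, then open the data.
func Decrypt(env *Envelope, user string, kek []byte) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK[user]) // missing entry -> "too short" error
	if err != nil {
		return nil, fmt.Errorf("user %q cannot unwrap the DEK: %w", user, err)
	}
	return open(dek, env.Data)
}
```

Usage: build an Owner with `keks` for each user, call `Encrypt` to produce the envelope the cloud stores, and let users call `Decrypt` with their own KEK. Note that `Revoke` re-encrypts only the envelope it is given; any other envelope still sealed under the old DEK stays readable by a revoked user who kept that DEK, which is exactly why revocation is expensive at scale.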
Data Prioritization Methods
Removing sensitive data and storing only non-sensitive data in the cloud is
an alternative strategy for maintaining data confidentiality. For instance, to
protect user privacy when working with data containing personally
identifiable information (PII), the uniquely identifying information would be
removed. This method is comparable to the principles of database
k-anonymity and its improvements. Compared with data encryption, this
approach keeps the efficiency and flexibility of data processing intact.
Since key distribution and management are no longer necessary, it also
greatly reduces the complexity of system management. The main drawback of
this solution is that removing the sensitive information results in
information loss: while maintaining data confidentiality, it renders the
data useless in many application scenarios.

Another technique is referred to as "information-centric" protection. With
this approach, the data is encrypted with a usage policy of some sort. The
system will launch a program that checks the environment against the data
usage policy each time the data is accessed. The data will be decrypted,
and a secure virtualization environment will be created if the verifying
program determines that the environment is secure enough. Applications in
this secure environment can access the data in plaintext.
Enabling Data Integrity on Cloud
Another crucial security concern in cloud computing is data integrity. Data
integrity is required for data stored on cloud servers as well as for
communications between cloud users and cloud servers. Particularly when
outsourcing valuable data assets for storage in the cloud, cloud users may
have serious concerns about data integrity. The potentially long lifespan of
outsourced data makes it more susceptible to intentional or unintentional
modification, corruption, or deletion, whether through sloppy system
maintenance or through cost-cutting efforts.
While the problem of data integrity for communications can be solved using
off-the-shelf methods like message integrity codes, the problem of data
integrity for data storage appears to be more challenging for the following
reasons:
First, cloud users may not be ready to rely fully on cloud service providers
to protect data integrity. This is because cloud services are typically
offered by independent contractors who do not necessarily enjoy the same
level of trust as cloud users themselves. Although service level agreements
and other mechanisms help cloud users and cloud service providers build
trust relationships, providers may occasionally engage in intentional or
unintentional misconduct that prevents cloud users from having complete
confidence in the integrity of their data.
Second, timely service for data integrity should be offered. This is due to
the fact that in practical applications, it is frequently too late for cloud
users to discover data corruption at the point of data retrieval. This is
especially true for the long-term storage of large volumes of data because
many portions or blocks of data may not be accessed frequently over an
extended period of time.
Third, cloud users must not only actively participate in the "self-served"
data integrity check but also provide the necessary knowledge and
computing power. But in the world of cloud, users' skill levels and resources
range widely. It turns out that the majority of cloud users might not be
able to perform a data integrity check on their own.
The best solution would be a data integrity protection mechanism that
supports frequent integrity checks on large volumes of data while
allowing third-party verification and data dynamics. Cryptographic
techniques can be used to offer robust data integrity protection.
Concretely, message authentication codes (MACs) can be used for data
integrity as follows. Before outsourcing a data file, the data owner (cloud
user) locally generates a small number of MACs over it and keeps them on
hand. Whenever the owner later retrieves the file, recalculating the MAC of
the received data and comparing it to the locally pre-computed value lets
the owner check the data's integrity.
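
The MAC-based check just described, as an added Go example written for this page (not code from the original notes). The file is split into fixed-size blocks and the owner keeps one HMAC per block locally; the block index is bound into each tag, so the server cannot hide a corrupted block by returning an intact block from elsewhere in the file. BlockSize, the sample file and the key handling are constructed for the example; checking a single block lets the owner spot-check rarely accessed data without downloading everything, which is the "many blocks may not be accessed for a long time" case raised above.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// BlockSize is the unit of integrity checking. It is tiny here so the constructed
// sample file spans several blocks; real deployments use kilobytes or more.
const BlockSize = 16

// Tags is the owner's locally kept state: the MAC key and one HMAC per block of
// the outsourced file. None of it is sent to the cloud.
type Tags struct {
	key  []byte
	macs [][]byte
}

// blockTag binds each tag to its position, so the server cannot satisfy a check
// on a corrupted block by returning a different, intact block in its place.
func blockTag(key []byte, index int, block []byte) []byte {
	mac := hmac.New(sha256.New, key)
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], uint64(index))
	mac.Write(idx[:])
	mac.Write(block)
	return mac.Sum(nil)
}

func splitBlocks(data []byte) [][]byte {
	var blocks [][]byte
	for start := 0; start < len(data); start += BlockSize {
		end := start + BlockSize
		if end > len(data) {
			end = len(data)
		}
		blocks = append(blocks, data[start:end])
	}
	return blocks
}

// ComputeTags runs once, on the owner's side, before the file is outsourced.
func ComputeTags(file []byte) *Tags {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	t := &Tags{key: key}
	for i, b := range splitBlocks(file) {
		t.macs = append(t.macs, blockTag(key, i, b))
	}
	return t
}

// VerifyBlock checks a single block retrieved from the cloud. Checking blocks
// individually lets the owner spot-check rarely accessed data without
// downloading the whole file.
func (t *Tags) VerifyBlock(index int, block []byte) bool {
	if index < 0 || index >= len(t.macs) {
		return false
	}
	return hmac.Equal(t.macs[index], blockTag(t.key, index, block))
}

// VerifyFile checks a whole retrieved file and returns the indices of blocks
// that failed (missing, altered, swapped, or appended); nil means intact.
func (t *Tags) VerifyFile(file []byte) []int {
	blocks := splitBlocks(file)
	var bad []int
	for i := 0; i < len(t.macs) || i < len(blocks); i++ {
		if i >= len(blocks) || !t.VerifyBlock(i, blocks[i]) {
			bad = append(bad, i)
		}
	}
	return bad
}

func main() {
	// Constructed sample file: three 16-byte blocks.
	file := []byte("block-0-aaaaaaaa" + "block-1-bbbbbbbb" + "block-2-cccccccc")
	tags := ComputeTags(file)
	fmt.Println("intact file, bad blocks:", tags.VerifyFile(file))
	corrupt := append([]byte(nil), file...)
	corrupt[20] ^= 1 // one flipped bit inside block 1
	fmt.Println("corrupted file, bad blocks:", tags.VerifyFile(corrupt))
}
```

The MAC key stays with the owner, so this scheme gives the owner a check but cannot be delegated to a third party without sharing the key; that limitation is what the public-auditing properties in the Streamlining Auditing section address.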
Ensuring Data Availability
The ability of cloud users to store and process data will be greatly
enhanced by the limitless and elastic resources provided by cloud computing.
For instance, cloud users can benefit from robust data storage that may
not be available locally due to limited resources by creating multiple replicas
of data in the cloud. Cloud users (data owners) may replicate data on
geographically dispersed cloud servers and permit their customers to access
data effectively via local cloud servers (the use of which is similar to the
content distribution networks (CDNs)). This enables them to offer high-
quality data services to their own customers. By giving the task of data
maintenance to the cloud service provider, who might be more skilled at it,
cloud users can also save time and effort. In other words, cloud computing
allows users to operate high-quality, massive data services with little local
deployment and maintenance work.
Securing Data Access
Because sensitive data from many parties is pooled in the cloud, cloud data
storage and sharing services must facilitate secure, effective, and reliable
distribution of data content to a potentially large number of authorized
users on behalf of the data owners. Role-Based Access Control (RBAC) is one
access control mechanism that cloud servers can implement as a solution to
this problem. Mature mechanisms like RBAC are capable of handling
fine-grained access control in large-scale systems, so the aim of data
access control can be accomplished with them. Alternatively, cryptographic
techniques offer a different approach to secure data access services. This
type of solution encrypts data before it is stored in the cloud, and the
data owner (cloud user) keeps the secret key to themselves. The data
decryption key is given only to authorized users to enable data access. In
this way, end-to-end security is achieved without revealing the data's
contents to the cloud servers.
Deploying Multi-Factor Authentication
Multi-factor authentication needs users to provide two or more forms of
authentication before they can access data. Cloud service providers should
enable multi-factor authentication to allow only authorized personnel to
access their clients' data. Multi-factor authentication should include a
blend of something the user knows, such as a password, something the user
has, such as a security token, and something the user is, such as biometric
data.
Adhering to Regulations and Compliance
Sensitive data storage and access are strictly regulated for mission-critical
applications. Before moving sensitive data into the cloud, the data owner
and the cloud service provider should both be aware of the underlying laws
and compliance regimes:

• HIPAA - stands for the Health Insurance Portability and Accountability
Act. The proper use and disclosure of private health information held by
"covered entities," as defined by HIPAA and the Department of Health and
Human Services (HHS), is governed by the HIPAA privacy rule. It establishes
guidelines for the proper use and disclosure of PHI and defines 18 different
types of Protected Health Information (PHI). PHI typically refers to data
that can be used to identify a specific person. This may include the
person's entire medical history or payment history.
• Federal Information Security Management Act (FISMA): Information security
for U.S. federal government agencies and/or their contractors is governed
by the Federal Information Security Management Act (FISMA). All agency
information systems are required to adhere to a security framework that
defines information security. A number of security measures, including
information categorization, security controls, and risk management, are
mandated by this framework.
• SOX (Sarbanes-Oxley): With the main objective of protecting against
corporate and accounting scandals in the financial market, SOX was
implemented for public companies. This act contains 11 titles that cover a
variety of financial information security topics, including integrity,
accountability, secure audit, etc.
• Statement on Auditing Standards No. 70 (SAS 70): The purpose of SAS 70 is
to regulate the contracted internal controls of service organizations, such
as hosted data centers and businesses that handle insurance claims and
credit information. It specifies a set of auditing standards that an auditor
must follow.

These regulations place different requirements on data security. Because of
cloud characteristics like multi-tenancy and internet-based service
delivery, achieving compliance can be difficult in a cloud computing
environment. Before sensitive data can be stored in the cloud, the cloud
service provider may need to obtain security certification and/or
accreditation. This type of security certification typically includes a
thorough evaluation of the service provider's operational and/or technical
security controls. For instance, FISMA mandates that such certification or
accreditation be obtained before agencies use cloud services for data
processing or storage. Firms are also increasingly opting for
compliance-as-a-service offerings to remain compliant at all times, across
all activities, with less manual effort.
Streamlining Auditing
The entire service architecture design must be both secure and practical to
enable public auditing from a systematic standpoint. With this in mind, we
can briefly describe a set of desirable properties that such a design
should satisfy. Note that these properties are desirable ends; not all of
them may be fully achievable with current technology.

• Reduce auditing overhead as much as possible: The overhead that the
auditing process imposes on the cloud server must not outweigh its
advantages. Both the I/O cost and the bandwidth cost of data transfer fall
under this category of overhead. Additionally, the extra online workload for
the data owner should be kept to a minimum. After delegating auditing, the
data owner should ideally be able to simply enjoy the cloud storage service
without having to worry about auditing its storage correctness.
• Protect data privacy: Data privacy protection has always been a key
component of service level agreements for cloud storage services. Therefore,
implementing a public auditing protocol should not violate the owners' right
to privacy regarding their data. In other words, the third-party auditor
(TPA) should be able to audit cloud data storage effectively without
requesting a local copy of the data or even understanding its content.
• Leverage data dynamics: As cloud storage is more than just a data
warehouse, owners need to update their data dynamically for a variety of
application purposes. This significant aspect of data dynamics in cloud
computing should be incorporated into the auditing protocol design.
• Support batch auditing: The widespread use of large cloud storage
services increases the need for efficient auditing. The TPA should be able
to handle multiple auditing tasks quickly and affordably even when they come
from various owners' delegations. This feature effectively allows public
auditing services to scale, even for storage clouds with numerous data
owners.

The Path Forward
The Cloud computing model has received a lot of attention from businesses
and the academic community. Data security is a critical concern when
deploying applications to the cloud. With Cloud4C, one of the leading
managed services providers, gain end-to-end data protection for your
enterprise IT landscape, regardless of the scope and complexity of your IT
infrastructure. Prevent Data leaks (Data Loss Prevention) in hosted systems
and assets, examine databases and dataflows across multiple assets, assess
logs and telemetry from various sources, study information to find malicious
links and hidden threats, and predict vulnerabilities for preventive
maintenance. For the strictest data protection, integrate cutting-edge
intelligent security solutions, cloud-native tools, and proprietary platforms.
Utilize round-the-clock assistance from top cybersecurity professionals to
safeguard sensitive data and workflows. To know more, get in touch with us
today.

Cloud Security Services

The set of policies, controls, authentication rules, technologies, and
approaches used to protect cloud systems along with their data and
architecture is called Cloud Security Services. Various measures are
followed to protect the security of cloud systems: managing network traffic
to maintain data security, authorization rules for devices that log in to
the same cloud directory, and keeping up with all the regulations and
compliance rules. Cloud security is provided by the cloud owner, and cloud
users need not worry about it, as cloud packages include cloud security in
the system as well.

List of Cloud Security Services
Data Encryption
Enterprises store a huge amount of data in cloud systems, and this data is
crucial for the survival of the enterprise itself. If the data gets stolen,
it can be sold to a competitor, who can use it to develop products and worsen
the enterprise's market position. Data that is no longer used in daily
activities is called data at rest. It is good to encrypt data at rest, as it
will contain all the charts and studies about market trends and the
company's upcoming products. Encryption of data at rest is an important
cloud security service because it alerts users when attackers try to access
the data at rest.

Firewall Protection
When a user initially tries to access a cloud system from their device, the
firewall prevents them from doing so. The device must first be registered
in the firewall security settings, after which the user can access the data
in the cloud system. This internal and external firewall protection is
configured by cloud systems so that any unauthorized sign-ins are prevented
by the firewall. When data is sent across the same IP address, the source
and destination of the packet are verified by the firewall. The stability
of the packet is also checked to ensure the authenticity of the data
packet. Some firewalls inspect the content of the data packet to establish
that no viruses or malware are attached to it. External and internal
firewalls are important to verify that the data is not exposed to outsiders
in any form.

Monitoring
All the IDs that log into the system are monitored and recorded in the cloud
logging system, so that when a security threat occurs and it comes from
inside, this tracking helps to identify the individual who logged in at a
particular time. Firewall rules are also updated to block suspicious login
attempts, keeping the data secure in cloud storage. Monitoring usually
checks authentication rules and IP addresses, so that if suspicious logins
are detected, they are prevented from accessing the data in storage. This is
done at a granular level: permissions are not given to an individual
directly but to a group of people among whom the responsibilities are
shared. This helps in monitoring the activities of other people and
notifying the security team of any unauthorized data modification.

Security at Data centers
If every attempt to reach data through the system fails, attackers may try
to reach the data directly through the servers. This path is not checked by
firewall protection and has no authentication rules. This is why all
physical servers are monitored closely by physical security and watched
using CCTV cameras 24 hours a day. Biometrics are also present in the
server rooms, so that only authorized security personnel and maintenance
officials can enter and check that the servers are working. Logs are also
kept of who enters and leaves the room and how long they stay inside the
server room. When a person stays longer than permitted, alerts are sent to
security so that they can check the server rooms for unauthorized
personnel.

Isolated networks
When there is an important deployment in the cloud system and the data must
be kept hidden from the corresponding resource group members, it is good to
perform the deployment in virtually isolated networks. Security policies
should be implemented in all the networking systems, and the system itself
should be protected from malicious threats and virus attacks. Access and
authentication should be customized, and dedicated network links must be
used to transfer the data to higher environments.

Anomaly detection
When the logs are huge, it is difficult to manage them manually, so cloud
vendors use AI-based algorithms to describe anomalies in the logging
pattern. This helps to manage the logging details and monitor discrepancies
in the logs. Vulnerabilities can also be scanned for, revealing which
computing service has weaker security. This helps to improve the system's
security and protect the data to the core. The location of the databases
can be kept under surveillance so that we can be sure that data is not
stored in unauthenticated databases. Checkpoints are installed in every
deployment of data into the cloud and higher environments to ensure that
the data is kept in the proper cloud storage and in the proper folder
format.

Protection through APIs
To keep data out of the hands of unauthorized personnel, cloud users can
employ APIs and web apps for data security. This helps to protect
containers and virtual machines from unsecured logins. Incidents can be
raised automatically for unofficial logins, which helps to protect the
systems and thus the cloud-stored data. And if the threats pose heavy
risks, real-time alerts can be set in the cloud storage to prevent them
from accessing the data.
All our data in our systems, mobile devices, and storage disks is becoming
cloud storage data, and hence it is crucial to have good cloud security
services arranged for these devices. Cloud providers offer cloud security,
and if one is not satisfied with it, users can seek the help of separate
security software to achieve the intended security level.

Cloud security is an opportunity to drive the business, improve defenses and
reduce security risk. Enforcing cloud security services in cloud computing
has been fruitful, but network professionals must examine the cloud
provider's architecture for reliability and security. Security-as-a-service
is a subset of Software as a Service (SaaS) which allows consumers to host
their network security and monitoring practices on a hybrid or public cloud
instead of on premises.

Explain Cloud Security Services – Are These Important?

In comparison to on-premises network security, there are a number of
benefits to using a Security-as-a-Service solution. One of the major
benefits is lower cost, because the service eliminates the capital
expenditure and the maintenance services purchased either individually or
by subscription. Apart from this main benefit, security-as-a-service is
rapid to deploy, demands lower maintenance costs, and supports mobile users
too. If the cloud vendors satisfy their SLAs (service-level agreements),
these types of cloud security services are more than enough to replace
some of the on-premises security apps.

Preparation to be Done for Cloud-Based Security Services
When an enterprise decides to adopt a cloud security provider, network
executives must measure the viability of the cloud infrastructure they are
trusting. Make sure to carry out security assessments and audits of the
cloud-based systems when selecting cloud security providers. The entire
procedure comprises the following aspects:
• Workstation/server/smartphone compliance assessments
• Assessments of the cloud or hypervisor architecture
• Vulnerability assessments of network and systems
One has to evaluate the results of all the assessment types listed above
and then combine them into an overall risk value that describes the current
security status of the firm. Organizations must collaborate with cloud
service vendors to ensure that adequate encryption is enforced at the exact
location of the data. This provides endpoint security for business data
against unauthorized access. All critical business content should be
encrypted in transit as well as at rest. At the initial stage, companies
must learn the sensitivity level of the data to be secured and analyze the
maturity level of encryption products for data transmission on a public or
hybrid cloud.

Cloud Security Services Provider Should Offer Backup Plan
Organizations frequently address online strategy for backup and disaster
recovery. Customers need to make sure that cloud service providers that
offer online security services have a disaster recovery or business
continuity plan of their own. These strategies must guarantee continued
operations on PaaS, IaaS, and SaaS platforms.
A Safety Tip – Being a responsible online user, it is your responsibility to
demand an SLA from the CSP. This agreement comprises the backup and recovery
plan that is covered under the RTO/RPO section.

What All Should be Present in a Cloud Security Service Vendor?
This is actually a good question, because the answer comprises the points
that a security-as-a-service vendor should cover. So, let us read through
the following bullets that cover the needs of today's business to achieve
prevention against the cyber threats of 2020:

• Identity and Access Management – Business network admins have to
maintain cloud identity management services to create, handle, and delete
role-based identities, enforce strong passwords, and prefer the use of
biometric technologies. A cloud security services provider should render a
simplified platform from which it becomes easier for administrators to
manage their responsibilities.
• Intrusion Detection and Prevention – This requirement is quite obvious:
a cybersecurity service provider should be capable of detecting threats on
its own. An advanced intrusion prevention and detection system enables
administrators to perform network traffic inspection, respond to intrusions
manually or automatically, and carry out behavioral analyses of employees,
because they are the main cause of internal threats.
• Coded With Email Security Measures – Of course, when it's about cloud
security services, it is mandatory to have email security policies already
embedded in them. Enterprises have to make sure that this feature is already
provided by the shortlisted service provider. If not, immediately reject the
security vendor's proposal, because email security is one of the basic
aspects of cyber protection.
• Security Data & Event Management – Online apps lend themselves to
monitoring and auditing procedures, and these features are core to SIEM.
This is accomplished with the events and security data collected from
traditional IT security systems (like anti-malware and IDP), network
systems, and management systems. Administrators must ensure that the log
file data meets the particular regulatory and compliance requirements at
the time of shifting data to the cloud.

What Are Cloud Security Services?

Cloud security services are a set of services designed to mitigate risk and improve
compliance of cloud environments. Since these environments can be quite
complex, involving a wide range of technologies and processes and, at the same
time, exposed to a variety of threats, they can’t be protected by a one-size-fits-all
solution. Rather, most of these services tackle specific areas. We’ll elaborate on
that in a moment.

Technically speaking, these services are actually managed cloud-security
services, meaning they are managed and operated by third parties. Offloading
security operations to a third party has several benefits, including:

• Threats can be monitored, detected, and responded to by experts who
actually know what to do. This ensures threats are dealt with properly
and completely.
• Managed cloud security services providers are usually also trained to
help organizations achieve regulatory compliance—an area that's normally
also outside of an organization's expertise.
• Your IT staff no longer have to handle cyber incidents and can focus
instead on supporting your core business operations.

What Are Some Types of Cloud Security Services?

Cloud environments can be quite complex, consisting of a mishmash of
technologies and processes. At the same time, they're exposed to a wide range
of threats. Hence, you normally don't find a one-size-fits-all cloud security
service. Rather, most of these services tackle specific areas. Some of the
most common types of cloud security services include data loss prevention
(DLP), identity and access management (IAM), email security, web security,
and intrusion detection.

Data Loss Prevention
With so much data being uploaded to and generated by cloud services, and
with so many applications and devices accessing that data, the chance of
data loss is enormous. DLP services are built to detect the presence of
sensitive data—credit card data, electronic Protected Health Information
(ePHI), social security numbers, etc.—and prevent it from falling into the
wrong hands.

Identity and Access Management
IAM services ensure that users adhere to the principle of least privilege,
meaning they restrict users to accessing cloud resources and performing
actions that are permissible for their designated role or function. For
instance, an ordinary user shouldn't be able to create instances or delete
snapshots. An IAM service can enforce that policy. By using an IAM service,
administrators can create permission policies and then associate them with
a user or group of users.
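
A minimal policy evaluator showing the least-privilege behaviour described in this IAM passage and in the earlier Securing Data Access passage on RBAC. This is an added example written for this page, not any provider's IAM implementation. Policies are attached to users and to groups (the groups act as roles), each statement allows or denies actions on resources with an optional trailing-`*` wildcard, and the decision rule is: an explicit Deny wins, otherwise a matching Allow is required, otherwise the request is refused. The action names, group names, resource names and policies are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is one rule in a policy: Effect is "Allow" or "Deny", and Actions and
// Resources match exactly or by a trailing "*" wildcard (e.g. "ec2:Describe*", "*").
type Statement struct {
	Effect    string
	Actions   []string
	Resources []string
}

// Policy is a named list of statements, attachable to a user or to a group (role).
type Policy struct {
	Name       string
	Statements []Statement
}

// Principal is the caller: a user plus the groups (roles) it belongs to.
type Principal struct {
	User   string
	Groups []string
}

// Directory maps each user or group name to the policies attached to it.
type Directory map[string][]Policy

func match(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if match(p, value) {
			return true
		}
	}
	return false
}

// Authorize evaluates every policy attached to the principal or to one of its
// groups. An explicit Deny wins over any Allow; with no matching Allow the request
// is refused (default deny), which is how least privilege is enforced.
func Authorize(dir Directory, p Principal, action, resource string) (bool, string) {
	allowedBy := ""
	for _, name := range append([]string{p.User}, p.Groups...) {
		for _, pol := range dir[name] {
			for _, st := range pol.Statements {
				if !anyMatch(st.Actions, action) || !anyMatch(st.Resources, resource) {
					continue
				}
				if st.Effect == "Deny" {
					return false, "explicit deny in " + pol.Name
				}
				if allowedBy == "" {
					allowedBy = pol.Name
				}
			}
		}
	}
	if allowedBy == "" {
		return false, "no policy allows " + action
	}
	return true, "allowed by " + allowedBy
}

// SampleDirectory is constructed for this example: developers may only read, admins may
// do anything, and carol carries a personal Deny that protects snap-golden-* snapshots.
func SampleDirectory() Directory {
	return Directory{
		"developers": {{Name: "DevReadOnly", Statements: []Statement{
			{Effect: "Allow", Actions: []string{"ec2:Describe*", "s3:GetObject"}, Resources: []string{"*"}},
		}}},
		"admins": {{Name: "AdminAccess", Statements: []Statement{
			{Effect: "Allow", Actions: []string{"*"}, Resources: []string{"*"}},
		}}},
		"carol": {{Name: "ProtectGoldenSnapshots", Statements: []Statement{
			{Effect: "Deny", Actions: []string{"ec2:DeleteSnapshot"}, Resources: []string{"snap-golden-*"}},
		}}},
	}
}

func main() {
	dir := SampleDirectory()
	alice := Principal{User: "alice", Groups: []string{"developers"}}
	carol := Principal{User: "carol", Groups: []string{"admins"}}
	fmt.Println(Authorize(dir, alice, "ec2:DescribeInstances", "*"))
	fmt.Println(Authorize(dir, alice, "ec2:RunInstances", "*"))
	fmt.Println(Authorize(dir, carol, "ec2:DeleteSnapshot", "snap-golden-001"))
	fmt.Println(Authorize(dir, carol, "ec2:DeleteSnapshot", "snap-tmp-001"))
}
```

The reason string returned alongside the decision is worth keeping in a real system: logging which policy allowed or denied each request is what makes later access reviews and incident investigations tractable.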

 Email Security
As the weakest link in the security chain, users are often the targets in
cyberattacks. And because practically all users use email, many of these
attacks—such as phishing and Trojans—are carried out through that medium.
Some of these attacks may compromise your cloud environment. For
instance, a spear phishing attack may be aimed at acquiring cloud
administrator credentials. One way to mitigate these threats is by employing
a capable email security service that can detect phishing emails and malicious
attachments.

 Web Security

67 | P a g e
Increased usage of cloud services is an added burden to IT administrators,
who now have to deal with a much larger attack surface. Users access cloud
services from different locations—in their headquarters, at home, in branch
offices, or just about anywhere. Web security solutions, which sit between
users (regardless of location) and the internet in typical scenarios, provide
administrators the means to secure these connections and protect them
against cyber threats.

Intrusion Detection
Intrusion-detection solutions monitor inbound and outbound traffic for
suspicious activities and detect potential threats. Usually, detection is done
through pattern recognition mechanisms that identify specific signatures and
behaviors. Traditional intrusion detection is usually applied to the network
layer. However, we’re now seeing more solutions applying this kind of
protection to the host layer (i.e., to the virtual machines themselves). By
detecting threats before they can exploit vulnerabilities, businesses can
prevent threat actors from establishing a beachhead in the targeted system.

What about Security Information and Event Management?

A Security Information and Event Management (SIEM) solution collects log
and event data from various security tools and network devices (e.g.,
antivirus solutions, DLP software, intrusion detection solutions, firewalls,
routers, switches) in real-time, correlates all aggregated data, and then
generates alerts based on predefined rules. It’s one of the key tools of threat
detection and incident response teams, enabling them to respond quickly to
threats.
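
An added example, not part of the original notes: a minimal SIEM-style correlation over constructed log lines from two sources (an SSH bastion and a cloud audit trail). It normalises and time-orders the events, fires a predefined rule when repeated failed logins are followed by a success, and escalates a privileged cloud action when it comes from a source IP the first rule already flagged. The log format, users and IP addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed log lines from two sources, in the order a SIEM might receive them
# (note that the cloud audit events arrive after later-dated SSH events).
RAW_LOGS = [
    "2024-05-02T09:00:01Z sshd host=bastion-1 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-02T09:00:03Z sshd host=bastion-1 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-02T09:00:05Z sshd host=bastion-1 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-02T09:00:09Z sshd host=bastion-1 user=admin src=203.0.113.7 result=OK",
    "2024-05-02T09:01:00Z sshd host=bastion-1 user=deploy src=198.51.100.4 result=FAIL",
    "2024-05-02T09:30:00Z sshd host=bastion-1 user=deploy src=198.51.100.4 result=OK",
    "2024-05-02T09:02:15Z cloudaudit user=alice action=ec2:DeleteSnapshot src=203.0.113.7 result=OK",
    "2024-05-02T09:03:40Z cloudaudit user=bob action=ec2:DeleteSnapshot src=192.0.2.10 result=OK",
]

# Predefined rule parameters (constructed).
ADMIN_USERS = {"bob"}
PRIVILEGED_ACTIONS = {"ec2:DeleteSnapshot", "ec2:RunInstances"}
BRUTE_FORCE_THRESHOLD = 3
BRUTE_FORCE_WINDOW = timedelta(minutes=5)


def parse_event(line: str) -> dict:
    """Normalise one raw line into a flat dict: ts, source, then key=value fields."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(lines: list[str]) -> list[tuple[str, str]]:
    """Return (severity, message) alerts after correlating events from all sources."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    failures: dict[tuple[str, str], list[datetime]] = {}
    suspicious_ips: set[str] = set()
    alerts: list[tuple[str, str]] = []

    for e in events:
        if e["source"] == "sshd":
            key = (e["src"], e["user"])
            # Keep only failures inside the sliding window.
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            if e["result"] == "FAIL":
                recent.append(e["ts"])
            elif e["result"] == "OK" and len(recent) >= BRUTE_FORCE_THRESHOLD:
                suspicious_ips.add(e["src"])
                alerts.append(("HIGH", f"login after {len(recent)} failures "
                                       f"user={e['user']} src={e['src']}"))
            failures[key] = recent
        elif e["source"] == "cloudaudit" and e["action"] in PRIVILEGED_ACTIONS:
            from_suspicious = e["src"] in suspicious_ips
            if e["user"] not in ADMIN_USERS or from_suspicious:
                severity = "CRITICAL" if from_suspicious else "HIGH"
                alerts.append((severity, f"privileged action {e['action']} "
                                         f"user={e['user']} src={e['src']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in correlate(RAW_LOGS):
        print(f"[{severity}] {message}")
```

The single failure from the deploy account followed by a success half an hour later stays below the rule's window and threshold, so it produces no alert.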

Encryption

Encryption, which protects data by rendering it unreadable, is a highly sought
security control, not only because it preserves data confidentiality, but also
because this functionality is one of the basic requirements for compliance with
data privacy/protection laws and regulations such as the Health Insurance
Portability and Accountability Act (HIPAA), Payment Card Industry Data Security
Standard (PCI DSS), and General Data Protection Regulation (GDPR).

What about Business Continuity and Disaster Recovery?

Despite the high availability (HA) capabilities of cloud environments, unforeseen
events can still disrupt business operations. A server instance may fail,
ransomware may encrypt files in your cloud storage, a distributed denial-of-
service (DDoS) attack may render your services unreachable, and so on. Business
continuity and disaster recovery services can help ensure you can continue doing
business as usual or recover in the quickest possible time should an unforeseen
disruptive event occur.

Can Cloud Security Services Help with Network Security?

We all know that scalability is a key characteristic of the cloud. Infrastructure as a
Service (IaaS) users can spin up a bunch of servers with ease. Auto-scaling takes
that capability even further by enabling organizations to deploy hundreds if not
thousands of instances rapidly, again with relative ease. But that scalability comes
with a cost. It now means IT teams have a much larger attack surface to secure, a
responsibility that’s made even more challenging with the increased adoption of
more complex hybrid cloud infrastructures. Network security services help
businesses address vulnerabilities in user-to-cloud as well as intra-cloud and
inter-cloud data exchanges.

What Are Best Practices when Using Cloud Security Services?

With so many different cloud security services in the market today, it can be
difficult to put them together into an effective layer of defense. In the following
subsections, we’ll share with you some best practices that will help you make the
most of using cloud security services.

Recognize Your Shared Security Responsibility Model

Before you embark on any cloud security program, it’s important to
understand your role in the shared security responsibility model. It defines
what portions of the cloud environment are your responsibility and which
ones are for your cloud provider. Generally speaking, your provider will
oversee the security of the cloud, and you will be responsible for security in
the cloud.

Different cloud service offerings like Software as a Service (SaaS) and IaaS
have different takes on this model, so make sure you’re looking at the right
one. Your provider should have this information.

Clarify Concerns about Security Measures and Procedures in Place

While large cloud providers have several security controls in place, the
presence of these controls and the extent of their coverage may vary from
one provider to another. Hence, it’s important to know exactly which controls
exist as well as the details pertinent to these controls.

What’s their disaster recovery plan? Do they have information that maps
their security controls with specific regulatory requirements? What access
control, encryption, and backup mechanisms are readily available? What is
the extent of their technical support? Do they have 24/7 support? These are
some of the questions you should ask.

Utilize an Identity and Access Management Solution

The 2021 Cost of a Data Breach Report identified cloud misconfigurations as
the third-most common initial attack vector. What’s alarming is that many
of these misconfigurations aren’t even intentional. One way to minimize this
particular risk is to limit privileged access to only those who absolutely need
it. Better yet, limit the scope of administrative functions to specific
administrators. Conversely, you shouldn’t be granting absolute administrative
rights to just one person. All this can be achieved by using an IAM solution.

Train Employees to Recognize Threats

Since users are the weakest link in the security chain, something must be
done to strengthen that link. Otherwise, your cloud security initiatives will
only go to waste. Now, since it’s their lack of security awareness that’s likely
exposing them to threats, education is the best solution.

Ensure all your users undergo security awareness training, and keep them
updated with the latest threats, particularly those that target end users (e.g.,
phishing, spear phishing, and other social engineering attacks). You can even
incorporate it into your onboarding process so that they can be equipped
with the right mindset from day one.

Document and Apply Cloud Security Policies

To facilitate a smooth implementation of your cloud security program,
document all relevant policies, processes, and procedures. These will serve as
guard rails for all members of your organization to follow. However, those
policies shouldn’t be left to gather dust. Leadership must take it upon
themselves to inspire employee buy-in and spearhead the implementation of
those security policies.

Automated Defense-in-Depth Strategy

Current cyber threats operate mostly with a high degree of sophistication.
Thus, for your cloud security services to be effective against them, you need
to incorporate them into a defense-in-depth strategy. This means a strategy
that layers several security mechanisms that can counter sophisticated threats
should one defense fail.

For greater efficacy, those security solutions should be integrated,
automated, and orchestrated. This will eliminate manual and time-consuming
processes, streamline security operations, optimize threat monitoring, ensure
faster detection and incident response, and lower the total cost of ownership
(TCO).

Outsource Your Cloud Service Security

Not all organizations have dedicated cybersecurity teams, let alone a full-
fledged security operations center (SOC), that can architect and implement a
defense-in-depth strategy as well as manage its cloud security solutions and
take charge of threat monitoring, detection, and response.

If you have limited or no in-house cybersecurity staff, the best option would
be to outsource cloud security services. Third parties such as managed
security service providers (MSSPs) can manage existing cloud security
services and also offer cloud security services themselves. By outsourcing
your security responsibilities, you can focus more on your core business.

Parallels RAS: Virtualize Your Infrastructure, and Enhance Your Cloud Security

As businesses increase the adoption of remote and hybrid work environments,
cloud-based applications and desktops are taking center stage more often. This is
giving rise to cloud-ready VDI solutions such as Parallels® Remote Applications
Server. There are several advantages of using a VDI solution like Parallels RAS,
especially from a cloud security standpoint.

Superior Encryption

Data-in-motion encryption is an essential security control in any cloud-based use
case. That’s because user sessions usually pass through the internet and, hence,
are exposed to several network-based threats such as man-in-the-middle attacks.
Parallels RAS protects these sessions with strong Secure Sockets Layer/Transport
Layer Security (SSL/TLS) encryption and uses cryptographic elements that comply
with the Federal Information Processing Standard (FIPS) 140-2 to provide
enterprise-grade security and hide confidential information from network
eavesdroppers.

Monitoring Tools

Parallels RAS also provides monitoring tools that enable IT administrators to gain
in-depth visibility into user sessions. This allows them to monitor what users are
doing on the network. In addition, Parallels RAS also auto-baselines its VDI
environment. You can use this to trigger alert notifications should user activities
deviate from the baseline, i.e., when abnormal actions are detected.

Hardened Access with Multifactor Authentication

Since users access cloud-based VDI desktops and applications remotely from any
device, it’s important to make sure that the person logging in is really who that
user claims to be. Parallels RAS mitigates the risk of unauthorized logins by
adding several multifactor authentication (MFA) options, including Azure MFA,
Duo, FortiAuthenticator, TekRADIUS, RADIUS, Deepnet, Google Authenticator, or
Gemalto (formerly SafeNet). With MFA, even if a threat actor manages to acquire
a legitimate user’s login password, that person will still be unable to log in if the
second factor fails to match what Parallels RAS expects.

Advanced Permissions Filtering

In addition to MFA, Parallels RAS further minimizes the chances of unauthorized
access by enabling administrators to create granular filtering rules for user access
to a Parallels RAS farm. Administrators can specify who can access a published
resource based on several criteria, including user, IP address, client device name,
client device OS, media access control (MAC) address, and gateway. Only users
that can satisfy the specified criteria are granted access.

Client Policies

One major advantage of delivering virtual applications and desktops from a
centralized location such as the cloud is that it simplifies endpoint device
management and security. Parallels RAS makes it much easier by allowing
administrators to add users to a group, create client policies, and then apply
those policies to that group, thereby ensuring policy enforcement.

Security Compliance with HIPAA, PCI DSS, and GDPR

The Parallels RAS assemblage of security features, which includes enterprise-grade
encryption, multifactor authentication, advanced permissions filtering, and others,
enables companies to conform with data privacy/protection laws and regulations
such as HIPAA, PCI DSS, and GDPR.

When delivering virtual applications and desktops from the cloud, it’s not enough
to rely on cloud security services. Enhance the protection provided by your cloud
security services with a highly secure, cloud-ready VDI solution.

Cloud Infrastructure Security

SECURING THE 7 KEY COMPONENTS

What is Cloud Infrastructure Security?


Cloud infrastructure security is the practice of securing resources deployed in
a cloud environment and supporting systems.

Public cloud infrastructure is, in many ways, more vulnerable than on-
premises infrastructure because it can easily be exposed to public networks,
and is not located behind a secure network perimeter. However, in a private or
hybrid cloud, security is still a challenge, as there are multiple security
concerns due to the highly automated nature of the environment and
numerous integration points with public cloud systems.

Cloud infrastructure is made up of at least 7 basic components, including user
accounts, servers, storage systems, and networks. Cloud environments are
dynamic, with short-lived resources created and terminated many times per
day. This means each of these building blocks must be secured in an
automated and systematic manner. Read on to learn best practices that can
help you secure each of these components.

Securing Public, Private, and Hybrid Clouds


Cloud security has different implications in different cloud infrastructure models. Here
are considerations for security in each of the three popular models—public cloud,
private cloud, and hybrid cloud.

Public Cloud Security


In a public cloud, the cloud provider takes responsibility for securing the
infrastructure, and provides tools that allow the organization to secure its workloads.
Your organization is responsible for:

• Securing workloads and data, fully complying with relevant compliance
standards, and ensuring all activity is logged to enable auditing.
• Ensuring cloud configurations remain secure, and any new resources on the
cloud are similarly secured, using automated tools such as a Cloud Security
Posture Management (CSPM) platform.
• Understanding which service level agreements (SLA), supplied by your cloud
provider, deliver relevant services and monitoring.
• If you use services, machine images, container images, or other software
from third-party providers, performing due diligence on their security
measures and replacing providers if they are insufficient.

Private Cloud Security


The private cloud model gives you control over all layers of the stack. These
resources are commonly not exposed to the public Internet. This means that you can
achieve a certain level of security using traditional mechanisms that protect the
corporate network perimeter. However, there are additional measures you should
take to secure your private cloud:

• Use cloud native monitoring tools to gain visibility over any anomalous
behavior in your running workloads.
• Monitor privileged accounts and resources for suspicious activity to detect
insider threats. Malicious users or compromised accounts can have severe
consequences in a private cloud, because of the ease at which resources can
be automated.
• Ensure complete isolation between virtual machines, containers, and host
operating systems, to ensure that compromise of a VM or container does not
allow compromise of the entire host.
• Virtual machines should have dedicated NICs or VLANs, and hosts should
communicate over the network using a separate network interface.
• Plan ahead and prepare for hybrid cloud by putting security measures in place
to ensure that you can securely integrate with public cloud services.

Hybrid Cloud Security


Hybrid clouds are a combination of on-premise data center, public cloud, and private
cloud. The following security considerations are important in a hybrid cloud
environment:

• Ensure public cloud systems are secured using all the best practices.
• Private cloud systems should follow private cloud security best practices, as
well as traditional network security measures for the local data center.
• Avoid separate security strategies and tools in each environment—adopt a
single security framework that can provide controls across the hybrid
environment.
• Identify all integration points between environments, treat them as high-risk
components and ensure they are secured.

Securing 7 Key Components of Your Cloud Infrastructure

Here are key best practices for securing the components of a typical cloud
environment.

1. Accounts
Service accounts in the cloud are typically privileged accounts, which may
have access to critical infrastructure. Once compromised, attackers have
access to cloud networks and can access sensitive resources and data.

Service accounts may be created automatically when you create new cloud
resources, scale cloud resources, or stand up environments using
infrastructure as code (IaC). The new accounts may have default settings,
which in some cases means weak or no authentication.

Use identity and access management (IAM) to set policies controlling access
and authentication to service accounts. Use a cloud configuration monitoring
tool to automatically detect and remediate non-secured accounts. Finally,
monitor usage of sensitive accounts to detect suspicious activity and respond.

2. Servers
While a cloud environment is virtualized, behind the scenes it is made up of physical
hardware deployed at multiple geographical locations. This includes physical
servers, storage devices, load balancers, and network equipment like switches and
routers.

Here are a few ways to secure a cloud server, typically deployed using a compute
service like Amazon EC2:

• Control inbound and outbound communication—your server should only
be allowed to connect to networks, and specific IP ranges needed for its
operations. For example, a database server should not have access to the
public internet, or any other IP, except those of the application instances it
serves.
• Encrypt communications—whether communications go over public
networks or within a secure private network, they should be encrypted to
avoid man in the middle (MiTM) attacks. Never use unsecured protocols like
Telnet or FTP. Transmit all data over HTTPS, or other secure protocols like
SCP (Secure Copy) or SFTP (Secure FTP).
• Use SSH keys—avoid accessing cloud servers using passwords, because
they are vulnerable to brute force attacks and can easily be compromised.
Use SSH keys, which leverage public/private key cryptography for more
secure access.
• Minimize privileges—only users or service roles that absolutely need access
to a server should be granted access. Carefully control the access level of
each account to ensure it can only access the specific files and folders, and
perform the specific operations, needed for its role. Avoid using the root user—
any operation should be performed using identified user accounts.

3. Hypervisors
A hypervisor runs on physical hardware, and makes it possible to run several
virtual machines (VMs), each with a separate operating system.

All cloud systems are based on hypervisors. Therefore, hypervisors are a key
security concern, because compromise of the hypervisor (an attack known as
hyperjacking) gives the attacker access to all hosts and virtual machines
running on it.

In public cloud systems, hypervisor security is the responsibility of the cloud
provider, so you don’t need to concern yourself with it. There is one exception—
when running virtualized workloads on a public cloud, using systems like VMware
Cloud, you are responsible for securing the hypervisor.

In private cloud systems, the hypervisor is always under your responsibility. Here
are a few ways to ensure your hypervisor is secure:

• Ensure machines running hypervisors are hardened, patched, isolated
from public networks, and physically secured in your data center
• Assign least privileges to local user accounts, carefully controlling
access to the hypervisor
• Harden, secure, and closely monitor machines running the virtual
machine monitor (VMM) and virtualization management software, such
as VMware vSphere
• Secure and monitor shared hardware caches and networks used by the
hypervisor
• Pay special attention to hypervisors in development and testing
environments—ensure appropriate security measures are applied when
a new hypervisor is deployed to production

4. Storage
In cloud systems, virtualization is used to abstract storage from hardware systems.
Storage systems become elastic pools of storage, or virtualized resources that can
be provisioned and scaled automatically.

Here are a few ways to secure your cloud storage services:

• Identify which devices or applications connect to cloud storage, which
cloud storage services are used throughout the organization, and map
data flows.
• Block access to cloud storage for internal users who don’t need it, and
eliminate shadow usage of cloud services by end users.
• Classify data into sensitivity levels—a variety of automated tools are
available. This can help you focus on data stored in cloud storage that
has security or compliance implications.

• Remove unused data—cloud storage can easily scale and it is common
to retain unnecessary data, or entire data volumes or snapshots that are
no longer used. Identify this unused data and eliminate it to reduce the
attack surface and your compliance obligations.
• Carefully control access to data using identity and access management
(IAM) systems, and applying consistent security policies for cloud and
on-premises systems.
• Use cloud data loss prevention (DLP) tools to detect and block
suspicious data transfers, data modification or deletion, or data access,
whether malicious or accidental.

5. Databases
Databases in the cloud can easily be exposed to public networks, and almost always
contain sensitive data, making them an imminent security risk. Because databases
are closely integrated with the applications they serve and other cloud systems,
those adjacent systems must also be secured to prevent compromise of the
database.

Here are a few ways to improve security of databases in the cloud:

• Hardening configuration and instances—if you deploy a database yourself
in a compute instance, it is your responsibility to harden the instance and
securely configure the database. If you use a managed database service,
these concerns are typically handled by the cloud provider.
• Database security policies—ensure database settings are in line with your
organization’s security and compliance policies. Map your security
requirements and compliance obligations to specific settings on cloud
database systems. Use automated tools like CSPM to ensure secure settings
are applied to all database instances.
• Network access—as a general rule, databases should never be exposed to
public networks and should be isolated from unrelated infrastructure. If
possible, a database should only accept connections from the specific
application instances it is intended to serve.
• Permissions—grant only the minimal level of permissions to users,
applications and service roles. Avoid “super users” and administrative users
with blanket permissions. Each administrator should have access to the
specific databases they work on.
• End user device security—security is not confined to the cloud environment.
You should be aware what endpoint devices administrators are using to
connect to your database. Those devices should be secured, and you should
disallow connections from unknown or untrusted devices, and monitor
sessions to detect suspicious activity.

6. Network
Cloud systems often connect to public networks, but also use virtual networks to
enable communication between components inside a cloud. All public cloud
providers let you set up a secure, virtual private network for your cloud resources
(called a VPC in Amazon and a VNet in Azure).

Here are a few ways you can secure cloud networks:

• Use security groups to define rules that define what traffic can flow
between cloud resources. Keep in mind that security groups are tightly
connected to compute instances, and compromise of an instance grants
access to the security group configuration, so additional security layers
are needed.
• Use Network Access Control Lists (ACL) to control access to virtual
private networks. ACLs provide both allow and deny rules, and provide
stronger security controls than security groups.
• Use additional security solutions such as firewalls as a service (FWaaS)
and web application firewalls (WAF) to actively detect and block
malicious traffic.
• Deploy Cloud Security Posture Management (CSPM) tools to
automatically review cloud networks, detect non-secure or vulnerable
configurations and remediate them.
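
An added CSPM-style check, not from the original notes: it audits constructed security-group definitions, shaped like the IpPermissions fields of EC2 describe-security-groups output, for the problems discussed in the Servers and Network sections above (administrative or database ports open to the internet, all-traffic rules, and database ports reachable by CIDR instead of only from the application tier's security group). Group IDs and rules are constructed.

```python
import ipaddress

# Constructed security groups, shaped like the IpPermissions fields returned by
# EC2 describe-security-groups (not real infrastructure).
SECURITY_GROUPS = [
    {
        "GroupId": "sg-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-db",
        "IpPermissions": [
            # Correct: the database port is reachable only from the app tier's group.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
            # Wrong: an all-traffic rule for the whole private range bypasses that.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        ],
    },
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB"}
SENSITIVE_PORTS = {**ADMIN_PORTS, **DATABASE_PORTS}


def is_public(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(rule: dict) -> tuple[int, int]:
    """Protocol -1 means all traffic, i.e. every port."""
    if rule["IpProtocol"] == "-1":
        return (0, 65535)
    return (rule["FromPort"], rule["ToPort"])


def audit_group(group: dict) -> list[str]:
    """Return one finding per violated check for a single security group."""
    gid = group["GroupId"]
    findings: list[str] = []
    for rule in group["IpPermissions"]:
        lo, hi = port_range(rule)
        exposed = [p for p in SENSITIVE_PORTS if lo <= p <= hi]
        db_exposed = [p for p in exposed if p in DATABASE_PORTS]
        for entry in rule["IpRanges"]:
            cidr = entry["CidrIp"]
            if rule["IpProtocol"] == "-1":
                findings.append(f"{gid}: all traffic allowed from {cidr}")
            if is_public(cidr) and exposed:
                names = ", ".join(SENSITIVE_PORTS[p] for p in exposed)
                findings.append(f"{gid}: {names} open to the internet ({cidr})")
            if db_exposed:
                names = ", ".join(DATABASE_PORTS[p] for p in db_exposed)
                findings.append(
                    f"{gid}: {names} reachable from CIDR {cidr}; restrict to the "
                    "application tier's security group instead"
                )
    return findings


def audit_all(groups: list[dict]) -> dict[str, list[str]]:
    """Audit every group and return findings keyed by GroupId."""
    return {g["GroupId"]: audit_group(g) for g in groups}


if __name__ == "__main__":
    for gid, findings in audit_all(SECURITY_GROUPS).items():
        print(gid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

HTTPS on 443 from the internet is accepted for the application tier; only the SSH exposure and the two database-tier rule problems are reported.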

7. Kubernetes
When running Kubernetes on the cloud, it is almost impossible to separate the
Kubernetes cluster from other cloud computing layers. These include the application
or code itself, container images, compute instances, and network layers. Each layer
is built on top of the previous layer, and all layers must be protected for defense in
depth.

The Kubernetes project recommends approaching security from four angles, known
as the “4 Cs”:

• Code—ensuring code in containers is not malicious and uses secure coding
practices
• Containers—scanning container images for vulnerabilities, and protecting
containers at runtime to ensure they are configured securely according to best
practices
• Clusters—protecting Kubernetes master nodes and ensuring cluster
configuration is in line with security best practices
• Cloud—using cloud provider tools to secure the underlying infrastructure,
including compute instances and virtual private clouds (VPC)

Compliance with security best practices, industry standards and benchmarks, and
internal organizational strategies also faces challenges in a cloud-native environment.

In addition to maintaining compliance, organizations must also provide evidence of
compliance. You need to adjust your strategy so that your Kubernetes environment
fits the controls originally created for your existing application architecture.

Aqua Cloud Security Posture Management (CSPM)

Scan, monitor and remediate configuration issues in public cloud accounts according
to best practices and compliance standards, across AWS, Azure, Google Cloud, and
Oracle Cloud.

Eliminate misconfigurations in your public cloud accounts

Aqua CSPM provides automated, multi-cloud security posture management to scan,
validate, monitor, and remediate configuration issues in your public cloud accounts.
Aqua CSPM ensures the use of best practices and compliance standards across
AWS, Azure, Google Cloud, and Oracle Cloud — including Infrastructure-as-code
templates.

Protect against:

• Servers exposed publicly to the internet
• Unencrypted data storage
• Lack of least-privilege policies
• Poor password policies or missing MFA
• Misconfigured backup/restore settings

Multi-cloud visibility – Gain visibility across all your cloud accounts

Aqua CSPM continuously audits your cloud accounts for security risks and
misconfigurations to assess your infrastructure risk and compliance posture. It
provides checks across hundreds of configuration settings and compliance best
practices to ensure consistent, unified multi-cloud security.

Rapid remediation – Find and fix misconfigurations before they’re exploited

Aqua provides self-securing capabilities to ensure your cloud accounts don’t drift out
of compliance. Get detailed, actionable advice and alerts, or choose automated
remediation of misconfigured services with granular control over chosen fixes.

Enterprise scale – Unify security across VMs, containers, and serverless

Protect applications in runtime on any cloud, orchestrator, or operating system using
a zero-trust model that provides granular control to accurately detect and stop
attacks. Leverage micro-services concepts to enforce immutability and micro-
segmentation.

Cloud Infrastructure Security: Meaning, Best Practices & More

What is Cloud Infrastructure Security?

Cloud infrastructure security is a framework for safeguarding cloud resources
against internal and external threats. It protects computing environments,
applications, and sensitive data from unauthorized access by centralizing
authentication and limiting authorized users’ access to resources.


A comprehensive cloud infrastructure security approach comprises a broad set of
policies, technologies, and applications. It includes controls that help eliminate
vulnerabilities or mitigate the consequences of an incident by automatically
preventing, detecting, reducing, and correcting issues as they occur. This framework
also facilitates business continuance by aiding in disaster recovery and supports
regulatory compliance across multiple cloud infrastructures.

In addition, a secure cloud infrastructure includes centralized identity and access
management (IAM) and granular, role-based access controls for managing access to
applications and other system resources. This prevents unauthorized users from
gaining access to digital assets and allows system administrators to limit the
resources that authorized users are permitted to access.

Importance of Cloud Infrastructure Security


With the adoption of cloud services on a sharp upward trajectory and 98% of
companies having experienced a cloud data breach in the past 18 months,
cloud infrastructure security is of paramount importance in today’s digital
world. [1] Virtually all large enterprises already use cloud computing, and most
of those companies have implemented a multi-cloud strategy that includes at
least one public and one private cloud.

Despite the cloud’s growing popularity, some organizations remain hesitant to
move sensitive data to the cloud. Common concerns include security,
governance, and compliance issues and fears around accidental data
leaks and the theft of data or intellectual property. As cybercriminals become
savvier, companies are justifiably concerned about the risk of becoming the
target of a costly attack that could compromise the business’s reputation.

Maintaining a strong cloud infrastructure security posture addresses these
concerns and mitigates the risk of threats, allowing organizations to enjoy all
the benefits of cloud computing while minimizing opportunities for bad actors
to take advantage of vulnerabilities in cloud infrastructure.

Benefits of Cloud Infrastructure Security


Cloud infrastructure security offers many advantages, including lower capital
investment, reduced operating costs, greater visibility across all IT
infrastructure, and increased availability and reliability. In addition,
organizations can easily scale applications and data storage as needed to
meet changing demands without compromising the security of digital assets
and system resources.

Setting uniform security policies across all platforms and environments
eliminates the need to apply policies to cloud resources individually. Tasks
like network monitoring, logging, and threat detection can be automated.
When issues arise, teams can identify them faster and address them more
easily. Along with improved visibility, logs help companies stay in compliance
with myriad governance standards and data security and privacy regulations.

Adopting a robust cloud infrastructure security posture also helps reduce an
organization's attack surface and mitigates the risk of threats—including
Distributed Denial of Service (DDoS) attacks, which have increased by 203%
since 2021. [2] DDoS attacks target websites and servers, aiming to render
them unavailable to authorized users. These types of attacks often serve as a
distraction from other, even more malicious, activities.

3 Costly Cloud Infrastructure Security Mistakes


The rapid adoption of cloud technologies has created a complex environment with a
decentralized workforce and resources distributed across many locations.
Consequently, infrastructure security in cloud computing has never been more vital
than it is today. As teams scramble to implement new applications and services, it’s
easy to overlook vulnerabilities that could allow bad actors to gain unauthorized
access to networks or sensitive information.

Misconfigurations are the primary cause of data breaches, exposing billions of
records and costing companies approximately $5 trillion in 2018 and 2019. [3] Below
are three costly cloud security configuration blunders and some tips that can help
organizations avoid making them.

1. Not protecting remote access


As the cloud grows in popularity, so does the attack surface, creating more
opportunities for hackers to gain access to data and enterprise resources. Failure to
place tight restrictions on remote access exposes cloud infrastructure to a breach or
a malware attack. While unauthorized users present the most obvious threat to
security, cybercriminals also exploit vulnerabilities in cloud architecture.

How to avoid it
To prevent unauthorized users from gaining access, you should implement privileged
access controls that grant allowed users permission to use cloud resources while
keeping everyone else out. Having visibility across all platforms in an organization’s
IT environment makes it easier to identify security risks, such as unused servers and
open FTP ports. Vulnerabilities like these give cybercriminals a pathway into cloud
infrastructure.

2. Overprovisioning user accounts


In their haste to add new users to the system quickly, organizations often
overprovision user accounts, granting broad access to data and resources across
the entire network. One of the most common errors is to assign access privileges by
group or department, giving all members of a certain group or department the same
permissions regardless of their individual roles.

Inactive zombie accounts also pose a serious risk to cloud security, particularly when
those accounts are overprovisioned. While some organizations habitually
overprovision new user accounts, accounts can also become overprovisioned over
time as users accumulate additional privileges when they receive promotions,
change roles, or assume new responsibilities.

How to avoid it
Adopt a comprehensive cloud identity access management (IAM) solution that
enables administrators to grant users granular permissions to cloud-based systems
and resources. Use the principle of least privilege to restrict access, giving each
individual user permission to access the resources they need to do their current
job—and no more.

Finally, use a tool that deprovisions accounts automatically when a user leaves the
organization. Removing unused accounts minimizes the risk of cyberattacks that
exploit stolen credentials and promptly closes the door to attacks that reuse zombie
accounts.

3. Incomplete logging
Logs that provide real-time data on system activity and user behavior are invaluable
to Security and Compliance teams. Detailed logs supply the evidence response
teams need to pinpoint the source of a security incident, whereas incomplete or
missing logs impede investigations.

Logs are also an indispensable auditing tool, helping companies satisfy security and
compliance requirements. Reports generated from detailed logs show a complete
picture of the interactions that occur across all infrastructure. However, forgetting to
log critical IT assets results in incomplete logging. Reports generated from
incomplete logs are less accurate and can even be misleading.

How to avoid it

Companies need to enable real-time logging for all critical assets, including database
and Web servers and vital cloud infrastructure. Recording the details of who
accessed what, when, and where provides valuable data that helps IT teams
respond to security incidents faster. Logging all critical assets ensures more
accurate reporting, which gives better insights into infrastructure security and helps
companies meet complex compliance requirements.
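
A log-coverage check makes the "incomplete logging" mistake visible before an incident does. The following is an added example, not code from these notes or from any logging product: the critical-asset inventory and the "last event received" table are constructed sample data, and in a real environment the second would be queried from the SIEM or log pipeline. It distinguishes a stream that was never configured from one that has gone silent, since both leave an asset unlogged.

```python
"""Incomplete-logging check: which critical assets are silent?

Added example for the cloud security notes; the inventory and the last-event
table are constructed, not read from a real environment.
"""
from datetime import datetime, timedelta

# Constructed inventory of critical assets. 'expected_sources' lists the log
# streams each asset must deliver (who accessed what, when, and from where).
CRITICAL_ASSETS = {
    "db-prod-01":  {"expected_sources": ["auth", "query-audit"]},
    "web-prod-01": {"expected_sources": ["access", "auth"]},
    "iam-control": {"expected_sources": ["admin-audit"]},
}

# Constructed 'last event received' timestamps keyed by (asset, source).
LAST_EVENT = {
    ("db-prod-01", "auth"):         datetime(2024, 6, 1, 9, 58),
    ("db-prod-01", "query-audit"):  datetime(2024, 5, 31, 2, 10),   # gone quiet
    ("web-prod-01", "access"):      datetime(2024, 6, 1, 9, 59),
    # ("web-prod-01", "auth") was never configured, so it is absent here
    ("iam-control", "admin-audit"): datetime(2024, 6, 1, 9, 55),
}

REVIEW_TIME = datetime(2024, 6, 1, 10, 0)   # constructed "now" for the check
STALE_AFTER = timedelta(minutes=15)         # silence longer than this is a gap


def logging_gaps(assets, last_event, now, stale_after=STALE_AFTER):
    """Return {asset: {source: 'missing' | 'stale'}} for every logging gap.

    'missing' means no event has ever arrived from that stream; 'stale' means
    the stream exists but has been silent longer than `stale_after`.
    """
    gaps = {}
    for asset, spec in assets.items():
        for source in spec["expected_sources"]:
            seen = last_event.get((asset, source))
            if seen is None:
                gaps.setdefault(asset, {})[source] = "missing"
            elif now - seen > stale_after:
                gaps.setdefault(asset, {})[source] = "stale"
    return gaps


def coverage_ratio(assets, last_event, now, stale_after=STALE_AFTER):
    """Fraction of expected (asset, source) streams that are healthy."""
    expected = sum(len(s["expected_sources"]) for s in assets.values())
    if expected == 0:
        return 1.0
    gap_count = sum(len(g) for g in logging_gaps(assets, last_event, now, stale_after).values())
    return (expected - gap_count) / expected


if __name__ == "__main__":
    print(logging_gaps(CRITICAL_ASSETS, LAST_EVENT, REVIEW_TIME))
    print(f"coverage: {coverage_ratio(CRITICAL_ASSETS, LAST_EVENT, REVIEW_TIME):.0%}")
```

Run on the sample data, the check reports the database's query-audit stream as stale and the web server's authentication stream as missing, so any report built from these logs would silently omit two of the five expected streams.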

Cloud Infrastructure Security and Zero Trust


Zero Trust is a security strategy designed to stop data breaches and make other
cyber security attacks unsuccessful. All users and devices, regardless of their
location, must be authenticated first and then continuously monitored to verify their
authorization status. Although Zero Trust is easy to implement on an enterprise-
owned network, cloud environments introduce some unique challenges while also
making a zero-trust approach essential.

With remote work gaining in popularity, many businesses have adopted a bring your
own device (BYOD) policy, allowing employees to connect their personal devices to
the organization’s networks. This trend, along with the rapid shift to cloud computing,
blurs traditional boundaries, making it more difficult to establish the perimeters
needed to protect enterprise resources and sensitive data from unauthorized access.

In today’s cloud-centric world, Zero Trust is a vital element of infrastructure security.
A comprehensive security solution built on Zero Trust Network Access (ZTNA)
architecture protects an organization’s data and resources across all platforms and
environments. With modern tools, companies can control access, monitor traffic and
usage continuously, and adapt their security strategy easily—even as dynamic cloud
environments change.

Cloud Infrastructure Security Best Practices


As businesses become more dependent on cloud technologies and computing
environments grow more complex, the need to secure cloud infrastructure is
becoming increasingly important. The following cloud infrastructure best practices
can help organizations adopt a robust security posture that protects critical IT assets,
sensitive data, and intellectual property.

a. Use strong authentication methods


Passwords alone do not provide enough security. Users typically choose short
passwords that are easy to remember, often using the same password to
access multiple websites or applications. Weak passwords are easy for
hackers to guess and contribute to 81% of all data breaches. [4] Stolen and
reused login credentials also pose a significant security threat, comprising
80% of all hacking incidents.

To secure cloud infrastructure, companies should use strong authentication
methods, such as multi-factor authentication (MFA) or biometrics. Requiring
users to provide additional evidence to verify their identity significantly
reduces the risk of cyberattacks. Bad actors can rarely meet the second
authentication requirement, which prevents them from gaining access to user
accounts that have permission to access sensitive data and use critical
enterprise applications and services.

b. Limit users’ access to resources


A strong security posture not only keeps unauthorized users out; it also limits
the resources authorized users can access. Organizations that give users
more access than they need risk unintentional data loss caused by users’
careless actions. Even greater damage can result if bad actors gain access to
zombie accounts or malicious insiders compromise data or steal the
company’s intellectual property.

Use the following infrastructure security best practices to protect sensitive
data and resources from unauthorized access:

1. Deploy an identity access management solution that simplifies
credential management and centralizes authentication.
2. When provisioning new users, grant granular permissions individually
based on each user’s role and business needs.
3. Leverage the principle of least privilege to ensure each user has access
only to the resources their job requires.
4. To reduce the risk of cyberattacks that exploit zombie accounts, use a
modern tool that deprovisions users automatically when they leave the
organization.
5. Perform routine security audits. Verify and update individual, group, and
role-based permissions. Make sure no users have accumulated more
permissions than they need.
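
Steps 3 to 5 of this list, and the privilege-creep and zombie-account problems described under mistake 2 earlier, can all be checked mechanically from an account export. The following is an added example, not code from these notes or from any IAM product: the role baselines, user accounts and review date are constructed sample data, and a real audit would read them from the IAM system's user and policy exports. It flags accounts that hold permissions beyond their role, accounts nobody has used for 90 days, and accounts whose owner has left.

```python
"""Account-hygiene audit: least privilege, zombie accounts and departures.

Added example for the cloud security notes; all roles, users and dates are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed role baselines: the only permissions each role should carry.
ROLE_BASELINES = {
    "developer": {"repo:read", "repo:write", "ci:run", "logs:read"},
    "analyst":   {"db:read", "dashboard:read"},
    "dba":       {"db:read", "db:write", "db:admin", "backup:restore"},
}

MAX_IDLE_DAYS = 90  # inactivity threshold for flagging an account as a zombie


@dataclass
class Account:
    username: str
    role: str
    permissions: set
    last_login: date
    active_employee: bool = True  # False once HR records the person as departed


def excess_permissions(account: Account, baselines=ROLE_BASELINES) -> set:
    """Permissions the account holds beyond its role's baseline (privilege creep)."""
    return account.permissions - baselines.get(account.role, set())


def is_zombie(account: Account, as_of: date, max_idle_days: int = MAX_IDLE_DAYS) -> bool:
    """True when nobody has used the account for longer than the idle threshold."""
    return (as_of - account.last_login) > timedelta(days=max_idle_days)


def audit_accounts(accounts, as_of: date, baselines=ROLE_BASELINES) -> dict:
    """Produce the three action lists a reviewer needs."""
    report = {"deprovision": [], "zombie": [], "excess": {}}
    for acct in accounts:
        if not acct.active_employee:
            report["deprovision"].append(acct.username)  # remove regardless of use
            continue
        if is_zombie(acct, as_of):
            report["zombie"].append(acct.username)
        extra = excess_permissions(acct, baselines)
        if extra:
            report["excess"][acct.username] = sorted(extra)
    return report


# Constructed sample accounts as of a fixed review date.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", {"repo:read", "repo:write", "ci:run", "logs:read"},
            date(2024, 5, 30)),
    # Moved from dba to developer but kept the old database rights.
    Account("bob", "developer", {"repo:read", "repo:write", "db:admin", "backup:restore"},
            date(2024, 5, 28)),
    # Has not logged in since last year.
    Account("carol", "analyst", {"db:read", "dashboard:read"}, date(2023, 11, 2)),
    # Left the company; the account is still enabled.
    Account("dave", "dba", {"db:read", "db:write", "db:admin", "backup:restore"},
            date(2024, 5, 1), active_employee=False),
]

if __name__ == "__main__":
    for section, items in audit_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(section, items)
```

The role baseline is the piece organizations most often lack: without a written statement of what each role needs, "more permissions than they need" cannot be measured, only guessed.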

c. Enable real-time monitoring and logging


While segmentation capabilities give cloud computing a significant security
advantage, the accelerated adoption of cloud technologies has created an
ever-expanding attack surface. In the first half of 2022, the incidence of
cyberattacks rose by 42%. [6] As threats become increasingly sophisticated
and breaches become increasingly expensive, [7, 8] it is more important than
ever for companies to employ real-time monitoring and comprehensive
logging capabilities.

To detect irregular usage patterns and potential threats, use modern tools that
provide visibility across all platforms and devices, including cloud
infrastructure. Continuously monitor system activity and user behavior in real-
time, and respond to alerts promptly. Be sure to enable logging for all critical
IT assets. That way, IT teams will have all the information they need to identify
potential threats and can respond quickly to any security incidents that may
occur.
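
"Irregular usage patterns" is an abstraction until it is written as rules over real events, so here is a small detector run over constructed audit-log lines. The following is an added example, not code from these notes or from any provider's monitoring service: the log lines, the per-user baseline of known source addresses and the list of sensitive actions are all constructed (the IP addresses are from the documentation ranges), and a real deployment would stream events from the provider's audit log. It evaluates each event as it arrives, which is what "real time" means in practice.

```python
"""Real-time monitoring: flagging irregular user behaviour in audit logs.

Added example for the cloud security notes; the events, baseline and action
list are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events in 'timestamp key=value ...' form.
SAMPLE_LOG = """\
2024-06-01T09:00:01Z user=alice action=login result=success src=203.0.113.10 resource=console
2024-06-01T09:00:05Z user=bob action=login result=failure src=198.51.100.7 resource=console
2024-06-01T09:00:09Z user=bob action=login result=failure src=198.51.100.7 resource=console
2024-06-01T09:00:13Z user=bob action=login result=failure src=198.51.100.7 resource=console
2024-06-01T09:00:17Z user=bob action=login result=failure src=198.51.100.7 resource=console
2024-06-01T09:00:21Z user=bob action=login result=failure src=198.51.100.7 resource=console
2024-06-01T09:05:00Z user=carol action=login result=success src=198.51.100.42 resource=console
2024-06-01T22:30:00Z user=carol action=storage:set_public result=success src=198.51.100.42 resource=bucket/customer-exports
"""

# Constructed baseline of the source addresses each user normally logs in from.
KNOWN_SOURCES = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}, "carol": {"203.0.113.12"}}

# Actions that change who can reach data; flagged when performed outside 08:00-18:00 UTC.
SENSITIVE_ACTIONS = {"storage:set_public", "iam:create_access_key", "iam:attach_policy"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=1)


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, known_sources=KNOWN_SOURCES):
    """Return (rule, user, detail) alerts, evaluating events one at a time."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        user, action, now = ev["user"], ev["action"], ev["time"]

        # Rule 1: a burst of failed logins inside a short window (password guessing).
        if action == "login" and ev["result"] == "failure":
            q = recent_failures[user]
            q.append(now)
            while q and now - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()                      # drop failures outside the window
            if len(q) == FAILED_LOGIN_THRESHOLD:  # fire once, when the threshold is hit
                alerts.append(("failed_login_burst", user, f"{len(q)} failures from {ev['src']}"))

        # Rule 2: a successful login from a source this user has never used before.
        if action == "login" and ev["result"] == "success" and ev["src"] not in known_sources.get(user, set()):
            alerts.append(("new_source", user, ev["src"]))

        # Rule 3: a data-exposure action outside business hours.
        if action in SENSITIVE_ACTIONS and not 8 <= now.hour < 18:
            alerts.append(("sensitive_after_hours", user, f"{action} on {ev['resource']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data the detector raises three alerts: a burst of failed logins for one user, a second user's successful login from an address outside their baseline, and that same user making a storage bucket public late at night. The second and third together are the pattern a response team should treat as a probable credential compromise rather than two unrelated events.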

d. Provide cybersecurity training to employees

While monitoring user activity helps identify irregular usage and potentially
malicious behavior, ongoing employee training plays a key role in every
company’s security strategy. All users should have at least a basic
understanding of security protocols. Train users in security best practices so
they will know how to protect their login credentials from theft or misuse and
how to practice good password hygiene.

Leverage advanced training sessions to raise awareness of common
cybersecurity risks, such as phishing attacks, online fraud, spoof domains
that replicate popular trusted websites, and social engineering scams that
trick users into disclosing sensitive information. With 75% of phishing attacks
originating from cloud-based email servers and a record-breaking 1,097,811
phishing attacks in the second quarter of 2022, phishing should be top of mind
for everyone.

Why is cloud security strategy important?

In today’s cloud computing environment, organizations have less control over their
infrastructure and its security than they had in the past. Cloud service providers
control their physical infrastructure as well as its security. Organizations get little
visibility, much less control, over many aspects of SaaS security.

Traditional security frameworks simply do not work anymore. Secure perimeter
technologies and practices assume a physical network can be isolated from external
threats. In today’s decentralized, virtualized cloud environments, the perimeter is
meaningless.

Cloud infrastructures face threats from all directions. To protect the organization,
cloud security strategy must address four core objectives:

Provide and control access - Anywhere, anytime access is a benefit of the cloud,
but it becomes a weakness when “anyone” gets access. Cloud security strategies
need policies and technologies that allow authorized users to access the resources
they need for their work while preventing unauthorized access.

Protect data - With the right data policies, cloud storage should be more secure
than on-premises data centers, making organizations more resilient to natural
disasters and other disruptions. Data retention policies minimize the amount of data
at risk. Backup and data recovery policies minimize the duration and impact of
disruptions.

Prevent and mitigate attacks - Security requires constant vigilance, especially
when company resources live in the cloud. Organizations must monitor the threat
landscape continuously. Given the persistence and sophistication of modern
cybercriminals, focusing on prevention is not enough. Organizations must monitor
their infrastructure around the clock to identify and mitigate security breaches
quickly.

Compliance - Regulations such as GDPR and standards such as SOC 2 require
organizations to have effective IT controls for managing and protecting customer
data. Demonstrating compliance requires systems that monitor conformity to
security, process integrity, privacy, and other standards.

Cloud security architecture threats, risks, and challenges


In some respects, cloud security risks are nothing new. Many of the risks and
challenges organizations face when securing their on-premises infrastructure are
also present in the cloud. However, the amorphous nature of cloud computing
security adds unique challenges:

Visibility - Security teams have less visibility into many aspects of a cloud service
provider’s infrastructure. SaaS providers may be completely opaque while IaaS
providers typically offer security monitoring tools.

Dynamic workloads - In the cloud, virtual instances are spun up and down as
needed making security technologies based on ports and IP addresses less
effective.

Shared security roles - Responsibilities for security vary from one cloud service
provider to another. Any misunderstanding in an organization’s responsibilities can
result in misconfigurations and other security gaps.

Complexity of multi and hybrid cloud security - Each cloud service has its own
security systems that may not play well with others. Security teams must find ways to
bring every aspect of their on-premises and cloud infrastructure within the same
security framework.

Shadow IT - Many cloud services are not adopted through an organization’s IT
planning process. Instead, services pitch themselves to end-users in hopes they will
find the service too valuable to do without. This creates a risk that sensitive data will
migrate outside the organization’s established controls.

Governance and compliance - All of these security issues hinder governance and
could compromise the organization’s compliance efforts. Shadow IT could leak
customer information. Poorly understood security roles and poor visibility make
controls less effective.

Benefits of cloud security models

Despite these challenges, implementing a cloud infrastructure security plan can
improve your business. Security is easier to manage, your company’s data is better
protected, and business performance improves.

Centralized cloud security

Unifying security across your cloud infrastructure simplifies the setting and
enforcement of security policies. You no longer have to set provider-specific
policies. In their place, a single policy can apply to every cloud service
provider.

Cloud security systems also give you more visibility across your
infrastructure. You can see employees’ attempts to add shadow IT. Automated
monitoring systems identify configuration problems and suspicious activity,
quickly escalating issues that cannot be mitigated automatically.
Risk minimization

A unified approach to cloud security will reduce your attack surface and
minimize cyber risks. Replacing provider-specific access controls with a
central IAM system lets you apply granular, role-based access control rules.
Data loss prevention, backup practices, and data recovery systems reduce the
risk of lost data and limit the impact of ransomware. Better visibility and
monitoring also help ensure you remain in compliance with data privacy
regulations and AICPA controls standards.
Operational and financial performance

Secure perimeter technologies have become rigid and fragile in the face of
modern IT trends. Designed for the cloud, this new security framework offers
the scalability and availability of the services it protects. In addition, cloud
security technologies can integrate with CI/CD pipelines to become responsive
elements of DevSecOps practices.

Cloud infrastructure security also offers financial benefits. Capital expenses
decline since fewer infrastructure investments are needed. At the same time,
cloud security’s automated systems reduce administrative overhead and let
companies reallocate operational budgets to more productive goals.

What is infrastructure security in cloud computing?


Society’s pivot towards cloud computing environments for work and personal use
has occurred at pace over recent years. With work migrating to the cloud and
businesses adopting a cloud-first approach to wider operations more generally, our
reliance on cloud applications grows by the day.
Business leaders and computer science specialists must ensure that adequate cloud
computing security is prioritised amid these rapid technological advances and
transitions. It’s a concern for many, with 75% of businesses and 68% of
cybersecurity experts pinpointing misconfigured cloud infrastructure as the top
security threat.

What is cloud infrastructure security?


The aim of cloud infrastructure security is to protect cloud-based assets from
cybersecurity threats. There are a number of challenges presented by modern
cloud computing – from regulatory demands to inconsistent and patchy
security policies – which cloud security frameworks make it simpler and easier
to address.
Despite this, traditional tools and methods of network security still create
critical gaps and vulnerabilities that hackers can leverage. Some of the
key security challenges and risks associated with cloud networks include:
• data breaches
• visibility
• migration of dynamic workloads
• misconfigurations
• unsecured APIs
• access control/unauthorised access
• securing the control plane
• security compliance and auditing
• end user error and lack of security awareness.

The nature of cloud systems is that they are dynamic; cloud resources can be
particularly short-lived, with many being created and deleted multiple times
each day. As a result, each individual ‘building block’ in a cloud network must
be robustly and systematically secured – though it is made more complicated
by working practice shifts such as bring-your-own-device (BYOD) and remote
working.
Cloud data is primarily stored in public and private clouds, although
other cloud strategies – such as multi-cloud and hybrid cloud – are also
popular. There are four main cloud computing service models: infrastructure
as a service (IaaS), software as a service (SaaS), platform as a service (PaaS),
and serverless.

Here are some of the best practices for cloud infrastructure security:

• Use strong authentication methods. This includes using multi-factor
authentication (MFA) or biometrics to verify the identity of users before
granting them access to cloud resources.
• Implement least privilege access. This means that users should only be
granted access to the resources they need to do their jobs.

• Use security groups and firewalls to restrict access to cloud
resources. This helps to prevent unauthorized users from accessing sensitive
data or applications.
• Encrypt data at rest and in transit. This helps to protect data from being
accessed by unauthorized individuals, even if they are able to breach cloud
security.
• Monitor cloud activity for suspicious activity. This can be done using
cloud security posture management (CSPM) tools or other security monitoring
tools.
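
The last three practices in this list (restrictive security groups, encryption at rest, monitoring for misconfigurations with CSPM tooling) are exactly what a posture-management scan automates, and the misconfiguration figures quoted earlier in these notes are why it matters. The following is an added example, not code from these notes or from any CSPM product: the resource inventory is a constructed, provider-neutral snapshot of security groups, storage buckets, block volumes and user accounts with placeholder names, and a real scanner would fetch it through the cloud provider's APIs. Each rule maps to one best practice on this page.

```python
"""Misconfiguration scan in the style of a CSPM tool.

Added example for the cloud security notes; the inventory is a constructed
snapshot with placeholder names, not data from a real account.
"""
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP: remote-administration ports
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed inventory snapshot (all ids and names are placeholders).
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "public-site-assets", "public": True, "encrypted": True},
        {"name": "customer-exports", "public": True, "encrypted": False},
    ],
    "volumes": [{"id": "vol-1", "encrypted": True}, {"id": "vol-2", "encrypted": False}],
    "users": [
        {"name": "alice", "mfa": True, "policies": ["ReadOnly"]},
        {"name": "svc-deploy", "mfa": False, "policies": ["AdministratorAccess"]},
    ],
}


def world_open_admin_ports(groups):
    """Security-group rules that expose SSH or RDP to every address on the internet."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if rule["port"] in ADMIN_PORTS and ipaddress.ip_network(rule["cidr"]).prefixlen == 0:
                findings.append(("HIGH", g["id"], f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def public_buckets(buckets):
    """Buckets readable by anyone; flagged even when the content is meant to be public."""
    return [("HIGH", b["name"], "bucket is publicly readable") for b in buckets if b["public"]]


def unencrypted_storage(buckets, volumes):
    """Encryption at rest missing on object storage or block volumes."""
    found = [("MEDIUM", b["name"], "bucket not encrypted at rest") for b in buckets if not b["encrypted"]]
    found += [("MEDIUM", v["id"], "volume not encrypted at rest") for v in volumes if not v["encrypted"]]
    return found


def users_without_mfa(users):
    """Accounts relying on a password alone; more severe when the account is privileged."""
    findings = []
    for u in users:
        if u["mfa"]:
            continue
        privileged = "AdministratorAccess" in u["policies"]
        findings.append(("HIGH" if privileged else "MEDIUM", u["name"],
                         "no MFA" + (" on administrator account" if privileged else "")))
    return findings


def scan(inventory):
    """Run every rule and return the findings ordered by severity."""
    findings = (world_open_admin_ports(inventory["security_groups"])
                + public_buckets(inventory["buckets"])
                + unencrypted_storage(inventory["buckets"], inventory["volumes"])
                + users_without_mfa(inventory["users"]))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, resource, detail in scan(INVENTORY):
        print(f"{severity:6} {resource:20} {detail}")
```

Note that the web security group passes even though it is open to the world: port 443 on a public web tier is the intended exposure, and a rule that flags every 0.0.0.0/0 entry trains teams to ignore the scanner. The rule is scoped to administrative ports for that reason.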

By following these best practices, organizations can help to improve the security of
their cloud infrastructure and protect their workloads and data from a variety of
threats.

What are the threats to cloud infrastructure?

Cloud infrastructure is vulnerable to a variety of threats, including:

• Data breaches: Attackers can steal sensitive data from cloud-based
applications and databases.
• Malware attacks: Malware can be used to disrupt or disable cloud-based
services.
• Denial-of-service (DoS) attacks: DoS attacks can overwhelm cloud
resources and make them unavailable to legitimate users.
• Misconfigurations: Cloud resources can be misconfigured, which can create
security vulnerabilities.
• Insider threats: Malicious insiders can abuse their access to cloud resources
to steal data, launch attacks, or sabotage systems.

How can cloud infrastructure be secured?

Cloud infrastructure can be secured by implementing a variety of security measures,
including:

• Identity and access management (IAM): IAM solutions allow organizations
to manage who has access to cloud resources and what they can do with
them.
• Encryption: Encryption helps to protect data from being accessed by
unauthorized individuals.
• Networking security: Networking security solutions, such as firewalls and
intrusion detection systems, can be used to protect cloud resources from
unauthorized access and attacks.

• Security monitoring: Security monitoring solutions can be used to detect
suspicious activity in cloud environments.
• Cloud security posture management (CSPM): CSPM tools can be used to
assess the security posture of cloud environments and identify and mitigate
security risks.

What are the benefits of cloud infrastructure security?

The benefits of cloud infrastructure security include:

• Reduced risk of data breaches and other cyberattacks: Cloud
infrastructure security helps to protect organizations from a variety of
cyberattacks, which can lead to data breaches, financial losses, and
reputational damage.
• Improved compliance: Cloud infrastructure security can help organizations
to meet industry regulations and other compliance requirements.
• Increased customer confidence: Customers are more likely to do business
with organizations that they know take cloud security seriously.

How to implement cloud infrastructure security

To implement cloud infrastructure security, organizations should follow these steps:

1. Understand the shared responsibility model. Organizations need to
understand that cloud security is a shared responsibility between cloud
providers and their customers. Cloud providers are responsible for securing
the underlying infrastructure, while customers are responsible for securing
their workloads and data.
2. Assess your cloud security posture. Organizations should conduct a
regular assessment of their cloud security posture to identify and mitigate
security risks. This assessment should include a review of cloud security
policies, procedures, and technologies.
3. Implement security best practices. Organizations should implement a
variety of cloud security best practices, such as encryption, least privilege
access, and security monitoring.
4. Use cloud security tools. Organizations can use a variety of cloud security
tools to help them protect their cloud infrastructure. These tools can include
CSPM, intrusion detection systems, and vulnerability scanners.
5. Educate employees. Organizations should educate their employees about
cloud security best practices. This helps to reduce the risk of human
error, which is a leading cause of cloud security breaches.

Conclusion

Cloud infrastructure security is important for all organizations that use cloud
computing. By following the best practices outlined above, organizations can help to
protect their workloads and data from a variety of threats.

CLOUD DATA SECURITY


Cloud data security defined
Cloud data security protects data that is stored (at rest) or moving in and out of the
cloud (in motion) from security threats, unauthorized access, theft, and corruption. It
relies on physical security, technology tools, access management and controls, and
organizational policies.

Why companies need cloud security

Today, we’re living in the era of big data, with companies generating, collecting, and
storing vast amounts of data by the second, ranging from highly confidential
business or personal customer data to less sensitive data like behavioral and
marketing analytics.

Beyond the growing volumes of data that companies need to be able to access,
manage, and analyze, organizations are adopting cloud services to help them
achieve more agility and faster times to market, and to support increasingly remote
or hybrid workforces.

The traditional network perimeter is fast disappearing, and security teams are
realizing that they need to rethink current and past approaches when it comes to
securing cloud data. With data and applications no longer living inside your data
center and more people than ever working outside a physical office, companies must
solve how to protect data and manage access to that data as it moves across and
through multiple environments.

Data privacy, integrity, and accessibility

Cloud data security best practices follow the same guiding principles of information
security and data governance:

• Data confidentiality: Data can only be accessed or modified by authorized
people or processes. In other words, you need to ensure your organization’s
data is kept private.

• Data integrity: Data is trustworthy—in other words, it is accurate, authentic,
and reliable. The key here is to implement policies or measures that prevent
your data from being tampered with or deleted.

• Data availability: While you want to stop unauthorized access, data still needs
to be available and accessible to authorized people and processes when it’s
needed. You’ll need to ensure continuous uptime and keep systems, networks,
and devices running smoothly.

Often referred to as the CIA triad, these three broad pillars represent the core
concepts that form the basis of strong, effective security infrastructure—or any
organization’s security program. Any attack, vulnerability, or other security incident
will likely violate one (or more) of these principles. This is why security professionals
use this framework to evaluate potential risk to an organization’s data assets.

What are the challenges of cloud data security?

As more data and applications move out of a central data center and away from
traditional security mechanisms and infrastructure, the higher the risk of exposure
becomes. While many of the foundational elements of on-premises data security
remain, they must be adapted to the cloud.

Common challenges with data protection in cloud or hybrid environments include:

• Lack of visibility. Companies don’t know where all their data and applications
live and what assets are in their inventory.

• Less control. Since data and apps are hosted on third-party infrastructure,
they have less control over how data is accessed and shared.

• Confusion over shared responsibility. Companies and cloud providers share
cloud security responsibilities, which can lead to gaps in coverage if duties
and tasks are not well understood or defined.

• Inconsistent coverage. Many businesses are finding multicloud and hybrid
cloud to better suit their business needs, but different providers offer varying
levels of coverage and capabilities that can deliver inconsistent protection.

• Growing cybersecurity threats. Cloud databases and cloud data storage
make ideal targets for online criminals looking for a big payday, especially as
companies are still educating themselves about data handling and
management in the cloud.

• Strict compliance requirements. Organizations are under pressure to comply
with stringent data protection and privacy regulations, which require enforcing
security policies across multiple environments and demonstrating strong data
governance.

• Distributed data storage. Storing data on international servers can deliver
lower latency and more flexibility. Still, it can also raise data sovereignty
issues that might not be problematic if you were operating in your own data
center.

What are the benefits of cloud data security?


▪ Greater visibility
Strong cloud data security measures allow you to maintain visibility into the inner
workings of your cloud, namely what data assets you have and where they live, who
is using your cloud services, and the kind of data they are accessing.

▪ Easy backups and recovery


Cloud data security can offer a number of solutions and features to help automate
and standardize backups, freeing your teams from monitoring manual backups and
troubleshooting problems. Cloud-based disaster recovery also lets you restore and
recover data and applications in minutes.

▪ Cloud data compliance


Robust cloud data security programs are designed to meet compliance obligations,
including knowing where data is stored, who can access it, how it’s processed, and
how it’s protected. Cloud data loss prevention (DLP) can help you easily discover,
classify, and de-identify sensitive data to reduce the risk of violations.

▪ Data encryption
Organizations need to be able to protect sensitive data whenever and wherever it
goes. Cloud service providers help you tackle secure cloud data transfer, storage,
and sharing by implementing several layers of advanced encryption for securing
cloud data, both in transit and at rest.

▪ Lower costs
Cloud data security reduces total cost of ownership (TCO) and the administrative
and management burden of cloud data security. In addition, cloud providers offer
the latest security features and tools, making it easier for security professionals to
do their jobs with automation, streamlined integration, and continuous alerting.

▪ Advanced incident detection and response


An advantage of cloud data security is that providers invest in cutting-edge AI
technologies and built-in security analytics that help you automatically scan for
suspicious activity to identify and respond to security incidents quickly.

Who is responsible for securing your data?

Cloud providers and customers share responsibility for cloud security. The exact
breakdown of responsibilities will depend on your deployment and whether you
choose IaaS, PaaS, or SaaS as your cloud computing service model.

In general, a cloud provider takes responsibility for the security of the cloud itself,
and you are responsible for securing anything inside of the cloud, such as data,
user identities, and their access privileges (identity and access management).

At Google Cloud, we follow a shared fate model. That means we are active partners
in ensuring our customers deploy securely on our platform. We can help you
implement best practices by offering secure-by-default configurations, blueprints,
policy hierarchies, and advanced security features to help develop security
consistency across your platforms and tools.

The cloud data protection and security strategy must also protect data of all
types. This includes:

• Data in use: Securing data being used by an application or endpoint through
user authentication and access control
• Data in motion: Ensuring the safe transmission of sensitive, confidential or
proprietary data while it moves across the network through encryption and/or
other email and messaging security measures
• Data at rest: Protecting data that is being stored on any network location,
including the cloud, through access restrictions and user authentication

EXPERT TIP

The cloud is a term used to describe servers — as well as any associated
services, software applications, databases, containers and workloads — that are
accessed remotely via the internet. Cloud environments are typically divided into
two categories: a private cloud, which is a cloud environment used exclusively by
one customer; or a public cloud, which is an environment that is shared by more
than one user.

How secure is the cloud?

Theoretically, the cloud is no more or less secure than a physical server or data
center so long as the organization has adopted a comprehensive, robust
cybersecurity strategy that is specifically designed to protect against risks and
threats in a cloud environment.

And therein lies the problem: Many companies may not realize that their
existing security strategy and legacy tooling, such as firewalls, do not protect
assets hosted in the cloud. For this reason, organizations must fundamentally
reconsider their security posture and update it to meet the security
requirements of this new environment.

Another big misconception about the cloud is that the cloud provider is
responsible for all security functions, including data security. In fact, cloud
security follows what is referred to as the shared responsibility model.

Hence, cloud security — and, by extension, cloud data security — is a shared
responsibility between the cloud service provider (CSP) and its customers.

EXPERT TIP

According to this model, the CSP, such as Google Cloud Platform
(GCP), Amazon Web Services (AWS), and Microsoft Azure (Azure), is
responsible for managing and protecting the underlying hardware security.
However, customers are expected to enable security at the infrastructure and
application layer. This includes all tools, technologies, policies and methods
meant to protect the organization’s data and other cloud-based assets.

Why should businesses store data in the cloud?

Organizations have shifted to the cloud because it is a key enabler of almost
every digital business transformation strategy. When it comes to cloud data
storage, specifically, organizations can unlock valuable benefits, such as:

• Lower costs: Cloud storage is generally more affordable for businesses and
organizations because the infrastructure costs are shared across users.
• Resource optimization: Typically speaking, in a cloud model, the CSP is
responsible for maintaining cloud-based servers, hardware, databases or
other cloud infrastructure elements. In addition, the organization no longer
needs to host or maintain on-premises components. This not only decreases
overall IT costs but allows staff to be redeployed to focus on other issues,
such as customer support or business modernization.
• Improved access: Cloud-hosted databases can be accessed by any
authorized user, from virtually any device, in any location in the world so long
as there is an internet connection — a must for enabling the modern digital
workforce.
• Scalability: Cloud resources, such as databases, are flexible, meaning they
can be quickly spun up or down based on the variable needs of the business.
This allows the organization to manage surges in demand or seasonal spikes
in a more timely and cost-effective way.

Business Risks to Storing Data in the Cloud

Though storing data within the cloud offers organizations many important
benefits, this environment is not without challenges. Here are some risks
businesses may face when storing data in the cloud without the proper security
measures in place:

1. Data breaches

Data breaches occur differently in the cloud than in on-premises attacks.
Malware is less relevant. Instead, attackers exploit misconfigurations,
inadequate access controls, stolen credentials and other vulnerabilities.

2. Misconfigurations

Misconfigurations are the No. 1 vulnerability in a cloud environment and can lead
to overly permissive privileges on accounts, insufficient logging and other
security gaps that expose organizations to cloud breaches, insider threats and
adversaries who leverage vulnerabilities to gain access to data.

3. Unsecured APIs

Businesses often use APIs to connect services and transfer data, either internally
or to partners, suppliers, customers and others. Because APIs turn certain types
of data into endpoints, changes to data policies or privilege levels can increase
the risk of unauthorized access to more data than the host intended.

4. Access control/unauthorized access

Organizations using multi-cloud environments tend to rely on the default access
controls of their cloud providers, which becomes an issue particularly in a
multi-cloud or hybrid cloud environment. Insider threats can do a great deal of
damage with their privileged access, knowledge of where to strike, and ability
to hide their tracks.

6 Cloud Data Security Best Practices

To ensure the security of their data, organizations must adopt a comprehensive
cybersecurity strategy that addresses data vulnerabilities specific to the cloud.

Key elements of a robust cloud data security strategy include:

1. Leverage advanced encryption capabilities

One effective way to protect data is to encrypt it. Cloud encryption transforms
data from plain text into an unreadable format before it enters the cloud. Data
should be encrypted both in transit and at rest.

There are different out-of-the-box encryption capabilities offered by cloud service
providers for data stored in block and object storage services. To protect the
security of data-in-transit, connections to cloud storage services should be made
using encrypted HTTPS/TLS connections.

Data encryption is enabled by default in cloud platforms using platform-managed
encryption keys. However, customers can gain additional control by bringing
their own keys and managing them centrally via encryption key management
services in the cloud. Organizations with stricter security standards and
compliance requirements can implement native hardware security module
(HSM)-enabled key management services or even third-party services for
protecting data encryption keys.

2. Implement a data loss prevention (DLP) tool.

Data loss prevention (DLP) is part of a company’s overall security strategy that
focuses on detecting and preventing the loss, leakage or misuse of data through
breaches, exfiltration and unauthorized access.

A cloud DLP is specifically designed to protect those organizations that leverage
cloud repositories for data storage.

3. Enable unified visibility across private, hybrid and multi-cloud environments.

Unified discovery and visibility of multi-cloud environments, along with
continuous intelligent monitoring of all cloud resources, are essential in a cloud
security solution. That unified visibility must be able to detect misconfigurations,
vulnerabilities and data security threats, while providing actionable insights and
guided remediation.

4. Ensure security posture and governance.

Another key element of data security is having the proper security policy and
governance in place that enforces golden cloud security standards, while
meeting industry and government regulations across the entire infrastructure.
A cloud security posture management (CSPM) solution that detects and prevents
misconfigurations and control plane threats is essential for eliminating blind
spots and ensuring compliance across clouds, applications and workloads.

5. Strengthen identity and access management (IAM).

Identity and access management (IAM) helps organizations streamline and
automate identity and access management tasks and enable more granular
access controls and privileges. With an IAM solution, IT teams no longer need to
manually assign access controls, monitor and update privileges, or deprovision
accounts. Organizations can also enable a single sign-on (SSO) to authenticate
the user’s identity and allow access to multiple applications and websites with
just one set of credentials.

When it comes to IAM controls, the rule of thumb is to follow the principle of
least privilege, which means allowing required users to access only the data and
cloud resources they need to perform their work.

6. Enable cloud workload protection.

Cloud workloads increase the attack surface exponentially. Protecting workloads
requires visibility and discovery of each workload and container events, while
securing the entire cloud-native stack, on any cloud, across all workloads,
containers, Kubernetes and serverless applications. Cloud workload
protection (CWP) includes vulnerability scanning and management, and breach
protection for workloads, including containers, Kubernetes and serverless
functions, while enabling organizations to build, run and secure cloud
applications from development to production.

CrowdStrike’s Cloud Security Solutions

CrowdStrike has redefined security with the world’s most advanced cloud-native
platform that protects and enables the people, processes and technologies that
drive modern enterprise. The industry continues to recognize CrowdStrike as a
leader, most recently with CRN naming CrowdStrike a Winner of the 2022 Tech
Innovator Award for Best Cloud Security.

Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon® platform
leverages real-time indicators of attack (IOAs), threat intelligence, evolving
adversary tradecraft and enriched telemetry from across the enterprise to deliver
hyper-accurate detections, automated protection and remediation, elite threat
hunting and prioritized observability of vulnerabilities.

Data security in cloud computing

Organizations in all sectors recognize the benefits of cloud computing. Some are
only beginning their migration journey as part of digital transformation efforts, while
others are adopting advanced multi-cloud, hybrid strategies. One of the biggest
challenges at any stage of implementation is data security in cloud computing,
stemming from the unique risks that the technology brings.

The cloud erodes the traditional network perimeter that drove cybersecurity
strategies in the past. Data security in cloud computing requires a different
approach—one that considers not only the threats but also the complexity of data
governance and security models in the cloud.

The changing business landscape and implications for cloud data security

Strengthening cybersecurity defenses is the top investment that companies
undertaking digital transformation projects plan to make.[1] The emerging trend of
remote and hybrid workplaces is creating a paradigm shift in cybersecurity that’s
changing spending priorities.

As businesses look to improve resilience and employees expect the flexibility to
work from anywhere, cloud computing provides the foundational technology for this
transformation. But many cloud solutions don’t come with built-in security features,
which emphasizes the need for data security in cloud computing.

Common cloud data security risks

When it comes to data, the cloud poses a variety of risks that the enterprise must
address as part of its security strategy. The biggest risks—as organizations
increasingly rely on the cloud for collecting, storing, and processing critical data—are
cyberattacks and data breaches.

A SailPoint survey, for example, found that 45% of companies that
have implemented IaaS have experienced cyberattacks and 25% have experienced a
data breach. Other research found that IT security professionals cite the proliferation
of cloud services as the second-biggest barrier to their ability to respond to a data
breach, and this challenge has grown in recent years.

Some of the common cloud-related risks that organizations face include:

• Regulatory noncompliance—whether it’s the General Data Protection
Regulation (GDPR) or the Health Insurance Portability and Accountability
Act (HIPAA), cloud computing adds complexity to satisfying compliance
requirements.
• Data loss and data leaks—data loss and data leaks can result from poor
security practices such as misconfigurations of cloud systems or
threats such as insiders.
• Loss of customer trust and brand reputation—customers trust organizations
to safeguard their personally identifiable information (PII) and when a security
incident leads to data compromise, companies lose customer goodwill.
• Business interruption—risk professionals around the globe identified
business disruption caused by failure of cloud technology / platforms or
supply chains as one of their top five cyber exposure concerns.[2]
• Financial losses—the costs of incident mitigation, data breaches, business
disruption, and other consequences of cloud security incidents can add up to
hundreds of millions of dollars.

Cloud computing threats to data security

While cybersecurity threats that apply to on-premises infrastructure also extend to
cloud computing, the cloud brings additional data security threats. Here are some of
the common ones:

• Unsecure application programming interfaces (APIs)—many cloud services
and applications rely on APIs for functionalities such as authentication and
access, but these interfaces often have security weaknesses such as
misconfigurations, opening the door to compromises.
• Account hijacking or takeover—many people use weak passwords or reuse
compromised passwords, which gives cyberattackers easy access to cloud
accounts.
• Insider threats—while these are not unique to the cloud, the lack of visibility
into the cloud ecosystem increases the risk of insider threats, whether the
insiders are gaining unauthorized access to data with malicious intent or are
inadvertently sharing or storing sensitive data via the cloud.

Safeguards for data security in cloud computing

Data security in the cloud starts with identity governance. Organizations need a
comprehensive, consolidated view of data access across its on-premises and cloud
platforms and workloads. Identity governance provides:

• Visibility—the lack of visibility results in ineffective access control, increasing
both risks and costs.
• Federated access—this eliminates manual maintenance of separate identities
by leveraging Active Directory or another system of record.
• Monitoring—the enterprise needs a way to determine if the access to cloud
data is authorized and appropriate.

Governance best practices include automating processes to reduce the burden on
the enterprise’s IT team, as well as auditing security tools routinely to ensure
continuous risk mitigation as the organization’s environment evolves.

In addition to governance, other recommended data security safeguards for cloud
computing include:

Deploy encryption. Ensure that sensitive and critical data, such as PII and
intellectual property, is encrypted both in transit and at rest. Not all vendors offer
encryption, and the enterprise should consider implementing a third-party encryption
solution for added protection.

Back up the data. While vendors have their own backup procedures, it’s essential to
back up cloud data locally as well. Use the 3-2-1 rule for data backup: Keep at least
three copies, store them on at least two different media, and keep at least one
backup offsite (in the case of the cloud, the offsite backup could be the one
executed by the vendor).

Implement identity and access management (IAM). IAM technology and policies
ensure that the right people have appropriate access to data, and this framework
needs to encompass the cloud environment. Besides identity governance, IAM
components include access management (such as single sign-on, or SSO)
and privileged access management.

Manage organizational password policies. Poor password hygiene is frequently the
cause of data breaches and other security incidents. Use password management
solutions to make it simple for employees and other end users to maintain secure
password practices.

Adopt multi-factor authentication (MFA). In addition to using secure password
practices, MFA is a good way to mitigate the risk of compromised credentials. It
creates an extra hurdle that threat actors must overcome as they try to gain entry to
cloud accounts.

Final thoughts: Keeping data safe in the cloud

As the organization continues on its cloud adoption journey, especially if it starts to
rely on the hybrid multi-cloud, the environment will grow more complex. Data
security in cloud computing is a critical aspect of minimizing the company’s risks
and protecting not only data but also brand reputation.

To safeguard against the ever-evolving cloud threats, consider implementing
solutions for managing cloud access and entitlements. Additionally, integrate these
solutions into the overall IAM strategy for a comprehensive approach to identity
management.

A holistic, identity-centered approach ensures that the enterprise is enforcing access
control consistently—and applying governance more intelligently—whether the data
resides on premises or in the cloud. The organization also benefits from automation
and other features that make identity management more efficient and save costs.

A leader in identity security for the cloud enterprise, SailPoint provides technology
that helps the enterprise manage cloud risks in today’s dynamic, distributed
workplace. Learn more about SailPoint’s cloud governance solution.

Cloud data security refers to the technologies and controls that discover, classify, and
protect all data in the cloud to mitigate risks arising from data loss, misuse, breaches,
and unauthorized access. This includes:

• Detecting and classifying structured and unstructured data
• Implementing and monitoring access management controls at the file and field
levels
• Identifying storage locations for structured and unstructured data
• Data transmission flows
• Encryption configurations

Data security is a fundamental component of an organization’s cybersecurity strategy.

Why Is Sensitive Data Protection Important in Cloud Computing?

As organizations use more data, they need to protect its confidentiality, integrity, and
availability. Cloud computing models enable collaboration and analytics but present
unique challenges.

Integrity

Cloud computing and analytics enable organizations to make data-driven decisions. One
study found:

• 83% of CEOs want a data-driven organization
• 74% of senior executives require data in decision making

Organizations need to protect sensitive information to ensure the integrity of the data
that their analytics models use. To do this, they need to mitigate risks associated with
unauthorized access, including internal users who can make changes to data.

Availability

As organizations build out their data cultures, breaking down data silos becomes more
important. The cloud enables this collaboration, but organizations need to ensure that
they protect sensitive information’s availability, like ensuring no one accidentally deletes
a data set.

Confidentiality

With hybrid and multi-cloud environments, monitoring data use becomes even more
challenging. As data travels between services, organizations need to worry about
application programming interface (API) configurations. By protecting sensitive
information, organizations prevent data loss and leaks that compromise confidentiality.

What Are the Benefits of Cloud Data Security?

While protecting sensitive data is important, the same practices, controls, and processes
benefit companies, too.

Mitigate Data Breach Risk

Over the first half of 2022, the number of weekly cyberattacks increased by 42%. When
broken down by malware type, the data looks like this:

• 23%: Multipurpose malware, including botnets and banking Trojans
• 15%: Cryptominers
• 13%: Infostealer
• 12%: Mobile
• 8%: Ransomware

Some data security controls reduce a cyberattack’s success rate. For example,
implementing data access controls makes it more difficult for attackers to get to the
information. Other data controls, like encryption, make the data unusable and unreadable
if attackers succeed.

Protect Brand Reputation

Brand reputation generates customer interest and provides insight into financial
performance. Research found that 72% of business leaders believe reputation will be a
bigger driver of business performance than margin over the next five years. Every data
breach that makes the news undermines a company’s brand reputation. By mitigating
these risks, organizations protect themselves.

Enhance Customer Trust

Today’s customers consider a company’s data privacy policies and data protections as
part of their buying decisions. Customer trust starts with an organization’s privacy
policies, but it also incorporates brand reputation.

According to one analyst, consumers want companies to provide transparency around
digital-trust policies, finding:

• 85% of respondents said knowing a company’s data privacy policies is important
before making a purchase
• 46% of consumers often or always consider another brand if they are unclear
about how a company will use their data
• 53% of consumers make online purchases or use digital services only after
making sure that the company has a reputation for protecting its customers’ data

Cloud data security enables organizations to implement data privacy controls that
ensure safe customer data sharing.

Avoid Fines and Fees

Data privacy and protection law noncompliance leads to costly fines and legal fees. For
example, a company that violates the General Data Protection Regulation (GDPR) can
face fines up to €10 million, or 2% of its worldwide annual revenue. These fines apply to
violations which may not be cybersecurity incidents. For example, one of the first GDPR
fines was levied against a Portuguese hospital for allowing too many people to have too
much access. Additionally, companies often face expensive lawsuits in a data breach’s
aftermath.

Who Is Responsible for Cloud Data Security?

Most cloud service providers follow the Shared Responsibility Model for cloud security.
At a high level, the cloud provider is responsible for the security of the cloud while their
customer remains responsible for the security of applications and data in the cloud.

Each service provider and “as-a-Service” model defines the Shared Responsibility
differently. However, customers are typically responsible for:

• Information and data
• Application logic and code
• Identity and access
• Platform resource configuration

Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) implementations
assign each party additional responsibilities, and these are dictated by the contract.

6 Cloud Data Security Challenges

For every benefit that cloud environments provide, they add a data security challenge.
Cloud environments are inherently code-based, creating different risks.

Expanded Attack Surface

Cloud environments are naturally flexible and scalable, meaning that organizations can
add new applications or workloads easily. Often, people deploy cloud assets outside of
the organization’s security policies, creating misconfiguration risks. Further, IT and
security teams may not know that these assets exist since traditional asset
management tools lack real-time detection capabilities.

Complex Environments

Modern IT environments may include:

• One or more public cloud providers
• On-premises servers
• SaaS applications
• Virtual machines
• Containers
• Instances

As data travels between these assets, organizations find discovering all sensitive data
and mapping data flows challenging.

Virtual machines, containers, and cloud instances pose new and unique challenges. As
IT environments add more layers of abstraction, data security protections evolve,
requiring security teams to focus on discovering these assets and maintaining secure
configurations.

Divergent Permissions

According to research, 89% of companies have multi-cloud environments. Maintaining
situational awareness and proper security practices poses a challenge because they lack
data normalization across logs. Although vendors provide monitoring tools, each
provider uses different field names and varies the number of fields in the logs. Without
data normalization in a centralized location, organizations struggle to gain visibility
across disparate:

• Permissions
• Log formats
• Network configurations
• Encryption configurations
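To make the normalization problem concrete, the following Python code (an added example, not from the original page) maps audit events from two hypothetical providers with different field names and field counts into one schema, then runs a single permission-change detection over the unified stream. Both event shapes and the action vocabularies are constructed for the example and do not reproduce any real provider's log format.

```python
"""Normalize audit events from two providers with divergent log schemas.

Added example, not code from the original page. Both event shapes below are
constructed to mimic the divergence the text describes (different field
names, different numbers of fields) and do not reproduce any real provider.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample events: a permission change and a read, as two
# hypothetical providers might record them.
PROVIDER_A_EVENTS = [
    {"eventTime": "2024-05-01T10:15:30Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:example:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "payroll-exports"}},
    {"eventTime": "2024-05-01T10:20:01Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:example:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "payroll-exports", "key": "may.csv"}},
]
PROVIDER_B_EVENTS = [
    {"time": "2024-05-01T10:16:02.123Z", "operationName": "StorageAccounts/Write",
     "caller": "bob@example.com", "callerIpAddress": "198.51.100.23",
     "resourceId": "/storageAccounts/payrollexports", "resultType": "Success",
     "category": "Administrative", "level": "Informational"},
]

# Per-provider vocabulary for "this action changes who can reach the data".
PERMISSION_CHANGES = {
    "provider-a": {"PutBucketPolicy", "PutBucketAcl"},
    "provider-b": {"StorageAccounts/Write", "RoleAssignments/Write"},
}


@dataclass(frozen=True)
class NormalizedEvent:
    provider: str
    timestamp: datetime  # always timezone-aware UTC
    actor: str
    action: str
    resource: str
    source_ip: str


def parse_utc(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is mapped to +00:00 so
    datetime.fromisoformat accepts it on Python versions before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def from_provider_a(raw: Dict) -> NormalizedEvent:
    return NormalizedEvent(
        provider="provider-a",
        timestamp=parse_utc(raw["eventTime"]),
        actor=raw["userIdentity"]["arn"],
        action=raw["eventName"],
        resource=raw["requestParameters"].get("bucketName", ""),
        source_ip=raw["sourceIPAddress"],
    )


def from_provider_b(raw: Dict) -> NormalizedEvent:
    return NormalizedEvent(
        provider="provider-b",
        timestamp=parse_utc(raw["time"]),
        actor=raw["caller"],
        action=raw["operationName"],
        resource=raw["resourceId"],
        source_ip=raw["callerIpAddress"],
    )


ADAPTERS = {"provider-a": from_provider_a, "provider-b": from_provider_b}


def normalize_all(batches: Dict[str, List[Dict]]) -> List[NormalizedEvent]:
    """Convert {provider: [raw events]} into one time-ordered list."""
    events = [ADAPTERS[provider](raw) for provider, raws in batches.items() for raw in raws]
    return sorted(events, key=lambda e: e.timestamp)


def permission_changes(events: List[NormalizedEvent]) -> List[NormalizedEvent]:
    """One detection rule written once against the unified schema."""
    return [e for e in events if e.action in PERMISSION_CHANGES[e.provider]]


if __name__ == "__main__":
    unified = normalize_all({"provider-a": PROVIDER_A_EVENTS, "provider-b": PROVIDER_B_EVENTS})
    for ev in permission_changes(unified):
        print(ev.timestamp.isoformat(), ev.provider, ev.actor, ev.action, ev.resource)
```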

Dynamic Environment

IT departments can create and delete volumes of cloud assets rapidly. While the cloud’s
flexibility and scalability enables organizations to save money, consistently applying
security policies becomes difficult. Security tools built for traditional environments lack
real-time policy enforcement capabilities. Cloud asset configurations can fall out of
compliance, weakening the organization’s data security posture.

Shadow Data

As engineering teams leverage cloud database technologies, they duplicate data. For
example, they may have DB backups generated with sensitive information that were
moved to the cloud and never deleted. Since most tools fail to discover this data,
organizations are left with shadow data that can lead to a data breach.

Regulatory Compliance

Implementing data security controls is challenging. However, increased regulatory focus
on data privacy means that organizations have to maintain their data security posture
and document their activities. Inconsistent access permissions, configuration drift, and
visibility issues lead to compliance violations and audit failures.

Best Practices for Implementing Cloud Data Security

By following best practices for data detection and classification, you can implement
controls and technologies that help secure data.

Identify Sensitive Data

Before you can secure data, you need to identify what sensitive information you have
and where it resides. To gain visibility into critical data and static data risk, you need to
discover and classify structured and unstructured sensitive data across:

• Public cloud platforms, including storage like S3 buckets, RDS, and EFS
• Virtualization environments
• Data analytics platforms, like Redshift
• Databases as a Service, like Snowflake
• Shadow data

Classify Data Using Context

Once you know where sensitive data resides, you need to classify it according to:

• Type
• Sensitivity level
• Governing regulation

Your classification process should include how the data moves within your
organization, who uses it, and how they use it.
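As an added example (not code from the original page), the following Python script discovers and classifies sensitive fields in a few constructed records along the three axes just listed: type, sensitivity level and governing regulation. The detection patterns and the regulation mapping are assumptions: GDPR for personal data, HIPAA for health data, and PCI DSS for payment card numbers (PCI DSS is not named on this page).

```python
"""Discover and classify sensitive fields in constructed sample records.

Added example, not code from the original page. The detection rules, the
sensitivity levels and the regulation mapping are illustrative assumptions:
GDPR for personal data, HIPAA for health data, and PCI DSS for payment card
numbers (PCI DSS is not named on this page).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # US SSN layout, illustrative
CARD_RE = re.compile(r"^\d{13,19}$")          # candidate card-number length range
# Field names that indicate health information regardless of the value.
HEALTH_FIELD_HINTS = ("diagnosis", "icd", "prescription", "medical")

# Constructed records standing in for rows pulled from different cloud stores.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "order_total": "42.10"},
    {"patient_id": "P-77", "diagnosis_code": "E11.9", "contact": "bob@example.org"},
    {"account": "A-9", "card_number": "4111 1111 1111 1111", "note": "1234567890123"},
]

SENSITIVITY_RANK = {"unclassified": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Classification:
    field: str
    data_type: str    # kind of sensitive data detected
    sensitivity: str  # level used to drive access and encryption decisions
    regulation: str   # governing regulation (illustrative mapping)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum so that arbitrary digit runs are not flagged as card numbers."""
    total = 0
    for index, ch in enumerate(reversed(digits)):
        d = int(ch)
        if index % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_field(name: str, value) -> Optional[Classification]:
    """Classify one field from its name and value; None means nothing sensitive found."""
    lowered = name.lower()
    text = str(value).strip()
    if any(hint in lowered for hint in HEALTH_FIELD_HINTS):
        return Classification(name, "health", "restricted", "HIPAA")
    if SSN_RE.match(text):
        return Classification(name, "national_id", "restricted", "GDPR")
    if EMAIL_RE.match(text):
        return Classification(name, "email", "confidential", "GDPR")
    compact = text.replace(" ", "").replace("-", "")
    if CARD_RE.match(compact) and luhn_valid(compact):
        return Classification(name, "payment_card", "restricted", "PCI DSS")
    return None


def classify_record(record: Dict) -> List[Classification]:
    return [c for c in (classify_field(k, v) for k, v in record.items()) if c is not None]


def record_sensitivity(findings: List[Classification]) -> str:
    """The record inherits the highest sensitivity of any field in it."""
    if not findings:
        return "unclassified"
    return max((f.sensitivity for f in findings), key=SENSITIVITY_RANK.get)


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        findings = classify_record(record)
        print(record_sensitivity(findings), [(f.field, f.data_type, f.regulation) for f in findings])
```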

Limit Access to Resources

With all your data identified and classified, you can set user access permissions. You
should limit access as precisely as possible, granting each user the least amount of
access necessary to complete their job function. You should use a combination of:

• Role-based access controls (RBAC): permissions assigned to someone based
on their role in the organization, like job function or department
• Attribute-based access controls (ABAC): permissions that incorporate context,
like user device security, geographic location, or time of day
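The following Python policy evaluator, added here and not part of the original page, shows how the RBAC and ABAC controls above combine under the least-privilege rule from the IAM best practices: a role must grant the action, and device posture, location and time-of-day conditions can still deny it. Role names, resource classes, the allowed-country list and the business-hours window are constructed assumptions.

```python
"""Least-privilege authorization combining RBAC and ABAC checks.

Added example, not code from the original page. Role names, resource
classes, the allowed-country list and the business-hours window are
constructed assumptions that illustrate the two control types.
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Set, Tuple

# RBAC: each role grants a set of (resource_class, action) pairs and nothing else.
ROLE_PERMISSIONS = {
    "payroll-analyst": {("payroll-data", "read")},
    "payroll-admin": {("payroll-data", "read"), ("payroll-data", "write")},
    "support-agent": {("ticket-data", "read"), ("ticket-data", "write")},
}

# ABAC parameters (constructed): where restricted data may be reached from
# and when write operations are permitted.
ALLOWED_COUNTRIES: Set[str] = {"DE", "FR", "NL"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    action: str
    resource: str
    resource_class: str
    sensitivity: str        # "internal" or "restricted"
    device_compliant: bool  # managed and patched per the endpoint posture check
    country: str            # geolocation of the request
    local_time: time        # local time of day at the requester


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: Tuple[str, ...]


def rbac_permits(roles: FrozenSet[str], resource_class: str, action: str) -> bool:
    """RBAC step: at least one of the user's roles must grant the pair."""
    return any((resource_class, action) in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def abac_denials(req: Request) -> List[str]:
    """ABAC step: contextual conditions that can veto an RBAC grant."""
    denials = []
    if req.sensitivity == "restricted" and not req.device_compliant:
        denials.append("restricted data requires a compliant device")
    if req.sensitivity == "restricted" and req.country not in ALLOWED_COUNTRIES:
        denials.append(f"restricted data not accessible from {req.country}")
    start, end = BUSINESS_HOURS
    if req.action == "write" and not (start <= req.local_time < end):
        denials.append("write operations limited to business hours")
    return denials


def authorize(req: Request) -> Decision:
    """Default deny: RBAC must grant the action and no ABAC condition may object."""
    if not rbac_permits(req.roles, req.resource_class, req.action):
        return Decision(False, (f"no role grants {req.action} on {req.resource_class}",))
    denials = abac_denials(req)
    if denials:
        return Decision(False, tuple(denials))
    return Decision(True, ("role grants action; all attribute conditions satisfied",))


def example_request(hour: int = 10, **overrides) -> Request:
    """Constructed request: an analyst reading restricted payroll data from a
    compliant device in Germany during business hours; override fields to vary it."""
    fields = dict(user="alice", roles=frozenset({"payroll-analyst"}), action="read",
                  resource="payroll-exports/2024-05.csv", resource_class="payroll-data",
                  sensitivity="restricted", device_compliant=True, country="DE",
                  local_time=time(hour, 0))
    fields.update(overrides)
    return Request(**fields)


if __name__ == "__main__":
    cases = [example_request(),
             example_request(device_compliant=False),
             example_request(roles=frozenset({"support-agent"})),
             example_request(roles=frozenset({"payroll-admin"}), action="write", hour=23)]
    for req in cases:
        decision = authorize(req)
        print("ALLOW" if decision.allowed else "DENY ", req.user, req.action, req.resource, decision.reasons)
```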

Encrypt Data-in-Transit and Data-at-Rest

Nearly every compliance mandate requires organizations to encrypt data-at-rest and
in-transit. Encryption makes data unusable unless the recipient has the decryption key.
If someone gains unauthorized access to it, they won’t be able to read it.

Implement Data Loss Prevention (DLP)

As users collaborate, you can experience data leakage or loss, meaning that someone
shares data outside the organization when they shouldn’t have. Data loss can be a
result of:

• Accidental sharing during collaboration
• Threat actors compromising systems and networks to steal data
• Malicious insiders downloading information

You should look for solutions that implement real-time data risk detection across
multi-cloud environments as information travels between clouds and applications.

Harden Data Posture

As people use data, you need visibility into how they access different datasets so that
you understand the evolving nature of data flows.

You can use Data Security Posture Management (DSPM) to identify static risks like:

• Misconfigurations, including disabled logging
• Encryption being disabled
• Versioning issues
• Permissions
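The Python audit below, an added example rather than any vendor's CSPM or DSPM code, runs the static checks listed above (disabled logging, disabled encryption, versioning, permissions) over constructed bucket configurations, and also flags restricted data left on platform-managed keys, the key-management point made in best practice 1. The configuration keys are a provider-neutral representation assumed for the example.

```python
"""Static posture checks over constructed storage-bucket configurations.

Added example, not code from the original page nor from any vendor's
CSPM/DSPM product. The configuration keys form a provider-neutral
representation assumed here; the checks cover the static risks the text
lists (disabled logging, disabled encryption, versioning, permissions) and
the platform-managed vs customer-managed key point from best practice 1.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed bucket configurations. 'policy' statements are simplified to
# effect, principal and actions.
BUCKETS: Dict[str, Dict] = {
    "payroll-exports": {
        "data_sensitivity": "restricted",
        "public_access_blocked": False,
        "logging_enabled": False,
        "encryption": {"enabled": True, "key_type": "platform"},
        "versioning_enabled": False,
        "policy": [{"effect": "Allow", "principal": "*", "actions": ["storage:GetObject"]}],
    },
    "static-site-assets": {
        "data_sensitivity": "public",
        "public_access_blocked": False,
        "logging_enabled": True,
        "encryption": {"enabled": True, "key_type": "platform"},
        "versioning_enabled": True,
        "policy": [{"effect": "Allow", "principal": "*", "actions": ["storage:GetObject"]}],
    },
    "finance-archive": {
        "data_sensitivity": "restricted",
        "public_access_blocked": True,
        "logging_enabled": True,
        "encryption": {"enabled": True, "key_type": "customer"},
        "versioning_enabled": True,
        "policy": [{"effect": "Allow", "principal": "role/finance-readers",
                    "actions": ["storage:GetObject"]}],
    },
}

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    bucket: str
    check: str
    severity: str
    detail: str


def audit_bucket(name: str, cfg: Dict) -> List[Finding]:
    """Evaluate one bucket; the data's sensitivity decides how strict the checks are."""
    findings = []
    restricted = cfg.get("data_sensitivity") == "restricted"

    # Permissions: a wildcard principal is acceptable only for public data.
    for stmt in cfg.get("policy", []):
        if restricted and stmt["effect"] == "Allow" and stmt["principal"] == "*":
            findings.append(Finding(name, "public-principal", "critical",
                                    f"wildcard principal allowed {stmt['actions']} on restricted data"))
    if restricted and not cfg.get("public_access_blocked", False):
        findings.append(Finding(name, "public-access-not-blocked", "high",
                                "public access block is off for restricted data"))
    # Logging: without it, unauthorized access cannot be detected or investigated.
    if not cfg.get("logging_enabled", False):
        findings.append(Finding(name, "logging-disabled", "medium", "access logging is disabled"))
    # Encryption at rest, and who controls the key.
    encryption = cfg.get("encryption", {})
    if not encryption.get("enabled", False):
        findings.append(Finding(name, "encryption-disabled", "high", "encryption at rest is disabled"))
    elif restricted and encryption.get("key_type") != "customer":
        findings.append(Finding(name, "platform-managed-key", "low",
                                "restricted data uses a platform-managed key; a customer-managed key "
                                "gives the organization control over rotation and revocation"))
    # Versioning: protects against accidental deletion and overwrite.
    if not cfg.get("versioning_enabled", False):
        findings.append(Finding(name, "versioning-disabled", "medium", "object versioning is disabled"))
    return findings


def audit_all(buckets: Dict[str, Dict]) -> Dict[str, List[Finding]]:
    return {name: audit_bucket(name, cfg) for name, cfg in buckets.items()}


def worst_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="none")


if __name__ == "__main__":
    for bucket, findings in audit_all(BUCKETS).items():
        print(f"{bucket}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```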

Continuously Monitor Real-Time Data Risk

Since cloud environments are dynamic, your data risk posture continuously changes.

Additionally, you need to use threat modeling and threat intelligence for real-time risk
detection that includes:

• Newly created data assets
• Newly discovered threats
• New attack methodologies impacting your cloud services providers

Create a Single Source for Continuous Monitoring, Remediation, and Documentation

For comprehensive visibility that documents your data security posture, you should
aggregate all monitoring and remediation in a single location. With a comprehensive
data security posture management (DSPM) and data detection and response (DDR)
platform, you gain:

• A data-centric view of your cloud data assets, including content, identities and
access, and data vulnerabilities and exposures
• Alerts that prioritize risk based on real-world attack methods for visibility into
exploitability
• Automated remediation of data access violations connected to business
workflows
• Audit documentation based on cloud, geographic region, and compliance
standard

Why Companies Need Cloud Data Protection

Companies are collecting massive amounts of data, ranging from highly
confidential business, financial and customer data to fairly unimportant
information. They’re also moving more and more of their data to the cloud and
storing it in more places than ever – public, private and hybrid clouds, cloud
storage environments, software-as-a-service applications, and so on.

As they do this, companies are discovering just how complicated protecting and
securing all their data across multiple environments can be. For example:

• They no longer know where all their applications and data are.
• With most of their applications and data housed on third-party infrastructure,
companies no longer have visibility into who is accessing and using their
applications and data, which devices are being used for access, or how their data is
potentially being used or shared.
• They have no insight into how cloud providers are storing and securing their data.
• Even though most cloud providers have state-of-the-art security, this security is
limited. After all, companies and cloud providers share responsibilities for cloud
security.
• Different cloud providers have varying capabilities, which can result in inconsistent
cloud data protection and security.

On top of this, companies face a host of security challenges, including the potential
for:

• Security breaches
• Loss or theft of sensitive data
• Application vulnerabilities and malware propagation

Companies must also comply with data protection and privacy laws and
regulations, such as the General Data Protection Regulation, or GDPR, in the EU; the
Health Insurance Portability and Accountability Act of 1996, or HIPAA, in the U.S.,
and others. However, it can be incredibly difficult for companies to consistently
establish and enforce security policies across multiple cloud environments, let
alone prove compliance to auditors.

For these reasons, it’s no surprise that nine out of 10 cybersecurity professionals
are concerned about cloud security. They say their biggest challenges are
protecting against data loss and leakage (67%), threats to data privacy (61%) and
breaches of confidentiality (53%).[2]

This also explains why the data protection market is projected to surpass US$158
billion by 2024.[3]

How Companies Can Better Protect Their Data in Cloud Environments

To successfully protect and secure their data in cloud environments, companies
must first know:

• Which data they have and where it’s located.
• Which data is exposed, how it’s exposed, and potential risks.
• Which applications are being accessed and by whom.
• What’s happening inside their applications (e.g., how people are accessing and
using them).
• Which data they need to protect and at what level.

With this information in hand, companies must then put a consistent, unified, and
automated cloud data protection offering in place – one that will help them
discover, classify, monitor, protect, and secure their applications and data across
multiple environments. This offering must also be able to distinguish between
everyday activities and potentially suspicious ones.

The Benefits of Cloud Data Protection

Among the benefits of cloud data protection, it enables companies to:

• Secure applications and data across multiple environments while maintaining
complete visibility into all user, folder and file activity.
• Proactively identify and mitigate risks, such as security threats, suspicious user
behavior, malware and others.
• Better govern access.
• Define policies.
• Prevent and detect data loss and disruption.

CLOUD DATA SECURITY AND STORAGE

Cloud data security and storage is the practice of protecting sensitive data
that is stored in the cloud. This includes data that is at rest (stored in a cloud
server) or in transit (moving between a cloud server and a user device).

Cloud data security is important because cloud computing offers many
benefits, such as scalability, agility, and cost savings. However, it is also
important to be aware of the security risks associated with cloud computing.
These risks include:

• Data breaches: Cloud servers are a target for cybercriminals, who may
attempt to gain unauthorized access to data stored in the cloud.
• Insider threats: Malicious insiders may attempt to steal or damage data
stored in the cloud.
• Human error: Accidental mistakes by users or cloud administrators can
lead to data loss or exposure.

To mitigate these risks, cloud providers implement a variety of security


measures, such as encryption, access control, and intrusion detection and
prevention systems. However, it is also important for organizations to take
steps to protect their own data in the cloud. This includes:

• Choosing a reputable cloud provider: Organizations should choose a


cloud provider that has a good track record of security and compliance.

• Encrypting data: Organizations should encrypt all sensitive data before


storing it in the cloud.

• Implementing access control: Organizations should implement access


control measures to ensure that only authorized users can access data
in the cloud.

• Monitoring cloud activity: Organizations should monitor cloud activity


for signs of suspicious activity.

• Educating employees: Organizations should educate employees about


cloud security best practices.

Cloud storage is the practice of storing data in the cloud. Cloud storage
providers offer a variety of storage options, such as object storage, block
storage, and file storage. Organizations can choose the storage option that
best meets their needs.

116 | P a g e
Cloud storage offers a number of benefits, including:

• Scalability: Cloud storage is highly scalable, meaning that organizations


can easily add or remove storage capacity as needed.

• Accessibility: Cloud storage is accessible from anywhere with an


internet connection.

• Durability: Cloud storage providers replicate data across multiple


servers to ensure durability.

• Cost savings: Cloud storage can be more cost-effective than on-


premises storage, especially for organizations that need to store large
amounts of data.

Overall, cloud data security and storage is an important consideration for any
organization that is considering moving to the cloud. By taking steps to
protect their data, organizations can minimize the risks associated with cloud
computing and enjoy the benefits that it offers.

Physical security

Cloud providers implement a variety of physical security measures to protect
their data centers. These measures include:

• Perimeter security: Fences, gates, and other physical barriers are used
to protect the perimeter of the data center.

• Access control: Visitors and employees must pass through security
checkpoints to enter the data center.

• Video surveillance: The data center is monitored by video surveillance
cameras 24/7.

• Environmental controls: The data center is equipped with
environmental controls to maintain a safe and secure operating
environment for servers and other equipment.

Technology tools

Cloud providers also use a variety of technology tools to protect data in the
cloud. These tools include:

• Encryption: Data is encrypted at rest and in transit. This means that
data is unreadable to unauthorized users, even if it is intercepted on the
network or copied from disk. Encryption protects only as well as the keys
are protected: with provider-managed keys, anyone who obtains valid
credentials for the account can still read the data, because the service
decrypts it for them.

• Access control: Cloud providers offer granular access control features
that allow organizations to specify who has access to data and what
they can do with it.

• Intrusion detection and prevention systems (IDS/IPS): IDS/IPS systems
monitor network traffic for suspicious activity. If suspicious activity is
detected, the IDS/IPS system can block traffic or take other corrective
action.

• Data loss prevention (DLP): DLP solutions help organizations to
identify and protect sensitive data. DLP solutions can be used to
prevent unauthorized access to data, as well as to prevent data from
being leaked or stolen.

Access management and controls

Organizations should implement access management and controls to protect
their data in the cloud. These controls should include:

• Least privilege: Users should only be granted the access they need to
perform their job duties.

• Multi-factor authentication (MFA): MFA adds an extra layer of security
to user accounts by requiring users to provide two or more factors of
authentication, such as a password and a one-time code.

• Identity and access management (IAM): IAM solutions help
organizations to manage user identities and access privileges. IAM
solutions can be used to automate user provisioning and
deprovisioning, as well as to enforce access control policies.

Organizational policies

Organizations should also implement organizational policies to protect their
data in the cloud. These policies should cover topics such as:

• Data classification: Organizations should classify their data based on its
sensitivity. This will help them to identify the data that needs to be
protected most carefully.

• Data retention: Organizations should establish policies for how long
data is retained. This will help to prevent data from being kept longer
than necessary.

• Data disposal: Organizations should establish policies for how data is
disposed of. This will help to ensure that data is destroyed securely
when it is no longer needed.

Other considerations

In addition to the above, there are a number of other considerations that
organizations should keep in mind when protecting their data in the cloud.
These include:

• Compliance: Organizations should ensure that their cloud data security
practices comply with all applicable laws and regulations.

• Transparency: Organizations should be transparent with their
customers about how their data is being protected in the cloud.

• Incident response: Organizations should have an incident response plan
in place in case of a data breach or other security incident.

Encryption

Encryption is one of the most important cloud data security measures.
Encryption converts data into a format that is unreadable to anyone who does
not hold the key, even if they are able to access the stored or transmitted
bytes.

There are two main types of encryption:

• Symmetric encryption: Symmetric encryption uses the same key to
encrypt and decrypt data. It is fast, so it is used for the bulk of the data
itself, such as objects at rest and the payload of a TLS connection.

• Asymmetric encryption: Asymmetric encryption uses two keys: a public key
and a private key. Data encrypted with the public key can be decrypted only
with the private key. It is slow, so in practice it is used to exchange or
wrap the symmetric key rather than to encrypt the data directly; this is how
data in transit (TLS) and envelope encryption of data at rest both work.

Cloud providers offer a variety of encryption options for data at rest and in
transit, from fully provider-managed keys to customer-managed or
customer-supplied keys. Organizations should choose the encryption option
that best meets their needs, bearing in mind that whoever holds the key can
read the data.
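The combination of symmetric and asymmetric encryption described above, worked through as an added example in Go (this is not code from the original text or from any provider's SDK): the object is encrypted on the client with AES-256-GCM under a random data key, and the data key is wrapped with RSA-OAEP under the owner's public key, so the provider only ever stores ciphertext. The key pair, the object name and the sample CSV content are assumptions made for the example; the Go standard library calls are real.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedObject is what actually gets uploaded to cloud storage. The
// plaintext data key never leaves the client; only its RSA-wrapped form does.
type EncryptedObject struct {
	Name       string // object name, bound into the GCM associated data
	Nonce      []byte // fresh random GCM nonce for this object
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
	WrappedKey []byte // RSA-OAEP(dataKey) under the data owner's public key
}

// NewOwnerKey generates the data owner's RSA key pair. In a real deployment
// the private key would live in a KMS or HSM, never beside the data.
func NewOwnerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptObject performs client-side envelope encryption: a random 256-bit
// data key encrypts the object with AES-GCM (symmetric, fast, authenticated),
// and the data key itself is wrapped with RSA-OAEP (asymmetric) so that only
// the holder of the private key can recover it.
func EncryptObject(name string, plaintext []byte, pub *rsa.PublicKey) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The object name is authenticated (not encrypted) as associated data, so a
	// ciphertext copied to a different object name fails to decrypt.
	ciphertext := gcm.Seal(nil, nonce, plaintext, []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte("object-data-key"))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Name: name, Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// DecryptObject unwraps the data key with the private key and opens the GCM
// envelope. Any change to the ciphertext, nonce, name or wrapped key, or the
// use of the wrong private key, produces an error rather than garbage output.
func DecryptObject(obj *EncryptedObject, priv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, obj.WrappedKey, []byte("object-data-key"))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or tampered key blob")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("authentication failed: object was modified in storage")
	}
	return plaintext, nil
}

func main() {
	priv, err := NewOwnerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample object for the example; not real data.
	obj, err := EncryptObject("reports/q3.csv", []byte("account,balance\n1001,420.00\n"), &priv.PublicKey)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptObject(obj, priv)
	fmt.Printf("decrypted=%q err=%v\n", plain, err)
	obj.Ciphertext[0] ^= 0x01 // simulate a bit flip or tampering in the bucket
	_, err = DecryptObject(obj, priv)
	fmt.Println("after tampering:", err)
}
```

Only the EncryptedObject is uploaded; the private key stays in the organization's key store. Because the GCM tag also covers the object name, a ciphertext copied under another name, a flipped byte in the bucket, or a key blob wrapped for a different key pair all fail closed with an error instead of yielding plausible-looking garbage.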

Access control

Access control is another important cloud data security measure. Access
control restricts access to data to authorized users.

Cloud providers offer a variety of access control features, such as:

• Role-based access control (RBAC): RBAC allows organizations to assign
users to different roles, and then grant permissions to those roles. This
allows organizations to easily manage user access to data.

• Attribute-based access control (ABAC): ABAC allows organizations to
grant permissions to users based on their attributes, such as their job
title, department, or location. This allows organizations to implement
more granular access control policies.

Organizations should use access control features to restrict access to data to
authorized users.
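An added example of how RBAC, ABAC and least privilege combine into one authorization decision, covering both the access management section above and this one; it is illustrative Go written for this page, not any provider's IAM engine or policy language. The policy, the role and attribute names and the `storage:` action names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Principal is the authenticated caller: an identity, its roles (RBAC) and
// the attributes that ABAC conditions are evaluated against.
type Principal struct {
	ID    string
	Roles []string
	Attrs map[string]string
}

// Statement is one policy rule. Effect is "allow" or "deny". Roles, Actions
// and Resources match literally or by a trailing "*" prefix wildcard;
// Conditions are attribute equality checks that must all hold (ABAC).
type Statement struct {
	Effect     string
	Roles      []string
	Actions    []string
	Resources  []string
	Conditions map[string]string
}

func matchOne(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

func matchAny(patterns []string, value string) bool {
	for _, p := range patterns {
		if matchOne(p, value) {
			return true
		}
	}
	return false
}

// applies reports whether the statement covers this principal, action and
// resource with every condition satisfied.
func (s Statement) applies(p Principal, action, resource string) bool {
	roleMatch := false
	for _, r := range p.Roles {
		if matchAny(s.Roles, r) {
			roleMatch = true
		}
	}
	if !roleMatch || !matchAny(s.Actions, action) || !matchAny(s.Resources, resource) {
		return false
	}
	for attr, want := range s.Conditions {
		if p.Attrs[attr] != want {
			return false
		}
	}
	return true
}

// Authorize decides a request the way cloud IAM engines do: deny by default,
// an explicit deny in any matching statement beats every allow, and an allow
// counts only when its conditions hold. The reason is what the audit log
// should record alongside the decision.
func Authorize(policy []Statement, p Principal, action, resource string) (bool, string) {
	allowed := false
	for _, s := range policy {
		if !s.applies(p, action, resource) {
			continue
		}
		if s.Effect == "deny" {
			return false, "explicit deny"
		}
		allowed = true
	}
	if allowed {
		return true, "allowed by policy"
	}
	return false, "no matching allow (default deny)"
}

// ExamplePolicy is constructed for this page, not any provider's syntax:
// analysts read finance reports only while tagged to the finance department,
// admins may do anything but only from an MFA-verified session, and nobody
// may delete objects under the archive prefix (a retention rule).
var ExamplePolicy = []Statement{
	{Effect: "allow", Roles: []string{"analyst"},
		Actions:    []string{"storage:GetObject", "storage:ListObjects"},
		Resources:  []string{"bucket:finance-reports/*"},
		Conditions: map[string]string{"department": "finance"}},
	{Effect: "allow", Roles: []string{"admin"}, Actions: []string{"*"},
		Resources: []string{"*"}, Conditions: map[string]string{"mfa": "true"}},
	{Effect: "deny", Roles: []string{"*"}, Actions: []string{"storage:DeleteObject"},
		Resources: []string{"bucket:finance-reports/archive/*"}},
}

func main() {
	analyst := Principal{ID: "alice", Roles: []string{"analyst"}, Attrs: map[string]string{"department": "finance"}}
	admin := Principal{ID: "ops", Roles: []string{"admin"}, Attrs: map[string]string{"mfa": "true"}}
	for _, r := range []struct {
		p                Principal
		action, resource string
	}{
		{analyst, "storage:GetObject", "bucket:finance-reports/q3.csv"},
		{analyst, "storage:PutObject", "bucket:finance-reports/q3.csv"},
		{admin, "storage:DeleteObject", "bucket:finance-reports/archive/2019.csv"},
	} {
		ok, why := Authorize(ExamplePolicy, r.p, r.action, r.resource)
		fmt.Printf("%-6s %-21s %-42s -> %-5v %s\n", r.p.ID, r.action, r.resource, ok, why)
	}
}
```

The three behaviours worth noticing are the ones that real IAM engines share: an analyst with the right role but the wrong department attribute gets nothing, an admin without MFA gets nothing even though the role allows everything, and the archive deny wins over the admin's allow.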

Monitoring and logging

Organizations should monitor and log cloud activity to detect suspicious
activity. This can be done using a variety of tools, such as:

• Cloud security information and event management (SIEM)
systems: SIEM systems collect and analyze security logs from a variety
of sources, including cloud platforms. This can help organizations to
identify suspicious activity and respond to security incidents quickly.

• Cloud security posture management (CSPM) tools: CSPM tools help
organizations to assess and monitor their cloud security posture. This
can help organizations to identify security vulnerabilities and
misconfigurations.

Organizations should use monitoring and logging tools to detect and respond
to security incidents quickly.
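What "monitor cloud activity for signs of suspicious activity" looks like in code, as an added example written for this page (not a SIEM product's rule syntax): three detections run over a constructed storage access log. The six-field log format, the user names, the baseline countries and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed access-log record. The constructed line format is
// "time user action object status country"; real provider logs carry the
// same fields in their own layouts.
type Event struct {
	Time    time.Time
	User    string
	Action  string
	Status  int
	Country string
}

type Alert struct {
	Rule, User, Detail string
}

// ParseLine parses one log line, rejecting anything without exactly six fields.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Event{}, fmt.Errorf("malformed log line: %q", line)
	}
	ts, err1 := time.Parse(time.RFC3339, f[0])
	status, err2 := strconv.Atoi(f[4])
	if err1 != nil || err2 != nil {
		return Event{}, fmt.Errorf("bad time or status in line: %q", line)
	}
	return Event{Time: ts, User: f[1], Action: f[2], Status: status, Country: f[5]}, nil
}

// Detector holds the tunables: the country each user is normally seen from
// and the thresholds for a download burst and for repeated access-denied errors.
type Detector struct {
	Baseline    map[string]string
	BurstWindow time.Duration
	BurstMax    int
	DeniedMax   int
}

func DefaultDetector() Detector { // assumed baselines and thresholds for the sample log
	return Detector{Baseline: map[string]string{"alice": "DE", "bob": "US"},
		BurstWindow: 60 * time.Second, BurstMax: 3, DeniedMax: 3}
}

// Run sorts the events by time and applies three rules, each firing at most once
// per user: activity from outside the user's baseline country, a burst of successful
// downloads inside the window (bulk exfiltration), and a run of 403s that looks like
// a stolen credential probing for what it can reach.
func (d Detector) Run(lines []string) ([]Alert, error) {
	events := make([]Event, 0, len(lines))
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })

	var alerts []Alert
	fired := map[string]bool{}
	emit := func(rule, user, detail string) {
		if key := rule + "|" + user; !fired[key] {
			fired[key] = true
			alerts = append(alerts, Alert{Rule: rule, User: user, Detail: detail})
		}
	}
	downloads := map[string][]time.Time{} // per-user sliding window of successful GetObject times
	denied := map[string]int{}
	for _, e := range events {
		if d.Baseline[e.User] != e.Country { // a user with no baseline at all is flagged too
			emit("new-geography", e.User, "seen from "+e.Country)
		}
		if e.Status == 403 {
			denied[e.User]++
			if denied[e.User] >= d.DeniedMax {
				emit("access-denied-burst", e.User, fmt.Sprintf("%d denied requests", denied[e.User]))
			}
		}
		if e.Action == "GetObject" && e.Status == 200 {
			w := downloads[e.User]
			for len(w) > 0 && w[0].Before(e.Time.Add(-d.BurstWindow)) {
				w = w[1:]
			}
			w = append(w, e.Time)
			downloads[e.User] = w
			if len(w) >= d.BurstMax {
				emit("download-burst", e.User, fmt.Sprintf("%d objects within %s", len(w), d.BurstWindow))
			}
		}
	}
	return alerts, nil
}

// SampleLog is constructed for the example; it is not a real provider log.
var SampleLog = []string{
	"2024-05-02T09:00:01Z alice GetObject reports/q1.csv 200 DE",
	"2024-05-02T09:05:12Z alice PutObject reports/q2.csv 200 DE",
	"2024-05-02T09:20:45Z bob GetObject hr/payroll.xlsx 403 US",
	"2024-05-02T09:20:46Z bob GetObject hr/salaries.xlsx 403 US",
	"2024-05-02T09:20:47Z bob ListObjects finance/ 403 US",
	"2024-05-02T11:02:03Z alice GetObject reports/q3.csv 200 BR",
	"2024-05-02T11:02:04Z alice GetObject reports/2023-full.zip 200 BR",
	"2024-05-02T11:02:05Z alice GetObject customers/export.csv 200 BR",
}
```

Run over SampleLog, the detector raises three alerts in time order: bob's run of 403s, alice appearing from BR, and alice's download burst; the two alice events from DE in the morning raise nothing. The per-user, per-rule deduplication is what keeps a SIEM from drowning the analyst in one alert per log line.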

Security testing

Organizations should regularly conduct security testing of their cloud
environments. This can be done using a variety of methods, such as:

• Vulnerability scanning: Vulnerability scanning tools identify security
vulnerabilities in cloud environments. This can help organizations to
patch vulnerabilities and reduce their risk of being attacked.

• Penetration testing: Penetration testing involves simulating an attack
on a cloud environment to identify security weaknesses. This can help
organizations to strengthen their security posture. Providers publish rules
on which kinds of testing customers may run against their own cloud
resources; testing must stay within those rules and within the
organization's own accounts.

Organizations should regularly conduct security testing to identify and
address security vulnerabilities in their cloud environments.

Conclusion

Cloud data security and storage is a complex topic, but it is important for
organizations to take steps to protect their data in the cloud. By
implementing the measures described above, organizations can minimize the
risks associated with cloud computing and protect their data.

CLOUD STORAGE
What is Cloud Storage?
Cloud Storage is a mode of computer data storage in which digital data is
stored on servers in off-site locations. The servers are maintained by a
third-party provider who is responsible for hosting, managing, and securing
data stored on its infrastructure. The provider ensures that data on its
servers is always accessible via public or private internet connections.

Cloud Storage enables organizations to store, access, and maintain data so
that they do not need to own and operate their own data centers, moving
expenses from a capital expenditure model to an operational one. Cloud
Storage is scalable, allowing organizations to expand or reduce their data
footprint depending on need.
How does Cloud Storage work?

Cloud Storage uses remote servers to save data, such as files, business data,
videos, or images. Users upload data to servers via an internet connection,
where it is written to storage systems in the provider's data centers. To
maintain availability and provide redundancy, cloud providers will often
replicate data across multiple servers and data centers, sometimes in
different regions of the world. If storage needs increase, the cloud provider
adds capacity behind the same interface, so the user sees no change. Users
can access data in Cloud Storage through an internet connection and software
such as a web portal, browser, or mobile app, or directly via an application
programming interface (API).

Cloud Storage is available in four different models:

1. Public

Public Cloud Storage is a model where an organization stores data in a service
provider's data centers that are also utilized by other companies. Data in
public Cloud Storage is spread across multiple regions and is often offered on
a subscription or pay-as-you-go basis. Public Cloud Storage is considered to
be "elastic", which means that the data stored can be scaled up or down
depending on the needs of the organization. Public cloud providers typically
make data available from any device such as a smartphone or web portal.

2. Private

Private Cloud Storage is a model where an organization utilizes its own
servers and data centers to store data within its own network.
Alternatively, organizations can contract with cloud service providers for
dedicated servers and private connections that are not shared by any other
organization. Private clouds are typically utilized by organizations that
require more control over their data and have stringent compliance and
security requirements.

3. Hybrid

A hybrid cloud model is a mix of private and public cloud storage models. A
hybrid cloud storage model allows an organization to decide which data it
wants to store in which cloud. Sensitive data and data that must meet strict
compliance requirements may be stored in a private cloud while less sensitive
data is stored in the public cloud. A hybrid cloud storage model typically has a
layer of orchestration to integrate between the two clouds. A hybrid cloud
offers flexibility and allows organizations to still scale up with the public
cloud if the need arises.

4. Multicloud

A multicloud storage model is when an organization sets up more than one
cloud model from more than one cloud service provider (public or private).
Organizations might choose a multicloud model if one cloud vendor offers
certain proprietary apps, an organization requires data to be stored in a
specific country, various teams are trained on different clouds, or the
organization needs to serve different requirements that are not stated in the
providers' Service Level Agreements. A multicloud model offers organizations
flexibility and redundancy.

ADVANTAGES OF CLOUD STORAGE

✓ TOTAL COST OF OWNERSHIP

Cloud Storage enables organizations to move from a capital expenditure to
an operational expenditure model, allowing them to adjust budgets and
resources quickly.

✓ ELASTICITY

Cloud Storage is elastic and scalable, meaning that it can be scaled up (more
storage added) or down (less storage needed) depending on the
organization's needs.

✓ FLEXIBILITY

Cloud Storage offers organizations flexibility on how to store and access data,
deploy and budget resources, and architect their IT infrastructure.

✓ SECURITY

Most cloud providers offer robust security, including physical security at data
centers and cutting-edge security at the software and application levels. The
best cloud providers offer zero trust architecture, identity and access
management, and encryption.

✓ SUSTAINABILITY

One of the greatest costs when operating on-premises data centers is the
overhead of energy consumption. The best cloud providers operate on
sustainable energy through renewable resources.

✓ REDUNDANCY

Redundancy (replicating data on multiple servers in different locations) is an
inherent trait in public clouds, allowing organizations to recover from
disasters while maintaining business continuity.

DISADVANTAGES OF CLOUD STORAGE

✓ COMPLIANCE

Certain industries such as finance and healthcare have stringent
requirements about how and where data is stored and accessed, and it is the
customer's responsibility to confirm that a given provider, service, and
region can meet them. Some public cloud providers offer tools to help
maintain compliance with applicable rules and regulations.

✓ LATENCY

Traffic to and from the cloud can be delayed because of network traffic
congestion or slow internet connections.

✓ CONTROL

Storing data in public clouds relinquishes some control over access to and
management of that data; the organization must trust that the cloud service
provider will always be able to make that data available and maintain its
systems and security.

✓ OUTAGES

While public cloud providers aim to ensure continuous availability, outages
sometimes do occur, making stored data unavailable.

How to use Cloud Storage

Cloud Storage provides several use cases that can benefit individuals and
organizations. Whether a person is storing their family budget on a
spreadsheet, or a massive organization is saving years of financial data in a
highly secure database, Cloud Storage can be used for saving digital data of
all kinds for as long as needed.

a. Backup
Data backup is one of the simplest and most prominent uses of Cloud
Storage. Production data can be separated from backup data, creating a gap
between the two that protects organizations in the case of a cyber threat
such as ransomware. That gap only holds if the backup copies cannot be
overwritten or deleted with the same credentials that write production data,
for example by keeping them in a separate account with versioning or
retention locks enabled; ransomware that can reach the backups will encrypt
or delete them too. Data backup through Cloud Storage can be as simple
as saving files to a digital folder such as Google Drive or using block storage
to maintain gigabytes or more of important business data.
b. Archiving
The ability to archive old data has become an important aspect of Cloud
Storage, as organizations move to digitize decades of old records, as well as
hold on to records for governance and compliance purposes. Google Cloud
offers several tiers of storage for archiving data, including coldline
storage and archival storage, that can be accessed whenever an organization
needs them.
c. Disaster recovery
A disaster, natural or otherwise, that wipes out a data center or old
physical records need not be the business-crippling event that it was in the
past. Cloud Storage allows for disaster recovery so that organizations can
continue with their business, even when times are tough.
d. Data processing
As Cloud Storage makes digital data immediately available, data becomes
much more useful on an ongoing basis. Data processing, such as analyzing
data for business intelligence or applying machine learning and artificial
intelligence to large datasets, is possible because of Cloud Storage.
e. Content delivery
With the ability to save copies of media data, such as large audio and video
files, on servers dispersed across the globe, media and entertainment
companies can serve their audience low-latency, always available content
from wherever they reside.

TYPES OF CLOUD STORAGE

Cloud Storage comes in three different types: object, file, and block.

1. Object

Object storage is a data storage architecture for large stores of unstructured
data. It designates each piece of data as an object, keeps it in a flat
namespace rather than a directory tree, and bundles it with metadata and a
unique identifier for easy access and retrieval.

2. File

File storage organizes data in a hierarchical format of files and folders. File
storage is common in personal computing where data is saved as files and
those files are organized in folders. File storage makes it easy to locate and
retrieve individual data items when they are needed. File storage is most
often used in directories and data repositories.

3. Block

Block storage breaks data into blocks, each with a unique identifier, and
then stores those blocks as separate pieces on the server. The cloud network
stores those blocks wherever it is most efficient for the system. Block storage
is best used for large volumes of data that require low latency, such as
high-performance workloads or databases.

WHY IS CLOUD STORAGE IMPORTANT?

Cloud storage delivers cost-effective, scalable storage. You no longer need to
worry about running out of capacity, maintaining storage area networks
(SANs), replacing failed devices, adding infrastructure to scale up with
demand, or operating underutilized hardware when demand decreases. Cloud
storage is elastic, meaning you scale up and down with demand and pay only
for what you use. It is a way for organizations to save data securely online so
that it can be accessed anytime from any location by those with permission.

Whether you are a small business or a large enterprise, cloud storage can
deliver the agility, cost savings, security, and simplicity to focus on your core
business growth. For small businesses, you no longer have to worry about
devoting valuable resources to manage storage yourself, and cloud storage
gives you the ability to scale as the business grows.

For large enterprises with billions of files and petabytes of data, you can rely
on the scalability, durability, and cost savings of cloud storage to create
centralized data lakes to make your data accessible to all who need it.

• COST EFFECTIVENESS

With cloud storage, there is no hardware to purchase, no storage to
provision, and no extra capital being used for business spikes. You can add or
remove storage capacity on demand, quickly change performance and
retention characteristics, and only pay for storage that you actually use. As
data becomes infrequently and rarely accessed, you can even automatically
move it to lower-cost storage, thus creating even more cost savings. By
moving storage workloads from on premises to the cloud, you can reduce
total cost of ownership by removing overprovisioning and the cost of
maintaining storage infrastructure.

• INCREASED AGILITY

With cloud storage, resources are only a click away. You reduce the time to
make those resources available to your organization from weeks to just
minutes. This results in a dramatic increase in agility for your organization.
Your staff is largely freed from the tasks of procurement, installation,
administration, and maintenance. And because cloud storage integrates with
a wide range of analytics tools, your staff can now extract more insights from
your data to fuel innovation.

• FASTER DEPLOYMENT

When development teams are ready to begin, infrastructure should never
slow them down. Cloud storage services allow IT to quickly deliver the exact
amount of storage needed, whenever and wherever it's needed. Your
developers can focus on solving complex application problems instead of
having to manage storage systems.

• EFFICIENT DATA MANAGEMENT

By using cloud storage lifecycle management policies, you can perform
powerful information management tasks including automated tiering or
locking down data in support of compliance requirements. You can also use
cloud storage to create multi-region or global storage for your distributed
teams by using tools such as replication. You can organize and manage your
data in ways that support specific use cases, create cost efficiencies, enforce
security, and meet compliance requirements.

• VIRTUALLY UNLIMITED SCALABILITY

Cloud storage delivers virtually unlimited storage capacity, allowing you to
scale up as much and as quickly as you need. This removes the constraints of
on-premises storage capacity. You can efficiently scale cloud storage up and
down as required for analytics, data lakes, backups, or cloud native
applications. Users can access storage from anywhere, at any time, without
worrying about complex storage allocation processes, or waiting for new
hardware.

• BUSINESS CONTINUITY

Cloud storage providers store your data in highly secure data centers,
protecting your data and ensuring business continuity. Cloud storage services
are designed to handle concurrent device failure by quickly detecting and
repairing any lost redundancy. You can further protect your data by using
versioning and replication tools to more easily recover from both unintended
user actions and application failures.
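An added example, written for this page rather than taken from any storage provider, of the versioning and retention lock that make the backup "gap" described under the backup use case above actually hold against ransomware: overwrites and deletes only add versions, a locked version cannot be purged until its retention expires, and a known-good version can be restored after its integrity is re-checked. The object name, dates and "ransomware" content are constructed for the example; a real provider exposes the same operations through its versioning and object-lock features.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Version is one immutable revision of an object. The store never rewrites a
// revision in place: an overwrite appends a new one and a delete appends a
// delete marker, so earlier data survives a compromised writer.
type Version struct {
	ID      string
	ETag    string // SHA-256 of Data, checked again before a restore
	Data    []byte
	Written time.Time
	Deleted bool // delete marker
}

type Store struct {
	seq      int
	versions map[string][]Version
	retain   map[string]time.Time // object name -> retention-until (object lock)
}

func NewStore() *Store {
	return &Store{versions: map[string][]Version{}, retain: map[string]time.Time{}}
}

func (s *Store) push(name string, v Version) string {
	s.seq++
	v.ID = fmt.Sprintf("v%04d", s.seq)
	s.versions[name] = append(s.versions[name], v)
	return v.ID
}

// Put writes a new version and returns its ID; older versions are untouched.
func (s *Store) Put(name string, data []byte, now time.Time) string {
	sum := sha256.Sum256(data)
	return s.push(name, Version{ETag: hex.EncodeToString(sum[:]), Data: append([]byte(nil), data...), Written: now})
}

// Get returns the current version, or an error if a delete marker is on top.
func (s *Store) Get(name string) ([]byte, error) {
	vs := s.versions[name]
	if len(vs) == 0 || vs[len(vs)-1].Deleted {
		return nil, errors.New("object not found: no versions or delete marker on top")
	}
	return vs[len(vs)-1].Data, nil
}

// Delete only places a delete marker; every earlier version stays recoverable.
func (s *Store) Delete(name string, now time.Time) { s.push(name, Version{Written: now, Deleted: true}) }

// Lock sets a compliance-mode retention period: it can be extended but never
// shortened, and no version of the object can be purged before it expires.
func (s *Store) Lock(name string, until time.Time) {
	if until.After(s.retain[name]) {
		s.retain[name] = until
	}
}

// Purge permanently removes one version, the operation ransomware or a rogue
// administrator needs in order to destroy a backup; the lock refuses it.
func (s *Store) Purge(name, id string, now time.Time) error {
	if until, ok := s.retain[name]; ok && now.Before(until) {
		return fmt.Errorf("%s %s is under retention until %s", name, id, until.Format("2006-01-02"))
	}
	vs := s.versions[name]
	for i, v := range vs {
		if v.ID == id {
			s.versions[name] = append(vs[:i:i], vs[i+1:]...)
			return nil
		}
	}
	return fmt.Errorf("%s %s not found", name, id)
}

func (s *Store) Versions(name string) []Version { return s.versions[name] }

// Restore re-checks the ETag of an earlier version and copies it back to the
// top of the history, making the known-good copy current again.
func (s *Store) Restore(name, id string, now time.Time) error {
	for _, v := range s.versions[name] {
		if v.ID != id || v.Deleted {
			continue
		}
		if sum := sha256.Sum256(v.Data); hex.EncodeToString(sum[:]) != v.ETag {
			return errors.New("stored version fails its integrity check")
		}
		s.Put(name, v.Data, now)
		return nil
	}
	return fmt.Errorf("%s %s not found", name, id)
}

// Day0 is a fixed clock for the walkthrough; real code would use time.Now().
var Day0 = time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)

func main() {
	s, name := NewStore(), "backups/db-2024-05-01.bak"
	good := s.Put(name, []byte("good backup"), Day0)
	s.Lock(name, Day0.AddDate(0, 0, 30))
	// A day later an attacker holding the backup agent's write credentials strikes.
	s.Put(name, []byte("ENCRYPTED-BY-RANSOMWARE"), Day0.AddDate(0, 0, 1))
	fmt.Println("purge attempt:", s.Purge(name, good, Day0.AddDate(0, 0, 1)))
	s.Delete(name, Day0.AddDate(0, 0, 1))
	_, err := s.Get(name)
	fmt.Println("get after attack:", err)
	fmt.Println("restore:", s.Restore(name, good, Day0.AddDate(0, 0, 2)))
	data, _ := s.Get(name)
	fmt.Printf("current content %q, %d versions kept\n", data, len(s.Versions(name)))
}
```

The point of the walkthrough is that the attacker's write credentials are enough to overwrite and "delete" the backup, yet neither action destroys the original version, and the one operation that would (purging the locked version) is refused until the retention period has run out. Versioning without a retention lock is not enough on its own, because an attacker who can write can usually also purge.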

With cloud storage services, you can:

• Cost-effectively protect data in the cloud without sacrificing
performance.

• Scale up your backup resources in minutes as data requirements
change.

• Protect backups with a data center and network architecture built for
security-sensitive organizations.

How does cloud storage work?

Cloud storage is delivered by a cloud services provider that owns and
operates data storage capacity by maintaining large datacenters in multiple
locations around the world. Cloud storage providers manage capacity,
security, and durability to make data accessible to your applications over the
internet in a pay-as-you-go model. Typically, you connect to the storage
cloud either through the internet or through a dedicated private connection,
using a web portal, website, or a mobile app. When customers purchase cloud
storage from a service provider, they turn over most aspects of the data
storage to the vendor, including capacity, security, data availability, storage
servers and computing resources, and network data delivery. Your
applications access cloud storage through traditional storage protocols or
directly using an application programming interface (API). The cloud storage
provider might also offer services designed to help collect, manage, secure,
and analyze data at a massive scale.

What cloud storage requirements should you consider?

Ensuring your company's critical data is safe, secure, and available when
needed is essential. There are several fundamental requirements when
considering storing data in the cloud.

Durability and availability

Cloud storage simplifies and enhances traditional data center practices
around data durability and availability. With cloud storage, data is
redundantly stored on multiple devices across one or more data centers.

Security

With cloud storage, you control where your data is stored, who can access it,
and what resources your organization is consuming at any given moment.
Ideally, all data is encrypted, both at rest and in transit. Permissions and
access controls should work just as well in the cloud as they do for
on-premises storage.

What are cloud storage use cases?
Cloud storage has several use cases in application management, data
management, and business continuity. Let's consider some examples below.

• Analytics and data lakes

Traditional on-premises storage solutions can be inconsistent in their cost,
performance, and scalability, especially over time. Analytics demand large-
scale, affordable, highly available, and secure storage pools that are
commonly referred to as data lakes.

Data lakes built on object storage keep information in its native form and
include rich metadata that allows selective extraction and use for analysis.
Cloud-based data lakes can sit at the center of multiple kinds of data
warehousing and processing, as well as big data and analytical engines, to
help you accomplish your next project in less time and with more targeted
relevance.

• Backup and disaster recovery

Backup and disaster recovery are critical for data protection and accessibility,
but keeping up with increasing capacity requirements can be a constant
challenge. Cloud storage brings low cost, high durability, and extreme scale to
data backup and recovery solutions. Embedded data management policies can
automatically migrate data to lower-cost storage based on frequency or
timing settings, and archival vaults can be created to help comply with legal
or regulatory requirements. These benefits allow for tremendous scale
possibilities within industries such as financial services, healthcare and life
sciences, and media and entertainment that produce high volumes of
unstructured data with long-term retention needs.

• Software test and development

Software test and development environments often require separate,
independent, and duplicate storage environments to be built out, managed,
and decommissioned. In addition to the time required, the up-front capital
costs required can be extensive.

Many of the largest and most valuable companies in the world create
applications in record time by using the flexibility, performance, and low cost
of cloud storage. Even the simplest static websites can be improved at low
cost. IT professionals and developers are turning to pay-as-you-go storage
options that remove management and scale headaches.

• Cloud data migration

The availability, durability, and low cloud storage costs can be very
compelling. On the other hand, IT personnel working with storage, backup,
networking, security, and compliance administrators might have concerns
about the realities of transferring large amounts of data to the cloud. For
some, getting data into the cloud can be a challenge. Hybrid, edge, and data
movement services meet you where you are in the physical world to help ease
your data transfer to the cloud.

• Compliance

Storing sensitive data in the cloud can raise concerns about regulation and
compliance, especially if this data is currently stored in compliant storage
systems. Cloud data compliance controls are designed to ensure that you can
deploy and enforce comprehensive compliance controls on your data, helping
you satisfy compliance requirements for virtually every regulatory agency
around the globe. Often through a shared responsibility model, cloud vendors
allow customers to manage risk effectively and efficiently in the IT
environment, and provide assurance of effective risk management through
compliance with established, widely recognized frameworks and programs.

• Cloud-native application storage

Cloud-native applications use technologies like containerization and
serverless to meet customer expectations in a fast-paced and flexible manner.
These applications are typically made of small, loosely coupled, independent
components called microservices that communicate internally by sharing data
or state. Cloud storage services provide data management for such
applications and provide solutions to ongoing data storage challenges in the
cloud environment.

• Archive

Enterprises today face significant challenges with exponential data growth.
Machine learning (ML) and analytics give data more uses than ever before.
Regulatory compliance requires long retention periods. Customers need to
replace on-premises tape and disk archive infrastructure with solutions that
provide enhanced data durability, immediate retrieval times, better security
and compliance, and greater data accessibility for advanced analytics and
business intelligence.

• Hybrid cloud storage

Many organizations want to take advantage of the benefits of cloud storage,
but have applications running on premises that require low-latency access to
their data, or need rapid data transfer to the cloud. Hybrid cloud storage
architectures connect your on-premises applications and systems to cloud
storage to help you reduce costs, minimize management burden, and innovate
with your data.

• Database storage

Because block storage has high performance and is readily updatable, many
organizations use it for transactional databases. With its limited metadata,
block storage is able to deliver the ultra-low latency required for
high-performance workloads and latency sensitive applications like databases.

Block storage allows developers to set up a robust, scalable, and highly
efficient transactional database. As each block is a self-contained unit, the
database performs optimally, even when the stored data grows.

• ML and IoT

With cloud storage, you can process, store, and analyze data close to your
applications and then copy data to the cloud for further analysis. With cloud
storage, you can store data efficiently and cost-effectively while supporting
ML, artificial intelligence (AI), and advanced analytics to gain insights and
innovate for your business.

Is cloud storage secure?

Major providers make security a central part of their offering. AWS, for
example, which launched its cloud infrastructure services in 2006, states that
security is its top priority and that customers control where their data is
stored, who can access it, and what resources their organization is consuming
at any given moment. Fine-grained identity and access controls, combined with
continual monitoring for near real-time security information, are meant to
ensure that the right resources have the right access, wherever the
information is stored; AWS cites the adoption of its platform by highly
regulated organizations as evidence of this. The security of a customer's own
data, however, still depends on how the customer configures and uses those
controls.

Challenges of cloud storage

136 | P a g e
While there are undeniable advantages of adopting cloud storage, there are a
few cons to remember as well. By navigating these cons or challenges, you
can arrive at a pragmatic cloud storage strategy that maximizes its benefits.

o Risk of vendor lock-in: If all your data is stored in a single


public cloud platform, there’s a risk of vendor lock-in and
potential inflexibilities. Address this with a hybrid or
multi-cloud blueprint where there is sufficient
interoperability between environments.
o Security issues around multi-tenancy: Public cloud
environments are shared by multiple tenants, which can
multiply your security vulnerabilities. You can prevent
this through cloud data protection and by leveraging the
private cloud for sensitive data.
o Fragmentation of IT landscape: Unplanned cloud storage
adoption can cause your IT landscape to become
fragmented over time. That’s why you need a detailed
strategic blueprint outlining your short, mid, and long-
term cloud roadmap.
o Outage and downtime risk: Cloud platforms managed by
external providers could suffer from an outage, rendering
the data and applications stored in these environments
inaccessible. Service level agreements should specify
downtime metrics, and you need additional redundancy
for your most critical data.
o Short-term budget overruns: Cloud cost worries are
extremely common, where data storage and storage
processes occupy more space than estimated. A cloud
resource management tool can help address this, giving
you visibility and control.

Selecting the right cloud storage provider

Let’s look at the most critical aspects businesses need to consider when
selecting a cloud storage provider.

o Storage space: The amount of data a business processes
determines the requirement for storage space. A small
organization (around 250 employees) could opt for
public cloud storage services, which offer employees
storage space of over 15 GB each. It is recommended to
compare various public cloud storage pricing plans
before signing the deal.
o Maintenance & uptime: Cloud servers need to be
maintained to make sure the data stored is secure.
However, downtimes and network failures can occur
anytime. Therefore, understanding the maintenance and
uptime needed by cloud service providers is essential.
Organizations should ask their chosen cloud service
providers to demonstrate their downtime plans and run
checks before buying any cloud solution.
o Security: If data is compromised, then cloud storage
comes in handy as a useful backup. There is no
guarantee, however, that cloud storage providers are safe
from security threats. Understanding the security
measures in place at the cloud storage provider is
important. Two main factors need to be considered for
security: the physical security of the cloud solution
provider’s servers and the level of encryption applied to
the data stored.
o Speed: The speed of downloads from the cloud has a
major impact on businesses and their ability to process
critical data. If cloud storage providers place a cap on the
download speed, retrieving data and running applications
will take longer. Therefore, organizations need to gauge
the cloud storage download speeds of a provider before
buying any storage space.

Top 8 Best Practices to Implement Cloud Storage for Companies in 2021

Even if it involves a few challenges, cloud storage implementation is now a
top priority for companies. It enables easy access to information for large,
distributed teams operating in a WFH environment. It can help you gain from
sophisticated data analytics without investing in on-premise storage for large
volumes of data. Most importantly, it enables interconnectivity between
different applications and data sources, generating efficiencies and business
value.

In the last year, cloud storage adoption has accelerated at a dramatic pace,
and the momentum will continue for the foreseeable future. Here are 8 best
practices that can help make the most of this opportunity.

1. Pilot cloud storage using non-business-critical data

The implementation of cloud storage marks a significant change in your IT
operational approach, transforming how other related processes are carried
out.

It will influence data-driven applications, business analytics, integrations, and
other components of the IT landscape. Therefore, it is important to first trial
cloud storage at a limited scale before implementing it across the
organization. This will allow you to observe its impact on related IT processes,
tweaking the implementation SLAs and configurations accordingly. Conduct
the initial pilot using non-business-critical data to avoid interrupting live
processes and keep any adverse impacts restricted to a sandboxed
environment.

2. Leverage multi-cloud to avoid vendor lock-in

As the cloud storage market matures, providers are eager to deliver a wide
variety of services and capabilities under one offering. However, this could
lead to vendor lock-in. If you rely on a single cloud environment for all your
storage requirements, any downtime or outage experienced by that
environment could cripple your entire storage landscape. And, as your storage
volumes increase with time, you will find it increasingly harder to shift out if
necessary. To prevent such a situation, it is advisable to leverage a multi-cloud
landscape where different data and application buckets are stored in
different cloud environments, and there is interoperability among platforms.

3. Specify your data retention policies before migrating

Data retention refers to the practice of holding on to a data asset for a
limited period, as per the wishes of the data owner, business relevance, or
industry rules. Retention policies not only mention how long to store data but
also the timeline and methodology for retiring it. Data retention policies will
determine how much cloud storage you occupy, the frequency of backup and
transfer processes, and cloud storage costs.

Without a detailed retention policy document in place, enterprises are likely
to exceed their projected storage volumes well ahead of time, leading to
budget overruns. That’s why you need to specify your data retention policies
before migrating to the cloud, incorporating these into service level
agreements (SLAs) to ensure predictability and compliance later on.

4. Bring cloud storage under the ambit of IT compliance and audits

IT compliance and audits tend to focus on on-premise environments and
first-party managed storage, overlooking data housed in a remote location or
by an external cloud vendor. This could cause non-compliance risks later on.
Even if the data is stored by a public cloud vendor or a third-party MSP,
enterprises must still take complete ownership of regulatory compliance
around data privacy, compliance, and security. Cloud storage must be
regularly audited with a detailed inventory of your assets, their utilization,
and retention plans.

5. Invest in the private cloud if you operate in a regulated industry

Regulated industries such as healthcare, financial services, governments, and
educational institutions typically generate and store large volumes of
sensitive information. This could range from the medical histories of patients
to the names and address information of school students or payment card
details. It can be helpful to leverage private cloud storage for information
such as this, protecting the data from the risks of a multi-tenant cloud
architecture.

Private cloud storage also means that you are immune to vendor-related
outages and downtimes, which would render these vital data assets
inaccessible. In fact, the private cloud is mission-critical for companies in
regulated industries, where sensitive data is essential for day-to-day business
processes and not just compliance-related archives.

6. Make remote work a focus area when planning for cloud storage

Remote work is now a major use case for cloud storage implementation and is
poised to be the new normal for the foreseeable future. Therefore, your cloud
storage strategy must take the needs of a remote worker into account, from
connecting with the right productivity tools to enforcing security policies that
restrict remote access in certain scenarios. Outline measures to prevent
employees from accessing cloud storage from unfamiliar and unauthorized
devices. Specify clear policies to regulate which data can be stored on the
cloud and which information needs to be kept on-premise.

7. Optimize data transfer to avoid egress fees

Most public cloud platforms charge you for data retrieval (also known as
egress fees) to move data out of their cloud platform. This tactic encourages
more dependency and possibly vendor lock-in, as you keep data immobile on
the cloud for longer periods. Your data transfer frequency is directly linked to
your cloud costs, and frequent retrieval (for example, to run on-premise
analytics) will add to your resource consumption in the form of egress fees.

There are two ways to address this. First, you can host analytics applications
within the same public cloud so that data doesn’t need to be moved out for
processing. Second, you can optimize each transfer by compressing data
volumes to reduce the retrieval fees.

8. Adopt a cloud-first cybersecurity solution

Finally, ensure that your cybersecurity solution takes your cloud storage
investments into account. For example, Trend Micro offers a cloud-first
solution called Cloud One – Conformity, and there are several cloud access
security broker (CASB) tools available. Even if only a portion of your total
data assets is stored in the cloud, it has to be covered by a cybersecurity
solution to close any vulnerabilities and demonstrate compliance with data
protection laws.

Wrapping up

Even if the cloud plays a central role in data processing and storage, the
future of cloud and data storage is changing rapidly. Data security is one of
the major concerns in cloud storage, and in the future, mass data breaches
will be a strong point of concern for businesses that opt for cloud storage.

In such a scenario, will the cloud become obsolete? What are the possible
alternatives to store complex data in the future? There are many options on
the table, including serverless computing. Our two essential tips for techies
looking at optimizing cloud services are conducting regular reviews and
identifying redundant tasks on cloud services. The idea is to enjoy the
freedom that the cloud offers without overspending.

Cloud storage considerations


To determine whether using cloud storage will result in operational
efficiencies and be cost-effective, a company must take these four steps:

1. Compare the one-time and recurring costs of purchasing and
managing storage capacity in-house versus the ongoing costs of
storing and accessing data in the cloud.

2. Determine if additional telecommunications expenses will be
required for the appropriate access to the service provider.

3. Decide if the cloud storage service provides adequate security and
data governance.

4. Develop an in-house cloud security strategy, with procedures for
access and use of cloud storage to maintain effective management
of data and control expenses.

Examples of cloud storage

The most common uses for cloud storage are:

• cloud backup

• disaster recovery (DR)

• archiving infrequently accessed data

An increasing number of companies are using cloud storage services
for DevOps as a way to cut capital costs. Developers can spin up the compute
and storage resources for the duration of the project development and
testing, and then spin them down when it ends.

From data backup to unstructured file sharing to object storage, find out the
many ways cloud storage is used.

Increasingly, organizations are moving key applications to the cloud as the
service providers have improved performance and tightened security. In
addition, companies that experience substantial seasonal fluctuations in the
volume of data they create can tap into cloud storage to handle these bursts
of data creation activity.

For small to medium-sized businesses (SMBs), some specialized cloud
storage services, such as file sync and share, may be useful on an individual
server or user basis. The file syncing features of these services ensure the
versions of files stored locally on the sync client -- a server or end user's PC --
and in the cloud are consistent. Versioning and file-sharing capabilities also
are often included.

Cloud storage service providers


The cloud-based storage market is dominated by Amazon Web Services,
Google and Microsoft Azure, but traditional storage vendors like Dell EMC,
Hewlett Packard Enterprise, Hitachi Data Systems, IBM and NetApp also
operate in the space with products for both enterprise and small business
owners that include self-service cloud portals to provision and monitor use.
Some online file storage services, such as Box and Dropbox, have business-
to-consumer (B2C) cloud storage services, as well as business-to-business
(B2B) offerings.

Organizations considering the use of cloud storage should be aware of
the pros and cons of using cloud computing technologies, in general. If the
decision is made to move forward with the cloud, organizations can use topic-
based cloud guides to determine which cloud storage types and services best
fit their business needs.

Cloud storage is believed to have been invented by computer scientist Dr.
Joseph Carl Robnett Licklider in the 1960s. About two decades later,
CompuServe began to offer its customers small amounts of disk space in
order to store some of their files. In the mid-1990s, AT&T launched the first
all web-based storage service for personal and business communication.
Since then, a number of different services have gained traction.
Some of the most popular cloud storage providers are Apple (iCloud),
Amazon (Amazon Web Services), Dropbox, and Google.

How Cloud Storage Benefits Businesses


Cloud storage helps businesses with major data storage needs to save a
significant amount of space and money by eliminating the need for data
storage infrastructure on the business premises. The cloud storage provider
owns and maintains all the necessary hardware and software so the cloud
users don’t have to. Purchasing ongoing cloud storage may cost more in the
long run, but it can be significantly less expensive upfront. Further,
businesses can almost instantly scale up or down how much cloud storage
they have access to as their storage needs change.

The cloud also enables employees to collaborate with colleagues—and work
remotely and outside of regular business hours—while facilitating smooth
document collaboration by allowing authorized employees easy access to the
most updated version of a file. At the personal level, cloud storage allows
mobile data and enables digital life in the holistic way we live it today.
Without the cloud, smartphones would not be able to be the interface of so
much data (photos, documents, information on the go). Using the cloud to
store files can also have a positive effect on the environment since it cuts
down energy consumption.

Cloud Storage Security


There is so much attention on cloud storage today in the digital era because
so much of our sensitive personal data is stored in the cloud whether we
voluntarily store it there or whether a company we do business with decides
to store it there. As a result, cloud security has become a major concern.

Users wonder whether their information is safe, and increasing data
breaches have demonstrated that sometimes it isn’t. Users are also
concerned about whether the data they have stored on the cloud will be
accessible when they need it.

While cloud storage may seem vulnerable due to the prevalence of hacking,
the alternatives, such as onsite storage, have security vulnerabilities, too.
Company-provided cloud storage can actually improve security by giving
employees an alternative to using their personal accounts to back up and
transfer files that they need to access outside the office.

A good cloud storage provider will have data redundancy, storing the same
files in multiple physical locations so that it survives any human errors,
equipment failures, or natural disasters. A reputable provider will also store
and transmit data securely so that no one can access it without permission.
Some users might also require that data be stored in such a way that it can
only be read but not changed; this feature, too, is available through cloud
storage.

Here are a few well-known companies that offer some form of cloud storage:

• Google Docs allows users to upload documents, spreadsheets and
presentations to Google's data servers. Users can edit files using a
Google application. Users can also publish documents so that other
people can read them or even make edits, which means Google Docs is
also an example of cloud computing.
• Web e-mail providers like Gmail, Hotmail and Yahoo! Mail store e-mail
messages on their own servers. Users can access their e-mail from
computers and other devices connected to the Internet.

• Sites like Flickr and Picasa host millions of digital photographs. Their
users create online photo albums by uploading pictures directly to the
services' servers.
• Web site hosting companies like StartLogic, Hostmonster
and GoDaddy store the files and data for client Web sites.
• Social networking sites like Facebook and MySpace allow members to
post pictures and other content. All of that content is stored on the
respective site's servers.
• Services like Xdrive, MediaMax and Strongspace offer storage space for
any kind of digital data.

To secure data, most systems use a combination of
techniques, including:

• Encryption, which means they use a complex algorithm to encode
information. To decode the encrypted files, a user needs the encryption
key. While it's possible to crack encrypted information,
most hackers don't have access to the amount of computer
processing power they would need to decrypt information.
• Authentication processes, which require users to create a user name and
password.
• Authorization practices -- the client lists the people who are authorized
to access information stored on the cloud system. Many corporations
have multiple levels of authorization. For example, a front-line
employee might have very limited access to data stored on a cloud
system, while the head of human resources might have extensive access
to files.

Even with these protective measures in place, many people worry that data
saved on a remote storage system is vulnerable. There's always the possibility
that a hacker will find an electronic back door and access data. Hackers could
also attempt to steal the physical machines on which data are stored. A
disgruntled employee could alter or destroy data using his or her
authenticated user name and password. Cloud storage companies invest a lot
of money in security measures in order to limit the possibility of data theft or
corruption.

The other big concern, reliability, is just as important as security. An unstable
cloud storage system is a liability. No one wants to save data to a failure-
prone system, nor do they want to trust a company that isn't financially
stable. While most cloud storage systems try to address this concern through
redundancy techniques, there's still the possibility that an entire system could
crash and leave clients with no way to access their saved data.

Cloud storage companies live and die by their reputations. It's in each
company's best interests to provide the most secure and reliable service
possible. If a company can't meet these basic client expectations, it doesn't
have much of a chance -- there are too many other options available on the
market.

Some of the most popular cloud data storage providers include:

• Amazon Web Services (AWS)

• Microsoft Azure

• Google Cloud Platform

• Dropbox

• Box

• iCloud

Cloud data storage can be used for a variety of purposes, including:

• File storage: Cloud data storage can be used to store and share files of
all types, including documents, photos, videos, and music.

• Data backup: Cloud data storage can be used to back up data from on-
premises servers and computers. This can help to protect data from
loss in the event of a hardware failure or other disaster.

• Application hosting: Cloud data storage can be used to host websites
and applications. This can free businesses from the need to manage
their own servers.

What are the drawbacks of using cloud data storage?

There are a few drawbacks to using cloud data storage, including:

• Vendor lock-in: Once you have stored your data with a cloud provider, it
can be difficult and expensive to switch to a different provider. This is
because you may need to convert your data to a format that is
compatible with the new provider's platform.

• Security: While cloud providers typically have strong security measures
in place, there is always the risk of a data breach. This is why it is
important to choose a reputable cloud provider and to encrypt your
data before storing it in the cloud.

• Compliance: If your business is subject to industry regulations, you
need to make sure that your cloud provider complies with those
regulations. For example, if your business is subject to the Health
Insurance Portability and Accountability Act (HIPAA), you need to
choose a cloud provider that is HIPAA compliant.

How to choose a cloud data storage provider

When choosing a cloud data storage provider, there are a few factors to
consider:

• Pricing: Compare the pricing of different providers to find the one that
best suits your budget.

• Features: Consider the features that are important to you, such as
scalability, security, and compliance.

• Customer support: Make sure that the provider offers good customer
support in case you have any problems.

Here is some more information about cloud data storage:

• Cloud data storage is a pay-as-you-go model. This means that you only
pay for the storage that you use. This can be a cost-effective option for
businesses that have fluctuating storage needs.

• Cloud data storage is highly scalable. This means that you can easily
add or remove storage capacity as needed. This can be beneficial for
businesses that are experiencing rapid growth or that have seasonal
fluctuations in demand.

• Cloud data storage is highly reliable. Cloud providers typically have
redundant systems in place to ensure that data is always available. This
means that your data is less likely to be lost or corrupted than if it were
stored on-premises.

• Cloud data storage is highly secure. Cloud providers typically have
strong security measures in place to protect data from unauthorized
access. This includes encryption, firewalls, and intrusion detection
systems.

Here are some examples of how cloud data storage can be used:

• Businesses can use cloud data storage to store their customer
data. This can include contact information, order history, and purchase
preferences. This data can be used to improve customer service and
marketing campaigns.

• Businesses can use cloud data storage to store their business data. This
can include financial records, sales data, and marketing materials. This
data can be used to make better business decisions.

• Businesses can use cloud data storage to store their website and
application data. This can make their websites and applications more
reliable and scalable.

• Individuals can use cloud data storage to store their personal files. This
can include photos, videos, documents, and music. This can make it
easier to access and share these files from anywhere in the world.

Cloud data security is important because cloud environments can be
vulnerable to a variety of threats, including:

• Data breaches: Data breaches can occur when unauthorized users gain
access to cloud data. This can be done through hacking, malware
attacks, or human error.

• Denial-of-service attacks: Denial-of-service attacks can flood cloud
resources with traffic, making them unavailable to legitimate users.

• Insider threats: Insider threats can occur when authorized users abuse
their access to cloud data or systems.

Cloud data storage providers typically have a number of security measures in
place to protect their customers' data, including:

• Encryption: Encryption is one of the most important security measures
for cloud data storage. It scrambles data so that it cannot be read by
unauthorized users.

• Access control: Access control lists and role-based access control
(RBAC) are used to restrict access to cloud resources to authorized
users.

• Auditing: Auditing logs track all activity on cloud resources. This
information can be used to detect and investigate suspicious activity.

• Data loss prevention (DLP): DLP systems can be used to prevent
sensitive data from being leaked or lost.
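
The access-control and auditing items above, together with the authorization
levels described earlier (a front-line employee with very limited access versus
the head of human resources with extensive access), as an added example in Go
that is not part of these notes or of any provider's product: a small
role-based authorizer that denies by default, records an audit event for every
decision, and a scan over that log that flags principals with repeated denials.
All principals, roles, bucket names and the denial threshold are constructed
for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuditEvent is one entry of the access log the authorizer writes.
type AuditEvent struct {
	Principal string
	Action    string // "read" or "write"
	Object    string // "<bucket>/<path>"
	Allowed   bool
}

// Authorizer implements role-based access control: principals hold roles,
// roles hold permissions of the form "<action>:<bucket>".
type Authorizer struct {
	roles  map[string][]string        // principal -> roles
	grants map[string]map[string]bool // role -> permission set
	Log    []AuditEvent               // audit trail, appended on every decision
}

// NewAuthorizer builds the constructed example: the "frontline" role may only
// read the "public" bucket; the "hr-admin" role may also read and write "hr".
func NewAuthorizer() *Authorizer {
	return &Authorizer{
		roles: map[string][]string{
			"frontline-alice": {"frontline"},
			"hr-head-bob":     {"frontline", "hr-admin"},
		},
		grants: map[string]map[string]bool{
			"frontline": {"read:public": true},
			"hr-admin":  {"read:hr": true, "write:hr": true},
		},
	}
}

// Authorize decides whether principal may perform action on object. Unknown
// principals, unknown roles and unlisted permissions are all denied, and every
// decision (allowed or not) is written to the audit log.
func (a *Authorizer) Authorize(principal, action, object string) bool {
	bucket := strings.SplitN(object, "/", 2)[0]
	need := action + ":" + bucket
	allowed := false
	for _, role := range a.roles[principal] {
		if a.grants[role][need] { // lookup on a nil map is simply false
			allowed = true
			break
		}
	}
	a.Log = append(a.Log, AuditEvent{principal, action, object, allowed})
	return allowed
}

// SuspiciousPrincipals scans the audit log and returns, sorted, every principal
// with at least threshold denied requests. Repeated denials are a common sign of
// a misassigned role or of probing and are worth investigating.
func SuspiciousPrincipals(log []AuditEvent, threshold int) []string {
	denials := map[string]int{}
	for _, e := range log {
		if !e.Allowed {
			denials[e.Principal]++
		}
	}
	var out []string
	for p, n := range denials {
		if n >= threshold {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	az := NewAuthorizer()
	requests := [][3]string{ // constructed request stream
		{"frontline-alice", "read", "public/handbook.pdf"},
		{"frontline-alice", "read", "hr/salaries.csv"},
		{"frontline-alice", "read", "hr/reviews/2021.docx"},
		{"frontline-alice", "write", "hr/salaries.csv"},
		{"hr-head-bob", "write", "hr/salaries.csv"},
	}
	for _, r := range requests {
		fmt.Printf("%-16s %-5s %-22s allowed=%v\n", r[0], r[1], r[2], az.Authorize(r[0], r[1], r[2]))
	}
	fmt.Println("suspicious:", SuspiciousPrincipals(az.Log, 3))
}
```

The denial threshold is deliberately simple; in a real log review you would
also look at the time window and at which buckets were targeted, but the
shape (deny by default, log every decision, review the denials) is what the
access-control and auditing bullets are describing.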

In addition to the security measures provided by cloud providers, customers
can also take steps to protect their own cloud data, such as:

• Using strong passwords and multi-factor authentication: Strong
passwords and multi-factor authentication can help to prevent
unauthorized access to cloud accounts.

• Educating employees about cloud security: Employees should be
trained on cloud security best practices, such as how to identify and
avoid phishing attacks.

• Encrypting sensitive data: Sensitive data should be encrypted before it
is stored in the cloud.

• Backing up data regularly: Data should be backed up regularly to
protect against data loss.

Common use cases for cloud storage are:

• Data backups.
• Primary file storage (most common in a hybrid and multi-cloud setup).
• Email storage.
• Disaster Recovery as a Service (DRaaS) for responding to unforeseen
events.
• File archives.
• Test and development environments for DevOps teams spinning up
storage resources.

As cloud-stored data does not reside on an on-prem server, a company using
a public cloud must in part rely on the provider to keep data safe. The good
news is that a top vendor's data center uses various practices to ensure data
remains secure. These measures often include:

• End-to-end data encryption.
• Advanced cybersecurity capabilities.
• Secure authentication protocols and access control mechanisms.
• Features that guarantee high availability.
• Storing data on servers distributed across multiple locations.
• High-end physical device and infrastructure security.
• Advanced cloud monitoring features.

Is data security your top priority? Created together with Intel and VMware,
PNAP's Data Security Cloud is a platform that protects data with robust
encryption, strict segmentation controls, and advanced threat intelligence.

How Secure Is Cloud Storage?

If you partner with the right provider, your cloud storage will be safer than
any on-prem infrastructure. However, not all cloud storage platforms are the
same, and some of them are less secure than the provider likes to admit.

The right provider offers many features and frameworks a company cannot
easily (or cheaply) deploy on an on-prem setup. These capabilities include:

• Top-tier redundancy: A provider-level data center has top equipment
and software redundancy for disaster recovery scenarios.
• Robust physical security: A high-end data center keeps servers in a far
more secure facility than an average in-office server room. Typical
measures include 24-hour facility surveillance, fingerprint locks, and
armed guards.
• Multi-tiered security features: Cloud providers rely on top hardware
and software-based firewalls to filter traffic coming into and out of the
cloud storage. The use of an intrusion detection system (IDS) is also a
standard measure.
• High-end security testing: Cloud providers run regular vulnerability
assessments and penetration tests to ensure the storage security levels
are up to par with the latest threats.
• Continuous monitoring (CM): CM ensures the security team has real-
time visibility into every server and cloud storage in the facility.

Cloud Storage Security Challenges

While beneficial, the decision to move data to the cloud means exposing files
to new risks. Below is a look at the most common risks and concerns of cloud
storage security.

1. Operational Risks
Nearly all cloud security failures result from an operational mistake made on
the client's side. The most common mistakes include:

• Employees using unapproved cloud storage services or
platforms without the security or IT team's knowledge.
• Sharing files with the wrong user.
• Accidentally deleting valuable data.
• Losing an encryption key due to poor key management.
• Relying on weak and easy-to-crack passwords.
• Employees using unapproved and unsecured devices.

The use of unauthorized devices is an especially high risk for a company with
a Bring Your Own Device (BYOD) culture. In that case, the management must
create and enforce a strict BYOD policy to ensure safe operations.

2. Data Availability Concerns

Operational risks can also occur on the service provider's side. Common
issues include:

• Service disruptions due to server failure or a staff member's mistake.
• A local disaster (power outage, fire, earthquake, etc.) that causes
hardware failure and downtime.
• A successful cyberattack targeting the provider directly or through
another cloud user.

If something affects your storage provider, the event will directly impact
access to your data. You must wait for the provider to fix the issue, and the
team may not have access to cloud-based data until the vendor's team
resolves the problem.

3. More Data Exposure

A large part of data security is making sure no one outside the team can
access the data. When you rely on a partner to store files, you increase the
attack surface via which a malicious actor can reach your data.

Even if you take proper precautions to ensure no one in the team leaks data,
your storage provider might accidentally expose your files and cause data
leakage or pave the way for a costly attack.

4. Regulatory and Compliance Obligations

Since compliance demands vary based on how and where a business stores
data, cloud storage must meet all the relevant requirements. These demands
can dictate the way a provider must:

• Store and process data.
• Control access to files.
• Segment the storage.
• Delete data.
• Keep data safe.

Besides meeting current requirements, the cloud service must also be flexible
enough to enable a business to adapt to new demands and regulations.

5. Misconfiguration Issues

Cloud misconfiguration is any error or glitch that exposes cloud data to risk.
Since the end users have reduced visibility and control over data and
operations, misconfigurations are a common problem.

Cloud storage misconfigurations typically result from:

• Inexperienced engineers.
• IT mistakes.

• Poor resource and operation policies.

A misconfiguration can often lead to a data breach, either from an insider
threat or an external actor who gains access to the cloud.

6. Inconsistent Security Controls

Conflicting and overly complex security controls can also cause issues. The
most common problems appear when the provider's and client's teams set up
inconsistent rules that leave security gaps a hacker can exploit.

There are two ways to alleviate the risk of conflicting security controls:

• Go with a cloud storage solution that enables your team to set up and
manage basic security controls.
• Partner with a reliable provider that agrees to shoulder the entire
responsibility of data storage security.

Our article on cybersecurity best practices outlines security measures and
tactics that play a vital role both on-premises and in the cloud.

➢ Data Encryption

A cloud provider must encrypt cloud data. That way, if a malicious actor or
program accesses a file, all the unauthorized user will find is scrambled data.
The only way to decipher data is to use a decryption key.

A provider should encrypt data both at rest and in transit:

• Encryption at rest protects stored cloud data that is not currently in use
(AES 256-bit encryption is the most popular option).
• Encryption in transit protects data while files move between two cloud
or network points (TLS/SSL 128-bit encryption is the most common
choice).

A company can boost cloud storage security with client-side encryption. With
this strategy, encryption and decryption happen on the target user's device.
There are no encryptions or decryptions on the provider's server as the
vendor does not keep any keys. Even if a hacker breaches the provider's
server, the thief will not obtain your decryption key.

Regardless of what type of encryption you rely on, you should


enforce encryption key management best practices to ensure the team
handles keys without adding unnecessary risk to data.
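
As an added illustration of client-side encryption (example code written for these notes, not the page's own or any provider's code), the Go program below encrypts a file with AES-256-GCM before it ever reaches storage, so the provider holds only ciphertext and cannot read it without a key it never received. The object name is bound to the ciphertext as associated data, and the in-memory providerStore map is a constructed stand-in for a storage bucket:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes, i.e. the "AES 256-bit" option mentioned above.
const keySize = 32

// NewKey generates a random AES-256 key. Under client-side encryption the
// key is created and kept only on the client (or in a client-controlled
// key manager); it is never handed to the storage provider.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag,
// the blob that is uploaded. aad (here the object name) is authenticated but
// not encrypted, so a stored blob cannot be quietly swapped under another name.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies and decrypts a blob produced by Seal. A modified blob, a wrong
// key or a wrong aad all fail authentication and return an error.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// providerStore stands in for the provider's object storage: it only ever
// holds ciphertext. Constructed for this example, not a real storage API.
var providerStore = map[string][]byte{}

// RoundTrip encrypts a document locally, "uploads" it, then downloads and
// decrypts it again; the provider never sees the key or the plaintext.
func RoundTrip(key []byte, name string, doc []byte) ([]byte, error) {
	blob, err := Seal(key, doc, []byte(name))
	if err != nil {
		return nil, err
	}
	providerStore[name] = blob
	return Open(key, providerStore[name], []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("quarterly payroll export (constructed sample data)")
	out, err := RoundTrip(key, "payroll.csv", doc)
	fmt.Printf("decrypted on client: %q (err=%v)\n", out, err)

	// The provider holds only ciphertext; the plaintext is not recoverable
	// from it without the client's key.
	stored := providerStore["payroll.csv"]
	fmt.Printf("provider stores %d bytes; plaintext visible: %v\n",
		len(stored), bytes.Contains(stored, []byte("payroll")))

	// Any change to the stored object is detected on download.
	stored[len(stored)-1] ^= 0x01
	_, err = Open(key, stored, []byte("payroll.csv"))
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Key management is the part the code deliberately leaves to the caller: NewKey returns a key that must be protected in a local key store or a client-controlled key management service, and losing it makes the stored data unrecoverable, which is why the text insists on key management practices. Encryption in transit is still needed on top of this: TLS protects the blob on the wire, while GCM protects it at rest and detects tampering.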
➢ Two-Factor Authentication (2FA)

Two-factor authentication (2FA) requires a user to provide two pieces of info
during login. Besides a username and password, 2FA also requires the
employee to give an additional credential, which can be:

• A biometric scan (face or finger scans are the most common options).
• A one-time PIN sent to the user's email address or phone.
• A hardware token (typically a USB).

Two-factor authentication adds an extra layer of security that prevents an
unauthorized actor from accessing cloud storage with a stolen password (a
common target of phishing attacks). Always look for a provider that enables
the use of 2FA.

➢ Data Backups (On Both Sides)

Both you and your cloud provider should create regular backups:

• The provider should create regular cloud data backups and spread files
across several data centers. If one of the servers goes offline, the client
will not suffer downtime.
• You should back up your most sensitive (or all) cloud-based files in an
on-prem hard drive. Keep these backups immutable and update them
regularly to avoid data loss in any scenario.

PhoenixNAP's cloud backup solutions enable you to set up customizable,
immutable backups of all critical data and workloads.

➢ Develop a Cloud Storage Policy

A cloud storage policy ensures your employees understand the company's
approach to storing and managing data in the cloud. This document should
evolve with your company's current needs and the cloud services the team
uses. A policy should provide:

• A clear overview of all cloud-related business objectives.
• Guidelines for when and how employees should use cloud storage.
• A list of best practices when working with cloud data.
• Instructions on what data should go to which cloud storage.
• An overview of all compliance and regulation responsibilities.
• All configuration standards.

If you rely on hybrid cloud architecture, your policy should also cover
practices for accessing, managing, integrating, and governing cloud usage
within your unique hybrid environment.

Our article on cloud security policies shows how to create a company-wide
guideline that dictates how the team operates in the cloud.

➢ Ransomware Protection

A ransomware attack enables a hacker to encrypt your data and demand a
ransom in exchange for the decryption key. If the victim refuses to meet the
demand, the criminal deletes the key and, as a result, renders target data
useless.

This cyberattack type can be devastating to your finances and reputation, so
you should always partner with a cloud provider that offers high-end
ransomware protection.

PhoenixNAP offers robust ransomware protection that relies on a mix of
infrastructure security and immutable backups. To learn more about this
threat, check out our article on different ransomware examples and our DIY
guide to preventing ransomware.

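
The backup and ransomware sections above both rest on the word "immutable". The Go sketch below (an added example, not PhoenixNAP's or any vendor's implementation) shows what an immutable, versioned backup store has to guarantee: writes only append new versions, deletes are refused while a retention lock is in force, and a restore re-checks a SHA-256 digest. The Scenario function walks through a clean backup, a later backup of a file that ransomware has already encrypted (a constructed placeholder string, not real malware behaviour), and a deletion attempt.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Version is one immutable snapshot of a backed-up object.
type Version struct {
	Data      []byte
	Digest    string    // SHA-256 of Data, re-checked on restore
	Created   time.Time
	LockUntil time.Time // retention lock: no deletion before this time
}

// Vault is a write-once, versioned backup store. It stands in for an
// object-lock / immutable-backup feature and is not any vendor's API.
type Vault struct {
	Retention time.Duration
	Now       func() time.Time // injectable clock so retention can be tested
	objects   map[string][]Version
}

func NewVault(retention time.Duration) *Vault {
	return &Vault{Retention: retention, Now: time.Now, objects: map[string][]Version{}}
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Put stores data as a new version and returns its index. Earlier versions
// are never overwritten, so a backup job that runs after an attack cannot
// replace the clean copy taken before it.
func (v *Vault) Put(name string, data []byte) int {
	now := v.Now()
	cp := append([]byte(nil), data...)
	v.objects[name] = append(v.objects[name], Version{
		Data: cp, Digest: digest(cp), Created: now, LockUntil: now.Add(v.Retention),
	})
	return len(v.objects[name]) - 1
}

// Delete refuses while any version is still inside its retention lock, even
// for a caller that holds valid credentials.
func (v *Vault) Delete(name string) error {
	for _, ver := range v.objects[name] {
		if v.Now().Before(ver.LockUntil) {
			return fmt.Errorf("%s: version locked until %s", name, ver.LockUntil.Format(time.RFC3339))
		}
	}
	delete(v.objects, name)
	return nil
}

// Restore returns a copy of version idx after verifying its digest.
func (v *Vault) Restore(name string, idx int) ([]byte, error) {
	vers := v.objects[name]
	if idx < 0 || idx >= len(vers) {
		return nil, errors.New("no such version")
	}
	if digest(vers[idx].Data) != vers[idx].Digest {
		return nil, errors.New("integrity check failed")
	}
	return append([]byte(nil), vers[idx].Data...), nil
}

func (v *Vault) Versions(name string) int { return len(v.objects[name]) }

// Scenario: a clean backup is taken; ransomware then encrypts the live file and
// the next scheduled job backs up the unreadable copy; finally a deletion of
// the backup is attempted. The clean version survives and restores.
func Scenario() (clean []byte, deleteErr error, versions int) {
	vault := NewVault(30 * 24 * time.Hour)
	vault.Put("ledger.db", []byte("clean ledger contents (constructed)"))
	vault.Put("ledger.db", []byte("<unreadable bytes written by ransomware (constructed)>"))
	deleteErr = vault.Delete("ledger.db")
	clean, _ = vault.Restore("ledger.db", 0)
	return clean, deleteErr, vault.Versions("ledger.db")
}

func main() {
	clean, deleteErr, n := Scenario()
	fmt.Printf("versions kept: %d\ndelete attempt: %v\nrestored v0: %q\n", n, deleteErr, clean)
}
```

The retention lock is what makes the copy "immutable" from the attacker's point of view: stolen administrator credentials are enough to encrypt live data and to run the next backup job, but not to remove versions that were written before the attack.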
➢ Cloud Storage Monitoring

Continuous change, access, and activity monitoring help identify and remove
potential threats to cloud storage. Most storage services include robust cloud
monitoring with alerts for:

• New sign-ins.
• Account activity.
• Data shares.
• File deletion.
• Unusual and suspicious activity.

In addition to the provider team's alerts, you can also deploy your own cloud
monitoring tool. An extra tool ensures you take a proactive approach to cloud
storage security and that your team can identify threats emerging from your
end.
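
To make the alert categories above concrete, here is an added Go example (not from the text and not any provider's monitoring product) that runs three detection rules over constructed newline-delimited JSON audit records: a sign-in from a country not seen before for that user, a share to a recipient outside the company domain, and a burst of deletions within a short window. The field names, thresholds and sample records are assumptions made for this example; real services each have their own log schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one storage audit record (field names assumed for this example).
type Event struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	Action string    `json:"action"` // sign_in, share, delete
	IP     string    `json:"ip"`
	Geo    string    `json:"geo"`    // country of the source IP
	Target string    `json:"target"` // object name or share recipient
}

// Alert is what the monitoring tool raises to the security team.
type Alert struct {
	Rule   string
	User   string
	Detail string
}

// Detector keeps the per-user state the rules need between events.
type Detector struct {
	homeDomain   string
	seenGeo      map[string]map[string]bool // user -> countries seen at sign-in
	deletes      map[string][]time.Time     // user -> recent delete timestamps
	deleteLimit  int
	deleteWindow time.Duration
}

func NewDetector(homeDomain string) *Detector {
	return &Detector{homeDomain: homeDomain, seenGeo: map[string]map[string]bool{},
		deletes: map[string][]time.Time{}, deleteLimit: 4, deleteWindow: time.Minute}
}

// Process applies the rules to one event and returns any alerts it raises.
func (d *Detector) Process(e Event) []Alert {
	var alerts []Alert
	switch e.Action {
	case "sign_in": // new sign-in from a country not previously seen for this user
		if d.seenGeo[e.User] == nil {
			d.seenGeo[e.User] = map[string]bool{}
		}
		if !d.seenGeo[e.User][e.Geo] {
			if len(d.seenGeo[e.User]) > 0 { // the first sign-in only sets the baseline
				alerts = append(alerts, Alert{"new-location-signin", e.User,
					fmt.Sprintf("sign-in from %s (%s)", e.Geo, e.IP)})
			}
			d.seenGeo[e.User][e.Geo] = true
		}
	case "share": // data share with a recipient outside the company domain
		if !strings.HasSuffix(strings.ToLower(e.Target), "@"+d.homeDomain) {
			alerts = append(alerts, Alert{"external-share", e.User, "shared with " + e.Target})
		}
	case "delete": // burst of deletions: alert once when the window count hits the limit
		cutoff := e.Time.Add(-d.deleteWindow)
		recent := d.deletes[e.User][:0]
		for _, ts := range d.deletes[e.User] {
			if ts.After(cutoff) {
				recent = append(recent, ts)
			}
		}
		recent = append(recent, e.Time)
		d.deletes[e.User] = recent
		if len(recent) == d.deleteLimit {
			alerts = append(alerts, Alert{"mass-deletion", e.User,
				fmt.Sprintf("%d deletes within %s", len(recent), d.deleteWindow)})
		}
	}
	return alerts
}

// Run feeds newline-delimited JSON records through the detector.
func Run(d *Detector, logs string) ([]Alert, error) {
	var all []Alert
	for _, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		all = append(all, d.Process(e)...)
	}
	return all, nil
}

// sampleLog is constructed for this example (addresses are documentation ranges).
const sampleLog = `
{"time":"2024-03-01T08:00:00Z","user":"ana@example.com","action":"sign_in","ip":"203.0.113.5","geo":"DE"}
{"time":"2024-03-01T08:05:00Z","user":"ana@example.com","action":"share","target":"bob@example.com"}
{"time":"2024-03-01T08:06:00Z","user":"ana@example.com","action":"share","target":"someone@mail.example.net"}
{"time":"2024-03-01T09:00:00Z","user":"ana@example.com","action":"sign_in","ip":"198.51.100.7","geo":"BR"}
{"time":"2024-03-01T09:01:00Z","user":"ana@example.com","action":"delete","target":"reports/q1.xlsx"}
{"time":"2024-03-01T09:01:10Z","user":"ana@example.com","action":"delete","target":"reports/q2.xlsx"}
{"time":"2024-03-01T09:01:20Z","user":"ana@example.com","action":"delete","target":"reports/q3.xlsx"}
{"time":"2024-03-01T09:01:30Z","user":"ana@example.com","action":"delete","target":"reports/q4.xlsx"}
`

func main() {
	alerts, err := Run(NewDetector("example.com"), sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Running it on the sample produces three alerts: the external share, the sign-in from a second country, and the deletion burst. The first sign-in from Germany is treated as the baseline rather than an alert, which is the usual trade-off: a fresh account generates no location alerts until it has a history, so new accounts deserve a separate review.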

➢ Educate Employees About Cloud Storage Security

Educating employees about cloud storage security goes a long way toward
protecting files in the cloud. Organize training sessions that familiarize
employees with all major aspects of your cloud storage policy, including:

• What data they should store on the cloud, and what files should stay
on-prem.
• Safe data-sharing practices.
• Approved cloud storage tools and platforms.
• The risks posed by sharing and storing data on the cloud.
• Relevant configuration standards.
• Internal and external access rules.

If you are preparing a training session with your employees, our article
on security awareness training programs will help get the most out of the
upcoming session.

➢ The Future of Secure Cloud Storage

Cloud storage is already considerably safer than an average on-prem server,
and projections suggest that this difference in security will only get bigger.
Here are several notable trends you can expect from cloud storage security in
the near future:

• AI tools: Providers are gradually turning towards AI to help protect
cloud data. An AI-powered tool can take the burden off staff members
and oversee the first few levels of security analysis.
• The increase in multi-cloud storage: Storing second copies of data in
alternate clouds will continue to increase in popularity as providers
seek ways to mitigate the threat of ransomware and improve cloud
disaster recovery.
• Better performance: Besides the security boosts, cloud storage
solutions will also become more scalable and flexible to rival on-prem
setups.
• Lower prices: Cloud providers will increasingly focus on reducing
costs to make cloud storage more competitive. The likely first change
will be the removal of hefty egress fees.
• The move towards the edge: We will see more cloud consumers move
their cloud storage toward the network's edge. Edge computing enables
clients to set up and run processes closer to the customer base.

• Confidential computing: More providers will start using confidential
computing to make cloud storage security even more robust. This
capability expands at-rest and in-transit encryption with additional in-
use encryption that keeps data safe during operations.

CLOUD SERVICE PROVIDER (CLOUD PROVIDER)

A cloud service provider, or CSP, is a company that offers components of
cloud computing -- typically, infrastructure as a service (IaaS), software as a
service (SaaS) or platform as a service (PaaS).

Cloud service providers use their own data centers and compute resources to
host cloud computing-based infrastructure and platform services for customer
organizations. Cloud services typically are priced using various pay-as-you-
go subscription models. Customers are charged only for resources they
consume, such as the amount of time a service is used or the storage capacity
or virtual machines used.

For SaaS products, cloud service providers may host and deliver their own
managed services to users. Or they can act as a third party, hosting the app of
an independent software vendor.

The most well-known cloud service platforms are Amazon Web Services
(AWS), Google Cloud (formerly Google Cloud Platform or GCP) and
Microsoft Azure.

What are the benefits and challenges of using a cloud service provider?

Using a cloud provider has benefits and challenges. Companies considering using
these services should think about how these factors would affect their priorities and
risk profile, for both the present and long term. Individual CSPs have their own
strengths and weaknesses, which are worth considering.

Benefits

• Cost and flexibility. The pay-as-you-go model of cloud services enables
organizations to only pay for the resources they consume. Using a cloud
service provider also eliminates the need for IT-related capital equipment
purchases. Organizations should review the details of cloud pricing
to accurately break down cloud costs.

• Scalability. Customer organizations can easily scale up or down the IT
resources they use based on business demands.

• Mobility. Resources and services purchased from a cloud service
provider can be accessed from any physical location that has a working
network connection.

• Disaster recovery. Cloud computing services typically offer quick and
reliable disaster recovery.

Challenges

• Hidden costs. Cloud use may incur expenses not factored into the
initial return on investment analysis. For example, unplanned data needs
can force a customer to exceed contracted amounts, leading to extra
charges. To be cost-effective, companies also must factor in additional
staffing needs for monitoring and managing cloud use. Terminating use of
on-premises systems also has costs, such as writing off assets and data
cleanup.

• Cloud migration. Moving data to and from the cloud can take time.
Companies might not have access to their critical data for weeks, or even
months, while large amounts of data are first transferred to the cloud.

• Cloud security. When trusting a provider with critical data, organizations
risk security breaches, compromised credentials and other substantial
security risks. Also, providers may not always be transparent about
security issues and practices. Companies with specific security needs may
rely on open source cloud security tools, in addition to the provider's tools.

• Performance and outages. Outages, downtime and technical issues on
the provider's end can render necessary data and resources inaccessible
during critical business events.

• Complicated contract terms. Organizations contracting cloud service
providers must actively negotiate contracts and service-level agreements
(SLAs). Failure to do so can result in the provider charging high prices for
the return of data, high prices for early service termination and other
penalties.

• Vendor lock-in. High data transfer costs or use of proprietary cloud
technologies that are incompatible with competitor services can make it
difficult for customers to switch CSPs. To avoid vendor lock-in, companies
should have a cloud exit strategy before signing any contracts.

❖ Types of cloud service providers

Customers are purchasing an increasing variety of services from cloud service
providers. As mentioned above, the three most common categories of cloud-based
services are IaaS, SaaS and PaaS.

• IaaS providers. In the IaaS model, the cloud service provider delivers
infrastructure components that would otherwise exist in an on-premises
data center. These components include servers, storage, networking and
the virtualization layer, which the IaaS provider hosts in its own data
center. CSPs may also complement their IaaS products with services such
as monitoring, automation, security, load balancing and storage resiliency.

• SaaS providers. SaaS vendors offer a variety of business technologies,
such as productivity suites, customer relationship management software,
human resources management software and data management software, all of
which the SaaS vendor hosts and provides over the internet. Many traditional
software vendors sell cloud-based versions of their on-premises software
products. Some SaaS vendors will contract a third-party cloud provider, while
other vendors -- usually larger companies -- will host their own cloud services.

• PaaS providers. The third type of cloud service provider, PaaS vendors,
offers cloud infrastructure and services that users can access to perform
various functions. PaaS products are commonly used in software
development. In comparison to an IaaS provider, PaaS providers will add
more of the application stack, such as operating systems and middleware,
to the underlying infrastructure.

Cloud providers are also categorized by whether they deliver public cloud, private
cloud or hybrid cloud services.

Understand the similarities and differences between the public cloud, private cloud
and hybrid cloud models.

❖ Common characteristics and services

In general, cloud service providers make their offerings available as an on-demand,
self-provisioning purchase. Customers can pay for the cloud-based services on a
subscription basis -- for example, under a monthly or quarterly billing structure.

Some cloud service providers differentiate themselves by tailoring their offerings to a
vertical market's requirements. Their cloud-based services might deliver industry-
specific functionality and tools or help users meet certain regulatory requirements.
For instance, several healthcare cloud products let healthcare providers store,
maintain, optimize and back up personal health information. Industry-specific cloud
offerings encourage organizations to use multiple cloud service providers.

Amazon and Microsoft lead the cloud infrastructure market. See how the market
share breaks out among the top five providers.

❖ Major cloud service providers and offerings

The cloud services market has a range of providers, but AWS, Microsoft and Google
are the established leaders in the public cloud market.

Amazon was the first major cloud provider, with the 2006 offering of Amazon Simple
Storage Service. Since then, the growing cloud market has seen rapid development
of Amazon's cloud platform, as well as Microsoft's Azure platform and Google Cloud.
These three vendors continue to jockey for the lead on a variety of cloud fronts. The
vendors are developing cloud-based services around emerging technologies, such
as machine learning, artificial intelligence, containerization and Kubernetes.

Other major cloud service providers in the market include the following:

• Adobe

• Akamai Technologies

• Alibaba Cloud

• Apple

• Box

• Citrix

• DigitalOcean

• IBM Cloud

• Joyent

• Oracle Cloud

• Rackspace Cloud

• Salesforce

❖ How to choose a cloud service provider

Organizations evaluating potential cloud partners should consider the following
factors:

• Cost. The cost is usually based on a per-use utility model, but all
subscription details and provider-specific variations must be reviewed.
Cost is often considered one of the main reasons to adopt a cloud service
platform.

• Tools and features. An overall assessment of a provider's features,
including data management and security features, is important to ensure it
meets current and future IT needs.

• Physical location of the servers. Server location may be an important
factor for sensitive data, which must meet data storage regulations.

• Reliability. Reliability is crucial if customers' data must be accessible. For
example, a typical cloud storage provider's SLA specifies precise levels of
service -- such as 99.9% uptime -- and the recourse or compensation the
user is entitled to should the provider fail to deliver the service as
described. However, it's important to understand the fine print in SLAs,
because some providers discount outages of less than 10 minutes, which
may be too long for some businesses.

• Security. Cloud security should top the list of cloud service provider
considerations. Organizations such as the Cloud Security Alliance offer
certification to cloud providers that meet its criteria.

• Business strategy. An organization's business requirements should align
with the offerings and technical capabilities of a potential cloud provider to
meet both current and long-term enterprise goals.

Capacity planning and self-service portals are among the capabilities to look for in a
private cloud service provider.

What are Cloud Services?

Cloud services providers allow an organization to lease infrastructure from them
rather than maintaining an in-house data center. These cloud services come in a
variety of service models, including:

• Infrastructure as a Service (IaaS): In an IaaS model, the cloud services
provider supplies the infrastructure, and the cloud customer can install an
operating system and use it to store data and run applications.

• Platform as a Service (PaaS): A PaaS model reduces the cloud customer’s
responsibility to their data and applications with the cloud service provider
handling everything else.

• Serverless: Serverless models allow development of applications with the
cloud service provider providing and managing all aspects of the environment
that the application needs to run.

• Function as a Service (FaaS): A FaaS model enables a customer to write
individual functions that run in response to certain events.

• Software as a Service (SaaS): SaaS solutions, like Office 365, are software
created and managed completely by the cloud service provider and made
available to the customer.

A certain provider may only offer specific service models, and each provider’s
implementation may be different. This means that certain providers may have
specializations or optimizations that are more or less effective at meeting an
organization’s specific business needs and use cases.

Selecting a Cloud Service Provider

One of the most important considerations when selecting a cloud services provider is
whether a public or private cloud meets an organization’s business and security
requirements. However, this does not have to be an either-or decision as hybrid and
multi-cloud deployments enable a company to take advantage of the benefits of both
public and private clouds.

Public Cloud

A public cloud deployment is hosted on shared infrastructure. The cloud service
provider uses virtualization to host multiple different customers’ infrastructure on the
same server while isolating these deployments from one another. Examples of public
cloud service platforms include:

• Amazon AWS

• Microsoft Azure

• Google Cloud Platform

• Alibaba

• IBM Cloud

• Oracle

A public cloud deployment provides a number of advantages to an organization but
has its downsides as well. Some important considerations when considering a public
cloud deployment include:

• Cost: Public cloud deployments are less expensive than private clouds. This
is because the cloud service provider can distribute costs over multiple clients
that are sharing the same infrastructure.

• Flexibility: Public cloud deployments are implemented using virtualization.
This means that an organization can spin up or take down services based
upon business needs.

• Scalability: The public cloud offers a high level of scalability. An organization
can easily add additional capacity to its cloud deployment to support surges in
demand or business growth.

• Security: Public cloud deployments are hosted on shared infrastructure.
While the cloud services provider isolates these co-hosted systems, this
shared infrastructure introduces security risks for public cloud users.

Public cloud deployments offer a number of benefits when compared to hosting a
data center on-premises. However, the unique environment of the cloud also
introduces new security considerations.

Private Cloud

Like public cloud deployments, private clouds are implemented using infrastructure
leased from a cloud services provider. Unlike a public cloud, a private cloud
deployment is hosted on a dedicated infrastructure. The most commonly used
private cloud service providers include:

• Cisco ACI

• VMware NSX

• OpenStack

• Alibaba

• Oracle

• Salesforce

A private cloud deployment splits the difference between an on-premises data
center and a public cloud deployment. Some of the important considerations
associated with a private cloud deployment include:

• Cost: Because it relies on dedicated infrastructure, private cloud deployments
are pricier than the public cloud. However, they can be cheaper than an in-
house data center because cloud services providers have the advantage of
economies of scale for setting up and operating a data center.

• Flexibility and Scalability: Since private cloud users lease dedicated
infrastructure, the flexibility and scalability of their cloud deployment is limited.
Private clouds are not as flexible or scalable as public clouds.

• Security: Private cloud deployments are hosted on dedicated infrastructure.
This eliminates many of the security concerns associated with sharing
infrastructure with other, unknown cloud customers.

• Regulatory Compliance: As data protection regulations grow more
numerous and complex, regulatory compliance is an important consideration.
It is often easier to demonstrate compliance with applicable regulations when
using a private cloud as opposed to a public cloud deployment.

The choice of a private cloud reduces some of the cost, flexibility, and scalability
benefits of the cloud as compared to a public cloud deployment. However, these
downsides may be offset by the increased privacy and security that a private cloud
deployment offers.

Hybrid or Multi-Cloud

An organization is not limited to the choice between a public and a private cloud
deployment. Two other options are hybrid and multi-cloud deployments.

A hybrid cloud incorporates both a private and a public cloud. The use of private
cloud infrastructure provides all of the security benefits of dedicated infrastructure,
which can be invaluable for data security and regulatory compliance. On the other
hand, a public cloud has a number of benefits in terms of cost, flexibility, and
scalability. A hybrid cloud deployment uses both a public and a private cloud and
allows data and applications to move between them as needed, providing the best of
both worlds.

The diversity of options and the specializations of different cloud providers may
mean that different platforms are best-suited to different use cases. As a result,
many organizations adopt a multi-cloud deployment, where applications and data are
hosted on the cloud platform that is best suited to them. This enables an
organization to develop

The Challenges of Securing the Cloud

One of the main selling points of the cloud is that it allows an organization to
outsource many of the responsibilities associated with its infrastructure to a third-
party cloud services provider. However, transitioning to a cloud-based deployment
does not mean that an organization gives up full control over its infrastructure or full
responsibility for securing it.

Since a cloud services provider has full control over certain parts of the infrastructure
that it leases to its customers, it also has the responsibility for securing these
components. However, the customer is responsible for securing the parts of their
infrastructure stack that remain under their control.

The breakdown of security responsibilities depends on the cloud services model that
a customer selects. Cloud services providers delineate this breakdown in a Shared
Responsibility Model. Based on the cloud services model used, a cloud customer
can identify which security responsibilities are wholly theirs and which are shared
with their cloud services provider.

Cloud services providers often offer tools designed to help their customers meet their
security responsibilities, such as AWS Security Groups. However, these tools differ
from one platform to another, and many cloud customers lack a full understanding of
the shared responsibility model, their security responsibilities, and how to properly
configure the available security settings.

This problem is exacerbated in multi-cloud deployments (which most organizations
adopt), where an organization is responsible for learning to secure multiple different
cloud platforms. As a result, security misconfigurations are the most common cause
of data breaches and security incidents in the cloud.

Securing the Cloud

Securing cloud-based infrastructure can be difficult, and few organizations have the
knowledge and expertise in-house to effectively secure multi-cloud deployments.
Since the provided tools are often vendor-specific and many traditional security
solutions do not work effectively in the cloud, it can be very difficult to achieve
consistent visibility, threat detection, and security policy enforcement across an
organization’s entire cloud-based infrastructure.

Partnering with a cloud security provider can help an organization to ensure that its
move to the cloud doesn’t create additional security challenges and risks. A cloud
security company offers an organization the tools and capabilities that it needs to
secure its cloud-based infrastructure, which include:

• Cloud Network Security: Organization’s cloud-based applications and data
stores may interact with applications and users in the same cloud deployment,
on other cloud-based platforms, and outside of the cloud entirely. Securing
these communications requires north-south and east-west network visibility
and security control. Check Point’s CloudGuard Network helps an
organization to monitor and secure the network communications of their
cloud-based resources.

• Cloud Security Posture Management: Security misconfigurations are the
leading cause of cloud security incidents. As organizations’ cloud deployments
expand and adapt to meet business needs, oversights and mistakes can
expose data and applications to attack. CloudGuard Posture
Management monitors cloud security settings for dangerous
misconfigurations, enabling the issues to be quickly detected and remediated.

• Workload Protection: The use of containers, Kubernetes, and serverless
applications is increasingly common in cloud deployments. These cloud-
based workloads have unique security requirements that may not be met by
integrated cloud security solutions. CloudGuard Workload provides granular
visibility and security management for cloud-based workloads.

• Web Application and API Protection: Cloud deployments are ideally suited
to hosting web applications and APIs, but these resources can be easily
exploited if not properly protected. CloudGuard AppSec uses artificial
intelligence (AI) to identify and block attempted exploitation of cloud-based
web apps and APIs, protecting them against even novel attacks.

• Security Intelligence and Threat Hunting: Cloud security threats are
constantly evolving, and organizations need robust threat intelligence to
identify the latest attacks. Cloud security also requires support for threat
hunting to enable analysts to efficiently and effectively identify and remediate
intrusions within their cloud deployments. CloudGuard Intelligence provides
an organization’s security team with the information and tools that it requires
to perform threat detection and response in any cloud environment.
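
The misconfiguration discussion earlier in this unit (inexperienced engineers, IT mistakes, poor policies), the mention of AWS Security Groups, and the posture-management bullet above all come down to the same activity: read the configuration and flag settings that expose data. The Go program below is an added example (not CloudGuard and not an AWS API) that scans a constructed snapshot of two buckets and one security group for a policy open to any principal, encryption at rest turned off, versioning turned off, and an administrative port reachable from any address. The Bucket and SecurityGroup structs are simplified shapes assumed for this example; the policy JSON follows the AWS policy-document layout.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is one posture issue in a configuration snapshot.
type Finding struct {
	Severity string // high, medium, low
	Resource string
	Issue    string
}

// Bucket is a simplified storage bucket configuration (assumed shape for
// this example). PolicyJSON follows the AWS policy-document layout.
type Bucket struct {
	Name       string
	PolicyJSON string
	Encrypted  bool // server-side encryption at rest enabled
	Versioning bool // object versions kept, so deletes/overwrites are recoverable
}

// Rule opens one port to one CIDR range; SecurityGroup is a set of ingress
// rules (assumed shape, modelled on AWS security groups).
type Rule struct {
	Port int
	CIDR string
}
type SecurityGroup struct {
	Name    string
	Ingress []Rule
}

// policyDoc captures only the policy fields the checks read.
type policyDoc struct {
	Statement []struct {
		Effect    string      `json:"Effect"`
		Principal interface{} `json:"Principal"`
	} `json:"Statement"`
}

// isPublic reports whether a Principal grants access to everyone: "*" or {"AWS":"*"}.
func isPublic(p interface{}) bool {
	switch v := p.(type) {
	case string:
		return v == "*"
	case map[string]interface{}:
		return isPublic(v["AWS"])
	}
	return false
}

// CheckBucket returns the findings for one bucket.
func CheckBucket(b Bucket) ([]Finding, error) {
	var out []Finding
	var doc policyDoc
	if b.PolicyJSON != "" {
		if err := json.Unmarshal([]byte(b.PolicyJSON), &doc); err != nil {
			return nil, fmt.Errorf("%s: bad policy: %w", b.Name, err)
		}
	}
	for _, s := range doc.Statement {
		if s.Effect == "Allow" && isPublic(s.Principal) {
			out = append(out, Finding{"high", b.Name, "policy allows access by any principal (*)"})
		}
	}
	if !b.Encrypted {
		out = append(out, Finding{"medium", b.Name, "encryption at rest disabled"})
	}
	if !b.Versioning {
		out = append(out, Finding{"low", b.Name, "versioning disabled: deleted or overwritten objects cannot be restored"})
	}
	return out, nil
}

// CheckSecurityGroup flags administrative ports reachable from any address.
func CheckSecurityGroup(sg SecurityGroup) []Finding {
	adminPorts := map[int]string{22: "SSH", 3389: "RDP"}
	var out []Finding
	for _, r := range sg.Ingress {
		if name, ok := adminPorts[r.Port]; ok && (r.CIDR == "0.0.0.0/0" || r.CIDR == "::/0") {
			out = append(out, Finding{"high", sg.Name, fmt.Sprintf("%s (port %d) open to %s", name, r.Port, r.CIDR)})
		}
	}
	return out
}

// Scan runs every check over a constructed snapshot (example data, not a real account).
func Scan() ([]Finding, error) {
	buckets := []Bucket{
		{Name: "public-assets", Encrypted: false, Versioning: false,
			PolicyJSON: `{"Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject"}]}`},
		{Name: "finance-archive", Encrypted: true, Versioning: true,
			PolicyJSON: `{"Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/finance"},"Action":"s3:GetObject"}]}`},
	}
	groups := []SecurityGroup{{Name: "web-tier", Ingress: []Rule{{22, "0.0.0.0/0"}, {443, "0.0.0.0/0"}, {3389, "10.0.0.0/8"}}}}
	var all []Finding
	for _, b := range buckets {
		fs, err := CheckBucket(b)
		if err != nil {
			return nil, err
		}
		all = append(all, fs...)
	}
	for _, sg := range groups {
		all = append(all, CheckSecurityGroup(sg)...)
	}
	return all, nil
}

func main() {
	findings, err := Scan()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-6s %-16s %s\n", f.Severity, f.Resource, f.Issue)
	}
}
```

The sample snapshot yields four findings: three on the public-assets bucket and one for SSH open to the world on the web-tier group; HTTPS from anywhere and RDP restricted to a private range are left alone. A posture tool is this loop run continuously against the live configuration of every account, which is what the text means by detecting misconfigurations quickly enough to remediate them.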

The cloud offers organizations several benefits, but it creates new and unique
security risks as well. Check Point’s cloud security solutions
support AWS, Azure, GCP, and all other major cloud platforms.

Here is a list of my top 10 cloud service providers:

1. Amazon Web Services (AWS)
2. Microsoft Azure
3. Google Cloud
4. Alibaba Cloud
5. IBM Cloud
6. Oracle
7. Salesforce
8. SAP
9. Rackspace Cloud

10. VMWare

The following table summarizes the top 3 key players and their offerings in cloud
computing. For Q3 2022, AWS reported revenue increased 27 percent year-over-year to
$20.5 billion from $16.5 billion in Q3 2021. In addition, AWS's operating income was $5.4
billion, compared with operating revenue of $4.9 billion in the third quarter of 2021.

For the same quarter, Microsoft reported revenue from its Intelligent Cloud of $20.3
billion, which increased 20 percent from the previous quarter in 2021. Google Cloud reported
revenue of $6.86 billion, up from $4.99 billion in 2021. However, its losses widened
slightly, from $644 million to $699 million.

                         AWS                   Azure                 Google Cloud
Company                  AWS Inc.              Microsoft             Google
Launch year              2006                  2010                  2008
Geographical Regions     25                    54                    21
Availability Zones       78                    140 (countries)       61
Compliance Certificates  46                    90
Q3, 2022 Revenue         $20.5 billion         $20.3 billion         $6.8 billion

Key offerings:
• AWS: Compute, storage, database, analytics, networking, machine learning, AI,
  mobile, developer tools, IoT, security, enterprise applications, blockchain.
• Azure: Compute, storage, mobile, data management, messaging, media services,
  CDN, machine learning and AI, developer tools, security, blockchain,
  functions, IoT.
• Google Cloud: Compute, storage, d… networking, big dat… and AI, management
  too… Identity and securit… platform

1. Amazon Web Services (AWS)

Amazon Web Services (AWS) is an Amazon company that was launched in the year 2002.
AWS is the most popular cloud service provider in the world.

Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted
cloud platform, offering over 165 fully-featured services from data centers globally.
Millions of customers use this service.

AWS's revenue in 2018 was $25.6 billion, with a profit of $7.2 billion. The revenue is
expected to grow to $33 billion in 2019.

AWS Services

AWS offers hundreds of services. These include Virtual Private Cloud, EC2, AWS Data
Transfer, Simple Storage Service, DynamoDB, Elastic Compute Cloud, AWS Key
Management Service, AmazonCloudWatch, Simple Notification Service, Relational
Database Service, Route 53, Simple Queue Service, CloudTrail, and Simple Email Service.

The following graphic lists the various categories of services available in AWS. The right
side of the list includes AWS's featured services.

AWS Security

Cloud security is the highest priority for AWS. As a customer, you will benefit from a data
center and network architecture built to meet the requirements of the most security-
sensitive organizations.

AWS security offers infrastructure security, DDoS mitigation, data encryption, inventory
and configuration, monitoring and logging, identity and access control, and penetration
testing.

Compliances

AWS provides 40+ compliance certifications for the global, US, and other countries. Here is
the list of various supported compliance certifications:

AWS global availability

AWS offers the most significant global footprint in the market. No cloud provider offers as
many regions or Availability Zones (AZs). This includes 78 AZs within 25 geographic regions
around the world. Furthermore, AWS has announced plans for nine more AZs and three
more regions in Cape Town, Jakarta, and Milan.

AWS Certifications

AWS certifications are divided into four categories: Foundational, Associate, Professional,
and Specialty.

2. Microsoft Azure

Microsoft Azure is one of the fastest-growing clouds among them all. Azure was launched
years after the release of AWS and Google Cloud but is still knocking on the door to
become the top cloud services provider. Microsoft Azure recently won a $10 billion US
government contract.

While Microsoft Azure's revenue is difficult to predict, Microsoft broke down its last
quarter's revenue into three categories: Productivity and Business Processes, Intelligent
Cloud, and Personal Computing. The respective revenue was $11.0 billion, $11.4 billion,
and $11.3 billion.

Microsoft's Azure revenue is expected to grow between $33 billion to $35 billion. This
makes Azure one of the most profitable cloud services in the world.

Azure Services

Azure offers hundreds of services within various categories, including AI + Machine
Learning, Analytics, Blockchain, Compute, Containers, Databases, Developer Tools,
DevOps, Identity, Integration, Internet of Things, Management, Media, Microsoft Azure
Stack, Migration, Mixed Reality, Mobile, Networking, Security, Storage, Web, and
Windows Virtual Desktop.

Azure, the Intelligent Cloud

What makes Azure the most attractive and intelligent is its exclusive offering of
Microsoft's previous products and services in the cloud. Azure's cloud supremacy revolves
around its intelligence. Azure provides the most advanced and maximum number of
intelligent products and services.

Microsoft's Windows operating system and SQL Server database are now available in
the cloud via Windows Virtual Desktop.

Microsoft's mixed reality technology (products for HoloLens) is also available in the Azure
Cloud.

Microsoft's TFS and VSTS are now available in Azure via Azure DevOps.

Microsoft's popular Office suite and enterprise products, such as Sharepoint and Power BI,
are now available as Office 365 and PowerXXX tools in the cloud. Furthermore, some of
the most popular and advanced developer tools and compilers are available in Azure via
various UI, workflows, and interfaces.

Microsoft is a leader in AI + Machine Learning, and Microsoft Cognitive Services is one of
the company's most advanced offerings.

Azure Security

Azure offers the most advanced security products and services. The following table lists
Azure security options:

Azure Compliance

Azure offers 90 compliance certifications covering global, US government, region-specific,
and industry-specific requirements. The following is a list of Azure compliance certifications.

Azure Stack

Azure Stack is an Azure service that allows enterprises to run apps in an on-premises
environment and deliver Azure services from their own data center. Azure Stack syncs with
global Azure and upgrades when new services and updates become available on Azure.

Azure for Government

Azure for Government is an exclusive cloud designed for federal, state, and local US
government agencies.

Azure Government offers government exclusivity. As a result, only US federal, state, local,
and tribal governments and their partners have access to this dedicated instance with
operations controlled by screened US citizens.

Azure Government offers the broadest range of compliance certifications. It runs on six
government-only data center regions, all granted an Impact Level 5 Provisional
Authorization.

Azure global availability

Azure offers more data centers around the world than any other cloud provider.

Azure Certifications

Here is a list of Microsoft Azure certifications.

1. AZ-103: Microsoft Azure Administrator
2. AZ-203: Developing Solutions for Microsoft Azure
3. AZ-300: Microsoft Azure Architect Technologies
4. AZ-301: Microsoft Azure Architect Design
5. AZ-400: Microsoft Azure DevOps Solutions
6. AZ-500: Microsoft Azure Security Technologies
7. AZ-900: Microsoft Azure Fundamentals
8. 70-487: Developing Microsoft Azure and Web Services
9. 70-537: Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack

3. IBM Cloud

IBM Cloud, developed by IBM, is a set of cloud computing services for businesses. Like
other cloud service providers, the IBM cloud includes IaaS, SaaS, and PaaS services via
public, private, and hybrid cloud models.

IBM Cloud product categories include Compute, Network, Storage, Cloud Packs, Management,
Security, Database, Analytics, AI, IoT, Mobile, Dev Tools, Blockchain, Integration,
Migration, Private Cloud, and VMware.

Annual revenue: $19.16 billion

4. Google Cloud

Google Cloud Platform is Google's Cloud. Like AWS and Azure, Google Cloud offers similar
services in various categories, including computing, storage, identity, security, database,
AI and machine learning, virtualization, DevOps, and more.

Here is a list of complete products and services categories for Google Cloud Platform
services:

AI and Machine Learning, API Management, Compute, Containers, Data Analytics,
Databases, Developer Tools, Healthcare and Life Sciences, Hybrid and Multi-cloud,
Internet of Things, Management Tools, Media and Gaming, Migration, Networking,
Security and Identity, Serverless Computing, and Storage.

Google products in the cloud also offer G Suite, Google Maps Platform, Google Hardware,
Google Identity, Chrome Enterprise, Android Enterprise, Apigee, Firebase, and Orbitera.

Google Cloud Services are available in 20 regions, 61 zones, and 200+ countries.

Google Cloud's annual revenue is close to $8 billion.

Google Cloud Certifications

Here is a list of Google Cloud certifications:

1. Associate Cloud Engineer
2. Professional Data Engineer
3. Professional Cloud Architect
4. Professional Cloud Developer
5. Professional Cloud Network Engineer
6. Professional Cloud Security Engineer
7. G Suite

5. Oracle Cloud

Oracle cloud platform is the cloud offering of Oracle corporation. Oracle Cloud offers IaaS,
PaaS, SaaS, and Data as a Service (DaaS).

Oracle offerings include the following:

Oracle IaaS offerings are Compute, Storage, Networking, Governance, Database, Load
Balancing, DNS Monitoring, Ravello, and FastConnect.

Oracle PaaS offerings are Data Management, Application Development, Integration,
Business Analytics, Security, Management, and Content and Enterprise.

Oracle SaaS offerings are CX, HCM, ERP, SCM, EPM, IoT, Analytics, Data, and Blockchain
Applications.

Oracle DaaS is the Oracle Data Cloud.

6. Alibaba Cloud

Alibaba Cloud is the largest cloud provider in China. Alibaba Cloud, founded in 2009, is
registered and headquartered in Singapore. It was initially built to serve Alibaba's e-
commerce ecosystem and is now offered to the public.

Alibaba offers various products and services in multiple categories, including Elastic
Computing, Storage and CDN, Networking, Database Services, Security, Monitoring and
Management, Domains and Websites, Analytics and Data Technology, Application
Services, Media Services, Middleware, Cloud Communication, Apsara Stack, and Internet
of Things.

Alibaba Cloud is available in 19 regions and 56 availability zones around the globe.

Alibaba Cloud's revenue is $4.5 million annually.

❖ What is a Cloud Service Provider?

A cloud service provider is a third party offering cloud-based
platform, infrastructure, application, or storage services to clients.
A few examples of cloud services are:

• Data storage services like Dropbox and Google Drive

• Email services like Gmail and Hotmail

• Messaging services like Slack, Skype, and Microsoft Teams

• Media streaming services like Netflix and Amazon Prime


Amazon Web Services (AWS) is currently the top cloud service
provider in popularity and usage, accounting for 34% of the
market for cloud infrastructure. Other popular cloud service
providers are Microsoft Azure, with a 21% market share, Google
Cloud, with an 11% market share, and IBM Cloud.

Types of cloud services

A cloud service provider can rent and deliver four main categories of
cloud services, functionalities, or strategies. These include:
1. Infrastructure-as-a-Service (IaaS)
The ownership, provisioning, and maintenance of servers, virtual
machines (VMs), storage, networks, operating systems, and other
resources to help organizations build and manage their operating
systems, data storage, and network infrastructure. Examples
include Amazon Web Services (AWS) and Microsoft Azure.
2. Platform-as-a-Service (PaaS)
One step further, PaaS provides a platform, or environment, for
developing, testing, delivering, and managing software that includes
servers, storage, network, and databases. Examples include Google App
Engine and OpenShift.
3. Serverless computing
Building on PaaS, serverless computing adds additional services to
manage infrastructure and services, including capacity, set-up, and server
maintenance. Examples include Google App Engine, AWS Lambda, IBM
OpenWhisk, and Microsoft Azure Functions.
4. Software-as-a-Service (SaaS)
In SaaS, a software provider hosts and delivers a software application,
and its underlying infrastructure, to users over the Internet.

Benefits of a Cloud Service Provider

The increased market pressure, from competition to consumer demand,
has required that businesses look for ways to become more flexible and
agile. At the same time, cloud platforms have helped spur innovation and
create cost efficiencies.
Let’s take a look at the common reasons organizations turn to cloud
services:

1. Reduced costs
Cloud service providers charge you on a pay-as-you-go basis. You only
need to pay for the services or bandwidth you need. This way, you save a
lot of money you could otherwise spend on hiring a full-time IT staff.
Cloud service providers also reduce IT costs by letting teams quickly
access data, saving on capital investments and energy costs, and
improving employee productivity.
2. Security
Security is a significant concern. By choosing a cloud service provider,
you can take the worry of security maintenance off your shoulders.
Cloud services are also much more efficient in security maintenance than
a conventional in-house system. According to RapidScale, 94% of
businesses saw an improvement in security after switching to the cloud.
Also, 91% of businesses say that the cloud makes it easier to meet
government compliance requirements.
3. Data Loss Prevention
You can use a cloud service provider as an alternate backup plan to
protect against natural disasters, power failures, or other outages. Most
CSPs build redundancy into their backup plans to protect against regional
disruptions. If something goes wrong, these backups keep you from losing
your precious data.
4. Regular Software Patches and Updates
Cloud service providers are responsible for updating software, including
regular and security updates. This way, you can save yourself from the
worry of having to regularly patch your servers and devote your time to
other essential tasks.
5. Reliability
Organizations moving to the cloud experience greater uptime and 24/7
support. It makes you more reliable and offers you a significant edge over
competitors who’ve not yet migrated to the cloud.
6. Mobility
Choosing a cloud services provider ensures that your team can access
data anywhere, anytime. It proved significant in the last two years as
most teams had to work in remote and hybrid environments. Cloud
computing played a crucial part in ensuring that they could work
seamlessly.
7. Unlimited Storage Capacity
You can only buy and maintain a limited infrastructure on-premise. There
will be a time when you will run out of budget, or your servers will fail to
accommodate more resources. However, you don’t have to worry about
storage in the Cloud. You can enjoy unlimited storage while only paying
for the services you need.
8. Quick Development & Deployment
In cloud computing, organizations can quickly take an idea from design to
development without worrying about delays in building new
infrastructure. PaaS and serverless cloud service providers provide
complete development services and tools, including testing and debugging
environments.

CHALLENGES OF USING A CLOUD SERVICE PROVIDER

Here are the challenges of choosing a cloud service provider:

1. Performance can vary
While every cloud service provider will make promises on performance
and availability, actual performance varies. If you are not careful enough,
you may end up with a provider who fails to deliver on their promise and
your business needs.
2. Lack of technology compatibility
To gain a competitive advantage, businesses need to accommodate new
technologies into their business process. However, not all cloud service
providers may be compatible with your organization’s existing
technologies. Hence, ensuring that the provider’s services are compatible
with your organization’s existing technologies and systems is a big
challenge.
3. Cybersecurity threats
Cloud computing increases fears of cyber-attacks, increasing the attack
surface beyond the organization’s perimeter.
However, security can be improved by finding the right cloud service
provider and taking an active part in shared responsibility, particularly
around access and identity-proof authentication.
4. Lack of Support
Every organization faces challenges as advanced technologies emerge.
However, some cloud providers need more documentation or support staff
to navigate them.

How Do I Choose a Cloud Provider? Factors to Consider

The cloud computing market is flooded with several cloud service
providers. While Amazon (AWS), Microsoft (Azure), and Google
(Cloud) are the three leading cloud platforms, according
to Gartner’s Magic Quadrant and market share, sometimes a niche
provider is a better fit.

Ultimately, organizations should consider the following factors in
choosing a new cloud provider(s):
1. Technologies & services roadmap
Choose a cloud service provider that supports the technologies
your organization is using and aligns with its strategic objectives.
Most cloud service providers offer limited support, and you need
to fill this gap using third-party partners.
Here are a few questions you need to ask yourself:

• Do the cloud provider’s architecture, standards, and
services support your workloads and management
preferences?

• How would they grow and innovate in the future?

• Does their long-term vision suit your business needs?

• Has the cloud provider done similar deployments to the
ones you’re planning?

• Do they have a portfolio you can evaluate to see if
they’re a good fit?
These questions would help you ensure you don’t choose a cloud
service provider that prevents you from achieving your vision in
the long run.
2. Cost
Consider the cost of use (upfront, pay-as-you-go) alongside
whether there are any minimums associated with cost, volume
discounts, reservations on service that can be made, or type of
billing (e.g., by hour/month, execution, user, or gigabyte). Also,
weigh the cost against other factors. For example, AWS has
innovated its engineering of CPUs to offer the best
price/performance against all counterparts. Many cloud providers
will offer aggressive pricing to first-time customers, so pay careful
attention to the fine print about price increases over time.
3. Security & Reliability
Organizations must consider factors such as robust security as
well as the resiliency of the provider, with particular attention
paid to regional capabilities / historical figures on uptime.
Document disaster recovery provisions, backup/restore, integrity
checks, and the roles/responsibilities of each party. Most cloud
service providers will detail security features (free or paid) or
integrations available. Look at specific areas, including identity
management, access controls, authentication, and where data will
be stored or processed.
4. Compliance
When choosing a cloud provider, organizations must consider the
implications of federal, state, and industry regulations. Cloud
providers often have a statement of shared responsibility for
compliance and should be able to answer questions about
compliance with specific regulations. Certain rules may prohibit
customer data storage, transfer, or processing to cloud providers
whose data storage capabilities lie within a geographic boundary
or may have specific requirements around protection,
confidentiality, or access controls. Each regulation also has
particular requirements around breach response and reporting.
a. HIPAA

Cloud can be leveraged in healthcare for the back-end, data
sharing, or for patient-facing applications as long as the
infrastructure and all its parts and integrations are HIPAA
compliant in terms of administrative, physical, and technical
safeguards. The vendor must be willing to sign a business
associate agreement. HHS publishes guidance on HIPAA and cloud computing.
b. GDPR

GDPR covers organizations in the EU that process data of EU
citizens with specific requirements on data protection, records of
processing, and security of processes. GDPR requires data storage
and processing within EU data centers and places specific
restrictions on data transfers outside the EU.
c. ISO

To be ISO compliant, a cloud service provider must be able to
demonstrate certifications including ISO 27001 (for information
security management systems) and ISO 27018 (code of practice
for protection of personally identifiable information in public
clouds acting as PII processors). ISO standards apply to any
organization in more than 160 countries.

5. Tools & Features

Each cloud service provider will offer different features as part of
the base capabilities or include others as add-ons. Look for both
types of service (PaaS) and specific features around computing
resources, monitoring, security, deployment, and even user
experience. According to Gartner, Microsoft currently leads in
terms of the broadest range of capabilities for SaaS, PaaS, and
IaaS.

6. Business Compatibility
The cloud service provider must match the organization’s
business, technical, and operational goals.

7. Architecture
Consider how the cloud architecture incorporates existing
technology or services within the organization, as there are
technological and cost synergies to staying within large
ecosystems such as Microsoft, Amazon, or Google. Ensure the
chosen cloud provider can support current and future needs,
looking at multi-cloud and microservices support, container
capabilities, and serverless options.

8. Contracts, Commercials & SLAs

Contracts and SLAs should be reviewed carefully and amended if
needed. Ensure the SLA includes a penalty or exit clause for
unmet service levels. Given the experiences of COVID-19, many
organizations are also writing force majeure clauses.
9. Migration Support, Vendor Lock-in & Exit Planning
Vendor lock-in, whether through contracts or proprietary technologies,
is a severe concern. Gartner reports that some cloud providers are
pressuring customers to increase annual spending at contract renewal
time. Organizations are responding to this risk by using more than one
cloud service provider and being wary of proprietary technologies that
can lead to lock-in.
10. Data Migration Support
Examine each cloud provider for the services it offers for
migration. Most cloud service providers have assessment tools to
assist in migration, with specific tools to support database, server,
or application migration.
11. Data Governance

Cloud governance outlines the policies and controls applied to
cloud services in areas of privacy and security as well as to cost
usage. For example, these controls would set a maximum spend
for an organization or department for cloud use to prevent the
overuse of cloud resources.
12. Project Size
The project’s size, scope, and goals will place different
requirements on the cloud service provider.
13. Service Dependencies & Partnerships
To choose the right cloud service provider, it’s essential to
understand their relationship with different vendors, accreditation
levels, technical capabilities, and staff certifications. An ideal
service provider can easily fit into a larger ecosystem. Also, all the
partnerships and dependencies should be clearly defined, so
there’s no confusion in the future.
