What is cloud security?
Cloud security comprises the tools, methods, and best practices that protect the infrastructure, applications, and data within a cloud deployment. Some tools that are integral to cloud security, like encryption, are also widely used for on-premises resources. Others, like cloud access security brokers (CASBs), were developed specifically to protect the cloud from unauthorized intrusion.
Gartner analysts first proposed CASBs in 2012, and within a few years, cloud service providers (CSPs) and third-party security vendors were offering them. As one of the pillars of cloud security, these systems permit or deny user access to cloud-based applications according to organizational security policies.
Not long after CASBs emerged, two further features came to be acknowledged as key to cloud security: end-to-end encryption of cloud traffic, and configuration. The latter's importance was cemented in particularly attention-grabbing fashion, in the wake of catastrophic failures and breaches attributed to incorrect configuration by CSPs and customers.
Other common cloud security tools and methods include virtual private networks (VPNs), identity and access management, security information and event management (SIEM) platforms, and next-generation firewalls (NGFWs).
Modern cloud security is jointly handled by CSPs and their customers according to the shared responsibility model. For example, in an infrastructure as a service (IaaS) deployment from Amazon Web Services (AWS), Microsoft Azure, or Google Cloud, the CSP keeps the server infrastructure secure while customers manage application, data, workload, endpoint, network, and user security.
5 key trends in the evolution of cloud security
As businesses look to maintain a strong cloud security posture, they'll need to keep up with the latest developments in the field. Here are five of the most notable.
1. Zero trust
Zero-trust models only grant cloud users access to the apps and resources they need for their regular job responsibilities—no more, no less. Users' devices must be authenticated for each access attempt, even if the network would ordinarily "recognize" devices. Also, zero trust uses features like microsegmentation and meticulous policies to keep workloads and other important traffic secure.
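The per-request decision described above, as an added example that is not part of the original article: each access attempt is checked for fresh device authentication, for a role entitlement to the app, and for an allowed microsegment flow, while network location is ignored. The roles, apps, segment names, and the 300-second freshness window are hypothetical.

```python
# Hypothetical policy data, constructed for this example.
ENTITLEMENTS = {                      # role -> apps needed for the job
    "analyst": {"bi-dashboard"},
    "dba": {"bi-dashboard", "warehouse-admin"},
}
APP_SEGMENT = {"bi-dashboard": "bi", "warehouse-admin": "admin"}
SEGMENT_FLOWS = {("user-edge", "bi"), ("user-edge", "admin")}  # allowed src -> dst
MAX_AUTH_AGE = 300                    # seconds a device authentication stays valid


def decide(request, now):
    """Return (allowed, reason) for one access attempt.

    request["on_corp_network"] is deliberately never read: being on a
    network that "recognizes" the device earns no trust.
    """
    authenticated_at = request["device"].get("authenticated_at")
    if authenticated_at is None or now - authenticated_at > MAX_AUTH_AGE:
        return False, "device not freshly authenticated"

    app = request["app"]
    if app not in ENTITLEMENTS.get(request["role"], set()):
        return False, "app not required for role"

    flow = (request["src_segment"], APP_SEGMENT.get(app))
    if flow not in SEGMENT_FLOWS:
        return False, "segment flow not permitted"

    return True, "allowed"


def sample_request(**overrides):
    """Constructed request: an analyst opening the BI dashboard from the edge."""
    base = {
        "role": "analyst", "app": "bi-dashboard", "src_segment": "user-edge",
        "on_corp_network": False, "device": {"authenticated_at": 990},
    }
    base.update(overrides)
    return base


if __name__ == "__main__":
    for req in (sample_request(),
                sample_request(on_corp_network=True, device={"authenticated_at": 0}),
                sample_request(app="warehouse-admin"),
                sample_request(role="dba", app="warehouse-admin", src_segment="bi")):
        print(req["role"], req["app"], decide(req, now=1000))
```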
2. DevSecOps
Forward-thinking software and app development teams that use platform as a service (PaaS) and similar solutions for dev have embraced a new approach to their process, one that meets the need for greater cloud security.
DevSecOps ensures that various security checks and authentications are carried out at every step of the software development life cycle (SDLC). This can reduce potential vulnerabilities and exploits within app designs, lower developers' dependency on infrastructure as code processes, and help eliminate downtime.
3. Cloud security posture management (CSPM)
Numerous industry experts agree that improper configuration causes the majority of cloud security breaches. To mitigate this issue, cybersecurity teams have begun adopting a new method called cloud security posture management (CSPM).
CSPM frameworks use automation to survey the configuration of every cloud platform account within an enterprise and then scan each account for any signs of misconfiguration. When vulnerabilities are detected, CSPM then helps cybersecurity professionals determine whether a misconfigured app or platform can be repaired or if it must be eliminated. The framework also monitors account permissions, storage buckets, and encryption, even in expansive multi-cloud environments.
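A small sweep in the style described above, as an added example that is not part of the original article or any vendor's product: it walks every account in an inventory, checks storage buckets, encryption, and role permissions, and returns findings ordered by severity. The inventory is constructed, and its field names and provider labels are assumptions rather than any CSP's API schema.

```python
# Constructed inventory: two accounts on two hypothetical providers.
# Field names are assumptions for this example, not any CSP's API schema.
ACCOUNTS = [
    {"account": "prod-analytics", "provider": "cloud-a",
     "buckets": [{"name": "reports", "public": False, "encrypted": True},
                 {"name": "exports", "public": True, "encrypted": False}],
     "roles": [{"name": "etl", "actions": ["storage:Get"], "resources": ["reports"]},
               {"name": "legacy-admin", "actions": ["*"], "resources": ["*"]}]},
    {"account": "dev-sandbox", "provider": "cloud-b",
     "buckets": [{"name": "scratch", "public": False, "encrypted": False}],
     "roles": [{"name": "dev", "actions": ["storage:*"], "resources": ["scratch"]}]},
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_bucket(bucket):
    """Yield (severity, message) for each storage misconfiguration."""
    if bucket["public"]:
        yield "high", "bucket is publicly readable"
    if not bucket["encrypted"]:
        yield "medium", "no encryption at rest"


def check_role(role):
    """Yield (severity, message) for over-broad permissions."""
    if "*" in role["actions"] and "*" in role["resources"]:
        yield "high", "every action on every resource"
    elif any(action.endswith("*") for action in role["actions"]):
        yield "low", "wildcard action"


def scan(accounts):
    """Run every check over every account and return findings, worst first."""
    findings = []
    for acct in accounts:
        for kind, check in (("buckets", check_bucket), ("roles", check_role)):
            for item in acct[kind]:
                for severity, message in check(item):
                    findings.append({
                        "account": acct["account"], "provider": acct["provider"],
                        "resource": f"{kind}/{item['name']}",
                        "severity": severity, "message": message,
                    })
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                           f["account"], f["resource"]))


if __name__ == "__main__":
    for f in scan(ACCOUNTS):
        print(f"{f['severity']:<6} {f['provider']}/{f['account']} "
              f"{f['resource']}: {f['message']}")
```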
4. Secure access service edge (SASE)
Secure access service edge (SASE) combines software-defined wide area network (SD-WAN) architecture with cloud-native security features. First introduced in 2019, SASE quickly caught on as the distributed/hybrid workforce era began in earnest.
Secure web gateways (SWGs), which protect the cloud from unwanted internet traffic the way CASBs protect applications from unauthorized access, are integral to SASE—as are CASBs themselves. Zero-trust network access (ZTNA) and NGFWs round out SASE's four core security features, but some SASE architectures include additional safeguards like advanced threat detection and data loss prevention (DLP).
5. Cybersecurity mesh
Cybersecurity mesh—another Gartner-coined concept—isn't widespread yet, but adoption is expected to increase exponentially in the years ahead. It involves a unified workflow where standalone cybersecurity tools from the cloud, network, and on-premises resources work together to strengthen enterprise-wide security posture.
4 known and emerging cloud security threats
Phishing, compromised credentials, and misconfiguration are often considered the three most common threat types facing the cloud right now. But there are also newer, fast-emerging threats to consider, such as these four examples.
1. Cloud hacks via on-premises compromises
Undetected vulnerabilities in on-premises servers or devices are a risk to the cloud. A hacker savvy enough to infiltrate any network asset that regularly accesses the cloud puts both environments in danger. To minimize this risk, it's critical for enterprises to regularly scan on-premises resources for vulnerabilities—especially in legacy systems.
2. Container vulnerabilities
As more employees work remotely, container-based cloud app orchestration and workload deployment become more common. While this is efficient, container images (the static files required for container-based apps to run) can be a threat vector. Container image libraries from Docker or Kubernetes are open-source and could include malicious or outdated, and thus vulnerable, images. Stakeholders responsible for supervising orchestration must diligently verify any image.
3. API risks
Though application programming interfaces (APIs) are quite useful in the cloud, they can easily become an attack surface. If they're misconfigured or deployed without proper authentication and authorization, they'll quickly become vulnerable to malicious actors. Organizations must regularly test the security of their APIs while also avoiding hazardous practices like reusing API keys.
4. DDoS attacks
Distributed denial of service (DDoS) attacks aren't new, but in a cloud-first world, they're a bigger threat than ever before. The more cloud apps an enterprise uses, the more operational areas a successful DDoS campaign can take over. Security tools that offer continuous monitoring, such as managed detection and response (MDR), will be critical in mitigating DDoS risks.
Face cloud security threats with support from Teradata
The evolution of cloud and data security has given enterprises many ways to protect their cloud-hosted resources. But the width and breadth of the cyberthreat landscape means there isn't a single area of cloud operations—for example, analytics—that needs anything less than airtight security.
With Teradata VantageCloud, the complete data and analytics platform, organizations can ensure their cloud analytics workloads are only accessible to those who need them. Data encryption in transit and at rest, our in-house SIEM system, identity and access management protocols, and strict compliance with key government and industry standards combine to create a safe operating environment for analytics projects.
To learn more about Vantage's versatility in mitigating numerous cloud risks, including security, download our whitepaper "De-Risking Hybrid, Multi-Cloud Analytics."