• Identity 101
  • Cloud Computing Security: Your Comprehensive Guide

Cloud Computing Security: Your Comprehensive Guide

Okta
Updated: 02/14/2023 - 11:31
Time to read: 9 minutes

Is the data you send to the cloud really secure? Cloud security practices aim to answer that question with an emphatic "yes."

Your cloud provider will tackle many security tasks for you. Still, every business with a cloud presence also needs to create policies, procedures, and practices to ensure that their data is secure and they are meeting their compliance needs.

Why is cloud computing security important?

Pushing services to the cloud should mean that you tap into an army of experts who help protect and defend your data. But unfortunately, security issues are common. In one study, nearly 80 percent of companies had at least one data breach in the 18 months prior.

Cloud computing security concerns tend to stem from two factors.

  • Providers: Software, platform, or infrastructure issues can lead to breaches.
  • Customers: Companies don't have solid policies to support security in the cloud.

Data breaches are the top risk companies face. Attackers want data, and companies don't always use commonsense tools (like encryption) to protect it.

Companies often struggle to understand what safety services their cloud providers offer. Many companies also don't build internal systems that put security first.

Companies that work in concert with their providers can lower their breach risks. They'll avoid time-consuming manual security configurations and updates. And they'll have a team available around the clock to monitor and report. Policies at the corporate level can ensure the company does its part to protect security too.

Cloud computing company structure & models

Every vendor has unique security strengths and vulnerabilities. Understanding common cloud types and service models can help you assess risks.

Three main types of clouds are available.

  1. Public clouds: Third-party cloud service providers (like Google) create one product that many individuals and companies use. Individual companies typically develop policies based on the security requirements for their organisation in order to secure access to data stored within the public cloud service. 
  2.  Private clouds: You're the only one who has access to and uses this cloud. Disgruntled former employees may inadvertently expose data, so it’s still important to have a proper security implementation in place.  
  3. Hybrid clouds: Most midsize to large companies choose this model of cloud computing. The majority of information stays on a private cloud, but companies can shift to a public cloud if they need to. The risks of both cloud types apply here.

Cloud-computing companies offer three main types of services.

  1. IaaS: Infrastructure as a service companies provide servers, firewalls, and data centres. 
  2. PaaS: Platform as a service companies offer all the benefits listed above, along with operating systems, development tools, database management, and analytics. 
  3. SaaS: Software as a service companies offer all of the benefits listed above, along with hosted applications.

3 common areas vendors protect

How do companies guarantee the security of cloud computing? Three areas are critical, and most companies require an in-depth partnership with their customers to implement them.

Those areas involve:

  • Employees. How does your company screen people for prior data-theft-related criminal activity before they join the team? How do you protect their logins and accounts when they leave? 
  • Identity. How do users gain access to the resources on the cloud? Some cloud computing companies tap into their customers' identity management system. Others build their own infrastructure to support security. 
  • Physical. How do you protect your hardware from thieves and intruders? Will your system go down in the case of fires and floods? Most companies have strong protocols that ensure they protect their buildings and the resources within them.

Before signing on with any cloud computing provider, it's critical to understand what they will and will not do to protect and ensure the safety of your data in all three of these areas.

Cloud-based security controls to adopt

In security terms, a "control" is a set of best practices companies adopt and protect through their policies and procedures. If you're diving into cloud computing, thinking about protection is vital.

Experts suggest that seven controls are crucial, including:

  1. Communicate. Know what your company must do to protect security, and understand the steps your vendor takes. Ensure there are no gaps between your services that could allow intruder access. 
  2. Control access. Know what parts of your server you expose to the internet, and ensure that connections aren't left open unintentionally. 
  3. Protect data. Don't allow unencrypted data to rest on the cloud. Protect encryption keys to avoid theft. 
  4. Have protection credentials. Ensure you don’t expose your access keys or leak them in public places. 
  5. Enhance security hygiene. Your company probably has strong protocols in place. Don't remove them just because you're moving to the cloud. 
  6. Watch user logs. Keep a close eye on who is accessing your servers and take charge to remove them if needed. 
  7. Put security first. Many companies consider security steps last, when all other product necessities are complete. Switch that up and talk about security first.

You may have other security controls that apply to your company, industry, and business. Customise them as needed to protect your data. But ensure that you do have some kind of controls ready to help when needed.

The role of encryption in cloud computing security

Experts say encryption forms the cornerstone of any cloud security program. You should encrypt all the data you place on the cloud, and you should protect your decryption keys carefully. Even if a hacker gets into your cloud, nothing will be readable.

Several encryption types exist, such as these:

  • Attribute-based encryption (ABE)
  • Ciphertext-policy ABE (CP-ABE)
  • Key-policy ABE (KP-ABE)
  • Fully homomorphic encryption (FHE)
  • Searchable encryption (SE)

Some cloud computing companies require their buyers to use a specific encryption method. But others leave the decision up to you.

No matter what method you choose, ensure that you use it consistently and constantly. Unencrypted data is very easy to steal, and a breach could result in loss of revenue, loss of customer trust, or both.

Security of cloud computing Is a moving target

Despite your best efforts, you'll never eliminate every security risk that comes with cloud computing. Risks will always remain.

A few that might trouble you include:

  • Loss of control. You won't own the hardware, software, or applications that run your cloud. Your vendor may explain plans and policies, but you can't provide direct oversight. 
  • Integration. Many cloud companies interface with other databases and applications. Sometimes, those connections put your data at risk, and you can't ask a public cloud vendor to work with you alone. 
  • Lack of clarity. Cloud computing technology is complex, and it can be difficult to understand where your responsibility ends and the vendor's begins. Asking questions is vital.

In any case, you should always closely oversee and monitor your systems so you can catch any problems that arise as soon as possible.

Cloud security compliance frameworks to know

Protecting your data is good for your business. But for some companies, it's also critical to staying open. Local, state, and federal regulations can impact your security plans.

In most cases, the government gives you a set of regulations. You perform an audit to determine if you're complying with each rule. And then you document why you're in compliance and how you plan to stay that way.

Common compliance frameworks include:

  • NIST: The National Institute of Standards and Technology guides innovation at top organisations. Compliance with its guidelines is a priority for most high-tech companies. 
  • FedRAMP. Federal agencies, cloud service providers, and third parties follow these standardised rules as they work to secure documents in the cloud. 
  • Sarbanes-Oxley. Publicly traded companies must comply with the rules of this federal law. While most rules concern accounting, plenty touch on security too.

Depending on your industry and location, you may have other security compliance frameworks to follow, such as:

  • Health Insurance Portability and Accountability Act. Health care organisations and their vendors must protect the personal information of consumers. 
  • General Data Protection Regulation. Companies in the European Union, and some American companies doing business in Europe, must protect data and give users control over the information companies collect. 
  • Payment Card Industry Data Security Standard. Companies that collect cardholder data must protect it from outsiders.

The regulatory landscape is vast, and some companies have more than one set of guidelines to follow. Cloud computing companies are adept at handling the challenges, and some can assist with compliance reporting.

But it’s critical to discuss the rules in play before compliance deadlines are due. Fines for noncompliance are common, and they can be punishing.

Cloud security best practices

Every company faces a unique threat landscape. That's why penetration testing and other security tasks are so critical. When you know where you're vulnerable, you can take mitigation steps.

But following industry best practices is always a good idea. You should:

  • Encrypt data. A robust encryption policy that you widely enforce is your best protection against a data breach. Even if an attacker gets inside, your data remains protected. 
  • Manage access carefully. Identify and authenticate users, assign them specific rights, and enforce access policies. Ensure you know who is on your cloud server, and make sure that person is only taking on appropriate tasks. 
  • Accept responsibility. Know what parts of the security plan are yours to handle. Don't assume that your vendor will do all the work to keep your company safe. 
  • Monitor regularly. A cloud shouldn't be a set-it-and-forget-it project. Watch over your logs, and perform regular testing to ensure your plans still work. 
  • Keep abreast. The security landscape changes regularly, and new threats appear almost every day. Ensure you know what's happening in the hacker world and respond accordingly.

Don't let this list intimidate you. Cloud computing can save you time and money, and it's typically well worth the risks. But ensure that you're doing all you can to keep your company safe.

The future of securing data in the cloud

Cloud computing is here to stay, but its success and ability to improve a company are based on the quality of that company’s cloud security.

A best-in-class cloud security platform will ensure that you’re protecting your users and their data and will empower IT to spend less time on unnecessary administrative tasks and more time thinking about the future of the business. After all, the future might be closer than you think.

Protect your organisation with cloud security top of mind. Try Okta’s Workforce Identity products, including SSO and MFA, free for 30 days.

References

Nearly 80 Percent of Companies Experienced a Cloud Data Breach in the Past 18 Months. (June 2020). Security.

11 Top Cloud Security Threats. (October 2020). CSO.

IT Governance Critical as Cloud Adoption Soars to 96 Percent in 2018. (April 2018). CIO.

Difference Between IAAS, PAAS and SASS. Geeks for Geeks.

7 Cloud Security Controls You Should Be Using. (October 2019). CSO.

Why Encryption Is the Cornerstone of Your Cloud Security. (April 2019). Security Intelligence.

Cloud Control Matrix (CCM). Cloud Security Alliance.

Home. FedRAMP.

Sarbanes-Oxley 101. Sarbanes-Oxley.

7 of the Most Significant Cloud Compliance Regulations. (March 2018). Charles Phillips.

Implement Cloud Security Best Practices With This Guide. (November 2020). Security Intelligence.

Best Practices for Cloud Security. (March 2018). Carnegie Mellon University.