The cloud services you employ also affect the security tools protecting your data and applications. The primary cloud service models are Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
Cloud service providers adhere to a model of shared responsibility in regard to security. The cloud service provider keeps the components secure (software, computing, storage, database, networking, hardware, and infrastructure), while the customer keeps data and information safe. Depending on the service type, responsibilities can vary.
Software-as-a-Service (SaaS)
A SaaS provider supplies cloud-based applications to customers for a fee. A SaaS customer is typically responsible only for the security of components associated with accessing the software, such as access controls and network security. Information security in the cloud relies on the cloud provider's shared responsibility model.
The SaaS security architecture should include application security, identity and access management, and a cloud access security broker (CASB) to facilitate visibility, access controls, and data protection.
Platform-as-a-Service (PaaS)
In a PaaS model, customers purchase platform use from a cloud provider to develop, run, and manage applications without managing the underlying infrastructure. The customer is responsible for the security associated with application implementation, configuration, and permissions.
A PaaS security architecture may require standard solutions, as well as less common solutions like a cloud workload protection platform.
Infrastructure-as-a-Service (IaaS)
In an IaaS model, customers purchase the infrastructure from a cloud provider and install their own operating systems, applications, and middleware. As part of an IaaS model, the customer is often responsible for the security of any equipment it owns or installs.
IaaS security architecture components routinely include endpoint protection, a vulnerability management solution, access management, and data and network encryption.
Cloud security architecture allows businesses to utilize cloud services fully while limiting exposure and vulnerability. It is important to understand the shared responsibility model, know cloud security best practices, and implement the best approach to cloud security based on your needs, obligations, and risks.
Depending on your organization's cloud service, cloud security architectures can be complex. The time and skill required to develop a robust and effective security architecture should not be underestimated.