Cloud Security: Principles, Solutions, and Architectures

Cloud security is gaining importance at many organizations, as cloud computing becomes mainstream. Most organizations use cloud infrastructure or services, whether software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS), and each of these deployment models has its own, complex security considerations.

Cloud systems are shared resources and are often exposed to, or exist on, the public Internet, and so are a prime target for attackers. In recent years, many high profile security breaches occurred due to misconfigured cloud systems, which allowed attackers easy access to sensitive data or mission critical systems. 

Securing cloud systems requires a different approach than security for on-premise systems. New security tools, such as Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP), help organizations gain visibility over cloud environments, understand security gaps, and remediate them automatically.


How does cloud security differ from traditional cyber security?

The following table illustrates how security responsibilities and characteristics differ between cloud environments, where the cloud user and cloud provider share responsibility, and on-premises environments.

| | Cloud Security | On-Premises Security |
|---|---|---|
| Responsibilities | The cloud service provider and customer share security responsibility | The enterprise is responsible for security end-to-end |
| Connectivity | Relies on API-driven security tools | Uses individually managed security tools |
| Resources | Dynamic resources lead to blurred security boundaries and no clear perimeter | Static resources contain security boundaries at the network perimeter |

Why is cloud security important?

According to analyst reports, the top four public cloud security threats are:

  1. Cloud platform misconfiguration
  2. Unauthorized access
  3. Insecure interfaces and APIs
  4. Privileged account hijacking

In light of these risks, cloud security can provide several important benefits:

  • Cloud native capabilities – cloud security solutions are built to secure cloud native infrastructure, such as infrastructure as a service (IaaS) workloads, containers and serverless applications. These new types of resources are difficult to monitor using traditional security tools.
  • Improved visibility – cloud security systems help organizations, first and foremost, understand what exactly is running in their cloud environment, understand their attack surface, and learn where weaknesses and vulnerabilities lie.
  • Centralized security – cloud security solutions provide central management of security for cloud resources, services, and endpoint devices across multiple clouds. This provides visibility over misconfigurations and security events across complex cloud infrastructure.
  • Reduced overhead cost – cloud security solutions are commonly offered as a service, with fully managed infrastructure. This converts the traditional capital expense of security licenses and specialized hardware to an operating expense, and reduces overheads.
  • Managed security services – many cloud security services not only provide security software, they also provide services like threat intelligence, setup of security rules, monitoring by human experts, and even managed response and remediation of security incidents. 

Finding the most appropriate cloud security solutions

Cloud service providers (CSPs) typically offer standard security, monitoring, and alerting features to help organizations secure their workloads and data in the cloud. However, these tools cannot provide complete coverage, creating additional security gaps. As a result, the attack surface increases and so does the risk of data loss and theft.

Instead of attempting to cover all security aspects – an arguably impossible endeavor – organizations can assess their unique posture and define the security requirements that suit their needs. It often involves assigning risk and sensitivity levels to data and systems and assessing the impact on the organization if the data or systems are compromised.


Cloud security challenges in different cloud environments

There are three primary types of cloud environments—public clouds, private clouds and hybrid clouds. These three environments offer different types of security configurations, based on the shared responsibility model. This model defines how resources are utilized, how data moves and where, how connectivity is established, and who takes care of security.

Public cloud

Public cloud services are hosted by third-party companies like Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. While the services offer efficient and cost-effective authentication management and access control, the shared resources model of these services can result in comparatively poor security.

In order to secure your environment, you need to overcome the challenges that come with introducing new security tools. While some tools are available for free, some incur overhead costs. You need to learn how to use the tools or hire an expert to take care of that responsibility. Otherwise, misconfiguration or misuse of the tools can lead to security breaches.

Private clouds

Private clouds aren’t necessarily safer than public clouds. While public cloud services provide built-in security measures implemented in the service ecosystem, private cloud security falls solely on the in-house team.

Companies that don’t perform regular updates and security maintenance leave themselves exposed to security vulnerabilities. Additionally, the lack of transparency in some private cloud setups can lead to security issues; for example, a software upgrade can introduce a new vulnerability that goes unnoticed. Private clouds are especially vulnerable to social engineering attacks and access breaches.

Related product offering: managed private cloud and virtual private cloud.

Hybrid clouds

Hybrid clouds combine elements of public and private clouds in one environment. This approach gives companies more control over their data and resources. However, poor network execution, inefficient security protocols, and broken management chains can turn hybrid clouds into easy targets for attacks.

Since hybrid clouds integrate multiple services within one structure, compliance becomes a complex task, because each environment is different, yet needs to follow the same protocols. Each environment that transmits data within the hybrid network is vulnerable to eavesdropping and cyber attacks. Hybrid clouds with lack of encryption, poor data redundancy, insufficient risk assessment, and data leakage are wide open to attacks.

Multicloud

Multi cloud is a strategy that enables organizations to deploy workloads across multiple cloud environments, combining private clouds with public clouds such as Microsoft Azure, Google Cloud Platform, and Amazon Web Services (AWS). 

Organizations implementing a multi cloud strategy can avoid vendor lock-in, improve resiliency, and optimize costs. However, a multi cloud deployment introduces complexities that may increase the attack surface. It requires a holistic security approach that establishes consistent security controls across several heterogeneous environments.


Top cloud security risks

Cloud systems provide increased access to sensitive data while allowing less control over the network, making them highly vulnerable. Following are the common risks facing cloud-based systems:

  • Data breaches – many high profile data breaches have been associated with cloud infrastructure. Because cloud resources can be deployed on the open Internet, insecure resources expose an organization to loss or theft of sensitive data.
  • Contractual breaches – sometimes entities sign a contract specifying the terms for their joint use of data, including access authorization. One example is the transfer of data from local to cloud servers without authorization. Attacks can cause these organizations to violate their contracts and face financial losses or legal liability.
  • Data loss – while cloud security doesn’t eliminate all data loss threats, it offers cost-effective and easy solutions for backup and disaster recovery. As opposed to on-premise solutions, cloud environments can store data on multiple cloud data centers and provide added disaster recovery resilience.
  • Gaps in compliance – compliance standards help prevent data breaches by binding organizations into a set of security rules. Unfortunately, at many organizations there are significant gaps in compliance due to the complexity and lack of visibility of cloud environments.
  • Hacked interfaces and insecure APIs – APIs and integration points power cloud computing. While APIs help connect systems, they can also be used as a back door by attackers.
  • Malware infections – used by hackers to hijack systems and accounts, delete data and harvest identity information and bank details. Cybercriminals use cloud services as an entry point for data exfiltration.
  • Identity management and weak authentication – cloud authentication security requires managing identity across different services. Poorly executed identity management can lead to data breaches and access authorization issues—weak identity management gives cybercriminals easy access to credentials and sensitive systems.
  • Insufficient due diligence and shared vulnerabilities – transitioning to the cloud without ensuring the cloud service provider security measures operate within the standard best practices or offer necessary security controls can lead to massive security breaches and shared vulnerabilities that leave all parties open to attack.
  • Abuse and misuse – cheap infrastructure or pirated software expose companies to security breaches.
  • Data migration complexity and misconfiguration – cloud migrations, in particular data migrations to and from the cloud, can be complex, and misconfigurations during this process can lead to security vulnerabilities. A lack of understanding or oversight of security settings can leave data exposed.

7 core principles of a cloud security architecture

The architecture of a cloud security system should account for tools, policies and processes needed to safeguard cloud resources against security threats. Among its core principles, it should include:

  1. Security by design – cloud architecture design should implement security controls that are not vulnerable to security misconfigurations. For example, if a cloud storage container holds sensitive data, external access should be locked, and there should be no way for an administrator to open access to the public Internet. 
  2. Visibility – many organizations use multi-cloud and hybrid-cloud deployments that traditional security solutions fail to protect. An effective strategy accounts for both the tools and the processes to maintain visibility throughout an organization’s complete cloud-based infrastructure.
  3. Unified management – security teams are often overworked and understaffed, and so cloud security solutions must provide unified management interfaces. Teams must be able to centrally manage a wide range of cloud security solutions from one pane of glass. 
  4. Network security – the cloud uses a shared responsibility model, and the organization is responsible for securing traffic flows to and from cloud resources, and between the public cloud and on-premise networks. Segmenting networks is also important to limit an attacker’s ability to move laterally once they have gained access to a network.
  5. Agility – the cloud fosters development and deployment of new solutions. Security should not inhibit this agility. Organizations can use cloud-native security solutions that integrate seamlessly into the agile development lifecycle.
  6. Automation – automation is critical to swift provisioning and updating of security controls in a cloud environment. It can also help identify and remediate misconfigurations and other security gaps in real time.
  7. Compliance – regulations and standards like GDPR, CCPA, and PCI DSS protect both data and processes in the cloud. Organizations can leverage cloud provider solutions, but will often need third party solutions to manage compliance across multiple cloud providers.

Cloud security solutions types

Here are several common technologies that help organizations secure their cloud deployments.

Cloud Workload Protection Platform (CWPP)

CWPP is a security solution that can protect cloud workloads, by providing visibility of resources across multiple clouds, ensuring they are appropriately deployed, and have the necessary security controls. 

CWPP can perform active security tasks like hardening operating systems and applications, scanning and remediating vulnerabilities, whitelisting applications, and performing integrity checks.

Cloud Security Posture Management (CSPM)

CSPM reviews cloud environments and detects misconfigurations and risks pertaining to compliance standards. Its main goal is to automate security configuration and provide central control over configurations that have a security or compliance impact.

CSPM is usually delivered as a cloud service. It creates an inventory of cloud resources, enables setting and enforcing enterprise-wide policies, and can scan resources like compute instances, storage buckets, or databases for harmful configuration errors. It can also perform risk assessments according to frameworks like ISO, NIST, and CIS Benchmarks.

Related content: learn more in the detailed guide to secret management.

Cloud Access Security Broker (CASB)

CASB can help detect and control SaaS applications in use by the organization. Common uses are to identify shadow IT (unauthorized use of cloud services), as well as sensitive data being transferred to and from cloud applications. Many organizations use multiple CASB solutions, each supporting the specific APIs or ecosystem of a specific SaaS solution.

CASB solutions include several technologies to ensure network traffic flowing to and from the cloud is in line with security policies: traditional firewalls, web application firewalls (WAF), which can block threats at the application layer, authentication to prevent unauthorized access to content, and data loss prevention (DLP) to detect and prevent data exfiltration.

eXtended Detection and Response (XDR)

XDR is a holistic security platform that can protect cloud systems, as well as on-premise networks, endpoints, and other systems. Its goal is to enable visibility, detection and response for threats, regardless of where in the IT environment they appear. In the cloud, it integrates with endpoints like compute instances and containers, and can gather data from cloud networks.

XDR can complement other cloud security systems by identifying sophisticated or hidden threats, especially when these threats hide in the interfaces between systems. It can combine data from disparate sources to create a complete attack story—so that events that seem benign in one system can be identified as part of a larger attack.

Related content: read our explainer to XDR.

SaaS Security Posture Management (SSPM)

SSPM provides visibility, monitoring, and assists with remediation of security issues for a portfolio of SaaS applications. 

SSPM allows organizations to identify and remediate gaps in SaaS security controls, including misconfiguration and lack of compliance with common frameworks and standards like Center for Internet Security (CIS) benchmarks, Service Organization Control 2 (SOC 2), and PCI DSS.

Related content: read our guide to SSPM.

Managed Detection and Response (MDR)

MDR is a managed service that hunts, detects, and eliminates threats. It can be used to protect cloud and on-premises environments. MDR services typically include endpoint detection and response (EDR) technology and human experts to operate and maintain it.

MDR security platforms offer organizations the benefits of continuous monitoring with a modern security operations center (SOC) without the overhead or responsibility of maintaining their own SOC. MDR services give organizations security benefits like:

  • Advanced analytics
  • Threat intelligence
  • Human security expertise  
  • Incident investigation experience
  • Incident response experience

Related content: read our guide to MDR.

Cloud data security

Cloud data security software implements access controls and security policies for cloud-based storage services, across multiple cloud providers. It can protect data stored in the cloud, or transferred to or from cloud-based resources. 

Among the key capabilities of cloud data security systems are central management of data encryption, governance and permissions for sensitive data, and data loss prevention (DLP) to detect anomalous activity that could result in loss or exfiltration of sensitive data.

Cloud monitoring

Cloud monitoring solutions are an essential component of a cloud security strategy. Organizations need continuous monitoring of cloud-based resources, both for visibility – to know what is running and where – and to identify anomalies which might be security incidents. There are five main types of cloud monitoring:

  • Database monitoring – tracking availability, utilization, performance, and access to cloud-based databases.
  • Website monitoring – tracking users, traffic, performance, and availability of cloud-deployed websites and web applications.
  • Virtual network monitoring – virtual networks are critical to cloud security, and must be monitored at the router, firewall, and load balancer level.
  • Cloud storage monitoring – gaining visibility into how storage is used by applications, databases, services, and compute instances.
  • Virtual machine monitoring – just like you would monitor servers deployed on-premises, it is important to monitor uptime, traffic, and access to compute instances in the cloud.

Cloud compliance

Cloud compliance software can help organizations ensure they are meeting their compliance obligations in a cloud environment. It provides visibility over workloads running on public and private clouds, network traffic, and configurations, reporting which cloud services may be violating specific compliance requirements.

Cloud compliance systems are similar to CWPP, but differ in focus: CWPP controls security in the cloud environment and enforces security controls, while cloud compliance solutions are passive tools that notify about violations, provide remediation instructions, and generate detailed reports and audits.

Related content: read our guide to Compliance in the Cloud.

Cloud backup and disaster recovery

Cloud backup is a critical part of an effective cloud security program. It can help protect against threats like ransomware and malware, as well as accidental or malicious tampering or sabotage of cloud assets. Cloud backup allows an organization to send a copy of files or entire systems (such as virtual machines or containers) to a cloud-based location. The copy is stored in a cloud data center and can be restored if the original data is lost.

Cloud backup services typically charge a fee based on the storage space used, data transfer bandwidth, and frequency of access. They can be used to back up both on-premises and cloud-based resources.

Another important function of cloud backup is disaster recovery. Traditionally, disaster recovery involved setting up an entire secondary data center and switching over to it in case of a disaster. This was expensive and out of the reach of smaller organizations. Cloud disaster recovery solutions are an attractive alternative, which lets organizations easily set up replicas of their systems in the cloud, and activate them on demand if a disaster occurs.

Related content: read our guides to Cloud Backup and Disaster Recovery.


How to secure cloud native applications

A cloud native application is software that is designed to run on cloud infrastructure. There are many definitions of cloud native applications, and the term is often used interchangeably with microservices architecture.

Cloud native applications are commonly built with the following characteristics:

  • Resilient – cloud native applications are distributed, and able to deal with failures as a normal occurrence, without downtime or disruption to service.
  • Agile – cloud native applications are developed using automated continuous integration / continuous delivery (CI/CD) processes, and are made up of small, independent components, each of which can be rapidly developed and updated.
  • Operable – cloud native applications are easy to test, deploy, and operate. They have advanced automation that manages system components at all stages of their lifecycle. 
  • Observable – cloud native applications easily expose information about application state, malfunctions and failures. Each component in the system is responsible for generating meaningful logs to provide insights into its operation.

Below are several best practices you can use to secure cloud native applications.

Shift security left

Cloud native development is fast paced, and relies on automated deployment, whether using container images, infrastructure as code (IaC) templates, or cloud automation mechanisms. This makes it more important to start the security process from the onset of development. 

Shifting security left in a cloud native environment involves:

  • Scanning container images and cloud infrastructure on an ongoing basis
  • Automatically testing for security issues in code long before it is deployed to production
  • Automatically identifying misconfiguration and security malpractices, such as missing authentication or hard-coded secrets

Apply perimeter security at the function and container level

Traditional security methods focused on securing the overall network perimeter. In a cloud native environment, there is no network perimeter. Instead, organizations must create micro-perimeters around infrastructure units:

  • In a serverless architecture – protecting each serverless function and paying attention to security of event streams
  • In a containerized architecture – securing individual containers, pods, clusters, and master nodes of container orchestration
  • When using container platforms – you are responsible for securing worker nodes, while the cloud provider is responsible for securing the Kubernetes control plane

Related products: read more about cloud containers.

Minimal roles and privileges

Identity and access management (IAM) plays an important role in cloud security. Use IAM to define permissions on a granular basis for containers or serverless functions. Ensure each element has the least privileges it needs to perform its activities. Use zero trust principles to ensure that all communications, even between trusted entities, are authenticated and verified.

Secure open source and dependencies

Cloud native applications commonly include open source components, which may include a large number of dependent packages. It is important to scan these components and their dependencies for open source vulnerabilities. This must be automated, and integrated into deployment processes, so that every component deployed in the cloud native environment is verified to be free of security vulnerabilities. 

Shared responsibility for security

Cloud native security takes a DevSecOps approach, with close cooperation between developers, operations, and security professionals:

  • Developers should be educated in security practices and take responsibility for secure coding practices
  • Operations and DevOps must take into account security practices at all stages of the software development lifecycle (SDLC)
  • Security teams must understand development practices and provide relevant advice and guidance for improving security

Leverage eBPF

eBPF technology runs sandboxed programs in the operating system kernel. It securely and efficiently extends the kernel’s capabilities without changing the kernel source code or loading kernel modules. Use cases include next-generation networking, security functionality, and observability. 

Application developers can use eBPF to add capabilities to the operating system at runtime. Before a program is loaded, the kernel’s verifier checks that it is safe to run, and a Just-In-Time (JIT) compiler then translates it to native machine code, so eBPF programs execute with the efficiency of natively compiled code without compromising kernel safety.


Cloud security best practices for major cloud computing platforms

Most organizations operating in the cloud run at least some services on the three major cloud providers—Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Each of these cloud providers provides a large ecosystem of infrastructure and services, which includes security tools and best practices. 

Before we go into specific best practices for each cloud provider, here are general guidelines for improving security in a public cloud environment:

  • Network segmentation – split networks into segments for improved performance and security. If segmentation is already in place you can assess the resources and leverage a zone approach to isolate systems and components.
  • Identity and access management (IAM) – mitigate security threats like unauthorized access and hijacking of accounts. High-quality IAM solutions help define and enforce access policies and capabilities such as role permissions and multi-factor authentication. Cloud computing requires access control lists (ACL) that monitor and record access.
  • Training your staff – employees are responsible for individual use of company tech and need to understand security risks. Educate staff on strong passwords, identifying dangerous emails and shadow IT. Using unauthorized cloud services without permission can put the company and the employee at risk.
  • Implementation of cloud security policies – establish guidelines that define the level of access of each user, the proper use of each service, which type of data can be stored in the cloud, and the security technologies used.
  • Endpoint security – secures endpoints and monitors user activity in the cloud environment. You can create a strong defense with intrusion detection, firewalls, access control, and anti-malware.
  • Data encryption – since data is vulnerable to attacks in motion (during transit) and at rest (in storage), encryption provides an important layer of security.
  • Audits and penetration testing – ensures your security infrastructure remains effective and helps identify points for improvement. Through audits and testing, you can analyze vendors’ capabilities and compliance with your SLA, and make sure that access logs show only authorized personnel.
  • Cloud disaster recovery – protect data by setting up robust backup solutions. Make sure your cloud provider’s standards align with yours for data backup, retention, and recovery policies.
  • Plan for compliance – ensure you have the expertise and tools to fully comply with relevant regulations and industry standards. Don’t take cloud vendor statements about standards compliance at face value; understand exactly what is required to become compliant in the cloud.

AWS security best practices

1) Limit security groups

Security groups limit network access to AWS resources. Make sure that you only enable communication to and from ports and IP ranges that are absolutely necessary for components to function. Amazon provides AWS Config and AWS Firewall Manager services, which can automatically configure virtual private cloud (VPC) network policies, and apply WAF rules to resources accessible from the public Internet.
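As an added example (not code from the original article), the following Python check applies this rule to security group data in the shape returned by the EC2 DescribeSecurityGroups API: it flags every rule that admits traffic from 0.0.0.0/0 or ::/0 and ranks it by the service exposed. The sample groups and their ids are constructed.

```python
"""CSPM-style check: which security group rules admit traffic from anywhere?

Added example, not from the original article. Input is security group
data in the shape returned by the EC2 DescribeSecurityGroups API; the
sample groups below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Services that should never be reachable from arbitrary Internet addresses.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               6379: "Redis", 27017: "MongoDB"}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    port_range: str
    cidr: str
    severity: str
    reason: str


def _world_cidrs(perm):
    """Yield the CIDRs in one IpPermission entry that match any source address."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") in WORLD_CIDRS:
            yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") in WORLD_CIDRS:
            yield r["CidrIpv6"]


def classify(proto, from_port, to_port):
    """Severity and reason for a rule that allows this protocol/port range from anywhere."""
    if proto == "-1":
        return "critical", "all protocols and ports"
    if proto in ("icmp", "icmpv6"):
        return "low", "ICMP reachable from any address"
    if from_port is None or to_port is None:
        return "medium", "unbounded port range"
    if from_port == 0 and to_port == 65535:
        return "critical", f"every {proto} port"
    exposed = [f"{p}/{ADMIN_PORTS[p]}" for p in sorted(ADMIN_PORTS) if from_port <= p <= to_port]
    if exposed:
        return "high", "administrative service exposed: " + ", ".join(exposed)
    if from_port == to_port and from_port in WEB_PORTS:
        return "info", "public web port (expected for an Internet-facing service)"
    return "medium", f"{proto} {from_port}-{to_port} open to any address"


def check_security_group(group):
    """Return one Finding per (rule, world CIDR) pair in a single security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        port_range = "all" if proto == "-1" or lo is None else f"{lo}-{hi}"
        for cidr in _world_cidrs(perm):
            severity, reason = classify(proto, lo, hi)
            findings.append(Finding(group["GroupId"], proto, port_range, cidr, severity, reason))
    return findings


def check_security_groups(groups):
    """Check every group and concatenate the findings."""
    return [f for g in groups for f in check_security_group(g)]


def severity_counts(findings):
    """Summary suitable for a dashboard: {severity: number of findings}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample in DescribeSecurityGroups shape (group ids are placeholders).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-lab", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in check_security_groups(SAMPLE_GROUPS):
        print(f"{f.severity:8} {f.group_id:12} {f.protocol}/{f.port_range} from {f.cidr}: {f.reason}")
```

A rule that allows 203.0.113.0/24 alongside 0.0.0.0/0 is still reported, because the narrow range does nothing once the world range is present.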

2) Automate backup

Backup is an important security practice, which can protect against data corruption, accidental deletion, and attacks such as ransomware. The AWS Backup service provides central control over backups in all main Amazon services, including Elastic File System (EFS), Elastic Block Store (EBS), DynamoDB, and Amazon Relational Database Service (RDS). Amazon also provides API and CLI access to backup functions.

3) Centralize logs

Amazon CloudTrail is a service that collects logs and events from all Amazon services. Store CloudTrail logs in S3 buckets, alongside logs from load balancers, other monitoring services, and your own cloud native applications. By creating a central log archive, you can analyze and correlate logs across all Amazon systems. You can use a security information and event management (SIEM) system to generate security alerts from the data.
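As an added example (not from the original article), here is a small set of SIEM-style detection rules run in Python over records in the shape of CloudTrail events: tampering with the trail itself, a security group opened to the whole Internet, root account use, and repeated failed console logins from one address. The records, account id, trail name and user names are constructed placeholders.

```python
"""Turn centralized CloudTrail records into security alerts.

Added example, not from the original article: a few SIEM-style detection
rules run over records in the shape of CloudTrail events. The sample
records below are constructed; account ids and names are placeholders.
"""
import json
from collections import Counter

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Calls that switch off or weaken the audit trail itself.
TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILED_LOGIN_THRESHOLD = 3


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(text)["Records"]


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _opens_to_world(params):
    """True if an AuthorizeSecurityGroupIngress request allows any source address."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") in WORLD_CIDRS for r in v4):
            return True
        if any(r.get("cidrIpv6") in WORLD_CIDRS for r in v6):
            return True
    return False


def detect(records):
    """Run the detection rules over records in time order; return alert dicts."""
    alerts = []
    failed_logins = Counter()  # failed console logins per source address

    def alert(rule, severity, event, detail):
        alerts.append({"rule": rule, "severity": severity, "time": event.get("eventTime"),
                       "actor": _actor(event), "source_ip": event.get("sourceIPAddress"),
                       "detail": detail})

    for ev in sorted(records, key=lambda e: e.get("eventTime", "")):
        name = ev.get("eventName")
        params = ev.get("requestParameters", {})
        if name in TAMPERING_EVENTS and ev.get("eventSource") == "cloudtrail.amazonaws.com":
            alert("cloudtrail-tampering", "high", ev, f"{name} on trail {params.get('name')}")
        if name == "AuthorizeSecurityGroupIngress" and _opens_to_world(params):
            alert("security-group-open-to-world", "high", ev,
                  f"ingress from any address added to {params.get('groupId')}")
        if ev.get("userIdentity", {}).get("type") == "Root":
            alert("root-account-activity", "medium", ev, f"root credentials used for {name}")
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            ip = ev.get("sourceIPAddress")
            failed_logins[ip] += 1
            if failed_logins[ip] == FAILED_LOGIN_THRESHOLD:  # alert once, when the threshold is hit
                alert("repeated-console-login-failures", "medium", ev,
                      f"{FAILED_LOGIN_THRESHOLD} failed console logins from {ip}")
    return alerts


# Constructed records in CloudTrail event shape; every id and name is a placeholder.
_FAILED_LOGIN = {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                 "sourceIPAddress": "198.51.100.7",
                 "userIdentity": {"type": "IAMUser", "userName": "alice"},
                 "responseElements": {"ConsoleLogin": "Failure"}}
SAMPLE_RECORDS = [dict(_FAILED_LOGIN, eventTime=f"2024-05-01T10:00:0{i}Z") for i in (1, 2, 3)] + [
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.4",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0123"}},
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for a in detect(load_records(SAMPLE_LOG)):
        print(f"{a['time']} {a['severity']:6} {a['rule']:34} {a['actor']} ({a['source_ip']}): {a['detail']}")
```

The ordinary GetObject call produces nothing, while the StopLogging call raises two alerts because it both disables the trail and was made with root credentials.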

4) Isolate Kubernetes Nodes

Another important practice is to isolate Kubernetes nodes, for example when running Kubernetes clusters in Amazon Elastic Kubernetes Service (EKS). Kubernetes is a powerful orchestration tool for managing containerized applications. However, it can also be a potential attack vector if not properly secured. 

Isolating nodes means segregating them into different security groups or virtual private clouds (VPCs). This reduces the attack surface by limiting the potential impact of a security breach. If one node is compromised, the attacker cannot easily move to other nodes in the network. It is also advised to use network policies to control traffic flow between pods in a Kubernetes cluster.

Related content: read more about AWS EKS.

5) Scan Container Images

Container images can contain vulnerabilities that can be exploited by attackers. Therefore, scanning container images for vulnerabilities is a critical part of securing your AWS environment.

A common way to run containers in AWS is using Fargate, a serverless compute engine. It allows you to run containers without having to manage the underlying infrastructure. You can use CloudFormation to automate image scanning for all containers deployed to Amazon Fargate (learn more in the Amazon blog post).

Related content: read more about AWS Fargate.

Azure security best practices

1) Encrypt your data

There are numerous ways to encrypt data in Azure:

  • Azure Disk Encryption, with encryption keys stored in Azure Key Vault (AKV), or in your own key repository
  • Encryption at Rest, enabled by default for all Azure storage services, using FIPS 140-2 compliant 256-bit AES encryption
  • Encryption in Transit, with built-in data link encryption in and between Azure data centers, and TLS encryption for all communications

2) Limit data access

Follow these best practices to limit access to sensitive data and resources:

  • Always restrict access to Secure Shell (SSH), Remote Desktop Protocol (RDP), and similar services in your Network Security Groups configuration, unless absolutely necessary. 
  • Close all ports that are not actively used by your services or applications. 
  • Share data or files securely using Azure Information Protection service, which lets you set a security priority for files, mark them as sensitive, and protect them with relevant permissions.
  • Use Azure Rights Management (RMS) to define encryption and authorization policies, which remain attached to files wherever they are stored, ensuring only authorized users can view them.

3) Identity management

Azure provides state-of-the-art identity management that supports zero trust practices. The primary service used for identity management is Azure Active Directory (Azure AD). A few key access control best practices are:

  • Use identity as the primary security perimeter
  • Centrally manage identity management
  • Enable single sign-on (SSO)
  • Turn on conditional access to all cloud resources
  • Enable automated password management
  • Enforce ongoing multi-factor verification
  • Use role-based access control (RBAC)
  • Isolate privileged accounts to lower their exposure
  • Use Azure AD to authenticate any access to storage

4) Use Just-In-Time (JIT) Virtual Machine Access

JIT access is a method of providing temporary, time-bound access to resources. Azure Security Center’s JIT VM access reduces the attack surface by enabling you to lock down inbound traffic to your Azure VMs. When someone needs to connect to a VM, they request access, and if approved, Security Center automatically configures the NSG rule to allow inbound traffic. After the time window expires, Security Center automatically reconfigures the NSG to deny traffic.

This practice not only reduces the potential for unauthorized access but also provides an audit trail of who accessed what and when.
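A minimal model of that request, approve, expire cycle over NSG-style rules, added here as an illustration and not Azure's own code or API; the rule names, priorities, the user name and the 203.0.113.0/24 addresses are constructed, and the JitNsg class is a hypothetical stand-in for what Security Center does to the real NSG.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Rule:
    name: str
    priority: int            # NSG semantics: the lowest number is evaluated first
    port: int
    source: str              # CIDR, or "*" for any source
    action: str              # "Allow" or "Deny"
    expires: datetime = None # only JIT-created rules carry an expiry

class JitNsg:
    def __init__(self):
        # Baseline posture: management ports are denied from every source.
        self.rules = [Rule(f"deny-{p}", 4000, p, "*", "Deny") for p in (22, 3389)]
        self.audit = []      # (time, who, port, source, event) tuples: the audit trail

    def request_access(self, user, port, source_ip, minutes, now, approved=True):
        """On approval, insert a higher-precedence Allow scoped to one /32 and a time window."""
        self.audit.append((now, user, port, source_ip, "approved" if approved else "rejected"))
        if approved:
            self.rules.append(Rule(f"jit-{user}-{port}", 100, port, f"{source_ip}/32", "Allow",
                                   expires=now + timedelta(minutes=minutes)))

    def expire(self, now):
        """Drop JIT rules whose window has ended; traffic then falls back to the baseline Deny."""
        for r in [r for r in self.rules if r.expires and r.expires <= now]:
            self.rules.remove(r)
            self.audit.append((now, r.name, r.port, r.source, "expired"))

    def inbound_allowed(self, port, source_ip, now):
        self.expire(now)
        for r in sorted(self.rules, key=lambda r: r.priority):
            if r.port == port and (r.source == "*" or
                                   ipaddress.ip_address(source_ip) in ipaddress.ip_network(r.source)):
                return r.action == "Allow"
        return False         # no explicit match: implicit deny

def walkthrough():
    # One request/approve/expire cycle; returns the decisions and the audit events.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    nsg = JitNsg()
    before = nsg.inbound_allowed(22, "203.0.113.5", t0)
    nsg.request_access("alice", 22, "203.0.113.5", 60, t0)
    during = nsg.inbound_allowed(22, "203.0.113.5", t0 + timedelta(minutes=10))
    other_ip = nsg.inbound_allowed(22, "203.0.113.9", t0 + timedelta(minutes=10))
    after = nsg.inbound_allowed(22, "203.0.113.5", t0 + timedelta(minutes=61))
    return {"before": before, "during": during, "other_ip": other_ip, "after": after,
            "events": [e[-1] for e in nsg.audit]}
```

The point to take from the model is that the approved window only opens port 22 for the requesting address, every other source still hits the baseline Deny, and both the approval and the expiry leave an audit record.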

5) Use the Azure Security Center’s Compliance Dashboard and Security Benchmark

The Azure Security Center’s Regulatory Compliance Dashboard provides a centralized view of your security posture and helps you meet industry compliance standards. The dashboard provides insights into compliance status and offers recommendations on how to improve the compliance score and reduce potential security risks.

The Azure Security Benchmark provides a set of high-impact security recommendations following industry best practices. These recommendations go beyond the baseline security policies and are tailored to the specific needs of Azure workloads.

Google cloud security best practices

1) Resource hierarchy

GCP offers a flexible resource hierarchy that lets you define the structure of cloud resources and apply permissions in a granular way. Create a hierarchy using Folders, Teams, Projects and Resources that mimics your organizational structure. Otherwise, follow the structure of your development projects or cloud-based applications. 

2) Managing firewalls and unrestricted traffic

Use VPC firewalls to manage network traffic to VPCs, virtual machines, and other Google Cloud resources. Avoid allowing access to broad IP ranges, both for inbound and outbound communications. Google Cloud VPC lets you assign network targets using tags and Service Accounts, which makes it possible to define traffic flows logically. For example, you can specify that a certain front-end service can only connect to VMs using a specific service account.

3) Retain admin activity logs

Google provides Admin Activity Logs, which are retained for 400 days and provide insights into a range of services and resources in the Google Cloud environment. Export them or save the logs to Google Cloud Storage if you want to retain them for longer, or for compliance purposes.


What is a Certified Cloud Security Professional (CCSP)?

CCSP is a role that was created to help standardize the knowledge and skills needed to ensure security in the cloud. This certification was developed by (ISC)² and the Cloud Security Alliance (CSA), two non-profit organizations dedicated to cloud computing security.

CCSP is designed to help professionals supplement and modify traditional security approaches to better ensure cloud protection. It does this by helping organizations train security professionals and recognize the level of competence in their current teams. This ensures that professionals understand how to secure the cloud and what tools are most effective.

Any professional in the information security or IT fields can gain a CCSP certification. Those who most commonly seek one include:

  • Systems and security engineers
  • Enterprise, system, or security architects
  • Security administrators or managers

Why do you need a CCSP certification?

There are many professional and organizational benefits that can come with getting CCSP certified. The most common benefits include:

  • Career advancement
  • Validation and authentication of your skills and knowledge in cloud computing and security best practices and requirements
  • Maintaining the certification ensures that you remain up-to-date on best practices and technologies related to cloud-based security
  • Access to a community of equally or more highly-skilled security professionals

How to become a CCSP

To gain your CCSP certification, you need to study for and pass the examination offered by (ISC)². This certification is only one of six certifications offered by the organization but is the only one focused solely on secure cloud computing.

To obtain your CCSP certification, you need at least five years of paid experience, including three years in information security and one year in one or more of six CCSP areas:

  • Architecture and design concepts
  • Data security
  • Platform and infrastructure security
  • Application security
  • Security operations
  • Legal, risk and compliance

Cloud security with Exabeam

The Exabeam Security Management Platform (SMP) offers a comprehensive solution for protecting your digital resources in the cloud and on-premises.

Exabeam Cloud Connectors allow you to reliably collect logs from over 40 cloud services into Exabeam Data Lake, Exabeam Advanced Analytics or any other SIEM. Updates are made automatically whenever there are API changes, so you don’t need coding skills or costly professional service engagements to ensure the right data is being collected.

Exabeam provides the connectivity necessary to monitor all your cloud services, including:

  • Cloud services – such as Salesforce, Office 365, and Box. Exabeam monitors your cloud services at scale, providing unlimited logging for the ingestion and modeling of cloud data. The pricing model is flat and user-based, ensuring visibility within your budget.
  • Cloud infrastructure providers – such as AWS, Azure, and Google Cloud. Exabeam scans for anomalous activity throughout your cloud infrastructure through intelligent and automated detection.

Related content: read our guides to Disaster Recovery and Information Security.

The Exabeam SMP platform organizes the data in a user-friendly and visually appealing interface. The cloud security modules of the Exabeam platform take a data-driven approach that enables enhanced controls for visibility, monitoring, and security in the cloud:


See Our Additional Guides on Key Cloud Security Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of cloud security.


Cloud Backup

Authored by NetApp


Cloud Security Solutions

Authored by NetApp


SSPM

Authored by Cynet

Learn about SaaS Security Posture Management (SSPM), a new security category that helps organizations identify misconfigurations and security issues in SaaS applications and automatically resolve them.


What is MDR

Authored by Cynet

Learn about managed detection and response (MDR), a managed service that can help organizations operate endpoint detection and response (EDR) and related technologies without burdening in-house staff.


Disaster Recovery

Authored by Faddom


Cloud Containers

Authored by Atlantic


Managed Private Cloud

Authored by Atlantic


Virtual Private Cloud

Authored by Atlantic


Secret Management

Authored by Configu


AWS EKS

Authored by Spot


AWS Fargate

Authored by Spot


Additional Cloud Security Resources

Below are additional resources about different aspects of cloud security and cloud operations, authored by our content partners: