How to ensure the security of the cloud infrastructure and applications

Security in cloud environments

As organisations shift more and more of their infrastructure to the cloud, their traditional security policies and approaches may remain valid for some instances, but they have to be adapted to hybrid, distributed architectures. Thus, a different approach is needed to address security in this new environment.

Securing the cloud infrastructure

Let's start with the security of the cloud infrastructure. To do this, we have to take into account a combination of policies, best practices and technologies to ensure that cloud resources (including computing environments, applications and databases) are secure against threats (both internal and external) from the cloud.

The security of the cloud infrastructure should not be confused with the cloud security services offered by various security firms through a software as a service business model.

Rather, cloud security consists of different controls, procedures and technologies to protect any organisation's critical systems and data from cybersecurity threats and risks originating in cloud environments.

Depending on the type of cloud computing you use, you can adopt one type of cloud security or another:

• Public cloud services operated by a public cloud provider. This includes software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS).
• Private cloud services operated by a public cloud provider. These services provide a computer environment devoted to one customer, operated by a third party.
• Private cloud services operated by internal staff. In other words, it's the evolution of the traditional data centre where internal staff operate a virtual environment that they control.
• Hybrid cloud services. This combines private and public cloud computing configurations to host workloads and data by optimising factors, such as cost, security, operations and access. The operation will involve internal staff and, optionally, the public cloud provider.

Securing applications in a cloud environment

If we turn now to the need to secure cloud-based software applications, we must also talk about policies, tools, technologies and rules at the application level to keep all the assets visible, protect cloud-based applications from cyberattacks, and restrict access to authorised users.

The security of cloud applications is essential for organisations that use web applications that run in a multi-cloud environment hosted by a third-party cloud provider. By their nature, these cloud services or applications significantly increase the attack surface by providing multiple new access points for attackers to enter the network.

Best practices to secure cloud applications

In any case, and as always in security, there are a series of recommendations for the proper use of technology to avoid compromising the security of both the cloud infrastructure and applications. These include:

• Taking advantage of multi-factor authentication (MFA) as one of the most effective mechanisms to limit the risk of the account being compromised.
• Social engineering. Human error is one of the most common causes of data breaches. Employees have to be trained and tools implemented, such as URL filters, antimalware and smart firewalls.
• Automation. Companies should, to the extent possible, automate the monitoring of cloud applications, incident response and configurations. Manual workflows are prone to errors and are a common cause of oversights and data breaches.
• Minimum privileges. User accounts and applications should be configured to only grant access to the assets needed to do a job, applying the principle of minimum privilege on all cloud platforms.
• Data security. For applications in particular, most of the security efforts should focus on ensuring the integrity and inviolability of data. If encryption systems can be used, so much the better.
• Audits and testing. Finally, audits should be conducted constantly, as well as tests to ensure that everything works correctly and that the security systems and policies are able to handle a potential security incident.