2022: A Complete Guide to Cloud Security Best Practices
What is Cloud Security? | Who is Responsible for Cloud Security? | Software as a Service (SaaS) | Platform as a Service (PaaS) | Infrastructure as a Service (IaaS) | Cloud is Security’s new Achilles Heel? | Approaches for Cloud Security | Manual auditing | Scripts and Opensource tools | Best practices and tools | Native security tools of Cloud Providers | Continuous auditing | Which Tool to use? | SECaaS (Cloud Security as a Service) | Cloud Security Frameworks | Summary
Cloud data breaches have become a common occurrence. Billions of customer records have been exposed in just the last 12 months alone. Industry experts have projected matters to continue to get much worse. How did we get here?
Public Clouds ushered in an era of unprecedented agility. Naturally, organizations of every size are adopting the cloud and making it a mainstay of their infrastructure. The explosive growth of the cloud bears a close resemblance to its previous cousin — the Internet.
Most successful attacks on cloud services involve the exploitation of various misconfigurations. To keep up the insatiable user demand, Cloud Providers are adding more services at a dizzying pace, with each new service coming with its own set of access and security configurations. Imagine the complexity involved in keeping tabs on all the configurations across all of those services, from multiple cloud providers, who are constantly updating and releasing services. Additionally, regulators bring out a swath of regulatory frameworks with frequent revisions that do not help any. All of these forces together make cloud security incredibly complex. As this requires a multitude of skills, it is proving to be an impossible task for the vast majority of organizations.
This guide explains who is responsible for cloud security, between cloud providers and cloud users, and explores different approaches, tools and service models available for cloud security.
What is Cloud Security?
Cloud security breaches come in many forms, like data leakage, access compromise, privilege misuse, and malicious attacks (malware, DoS, etc). Just like information security (infosec) and network security, cloud security is also about ensuring the security of hosted services on the cloud over the internet, with a combination of –
- Technical Controls
- Policy & Standards as Controls
- Procedures & Services as Controls
Who is Responsible for Cloud Security?
Most Cloud Users mistakenly assume that Cloud Providers would be responsible for “entire” cloud security. That’s flawed complacency. Cloud Providers do carry responsibility for some parts of the cloud (‘security of the cloud’) and Cloud Users are responsible for the rest (‘security in the cloud’). It has been reported that in the vast majority of the data breaches, if not in all of them, Cloud Providers have not been technically at fault, but rather were the result of some or other security or access misconfigurations set up by Cloud Users. The graphic below describes the responsibility matrix between Cloud Providers and various types of Cloud Users.
The accountability, ownership & responsibility map to the level of access the actors have over the cloud stack, and widely varies based on the service model adopted by the organization as part of the cloud adoption.
Read the full guide at https://wati.com/2022-a-complete-guide-to-cloud-security/
