What Is Cloud Security?

Cloud security is a family of security policies, procedures, tools, and technologies designed to protect users, sensitive data, apps, and infrastructure in cloud computing environments. The most comprehensive cloud security solutions span workloads, users, and SaaS resources in the cloud to protect them from data breaches, malware, and other security threats.


Why Is Cloud Security Important?

The advent of remote work and cloud adoption has accelerated digital transformation, but as workforces, data, and cloud applications have become more distributed, legacy networking models—built around local workers and resources—have made them slower and less secure. To make up for their losses in security, productivity, and user satisfaction, organizations need to reconsider how they protect their environments.

Ironically, many organizations cite security concerns as a primary reason not to move to the cloud. But today, in a complex economy driven by innovation—and shadowed by the growing business of cybercrime—organizations need the flexibility and scalability of cloud services, which can only be effectively secured by cloud security solutions that rise to meet the unique needs of the cloud.

How Does Cloud Security Work?

A cloud environment is only as secure as its weakest point, so effective cloud security means multiple technologies working together to protect data and applications from all angles. This often includes firewalls, identity and access management (IAM), segmentation, and encryption, though security needs can vary by the type of cloud deployment.

Rather than protecting a perimeter, cloud security protects resources and data individually. This means implementing more granular and specific security measures, such as cloud security posture management (CSPM), data protection, data security, and disaster recovery as well as a bevy of tools to meet compliance requirements.

Cloud environments, especially hybrid clouds that combine public clouds with remote or on-premises private data centers, can have many internal and external vulnerabilities. That’s why it’s critical to leverage access controls, multifactor authentication, data protection, encryption, configuration management, and more to keep them accessible and secure.

What Is Cloud Computing?

Cloud computing, more often just “the cloud,” is increasingly dominant worldwide as a means of accessing applications, data, systems, and more over the internet, instead of only on local hardware or networks. It allows organizations to entrust some of their data, apps, and infrastructure to third parties, which manage and secure those resources to varying degrees depending on the service.

Cloud Service Types

SaaS offerings, cloud storage, and various platform and infrastructure services are available from public cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.

Some organizations, such as government agencies and financial firms, adopt private clouds to better protect sensitive resources. All told, there are four subtypes of cloud infrastructure deployment as well as four main service models.

The four cloud deployment subtypes are:

  • Private cloud: Dedicated infrastructure used by one organization and owned by a third party or the organization itself, which is responsible for all aspects of security management
  • Public cloud: Infrastructure owned by a third party and shared among multiple organizations, which also share security responsibilities with the provider per the shared responsibility model
  • Hybrid cloud: A combination of private and public deployment where an organization uses each for its strengths, such as scalability (public cloud) or stricter controls (private cloud)
  • Multicloud: Shared infrastructure, generally used by organizations that need access to the same applications and/or have the same segmentation and privacy requirements (e.g., PCI DSS)

The four cloud service models are:

  • Software as a service (SaaS): Complete software solutions delivered from the cloud, which can be free or paid (e.g., Google Docs)
  • Platform as a service (PaaS): Cloud-delivered tools developers can use to build, test, and deploy applications in a scalable environment
  • Infrastructure as a service (IaaS): Virtualized infrastructure, managed by a third party, onto which an organization can install software
  • Functions as a service (FaaS): Similar to PaaS, but suited to individual functions of apps, which can be spun up or down very quickly (FaaS is also called serverless computing)

Security Risks of Cloud Computing

The cloud helps you build, deploy, use, and maintain resources in a flexible way. Because your organization isn’t responsible for the hardware, you can use as much of the cloud as you need without investing in more appliances to handle the scale.

However, when you move your resources off your network, perimeter-style defenses don’t work anymore, forcing you to re-evaluate how and where your employees work as well as how to most effectively identify security issues, mitigate vulnerabilities, block malware, and prevent data loss.

Network security architectures that place the enterprise data center at the center of connectivity requirements are an inhibitor to the dynamic access requirements of digital business.

Gartner, The Future of Network Security Is in the Cloud

Pros and Cons of Cloud Security

Let’s examine how cloud security benefits an organization and potential ways that it can actually increase cloud risk.

Pros

  • Improved visibility over cloud resources
  • Security that scales to meet customer needs
  • Better protection over cloud data and unique endpoints

Cons

  • The looming risk of misconfiguration
  • Possible poor partnership/deployment strategy
  • Unauthorized access to resources, which increases the attack surface

The cons listed above may seem a bit scary, but with proper due diligence and careful partner selection they can be eliminated, and the resulting pros are definitely worth it.

Cloud Security vs. Traditional Network Security

Network security stacks were designed to protect enterprise networks, not the cloud. They can’t provide the comprehensive cybersecurity and cloud data protection today’s cloud-based applications and mobile users need. To support business-critical SaaS apps (e.g., Microsoft 365) and handle other bandwidth-hungry services as well as more network traffic without added costs or complexity, you need a multitenant security platform that scales elastically. You’ll never get that with a traditional network security architecture.

The best way to secure apps, workloads, cloud data, and users—no matter where they connect—is to move security and access controls to the cloud. Cloud-based security is always up to date, able to protect your data and users from the latest ransomware and other sophisticated threats.

Benefits of Cloud Security

A comprehensive cloud security platform builds in security services and cloud access controls that give you visibility into all traffic moving across your distributed networks (cloud and on-premises). Through one interface, you can gain insight into every request—by user, location, server, and endpoint device around the world—in seconds. API integrations with other cloud service providers, such as those who offer SD-WAN, cloud access security broker (CASB), IAM, and endpoint protection services, further strengthen your security posture.

Common Cloud Security Challenges

Nothing worth doing comes easy, and the same can be said about cloud security. Despite its potential to ease security management and increase visibility, it certainly comes with its share of challenges to mitigate. Let’s go into some of these challenges in detail.

Identity and Access Control

Cloud providers continue to add more services, and the average number of distinct entitlements for these services now exceeds 5,000. This volume of entitlements can be challenging to manage using traditional identity and access management (IAM) approaches.

Logging, Monitoring, and Incident Response

Comprehensive and accurate logs are the cornerstone of proper incident response. For many companies, however, their install accounts are ill-equipped for this purpose and are unable to log everything sufficiently.

Storage and Encryption

Queueing and notification services often hold sensitive information before it is processed and proper security measures are applied. The sensitivity of this data is frequently overlooked—many services lack server-side encryption.
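
An added example (not from the original page or from Zscaler) of checking queues and topics for the missing server-side encryption described above. It assumes AWS SQS and SNS attribute names (`KmsMasterKeyId`, `SqsManagedSseEnabled`) and runs over a constructed inventory rather than a live account.

```python
# Added example: offline audit of queue/topic attributes for server-side encryption.
# Attribute names follow AWS SQS GetQueueAttributes and SNS GetTopicAttributes;
# the inventory below is constructed sample data, not output from a real account.

SAMPLE_INVENTORY = [
    {"service": "sqs", "name": "orders-queue",
     "attributes": {"KmsMasterKeyId": "alias/orders-cmk"}},
    {"service": "sqs", "name": "audit-queue",
     "attributes": {"SqsManagedSseEnabled": "true"}},
    {"service": "sqs", "name": "legacy-queue",
     "attributes": {"SqsManagedSseEnabled": "false"}},
    {"service": "sns", "name": "alerts-topic",
     "attributes": {"KmsMasterKeyId": "alias/aws/sns"}},
    {"service": "sns", "name": "signup-topic", "attributes": {}},
]


def encryption_state(resource):
    """Return 'kms', 'service-managed' or 'none' for one queue or topic."""
    attrs = resource.get("attributes") or {}
    # A non-empty KmsMasterKeyId means SSE with a KMS key (SQS and SNS).
    if (attrs.get("KmsMasterKeyId") or "").strip():
        return "kms"
    # SQS only: SSE with service-owned keys; the API returns strings, not booleans.
    managed = (attrs.get("SqsManagedSseEnabled") or "").lower()
    if resource["service"] == "sqs" and managed == "true":
        return "service-managed"
    return "none"


def audit(inventory):
    """Return a finding for every resource that stores messages unencrypted at rest."""
    findings = []
    for res in inventory:
        if encryption_state(res) == "none":
            findings.append({"service": res["service"], "name": res["name"],
                             "finding": "no server-side encryption"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['service']}:{f['name']}: {f['finding']}")
```
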

Cloud Ransomware

Cloud environments are not immune from malware and ransomware attacks. The most common ways attackers infiltrate businesses are by taking advantage of a "misstep" or "misconfiguration," such as an improperly configured asset, exploiting weak passwords, or exploiting insufficient policy controls.

Supply Chain Attacks In the Cloud

Cloud environments are at increased risk of supply chain attacks, which can even lead to compliance risks. Security teams need to focus on minimizing the risk of third parties in a cloud environment, because third parties provide room for a supply chain attack.

Why the Cloud Offers Better Protection Than Appliances

Protecting users with consistent and enforceable policies requires much more than simple URL or web filtering. That’s why thousands of organizations have already moved their IT security from appliances to security controls in the cloud. Here are some of the differences between appliance-based security and a cloud-delivered approach.

Enterprise-Wide Protection

Appliance-based security requires security stacks at all egress points or backhauling traffic over costly MPLS links from branch offices and remote sites to DMZs. Mobile users go unprotected.

With cloud-based security, users get the same protection, whether they’re in the HQ, branch offices, on the road, or at home.

Integrated Security

With appliance-based security, point appliances from different vendors work in isolation, so there’s no simple way to aggregate their data.

With cloud-based security, integrated security controls and cloud services correlate information to give you a complete picture of your entire network.

User Experience

With appliance-based security, every appliance between your users and the internet causes latency. If users have to VPN into the data center, their experience is even worse.

Cloud-based security with Zscaler provides fast local breakouts, and our single-scan multi-action technology enables our security services to scan simultaneously for faster performance.

IT Complexity

With appliance-based security, deploying and maintaining appliances from multiple security vendors is expensive and difficult, requiring continuous patching, updates, and hardware upgrades.

Cloud-based security consolidates point products into an integrated platform; there's no hardware or software to buy or manage.

Intelligence

With appliance-based security, point products generally apply a single technique to identify threats and pass the data on to the next appliance. Patches are applied as they become available.

Cloud-based security brings intelligence from a variety of sources, meaning that any time a threat is detected anywhere in the cloud, protection is deployed everywhere. Zscaler applies more than security updates to its cloud every day.

Value

Appliance-based security is expensive to buy and own, and as threats increase, you're forced to buy more appliances.

Zscaler cloud-based security moves security from CapEx to OpEx for about the price of a cup of coffee per user per month.

4 Pillars of Cloud Security

Cloud security aims to protect more than just the perimeter, bringing security all the way down to the data. Some of the most common measures include:

  • Identity and access management (IAM) to help provision access to resources in cloud environments. IAM also helps you prevent unauthorized access to data, apps, and infrastructure shared across clouds.
  • Data loss prevention (DLP) to monitor and inspect data to prevent exfiltration. DLP is an essential element of cloud computing security that a traditional security model can’t carry out effectively.
  • Data encryption to encode data so that attackers can’t interpret it without decrypting it. Encryption also helps establish trust and preserve anonymity, and is required by various privacy regulations worldwide.
  • Security information and event management (SIEM) to analyze security logs in real time, giving your security team increased visibility over your cloud ecosystem.

These were the classic techniques for securing the cloud as it became mainstream. But threat actors are much more savvy now, and compliance requirements demand more from security and data protection than they did before. Cloud security has had to evolve to keep up.

How Is Cloud Security Evolving?

The cloud has changed the global technology landscape, and cloud security is changing along with it. More recently, we’ve seen this in the discourse around security service edge (SSE) and zero trust.

As a growing industry trend, SSE solves fundamental challenges related to remote work, the cloud, secure edge computing, and digital transformation, providing secure access to the internet, SaaS and cloud apps, and your organization’s private apps.


Zero trust, a key component of SSE, is also seeing rapid adoption. Based on the idea that no user or entity should be inherently trusted, a zero trust approach grants access to data and applications based on specific context—identity, content, location, device, and more—while delivering enhanced user experiences.


Why Should You Embrace Zero Trust?

Endpoints, resources, and data are everywhere, and the benefits of the cloud are quickly overtaking reliance on on-premises technology. Securing cloud environments means investing in technologies that will prevent data breaches while helping users stay satisfied and productive, and today, zero trust is the only security paradigm that can offer that.

According to Cybersecurity Insiders, 72% of organizations are prioritizing zero trust adoption. They understand that archaic, siloed security tools simply don’t have the capacity or scalability to protect all your cloud resources, wherever they’re being accessed from.

As you evaluate zero trust offerings, keep something in mind: any vendor can say they offer zero trust. Many vendors bolt a cloud platform onto a legacy network appliance and call it “cloud ready.” You need a partner with a zero trust solution that was built in the cloud, for the cloud.

How Zscaler Can Help

Zscaler takes the headache out of cloud workload security management. Part of the Zero Trust Exchange™, Zscaler Cloud Protection combines four natively integrated data protection solutions, enabling your organization to:

Working together, these solutions can help you eliminate up to 90% of your security policies and reduce your costs by 30% or more. Ultimately, you'll minimize your attack surface, simplify your security strategy with automation, and dramatically lower your security risk.

Zscaler Cloud Protection

Zscaler Cloud Protection secures cloud workloads without introducing operational complexity. With an innovative zero trust architecture, it automatically remediates security gaps and misconfigurations, minimizes the attack surface, secures user-to-app and app-to-app communications, and eliminates lateral threat movement, ultimately reducing business risk. Visit the Zscaler Cloud Protection page to learn more.

Want to know if your company could be safer with cloud security? Take our free security preview test to find out how well you're protected against ransomware and other threats.
