Cloud security: what is it?
Cloud security is a family of security controls and access solutions purpose-built to protect both the data moving in and out of the cloud and the individuals accessing it. More specifically, cloud security is made up of the tools, technologies, policies, services, and procedures used to protect cloud environments—and the sensitive data they contain—against cyberattacks.
Why is cloud security important?
IT has become much more vulnerable with the advent of remote work and cloud adoption—both of which have accelerated transformation. Although this has turned out to be a net positive for businesses, it’s caused workforces to become remote and resources less protected. As such, organizations need to reconsider how they’re going about protecting their data.
Many businesses cite security as a primary reason they elect not to move to the cloud. But in today’s complex economy, where change agents appear out of thin air, enterprises need the flexibility and scalability of cloud services—which is bringing cloud security to the fore more than ever before.
How does cloud security work?
Effective cloud security means multiple technologies working together to protect data and applications in the cloud from the various entry vectors of cyberthreats. On the technology side, this often includes firewalls, identity and access management (IAM), segmentation, and encryption, though security needs can vary by the type of cloud deployment.
Rather than protecting a perimeter the way network security does, cloud security leverages the above methodologies to protect cloud resources and data on an individual basis. This means implementing more granular and specific security measures, such as cloud security posture management (CSPM), data protection, data security, and disaster recovery as well as a bevy of tools to meet compliance requirements.
What are the security risks of cloud computing?
The cloud helps you build, deploy, use, and maintain resources in a more flexible, scalable way. Because your organization isn’t responsible for the hardware associated with these resources, you can utilize as much of the cloud’s vast availability as you need without having to invest in additional appliances to handle the scale.
The bad news? Leveraging cloud computing moves your enterprise resources off of the network, which means using a perimeter-style defense to protect these resources is a waste of time.
When you move to the cloud, you cast aside the perimeter, forcing your organization to re-evaluate everything from how and where employees work to how best to identify security issues, mitigate vulnerabilities, block malware, and prevent data loss.
Cloud service types
Ever since the inception and eventual refinement of the cloud model, organizations have adopted SaaS offerings and cloud platform and infrastructure services in public clouds from providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
Some organizations, particularly those in heavily regulated sectors such as government and finance, adopt private cloud models to better protect their resources. All told, there are four subtypes of cloud infrastructure deployment as well as four main service models. Let's quickly look at each of these.
The four cloud deployment subtypes are:
- Private cloud: Dedicated infrastructure used by one organization but owned by a third party or the organization itself, which is responsible for all aspects of security management
- Public cloud: Infrastructure owned by a third-party provider and shared among multiple organizations, which also share security responsibilities with the provider per the shared responsibility model
- Hybrid cloud: A combination of private and public deployment where an organization uses each for its strengths, such as scalability (public cloud) or stricter controls (private cloud)
- Multicloud: Shared infrastructure, generally used by organizations that need access to the same applications and/or have the same segmentation and privacy requirements (e.g., PCI DSS)
The four cloud service models are:
- Software as a service (SaaS): Complete software solutions delivered from the cloud, which can be free or paid—Google Docs, for example
- Platform as a service (PaaS): Cloud-delivered tools developers can use to build, test, and deploy applications in a scalable environment
- Infrastructure as a service (IaaS): Virtualized infrastructure onto which an organization can install software, avoiding the need to manage their own infrastructure
- Functions as a service (FaaS): Often called serverless computing, FaaS is similar to PaaS, but suited to individual functions of apps, which can be spun up or down very quickly
Cloud security vs. traditional network security
Network security stacks were designed to protect enterprise networks, not today's cloud computing environments. They can’t provide the comprehensive cybersecurity and cloud data protection needed to safeguard today’s cloud-based applications and mobile users.
Furthermore, business-critical applications such as Microsoft 365 were designed to be accessed with direct connectivity through local internet breakouts. To support these and other bandwidth-hungry applications as well as handle the increase in network traffic without added costs or complexity, you need a multitenant security platform that scales elastically. You’ll never get that with a traditional network security architecture.
The best way to secure apps, workloads, cloud data, and users—no matter where they connect—is to move security and access controls to the cloud. Cloud-based security allows you to stay current with the latest security updates, keeping your data and users protected from ransomware and other sophisticated threats.
Plus, with cloud security, security services and cloud access controls are built directly into the platform, so they communicate with each other to give you a cohesive picture of all the traffic moving across your distributed networks (cloud and on-premises).
Through one interface, you can gain insight into every request—by user, location, server, and endpoint device around the world—in seconds. APIs with other cloud service providers, such as those in SD-WAN, cloud access security brokers (CASB), IAM, and endpoint protection further extend your security posture.
Why the cloud offers better protection than appliances
Protecting users with consistent and enforceable policies requires much more than simple URL or web filtering. That’s why thousands of organizations have already moved their IT security from appliances to security controls in the cloud. Here are some of the differences between appliance-based security and a cloud-delivered approach.
| Appliance-based security | Cloud-delivered security |
| --- | --- |
| Requires security stacks at all egress points or backhauling traffic over costly MPLS links from branch offices and remote sites to DMZs. Mobile users go unprotected. | Users get the same protection, whether they’re in the HQ, branch offices, on the road, or at home. |
| Point appliances from different vendors work in isolation, so there’s no simple way to aggregate their data. | Integrated security controls and cloud services correlate information to give you a complete picture of your entire network. |
| Every appliance between your users and the internet causes latency. If users have to VPN into the data center, their experience is even worse. | Zscaler provides fast local breakouts, and our single-scan multi-action technology enables our security services to scan simultaneously for faster performance. |
| Deploying and maintaining appliances from multiple security vendors is expensive and difficult, requiring continuous patching, updates, and hardware upgrades. | Cloud security consolidates point products into an integrated platform; there's no hardware or software to buy or manage. |
| Point products generally apply a single technique to identify threats and pass the data on to the next appliance. Patches are applied as they become available. | Cloud intelligence means that any time a threat is detected anywhere in the cloud, protection is deployed everywhere. Zscaler applies more than security updates to its cloud every day. |
| Appliances are expensive to buy and own, and as threats increase, you're forced to buy more of them. | Zscaler moves security from capex to opex for about the price of a cup of coffee per user per month. |
Types of cloud security
Rapid cloud adoption has driven the need for comprehensive cloud security. These methods aim to protect more than just the perimeter, bringing security all the way down to the data. Some of the most common measures include:
- Identity and access management (IAM) tools and paradigms help enterprises authorize identities to access resources in cloud environments. IAM also helps you protect access to the data shared across clouds—particularly cloud platforms and applications.
- Data loss prevention (DLP) is a set of technologies and processes that monitor and inspect data to prevent cyberattackers from exfiltrating it. It’s an essential element of cloud computing security that a traditional security model can’t carry out effectively.
- Encryption encodes data in transit so that a bad actor who intercepts it can’t immediately interpret it. At the same time, it helps establish trust and preserve anonymity, making it a prime choice for solving various cloud security challenges.
- Security information and event management (SIEM) takes security logs spread across your environment and analyzes them in real time. This gives security teams increased visibility over their cloud ecosystems, which is critical given the wide range of vulnerabilities the cloud creates.
The four methods listed above were all classic techniques for securing the cloud as it became mainstream. But threat actors are much more savvy now, and on top of that, compliance requirements demand more from security and data protection than they did before. This leads to the question...
How is cloud security evolving?
Industry analysts recognize the change the cloud has brought to the business landscape and understand how its impact will continue to grow in the future—not only in terms of security threats, but also:
- Cloud control and the shared responsibility model
- Vulnerabilities due to misconfigurations in cloud data protection, automation, and permissions
- Regulations such as GDPR
- The move to SASE and zero trust
Top analysts project that the demand for cloud security delivered as a service, referred to as the secure access service edge (SASE), will grow significantly. This is because SASE reduces the overwhelming network complexity that comes with traditional security approaches. It provides a more dynamic path to security that matches the variety of ways users now access networks.
As your organization engages more cloud-based platforms, your security teams will see increasing variety and complexity when it comes to cloud security. Alongside adopting SASE, many leading organizations are establishing a cloud center of excellence team and investing in people and processes to master this rapidly changing environment.
Not to mention, zero trust, a key component of SASE, is also seeing rapid adoption. Zero trust is based on the idea that no user should be inherently trusted. Instead, network, data, and application access are granted based on context—meaning that authentication is granted only under the correct circumstances. What’s more, a zero trust architecture delivers enhanced user experiences.
Why zero trust, and why now?
We’ve entered the age of cloud and remote work—but you already knew that. Endpoints, resources, and data are scattered every which way, and reliance on on-premises technology is falling fast—especially with increased cloud usage.
Establishing a secure cloud environment means investing in technologies that will not only prevent data breaches from occurring, but also grant your users the experiences they deserve. This starts with zero trust security. There are a lot of cloud security solutions on the market today, but none of them can provide the security or the experience that zero trust can.
Why you should embrace zero trust
According to Cybersecurity Insiders, 72% of organizations are prioritizing zero trust adoption. This is because, as mentioned above, zero trust is an integral component of a SASE framework, which promises to reduce the attack surface and decrease reliance on legacy network and security hardware.
When it comes to protecting your cloud applications, infrastructure, platforms, and data, no framework matches zero trust. Archaic, siloed security tools simply don’t have the capacity or scalability to protect all your cloud resources, wherever they’re being accessed from.
Let the buyer beware, however—zero trust can deliver great utility to your organization, but you must make sure you partner with a company whose zero trust offering is built in the cloud, for the cloud. Many vendors are guilty of plastering a cloud platform to an old appliance and passing it off as “cloud ready,” but this approach serves as a bandage rather than a true solution.
Only one company constructs a zero trust product with cloud delivery in mind—that company is Zscaler.
How Zscaler can help
Zscaler takes the headache out of cloud workload security management. Part of the Zero Trust Exchange™, Zscaler Cloud Protection combines four natively integrated data protection solutions, enabling your organization to:
- Secure workload configurations and permissions with Zscaler Workload Posture
- Secure user access to private apps in the cloud with Zscaler Private Access
- Secure app-to-app connections with Zscaler Workload Communications
- Eliminate lateral threat movement with Zscaler Workload Segmentation
Working together, these solutions can help you eliminate up to 90% of your security policies and reduce your costs by 30% or more. Ultimately, you'll minimize your attack surface, simplify your security strategy with automation, and dramatically lower your security risk.
Zscaler Cloud Protection
Zscaler Cloud Protection secures cloud workloads without introducing operational complexity. With an innovative zero trust architecture, it automatically remediates security gaps and misconfigurations, minimizes the attack surface, secures user-to-app and app-to-app communications, and eliminates lateral threat movement, ultimately reducing business risk. Visit the Zscaler Cloud Protection page to learn more.
See the difference for yourself
Still using appliances for network security, and want to know if your company could be safer with cloud security? Take our free security preview test to find out how well you're protected against ransomware and other threats. It's a safe way to discover where you may have gaps in your security.