Cloud Security Architecture

Understand the key elements and principles of a well-designed cloud security architecture.


What is Cloud Security Architecture?

A cloud security architecture (also sometimes called a “cloud computing security architecture”) is defined by the security layers, design, and structure of the platform, tools, software, infrastructure, and best practices that exist within a cloud security solution. A cloud security architecture provides the written and visual model to define how to configure and secure activities and operations within the cloud, including such things as identity and access management; methods and controls to protect applications and data; approaches to gain and maintain visibility into compliance, threat posture, and overall security; processes for instilling security principles into cloud services development and operations; policies and governance to meet compliance standards; and physical infrastructure security components.

Cloud security, in general, refers to the protection of information, applications, data, platforms, and infrastructure that operate or exist within the cloud. Cloud security applies to all types of cloud computing infrastructures, including public clouds, private clouds, and hybrid clouds. Cloud security is a type of cybersecurity.

The Importance of Cloud Computing Security Architecture

Cloud technologies provide businesses and individual users with scalable solutions that address a range of user needs; cloud services offer attractive options for storage, computing power, and application hosting that traditional IT infrastructures have been unable to deliver. Cloud services are highly flexible and give organizations the storage space they're looking for without demanding upfront investments for extra storage space that may never be used.

Whereas traditional IT infrastructures are often rigid and demand large capital investments before they can be upgraded, cloud technologies provide on-demand access to resources and allow businesses to rapidly scale up or down depending on their computing needs and budgetary restrictions. Additionally, with the expertise of cloud security architects like ours who can pinpoint security gaps and weaknesses with cloud security architecture diagrams, organizations can confidently scale their cybersecurity posture with the robustness of their cloud security architecture as it continues to evolve.

Key Elements of a Cloud Security Architecture

When developing a cloud security architecture, several critical elements should be included:

  • Security at Each Layer
  • Centralized Management of Components
  • Redundant & Resilient Design
  • Elasticity & Scalability
  • Appropriate Storage for Deployments
  • Alerts & Notifications
  • Centralization, Standardization, & Automation

Shared Responsibility within Cloud Security Architectures

The types of service models in use by a business define the types of cloud security architectures that are most applicable. The service models are: Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).

Organizations that offer cloud services typically adhere to a shared responsibility model—that is, the cloud service provider is responsible for the security of the components necessary to operate the cloud service (software, computing, storage, database, networking, hardware, infrastructure, etc.). The customer is responsible for protecting the data and information that is stored in the cloud, as well as how they may access that data (identity and access management). Responsibilities vary slightly depending on the type of service (IaaS, SaaS, or PaaS).

Infrastructure as a Service (IaaS) Shared Responsibility

With an IaaS, a business purchases the infrastructure from a cloud provider, and the business typically installs its own operating systems, applications, and middleware. An example of an IaaS is Azure (Microsoft). In an IaaS, the customer is usually responsible for the security associated with anything they own or install on the infrastructure.

Software as a Service (SaaS) Shared Responsibility

With SaaS, an organization purchases the use of a cloud-based application from a provider. Examples of SaaS include Office 365 or Salesforce. In a SaaS, the customer is typically only responsible for the security components associated with accessing the software, such as identity management, customer network security, etc. The software provider manages the security backend.

Platform as a Service (PaaS) Shared Responsibility

With PaaS, a business purchases a platform from a cloud provider to develop, run, and manage applications without developing or managing the underlying platform infrastructure required for the applications. An example of a PaaS would be Amazon Web Services (AWS). In a PaaS, the customer is responsible for the security associated with application implementation, configurations, and permissions.

Cloud Security Architectures by Service Model

IaaS Cloud Security Architecture Components

Components of secure cloud computing architecture in an IaaS cloud environment may include endpoint protection (EPP), a cloud access security broker (CASB), a vulnerability management solution, access management, and data and network encryption.

SaaS Cloud Security Architecture Components

SaaS security architecture components should include application security, identity and access management, and a cloud access security broker (CASB) to facilitate visibility, access controls, and data protection using APIs, proxies, or gateways.

PaaS Cloud Security Architecture Components

A PaaS security architecture may require both standard cloud security architecture solutions, as well as less common solutions, such as a Cloud Workload Protection Platform (CWPP).

Types of Cloud Security Architectures

A cloud security architecture typically includes components and best practices relevant to the types of cloud security services the business wishes to secure. Examples include an AWS cloud security architecture, Google infrastructure security, or an Azure security architecture. Additional key components of a cloud security architecture include the cloud “shared responsibility model” and the principles of “zero trust architecture.”


Principles of Cloud Security Architecture

A well-designed cloud security architecture should be based on the following key principles:

  • Identification — Knowledge of the users, assets, business environment, policies, vulnerabilities and threats, and risk management strategies (business and supply chain) that exist within your cloud environment.
  • Security Controls — Defines parameters and policies implemented across users, data, and infrastructure to help manage the overall security posture.
  • Security by Design — Defines the control responsibilities, security configurations, and security baseline automation. Usually standardized and repeatable for deployment across common use cases, in line with security standards and audit requirements.
  • Compliance — Integrates industry standards and regulatory components into the architecture and ensures standards and regulatory responsibilities are met.
  • Perimeter Security — Protects and secures traffic in and out of the organization’s cloud-based resources, including connection points between a corporate cloud network and public internet.
  • Segmentation — Partitions the architecture into isolated component sections to prevent lateral movement in the case of a breach. Often includes principles of ‘least privilege’.
  • User Identity and Access Management — Ensures understanding, visibility, and control of all cloud users (people, devices, and systems) that access corporate assets. Enables enforcement of access, permissions, and protocols.
  • Data Encryption — Ensures data at rest and traveling between internal and external cloud connection points is encrypted to minimize breach impact.
  • Automation — Facilitates rapid security and configuration provisioning and updates as well as quick threat detection.
  • Logging and Monitoring — Captures activity and provides constant observation (often automated) of all connected systems and cloud-based services to ensure compliance, visibility into operations, and awareness of threats.
  • Visibility — Incorporates tools and processes to maintain visibility across an organization’s multiple cloud deployments.
  • Flexible Design — Ensures architecture design is sufficiently agile to develop and incorporate new components and solutions without sacrificing inherent security.

Cloud Security Architecture Threats

Cloud services are affected by the most common types of concerns and threats, including data breaches, malware injections, regulatory non-compliance, insider threats, advanced persistent threats (APTs), credential stuffing attacks, insecure application programming interfaces (APIs), zero-day attacks, account hijacking through stolen or compromised credentials, phishing, and service disruptions due to denial-of-service attacks or misconfigurations. If a breach occurs, liability for the breach is based on the shared responsibility model.

Some threats and issues may also be more specific to the type of cloud service:

IaaS Cloud Security Threats

  • Availability disruption through denial-of-service attacks
  • Broken authentication
  • XML external entities
  • Security misconfigurations
  • Insecure deserialization
  • Insufficient logging and monitoring
  • Privilege escalation through misconfiguration
  • Weak privileged key protection
  • Insider data theft
  • Injection flaws
  • Sensitive data exposure
  • Broken access control
  • Cross-site scripting (XSS)
  • Using components with known vulnerabilities
  • Data leakage (through inadequate ACL)
  • DoS attack via API
  • Virtual machine (VM) weaknesses

PaaS Cloud Security Threats

  • Privilege escalation via API
  • Run-time engine vulnerabilities
  • Injection flaws
  • Sensitive data exposure
  • Broken access control
  • Cross-site scripting (XSS)
  • Using components with known vulnerabilities
  • Data leakage (through inadequate ACL)
  • DoS attack via API
  • Weak privileged key protection
  • Insider data theft
  • Authorization weaknesses in platform services
  • Availability disruption through denial-of-service attacks
  • Broken authentication
  • XML external entities
  • Security misconfigurations
  • Insecure deserialization
  • Insufficient logging and monitoring
  • Privilege escalation through misconfiguration
  • Virtual machine (VM) weaknesses

SaaS Cloud Security Threats

  • Weak or immature identity and access management
  • Zero-day vulnerabilities
  • Service disruption through denial-of-service attacks
  • Credential stuffing attacks
  • Stolen or compromised credentials
  • Weak cloud security standards
  • Shadow IT/unsanctioned cloud applications/software
  • Phishing
  • Weak compliance and auditing oversight
  • Weak vulnerability monitoring

Next Steps

As you move into the process of developing a robust cloud security architecture, it is important to spend some time understanding the shared responsibility model, the various cloud security best practices, and how best to approach cloud security within the context of your business’s needs, obligations, and risks. Depending on the types of cloud services your organization uses, cloud security architectures can be complex. It is important not to underestimate the time and skills necessary to develop a robust and effective security architecture. Consider working with a cloud security provider rather than attempting to undertake the creation of a customized cloud security architecture yourself. Schedule a customized security consultation with one of the GuidePoint Security experts to help you evaluate and build a secure architecture for your cloud services.