Wiz
Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

All articles

Cloud Security Architecture

Cloud security architecture is a broad set of principles designed to guide the implementation of security controls, practices, and solutions within a cloud computing environment.

Wiz Experts Team
7 min read

What is cloud security architecture?

Cloud security architecture is a broad set of principles designed to guide the implementation of security controls, practices, and solutions within a cloud computing environment.

Cloud security architecture encompasses the strategic planning and deployment of security measures to protect cloud-based resources from vulnerabilities, threats, and unauthorized access. These measures include identity access management (IAM), network security, data encryption, threat detection and prevention, and regulatory compliance.

A well-designed cloud security architecture pays off in many ways, like data and app confidentiality, integrity, and availability—not to mention a boost in customer trust. Beyond these benefits however, there are several other reasons why you need to put time into you cloud security architecture. Let us examine some of these reasons.

Security Leaders Handbook: The Strategic Guide to Cloud Security

Learn the new cloud security operating model and steps towards cloud security maturity. This practical guide helps transform security teams and processes to remove risks and support secure cloud development.

Download Handbook

What are cloud security threats?

Cloud security threats are risks and vulnerabilities that can compromise the security of cloud environments. A well-architected environment protects enterprises from the following threats:

1. Cloud platform misconfiguration

When cloud platforms, such as storage and network systems, are misconfigured, they can result in insecure communication channels, unintended exposure of sensitive data, and open attack surfaces for cybercriminals to exploit.

Common misconfiguration examples include using default authentication credentials, unrestricted in and outbound ports, and excessively permissive access controls. CSA plans are usually automated to reduce the possibilities of human-induced misconfigurations and accelerate their detection.

2. Unauthorized access

Unauthorized access often leads to the disclosure or theft of sensitive data stored in the cloud. Phishing schemes, stolen credentials, bypassed authentication mechanisms, keystroke logging, and hacking are prime ways that malicious actors use to gain unauthorized access to cloud resources. To combat unauthorized access, organizations usually include zero-trust network access (ZTNA) and multi-factor authentication in their enviroment.

3. Insecure interfaces and APIs

APIs provide cloud customers with software interfaces for interactions between their apps and external systems (e.g., their CSP’s resources). Because APIs are used to provision and manage cloud resources, attackers can inflict considerable damage if they are left insecure. A well-architected CSA outlines clear plans for securing APIs and could contain protocols such as the adoption of non-reusable tokens and continuous API monitoring.

wiz academy

What is API security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

Read more

4. Privileged account hijacking

Since privileged accounts have elevated access and permissions into the cloud network, they inflict serious damage on cloud resource security when hacked. In an optimized cloud security architecture, privileged accounts are carefully curated and monitored, and only trusted employees are allowed role-based access to them.

5. Insider threats

Insider threats are malicious or accidental actions carried out by people who have legitimate access to a cloud environment (e.g., current or former employees or third-party partners). As we will come to understand later in the article, a well-architected environment also contains protocols that prevent the possibilities of these insider attacks—whether intentional or unintentional.

Cloud security architecture’s challenges and considerations

Consider the different approaches you can take to deploy and manage cloud environments when designing a cloud security architecture for your organization, and refer to CISA’s cloud security reference architecture. Your chosen approach has important implications for your cloud security architecture and your implementation of cloud security. Here are some key approaches and their corresponding considerations:

1. Lift and shift

Lift and shift enables the movement of on-premises applications to the cloud without changing their architecture. However, in the long run, lift and shift may present integration challenges that have far-reaching consequences for data security and performance efficiency. Without cloud-native deployment, leveraging automation and cloud-native security platforms may be cumbersome.

When adopting lift and shift, your cloud security architecture should include a plan for preventing vulnerabilities that could be introduced during installation. It’s also a good idea to plan to upgrade the migrated workload to a cloud-native platform that supports automation and maximum cloud security.

2. The shared responsibility model

The shared responsibility model comprises the division of security responsibilities between the cloud service provider (CSP) and the customer. Though this model comes with significant benefits, there are also inherent challenges. Organizations may face poor cloud visibility, and they might not fully understand their role in securing the cloud services based on the service model employed, whether it’s IaaS, PaaS, or SaaS.

Each model has different levels of responsibility, and businesses must both understand what security controls they need to implement and make sure that they are not assuming more or less responsibility than they should. Let’s look at the division of responsibilities in IaaS, PaaS, and SaaS:

  • Infrastructure as a service (IaaS): In IaaS, the cloud provider is responsible for the security of the underlying infrastructure, such as networking, storage, and virtual machines. You are responsible for securing your apps, data, operating systems, and network configurations running on top of the cloud infrastructure. Your CSA must focus on the security of the data within virtual machines and your endpoints (configuring network security groups is a great example).

  • Platform as a service (PaaS): In PaaS, the cloud provider takes on more security responsibilities, securing the underlying infrastructure and platform, including the runtime environment, development tools, and databases. Your responsibility lies in securing your cloud-based applications and data. Your CSA should include protocols to protect data within the platform such as secure coding practices.

  • Software as a service (SaaS): In SaaS, the CSP secures the software application and infrastructure while you manage user access and ensure data privacy within the app. Your CSA must therefore focus on user authentication, access controls, data protection, secure data transfer, and compliance.

3. CI/CD

Although continuous integration/continuous deployment (CI/CD) speeds up software release, the frequency of release cycles can pose security challenges. That’s why your architecture should embed and automate security testing as part of the CI/CD pipeline—in fact, at each stage of the software delivery pipeline in order to identify and remediate vulnerabilities in the codebase.

wiz academy

CI/CD Pipeline Security Best Practices

Continuous integration and continuous delivery (CI/CD) have become the backbone of modern software development, enabling rapid, reliable, and consistent delivery of software products. To bolster your CI/CD pipeline, ensuring resilience against ever-evolving threats, follow the best practices in this guide.

Read more

4. Regulatory compliance

Compliance requirements differ across geographic location, industry, and data type. Some industry-specific regulations—such as GDPR, HIPAA, and PCI DSS—can be challenging because they have specific requirements for privacy and data protection.

To ensure compliance, include regular in-house compliance audits in your architecture. It’s also important to evaluate your CSP's regulatory adherence and review their compliance certifications, data handling practices, privacy controls, and contractual obligations to ensure alignment with industry requirements and legal obligations. A thorough evaluation is particularly important when the customer and the CSP operate in different countries or continents and are governed by different regulatory requirements as a result.

The layers of cloud security architecture

Building a secure cloud environment requires a comprehensive, layered approach. Each layer plays a critical role in protecting your data, applications, and infrastructure from cyber threats. Let's dive into each layer and explore how they work together to create a robust security posture:

1. On-premises Infrastructure:

This layer represents the physical foundation of your IT system, including servers, storage devices, networking equipment, and data centers. Securing this layer involves:

  • Physical security: Implementing access controls, security cameras, and intrusion detection systems to protect your physical hardware.

  • Data security: Encrypting sensitive data at rest and in transit, regularly backing up data, and implementing data loss prevention (DLP) solutions.

  • Network security: Configuring firewalls, intrusion detection and prevention systems (IDS/IPS), and virtual private networks (VPNs) to secure your network perimeter.

2. Cloud Resources:

This layer encompasses all the resources you host in the cloud, such as virtual machines, storage services, databases, container orchestration platforms, and SaaS applications. Securing this layer involves:

  • Identity and Access Management (IAM): Implementing strong authentication methods (e.g., multi-factor authentication), role-based access control (RBAC), and continuous monitoring of user activities.

  • Data security: Encrypting data at rest and in transit, adhering to data classification and labeling practices, and leveraging cloud-based data security solutions.

  • Application Security: Using container image scanning tools to identify vulnerabilities in containerized cloud applications before deployment.

3. Perimeter:

The perimeter layer acts as the gateway between your on-premises infrastructure, cloud resources, and the external world. Securing this layer involves:

  • Secure network topology: Designing your network architecture to minimize attack surfaces and control access to sensitive resources.

  • Perimeter security controls: Deploying firewalls, intrusion detection and prevention systems (IDS/IPS), and virtual private networks (VPNs) to monitor and filter traffic entering and leaving your environment.

  • DDoS protection: Implementing solutions to mitigate distributed denial-of-service (DDoS) attacks that target your cloud resources.

4. Operations:

This layer focuses on the management and performance aspects of your cloud environment. Securing this layer involves:

  • Security monitoring and logging: Continuously monitoring your cloud resources for suspicious activity and logging all events for audit purposes.

  • Security incident response: Having a well-defined incident response plan to effectively respond to and mitigate security breaches.

  • Compliance and governance: Establishing and enforcing security policies and procedures to ensure compliance with regulatory requirements and industry standards.

5. Interface:

This layer represents the devices and systems used by end users and employees to access the cloud environment. Securing this layer involves:

  • Endpoint security: Implementing antivirus software, endpoint detection and response (EDR) tools, and device management solutions to protect laptops, mobile devices, and IoT devices.

  • Secure access control: Enforcing strong authentication methods and access controls to prevent unauthorized access to your cloud resources from any device.

  • Security awareness training: Educating employees about cybersecurity best practices and the importance of protecting sensitive data.

By understanding and implementing the different layers of cloud security architecture, you can build a robust and unified defense against cyber threats. Remember, security is not a one-time event but an ongoing process. Continuously monitor your environment, update your security posture, and adapt to the evolving threat landscape to ensure the long-term security of your cloud environment.

How Wiz helps implement secure cloud architecture

As a cloud-native application protection platform, Wiz offers extensive visibility into your cloud environment, highlighting misconfigurations, vulnerabilities, and compliance issues. This allows architects to identify potential security weaknesses and make informed decisions about architecture design and configuration.

Wiz further aids in implementing secure cloud architectures in a number of ways across all stages of the journey:

Pre-deployment Planning:

  • Visibility and Inventory: Wiz offers a complete picture of your cloud resources, including VMs, serverless functions, containers, and Kubernetes clusters. This comprehensive view allows architects to understand the landscape and identify potential security gaps before deploying applications.

  • Compliance Mapping: Wiz assesses your environment against various security frameworks and regulations. This helps ensure your architecture aligns with compliance requirements from the get-go.

Deployment and Configuration:

  • Least Privilege Principle: Wiz analyzes cloud entitlements and generates least privilege policies, ensuring users and services only have access to the resources they need. This minimizes the attack surface and reduces the risk of unauthorized access.

  • Infrastructure as Code (IaC) Security: Wiz integrates with CI/CD pipelines and scans IaC templates for vulnerabilities and misconfigurations. This proactive approach prevents insecure configurations from being deployed into production.

Continuous Monitoring and Improvement:

  • Vulnerability Management: Wiz continuously scans your cloud resources for vulnerabilities and prioritizes them based on exploitability and severity. This prioritization helps architects focus on patching the most critical vulnerabilities first.

  • Security Posture Management: Wiz provides a real-time overview of your cloud security posture, highlighting areas of concern and recommending remediation actions. This continuous monitoring helps architects maintain a secure environment over time.

  • Incident Response: Wiz assists in incident response by providing detailed information about security incidents and suggesting containment and recovery strategies. This rapid response capabilities can minimize the impact of security breaches.

Take Control of Your Cloud Misconfigurations

See how Wiz reduces alert fatigue by contextualizing your misconfigurations to focus on risks that actually matter.

Get a demo

Continue reading

Credential Stuffing Explained

Wiz Experts Team

Credential stuffing is a type of cyberattack where automated tools are used to repeatedly inject stolen username/password combinations into various services to gain access to legitimate users’ accounts in addition to those that were originally breached.

Container Orchestration

Nicolas Ehrman

Container orchestration involves organizing groups of containers that make up an application, managing their deployment, scaling, networking, and their availability to ensure they're running optimally.

Native Azure Security Tools

Wiz Experts Team

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Cross-site scripting

Wiz Experts Team

Cross-site scripting (XSS) is a vulnerability where hackers insert malicious scripts inside web applications with the aim of executing them in a user’s browser.