
Cloud security basics and best practices

Shifting from on-prem to the cloud can open up significant possibilities for your organization. The cloud is economical, easily scalable, and can be accessible to users across your company. Along with the growth and flexibility it provides, moving to the cloud can also expose your organization to cyber security threats. It is essential that as your organization grows on the cloud, you also strive to protect your cloud-based environments, applications, and data.

Wiz Experts Team

Cloud security vs. on-prem security

The security threats businesses contend with today can affect workloads hosted both on-prem and in the cloud. A Distributed Denial of Service (DDoS) attack can take on-prem applications offline just as well as it can target a cloud-based environment. If attackers bypass your data access controls, ransomware and malware can strike data hosted on your servers or managed in cloud services like AWS S3. 

While the types of attacks aren’t fundamentally different in the cloud, workloads hosted there are subject to unique security challenges:

Complexity

Compared to on-prem, where your tech stack is likely more straightforward, cloud environments tend to be more complex and therefore carry more significant security risks. You may run virtual machines alongside containers and serverless functions, and even add an orchestration layer like Kubernetes.

Exposure to the Internet

Since cloud environments rely on the Internet to connect workloads to users, applications and data running in the cloud generally have wider exposure to the Internet than workloads hosted on-prem. It’s possible to use resources like Virtual Private Clouds (VPCs) or network ingress filtering to isolate workloads from the Internet, but default configurations in the cloud usually leave Internet connectivity on.

Borderless cloud networks

Similarly, you can’t define network boundaries in the cloud in the way you can on-prem. Although you can create isolation between your cloud environment and the Internet, you'll still need to leave some connections open for administrators to access your cloud environment. This differs from an on-prem environment where you could completely isolate data behind a firewall and enable access only through a local intranet.

Complex and fragmented access controls

In an on-prem environment, systems like Active Directory and OpenLDAP typically manage user identities and permissions. Managing access controls in the cloud is more difficult because there is no central access control system that applies across all cloud environments.

Instead, you can define a variety of different access control policies using each vendor’s Identity and Access Management (IAM) system, which varies between clouds. Juggling multiple IAM systems increases the risk of configuration errors or oversights that open the door to attack.

Stricter compliance controls

In some cases, businesses may be subject to compliance rules that impose special security requirements over data or applications hosted in the cloud, but not those that run on-premises. For example, cloud data centers located in a different country than on-prem servers may need to comply with that country’s local data privacy laws.

Limited control and visibility

For on-prem workloads, there is no limit on how much data you can gather to detect and monitor security breaches because you have total control over your infrastructure and hosting environments. The amount of network monitoring data available in the cloud is limited to what your cloud provider offers, leaving you with less visibility. For example, in serverless compute services like AWS Lambda, you can’t view operating system logs or collect low-level kernel monitoring data using a framework like eBPF.

Best practices for optimizing cloud security

Security challenges shouldn’t prevent you from using the cloud. If you adhere to standard best practices for securing cloud workloads, you can enjoy its flexibility without compromising security.

Scan IAM configurations

To protect against the risk of access control misconfigurations, you should scan your cloud IAM policies using tools that automatically detect problems, such as controls that allow anyone to view sensitive cloud-based data.
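One way to automate that kind of check, as an added example rather than Wiz's own tooling: walk the statements of an AWS-style JSON policy document and report any Allow statement whose principal is anonymous (`"*"` or `{"AWS": "*"}`), has no Condition narrowing it, and grants a read-style action. The bucket policy, the account ID and the sensitive-action list are constructed for illustration.

```python
"""Flag IAM / resource policy statements that grant public access.

Added example for this article, not Wiz's code. It walks the statements of an
AWS-style JSON policy document and reports any Allow statement whose principal
is anonymous ("*" or {"AWS": "*"}) and which has no Condition narrowing it.
The sample policy below is constructed for illustration.
"""
import json

# Read-style actions we treat as data exposure when granted to everyone
# (an assumed starting list; extend it for your own environment).
SENSITIVE_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy JSON allows scalars or lists for Action/Principal/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_is_sensitive(action):
    """Match an action against the sensitive set, honouring IAM wildcards."""
    a = action.lower()
    if a in SENSITIVE_READ_ACTIONS:
        return True
    if a.endswith("*"):
        prefix = a[:-1]
        return any(s.startswith(prefix) for s in SENSITIVE_READ_ACTIONS)
    return False


def find_public_statements(policy_json):
    """Return a list of (statement_id, risky_actions) for public Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition (e.g. aws:SourceVpce) narrows the grant; leave for manual review.
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if _action_is_sensitive(a)]
        if actions:
            findings.append((stmt.get("Sid", f"Statement{idx}"), actions))
    return findings


# Constructed sample bucket policy: one public-read statement and one
# statement scoped to a single role (account ID is the AWS documentation example).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports/*",
        },
        {
            "Sid": "TeamAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportsReader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        },
    ],
})

if __name__ == "__main__":
    for sid, actions in find_public_statements(SAMPLE_BUCKET_POLICY):
        print(f"{sid}: anonymous principal may perform {', '.join(actions)}")
```

Statements carrying a Condition are skipped rather than flagged, because a grant such as "anyone, but only through this VPC endpoint" is a different risk class and deserves a human look instead of an automatic finding.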

Tag cloud resources

You can tag cloud resources like VMs and databases in most cloud environments by creating descriptive labels. From a security perspective, tagging is valuable because it helps you track which cloud workloads you have running. By extension, tags help to identify workloads that should be shut down, reducing your attack surface.

Establish strong cloud governance

You should define and enforce governance policies to minimize the risk that employees will create insecure cloud workloads that go unmonitored. Guidelines should stipulate who can create workloads and delineate a procedure for ensuring that those workloads are appropriately tagged and monitored. The goal is to avoid spinning up resources without your IT or security team’s knowledge and oversight.
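The tagging and governance points above can be turned into an automated audit. The following is an added example, not Wiz's code: it checks an inventory of resources (a constructed list standing in for the output of a provider's resource-listing API) against a hypothetical required-tag policy and returns the violations, so untagged or orphaned workloads surface for review.

```python
"""Report cloud resources missing the tags your governance policy requires.

Added example for this article, not Wiz's code. The required-tag policy and
the inventory are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical governance policy: every resource must carry these keys, and
# "environment" must take one of the listed values.
REQUIRED_TAGS = ("owner", "environment", "cost-center")
ALLOWED_ENVIRONMENTS = {"prod", "staging", "dev"}


@dataclass
class Resource:
    resource_id: str
    resource_type: str
    tags: dict = field(default_factory=dict)


def tag_violations(resource):
    """Return a list of human-readable violations for one resource."""
    # Providers differ in case handling; normalise keys so "Owner" == "owner".
    tags = {k.lower(): v for k, v in resource.tags.items()}
    problems = []
    for key in REQUIRED_TAGS:
        if not tags.get(key):  # missing or empty value
            problems.append(f"missing tag '{key}'")
    env = tags.get("environment")
    if env and env.lower() not in ALLOWED_ENVIRONMENTS:
        problems.append(f"environment '{env}' not in {sorted(ALLOWED_ENVIRONMENTS)}")
    return problems


def audit_inventory(resources):
    """Map resource_id -> violations, listing only non-compliant resources."""
    report = {}
    for r in resources:
        problems = tag_violations(r)
        if problems:
            report[r.resource_id] = problems
    return report


# Constructed inventory: two compliant resources, one untagged VM and one
# function with an unrecognised environment and an empty cost-center.
SAMPLE_INVENTORY = [
    Resource("vm-0a1", "vm", {"Owner": "platform-team", "Environment": "prod", "Cost-Center": "1001"}),
    Resource("db-77f", "database", {"owner": "data-eng", "environment": "staging", "cost-center": "2002"}),
    Resource("vm-9zz", "vm", {}),
    Resource("fn-3c4", "function", {"owner": "alice", "environment": "sandbox", "cost-center": ""}),
]

if __name__ == "__main__":
    for rid, problems in audit_inventory(SAMPLE_INVENTORY).items():
        print(rid, "->", "; ".join(problems))
```

Run periodically, the untagged entries in the report are exactly the workloads the governance policy says should not exist without an owner; they are the first candidates for shutdown or for being brought under monitoring.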

Don’t settle for security defaults

Default security policies are often not secure. Typically, newly created cloud workloads are configured with default policies that define access control and networking. You can go further by allowing only specific users to interact with a virtual machine and by creating resources like VPCs to restrict network access for workloads that don't require direct interfaces with the Internet.
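To make the "default connectivity left on" problem from the exposure and defaults sections concrete, here is an added example (not Wiz's code) that evaluates security-group ingress rules in the shape of a provider's API response and reports any rule admitting traffic from anywhere. Both rule sets are constructed: `DEFAULT_RULES` mirrors a freshly created group that was left wide open, and `HARDENED_RULES` is the corrected version that keeps only the public web port and moves admin and database access behind internal CIDRs.

```python
"""Flag security-group ingress rules that leave workloads open to the Internet.

Added example for this article, not Wiz's code. The rule shape, the port
list and both rule sets are assumptions constructed for illustration.
"""
import ipaddress

# Ports where world-open ingress is almost never intended.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5432: "PostgreSQL", 3306: "MySQL", 6379: "Redis"}


def _is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any CIDR covering the whole address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def _port_range(rule):
    """Return (from_port, to_port); -1 in this rule shape means 'all ports'."""
    lo, hi = rule.get("from_port", -1), rule.get("to_port", -1)
    if lo == -1 or hi == -1:
        return 0, 65535
    return lo, hi


def exposed_rules(rules):
    """Return findings for rules reachable from anywhere on the Internet.

    Each finding is (group, description, severity): 'high' when an admin or
    database port is covered, 'medium' otherwise (e.g. an intentional web port).
    """
    findings = []
    for rule in rules:
        open_sources = [c for c in rule.get("cidrs", []) if _is_world_open(c)]
        if not open_sources:
            continue
        lo, hi = _port_range(rule)
        hit = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
        severity = "high" if hit else "medium"
        desc = f"{rule.get('protocol', 'all')} {lo}-{hi} from {','.join(open_sources)}"
        if hit:
            desc += f" (covers {', '.join(sorted(hit))})"
        findings.append((rule["group"], desc, severity))
    return findings


# Constructed rule sets: the permissive starting point and its corrected form.
DEFAULT_RULES = [
    {"group": "sg-web", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0", "::/0"]},
    {"group": "sg-web", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
    {"group": "sg-db", "protocol": "-1", "from_port": -1, "to_port": -1, "cidrs": ["0.0.0.0/0"]},
]
HARDENED_RULES = [
    {"group": "sg-web", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0", "::/0"]},
    {"group": "sg-web", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.20.0.0/16"]},  # assumed VPN/bastion range
    {"group": "sg-db", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidrs": ["10.20.30.0/24"]},  # assumed app subnet
]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}:")
        for group, desc, sev in exposed_rules(rules):
            print(f"  [{sev}] {group}: {desc}")
```

The hardened set still produces one medium finding for port 443, which is the point: a world-open rule is not automatically wrong, but every one of them should be a deliberate decision rather than an inherited default.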

Make your cloud flexible and secure

The cloud is flexible and powerful, which is why most businesses use cloud services today. If you settle for default security configurations and tools, however, your cloud isn’t necessarily secure. To ensure that you can safely take full advantage of cloud computing, invest in practices that harden your cloud environment against security risks.
