Cloud security is the practice of protecting data, applications, and infrastructure in the cloud. It encompasses a wide range of security controls, including access control, data encryption, network security, and incident response.
Wiz Experts Team
Cloud security defined
Cloud security is the practice of protecting your data, applications, and infrastructure in the cloud from the evolving threat landscape, while also enabling the agility and innovation that cloud computing offers.
To learn about cloud security, you must first understand cloud computing. This includes understanding the different cloud service models and deployment models.
Cloud service models define the level of control and management that a cloud customer has over their resources. The three main cloud service models are:
Software as a Service (SaaS)
SaaS applications are hosted and managed by the cloud provider, and customers access them over the internet. Customers have no control over the underlying infrastructure or platform, but they still own what goes into the application: user identities and access, sharing settings, integrations, and the data itself.
Google Workspace, Microsoft Office 365, Salesforce, Dropbox.
Platform as a Service (PaaS)
PaaS provides customers with a platform for developing, deploying, and managing their own applications. Customers control their application code, data, and platform configuration; the provider manages the operating system, runtime, and underlying infrastructure.
Google App Engine, Microsoft Azure App Service, Heroku, Red Hat OpenShift.
Infrastructure as a Service (IaaS)
IaaS provides customers with access to computing, storage, and networking resources that they can use to build and manage their own infrastructure. Customers control everything from the operating system upward (machine images, patching, network configuration, storage), while the provider operates the physical hardware, hypervisor, and data center.
Amazon EC2, Microsoft Azure VMs, Google Compute Engine, DigitalOcean Droplets.
Cloud deployment models describe where and how cloud environments are hosted and who has access to them. The common deployment models are:
Public cloud: Public clouds are owned and operated by third-party providers, and they are accessible to the public. Examples of public cloud providers include AWS, GCP, and Azure.
Private cloud: Private clouds are owned and operated by individual businesses, and they are not accessible to the public. Private clouds can be hosted on-premises or in a colocation facility.
Community cloud: Community clouds are shared by multiple organizations, typically within a specific industry or geographic region. Community clouds offer the benefits of a private cloud, but they can be more cost-effective for organizations with smaller IT budgets.
Hybrid cloud: Hybrid clouds combine public and private clouds. This allows businesses to take advantage of the benefits of both public and private clouds. For example, a business might use a public cloud for its development environment and a private cloud for its production environment.
Organizations can choose the cloud deployment type and service model that best meets their needs. Some factors to consider include the size and complexity of the organization's IT environment, the budget, and the specific requirements of the organization's applications.
Cloud security risks and threats can be broadly categorized into intrinsic and extrinsic. These categories help organizations identify whether the risks arise from the nature of the cloud computing technology itself or from external factors like users and other systems.
Intrinsic cloud security risks and threats are those that are inherent to the cloud computing model itself. They include:
Insecure interfaces and APIs: Cloud providers expose management interfaces and APIs that let customers create, change, and delete their resources. If access to them is weakly protected (long-lived keys, missing MFA, overly broad permissions), an attacker who reaches them controls the environment.
Lack of visibility: It can be difficult for cloud customers to have complete visibility into their cloud environment. This can make it difficult to identify and respond to security threats.
Multi-tenancy: Since cloud platforms serve many customers on shared hardware and shared managed services, a flaw in the isolation boundary (hypervisor, container runtime, or a multi-tenant service) could let one tenant read or disrupt another tenant's workloads.
Shared responsibility model confusion: Cloud providers are responsible for the security of the underlying cloud infrastructure, while customers are responsible for the security of their own data, identities, and applications. Where the line sits depends on the service model (the customer's share is largest in IaaS and smallest in SaaS), and misunderstanding it leads to controls that nobody implements.
Extrinsic cloud security risks and threats are those that originate outside of the cloud computing environment. They include:
Misconfigurations: Misconfigurations are settings that leave resources more exposed than intended, such as a storage bucket readable by anyone, a security group open to the internet on an administrative port, or a role granted wildcard permissions. They are caused by the people configuring the environment, through lack of knowledge, rushed deployments, or simple oversight, rather than by the platform itself.
Phishing attacks: Phishing attacks are a common way for attackers to gain access to cloud accounts and steal sensitive data.
Account hijacking: If an attacker obtains a user's cloud credentials, for example a long-lived access key committed to a source repository, they can act with that user's permissions. Short-lived credentials, MFA, and monitoring for anomalous use limit the damage.
Malware attacks: Malware attacks can be used to compromise cloud servers and steal data or disrupt operations.
Zero-day attacks: Zero-day attacks exploit vulnerabilities that are unknown to the cloud provider and the customer. These attacks can be very difficult to defend against.
Insider threats: Insider threats can occur when malicious employees or contractors intentionally misuse their access to cloud resources.
Supply chain attacks: Supply chain attacks target third parties that the cloud environment depends on: software dependencies, container images, CI/CD tooling, and SaaS integrations deployed by the customer, as well as vendors the cloud provider itself relies on. If any of them is compromised, attackers can gain a foothold in the customer's environment or its data.
Cloud security works by implementing a variety of security controls and configurations across the following five main categories:
Identity and access management (IAM): This pillar ensures that only authenticated and authorized users can access cloud resources. It involves user identity verification, role-based access control, multi-factor authentication, and management of user permissions.
Infrastructure protection: This involves securing the cloud service infrastructure itself. It covers network security (like firewalls, intrusion detection/prevention systems), securing servers and endpoints, and hardening virtual machines or containers.
Data protection: At the heart of cloud security is the protection of data, both at rest and in transit. This includes encryption, tokenization, data masking, and other techniques to safeguard data against unauthorized access and breaches.
Detection controls: This pillar involves implementing security controls that can detect suspicious activity in your cloud environment. Centralized, tamper-resistant audit logs of control-plane activity (for example cloud API audit trails), workload telemetry, and tools that correlate them into real-time alerts are crucial.
Incident response: This pillar covers the process of responding to and recovering from security incidents in your cloud environment. This includes having a plan in place for identifying, containing, eradicating, and recovering from incidents.
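A concrete instance of the IAM and infrastructure-protection controls above, as an added example that is not code from the original article or from Wiz: two constructed AWS-style resources, an IAM policy document and an EC2 security group, each in a weak form beside a corrected form, are checked against a handful of least-privilege and network-exposure rules. The rule ids (IAM-001, SG-001 and so on), the bucket name, the 10.0.0.0/8 "internal" range and the choice to express the MFA requirement as a policy condition are assumptions made for this example; the document shapes follow what the AWS IAM and EC2 APIs return.

```python
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}          # SSH and RDP, the first ports an attacker probes
ANYWHERE = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "the whole internet"


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Treat Get*/List*/Describe* operations as read-only, anything else as a write."""
    operation = action.split(":", 1)[-1]
    return operation.startswith(("Get", "List", "Describe"))


def _requires_mfa(statement):
    """True when the statement only applies if the caller authenticated with MFA."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("Bool", "BoolIfExists") and keys.get("aws:MultiFactorAuthPresent") == "true":
            return True
    return False


def check_iam_policy(name, policy):
    """Least-privilege rules over one IAM policy document (rule ids are assumed)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(Finding(name, "IAM-001", f"statement {i} allows every action"))
        elif "*" in resources and any(a.endswith("*") for a in actions):
            findings.append(Finding(name, "IAM-002", f"statement {i} grants a wildcard action on every resource"))
        if any(not _is_read_only(a) for a in actions) and not _requires_mfa(stmt):
            findings.append(Finding(name, "IAM-003", f"statement {i} allows writes without requiring MFA"))
    return findings


def check_security_group(name, sg):
    """Internet-exposure rules over one EC2 security group (rule ids are assumed)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not ANYWHERE.intersection(cidrs):
            continue  # rules limited to private ranges are not internet exposure
        if perm.get("IpProtocol") == "-1":  # all protocols, all ports
            findings.append(Finding(name, "SG-001", "all traffic allowed from the internet"))
            continue
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed = sorted(p for p in ADMIN_PORTS if low <= p <= high)
        if exposed:
            findings.append(Finding(name, "SG-002", f"admin port(s) {exposed} open to the internet"))
    return findings


# Constructed sample input: each weak resource beside its corrected form.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
WEAK_SG = {"GroupId": "sg-weak", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
HARDENED_SG = {"GroupId": "sg-hardened", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}


def assess_all():
    """Run every rule over the samples; returns {resource name: [rule ids]}."""
    results = {}
    for name, policy in (("weak-policy", WEAK_POLICY), ("hardened-policy", HARDENED_POLICY)):
        results[name] = [f.rule for f in check_iam_policy(name, policy)]
    for sg in (WEAK_SG, HARDENED_SG):
        results[sg["GroupId"]] = [f.rule for f in check_security_group(sg["GroupId"], sg)]
    return results


if __name__ == "__main__":
    for resource, rules in assess_all().items():
        print(f"{resource}: {rules or 'compliant'}")
```

The weak policy trips IAM-001 and IAM-003 while the hardened one, which names specific actions on a specific bucket and gates the write behind MFA, is clean. The weak security group reports SSH and all-traffic rules open to the internet; HTTPS open to the world in the hardened group is left alone, since exposure is only a finding on administrative ports. This is the same kind of rule evaluation that posture-management tooling runs continuously across an account, and the same rules can run in a CI pipeline against infrastructure-as-code before anything is deployed.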
Cloud security frameworks provide structured approaches and best practices to secure cloud environments. Several frameworks are widely recognized and employed across industries to ensure consistent cloud security. Some of the most used cloud security frameworks and standards include:
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM):
The CSA publishes best practices for securing cloud computing and for improving understanding of cloud security challenges. Its Cloud Controls Matrix is a controls framework that maps cloud-specific security concepts and principles to the CSA guidance and to other standards.
Center for Internet Security (CIS) Critical Security Controls:
While CIS controls are broader than just cloud, many organizations apply these critical security controls to their cloud environments. CIS also has benchmarks specifically tailored for cloud providers like AWS and Azure.
ISO/IEC 27017 and ISO/IEC 27018:
ISO/IEC 27017 provides guidelines on the security aspects of cloud computing, recommending cloud-specific information security controls that supplement the guidance of ISO/IEC 27002.
ISO/IEC 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in the public cloud.
NIST Special Publication 800-144, 800-145, and 800-146:
NIST SP 800-144 offers guidelines on security and privacy in public cloud computing.
NIST SP 800-145 provides a definition of cloud computing.
NIST SP 800-146 explains cloud computing technology in detail.
NIST Cybersecurity Framework (CSF):
Though not exclusively for cloud, the NIST CSF provides a policy framework of cybersecurity guidance organized around core functions (Identify, Protect, Detect, Respond, Recover, with Govern added in version 2.0). It was written for U.S. critical infrastructure operators and is now used by organizations of all sizes worldwide, and it is often applied to cloud environments.
Payment Card Industry Data Security Standard (PCI DSS):
For organizations that store, process, or transmit cardholder data, PCI DSS compliance is critical, even in the cloud. Cloud providers often offer PCI-compliant infrastructure, but businesses are responsible for ensuring their specific implementation meets all requirements.
As organizations increasingly adopt cloud services, various security solutions have emerged to address the unique challenges of cloud environments. Here's a breakdown of these solutions:
Cloud Security Posture Management (CSPM): Provides insight into the configuration of cloud resources and continuous monitoring of these resources. It assesses cloud resources against rules for proper configuration, identifying any instances of misconfiguration. The system ensures compliance through built-in and customized standards and frameworks, automatically remediating non-compliant resources.
Cloud Workload Protection Platform (CWPP): Provides visibility into cloud workloads and risk mitigation across VMs, containers, and serverless functions. Agentless scanning covers vulnerabilities, secrets, malware, and insecure configurations within workloads, and the same checks can run against images and artifacts in CI/CD pipelines so that issues are caught before deployment. As a last line of defense at runtime, a CWPP can additionally deploy a lightweight agent for real-time threat detection on the workload itself.
Kubernetes Security Posture Management (KSPM): Automates security and compliance for Kubernetes components, providing comprehensive visibility into containers, hosts, and clusters. The system assesses risks related to vulnerabilities, misconfigurations, permissions, secrets, and networking, correlating these risks to offer contextual insights and prioritization. KSPM also facilitates a shift left approach, identifying and preventing Kubernetes security issues during the development phase.
Data Security Posture Management (DSPM): Safeguards sensitive data within the cloud environment. It identifies sensitive data and provides visibility into its location across buckets, data volumes, OS and non-OS environments, and managed and hosted databases. DSPM correlates sensitive data with underlying cloud context and other risk factors to comprehend data asset configuration, usage, and movement. A fully integrated DSPM can even pinpoint potential paths of attack on sensitive data, allowing proactive issue prioritization to prevent breaches.
Cloud Detection and Response (CDR): Enables the detection, investigation, and response to cloud-based threats by monitoring activity within the cloud environment and identifying suspicious events. CDR identifies threats and suspicious activities in real time, including remote code execution, malware, crypto-mining, lateral movement, privilege escalation, and container escape. The system offers comprehensive visibility, automatically correlating threats across real-time signals, cloud activity, and audit logs to track attacker movements. This enables rapid response and limits the impact of potential incidents.
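The detection-controls pillar above and the CDR description here both come down to running rules over cloud activity and correlating the hits per actor so that an attacker's movements show up as a chain rather than as isolated alerts. The following is an added example, not code from the original article or from Wiz: a handful of detections run over constructed CloudTrail-style records (console login without MFA, root credential use, AdministratorAccess attached, an access key minted for another user), grouped by the identity that performed them. The rule ids (CDR-001 and so on), the user names, and the account id 123456789012 are assumptions made for the example; the field names follow the CloudTrail record format.

```python
import json
from collections import defaultdict

ACCOUNT = "123456789012"  # documentation placeholder account id, not a real account
ESCALATION_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def _ev(time, name, user_type, user, **fields):
    """Build one CloudTrail-style record (constructed sample, not a real log)."""
    arn = (f"arn:aws:iam::{ACCOUNT}:root" if user_type == "Root"
           else f"arn:aws:iam::{ACCOUNT}:user/{user}")
    rec = {"eventTime": time, "eventName": name,
           "userIdentity": {"type": user_type, "userName": user, "arn": arn}}
    rec.update(fields)
    return rec


# Constructed sample activity: one user behaves normally, one is hijacked, and
# root is used directly. Serialised as NDJSON, the form CloudTrail logs are read in.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00Z", "ConsoleLogin", "IAMUser", "alice",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _ev("2024-05-01T09:10:00Z", "ConsoleLogin", "IAMUser", "bob",
        responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"}),
    _ev("2024-05-01T09:12:00Z", "ConsoleLogin", "IAMUser", "bob",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _ev("2024-05-01T09:15:00Z", "AttachUserPolicy", "IAMUser", "bob",
        requestParameters={"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2024-05-01T09:17:00Z", "CreateAccessKey", "IAMUser", "bob",
        requestParameters={"userName": "svc-backup"}),
    _ev("2024-05-01T10:00:00Z", "DescribeInstances", "IAMUser", "alice"),
    _ev("2024-05-01T11:30:00Z", "CreateUser", "Root", None,
        requestParameters={"userName": "maint"}),
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_log(text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(event):
    """Return [(rule id, description)] for one record (rule ids are assumed)."""
    hits = []
    ident = event.get("userIdentity") or {}
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    # CDR-001: successful console login where MFA was not used
    if (name == "ConsoleLogin"
            and (event.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (event.get("additionalEventData") or {}).get("MFAUsed") == "No"):
        hits.append(("CDR-001", "console login without MFA"))
    # CDR-002: root credentials used for API calls (root should be locked away)
    if ident.get("type") == "Root" and name != "ConsoleLogin":
        hits.append(("CDR-002", f"root credentials used for {name}"))
    # CDR-003: privilege escalation by attaching the AWS-managed admin policy
    if name in ESCALATION_EVENTS and params.get("policyArn", "").endswith("/AdministratorAccess"):
        hits.append(("CDR-003", f"AdministratorAccess attached to {params.get('userName') or params.get('roleName')}"))
    # CDR-004: persistence, an access key created for a different principal
    if name == "CreateAccessKey" and params.get("userName") not in (None, ident.get("userName")):
        hits.append(("CDR-004", f"access key created for {params['userName']}"))
    return hits


def correlate(events):
    """Group hits per actor ARN in time order so the chain of activity is visible."""
    chains = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        for rule, desc in detect(ev):
            chains[ev["userIdentity"]["arn"]].append((ev["eventTime"], rule, desc))
    return dict(chains)


def attack_chains(events, min_hits=2):
    """Actors with several distinct detections in sequence deserve an incident, not a ticket."""
    return {actor: chain for actor, chain in correlate(events).items()
            if len({rule for _, rule, _ in chain}) >= min_hits}


if __name__ == "__main__":
    for actor, chain in correlate(parse_log(SAMPLE_LOG)).items():
        print(actor)
        for time, rule, desc in chain:
            print(f"  {time}  {rule}  {desc}")
```

Run on the sample, bob's identity produces a three-step chain (login without MFA, self-granted admin, a key minted for a service account) that reads as one intrusion, root produces a single CDR-002 hit, and alice produces nothing. The failed login without MFA is deliberately not a hit, since a failed attempt leaks nothing about the account. In production the same detections read from a log delivery stream rather than an inline string, and the correlation key is extended with the access key id and source address so that one leaked key used from several places still maps to one chain.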
Introducing CNAPP, a unified cloud security solution
The continuous evolution of cloud environments, combined with the complexity of managing multiple specialized security tools, has driven the industry toward consolidating cloud security solutions. The industry is moving towards a unified cloud security solution, called a CNAPP (Cloud-Native Application Protection Platform), that combines all of the above solutions into a single platform.
CNAPP integrates both runtime and posture management for cloud-native applications. Instead of treating security measures as separate concerns, CNAPP provides a holistic view that encompasses both preventive measures and active threat detection.
This means that CNAPPs can be used to protect cloud-native applications throughout their entire lifecycle, from development to production. CNAPPs can help organizations to identify and remediate security misconfigurations, detect and respond to threats, and ensure that their cloud-native applications are secure and compliant.
Wiz's CNAPP solution is a unified security platform that protects cloud-native applications across development and production. Wiz provides a complete view of your cloud security posture, identifies and prioritizes risks, and helps you to remediate them quickly and efficiently.
Here are some of the benefits of using Wiz CNAPP:
Complete visibility: Wiz CNAPP provides a complete view of your cloud security posture, including visibility into your cloud infrastructure, applications, and data. This helps you to identify and understand all of the risks to your cloud environment.
Ruthless risk prioritization: Wiz CNAPP uses a unified risk engine to prioritize risks across all of your cloud resources. This helps you to focus on the most critical risks first, and it makes it easier to allocate your security resources efficiently.
Time to value: Wiz CNAPP is easy to deploy and use, and it provides immediate value. You can start using Wiz CNAPP to protect your cloud-native applications in minutes.
Whether you're just starting your cloud journey, or looking to mature your cloud security program, a unified platform is a must. To see firsthand how a CNAPP could work in your organization, schedule a demo with the Wiz engineering team.