DataDome

What is cloud security and what are the biggest cloud security challenges and risks in 2024?


Cloud computing is the delivery of services through the Internet, whether that’s storage, networking, servers, applications, databases, or more. Companies small and large are moving to the cloud because it saves them money, increases their productivity, and allows them to respond faster to rapidly changing market environments. A 2020 O’Reilly survey of 1,283 engineers and C-level execs showed that 88% of respondents use the cloud in one form or another. 25% of respondents indicated that their companies want to move all their applications to the cloud in 2021.

The cloud’s popularity is also evident in the success of companies that provide cloud services. Amazon Web Services (AWS) revenue totaled $11.60 billion in Q3 2020 and has become one of Amazon’s most important services. Cloud software company Slack was valued at $20 billion when it went public in April 2019. The popular cloud CRM Salesforce has a market cap of over $215 billion. There are many more examples of cloud companies worth billions of dollars that have both built their software on cloud technology and deliver a cloud service to their customers.

But everything that’s built in the cloud needs to be properly secured. Cloud security is the set of policies, controls, procedures, and technologies that protect everything involved with cloud computing. Cloud security never falls entirely on the shoulders of cloud providers. It is a shared responsibility between the companies providing the service and the companies using the service.

This article will explain:

How cloud security differs from traditional IT security

Cloud computing is usually more secure than on-premise computing. Cloud providers are incentivized to provide the best security possible, as any type of breach, disruption, or leak will hurt their bottom line. It’s in their best interest to devote a significant amount of their resources to keep the data, infrastructure, or applications of their customers secure. However, cloud providers cannot fully control how customers use their services, which users customers add, what data customers upload, etc.

In addition, cloud environments are highly interconnected. This is their biggest difference from a traditional IT environment. Whereas traditional environments have a fairly obvious perimeter that can be secured by limiting who or what can gain access, cloud environments do not have such easily definable boundaries. Consider the employee accessing important company data stored on the cloud from an unrecognized device. How secure is the device? Is it really the employee accessing the data? How secure is the network he’s accessing the data from?

A good cloud security strategy will first secure the areas that are vulnerable to external threats, such as websites, public applications, and APIs. The most significant external threats are various types of cyberattacks, especially botnet attacks, which are what bot management software protects against. A good cloud security strategy will also secure the areas vulnerable to inside threats, with techniques and technologies such as identity and access management (IAM), encryption, and data retention policies. More on those later.

What are the different cloud security architecture models?

How much of the security burden falls on you versus on the cloud provider will depend on your cloud security architecture. There are four main cloud architecture models that companies follow:

  • Public clouds. A company rents computing power or storage space on a cloud server that’s shared with other tenants. This is called multi-tenant storage. Cost-effective, but not a fully private architecture model. All tenants sign a Service-Level-Agreement (SLA) promising not to corrupt the integrity of the server they’re on.

  • Private third-party clouds. A company rents a private server from their cloud provider. They have exclusive use of the server. A more expensive architecture model, but fewer privacy concerns.

  • Private in-house clouds. A company has its own data centers that are composed of single-tenant cloud servers.

  • Hybrid clouds. A company uses a blend of both private and public clouds, often from multiple cloud providers.

In addition to your cloud security architecture model, you need to understand which responsibilities are always the provider’s, which responsibilities are always yours, and which responsibilities vary according to the type of cloud service you’re using. We’ll examine the three most common types of cloud services and your security responsibility in each of them.

IaaS

Infrastructure-as-a-Service (IaaS) cloud services provide you with infrastructure such as servers, networking, operating systems, and storage. They’re similar to traditional data centers, except that you don’t have to physically operate any of them. Cloud providers are responsible for the security of this infrastructure, but that’s where their responsibility ends. You need to secure everything that is stacked on top of the infrastructure: applications, data, runtimes, middleware, user access, network traffic, operating systems, etc.

Examples of IaaS cloud services are AWS, Microsoft Azure, and DigitalOcean.

PaaS

Platform-as-a-Service (PaaS) cloud services provide you with a sandboxed space to develop applications. It’s where your developers can create software. Here, cloud providers are responsible for runtime, middleware, and the operating system. You’re responsible for the security of the applications you build, user access, and network traffic.

Examples of PaaS cloud services are AWS Elastic Beanstalk, Heroku, and Google App Engine.

SaaS

Software-as-a-Service (SaaS) is the most common and best-known of all three types of cloud services. SaaS delivers entire applications that you can mostly access via your web browser. Most security responsibilities fall on the cloud provider here, as they manage the application itself, data, runtime, middleware, and operating systems. Your security responsibility will depend on the contract you negotiated with the provider.

Examples of SaaS cloud services are Slack, Box, and Zoom.

What are the biggest cloud security risks?

As mentioned above, the biggest cloud security risk is the lack of an obvious perimeter in a cloud environment. Depending on your cloud security architecture, threats can come from human errors, such as a misconfigured server, from malicious external actors, such as a sophisticated Layer 7 DDoS bot attack targeting vulnerable points in your web application, from poor user control, such as a disgruntled employee with too much access exposing company data, or from any other angle.

In addition, there’s also the risk that cloud providers don’t adequately secure themselves. Although it is rare, every time AWS goes down in a part of the world, it causes many of the websites built on it to go down as well. There’s also the risk of sharing a server with other businesses, which we previously called multi-tenant storage. If one of the businesses on your shared cloud server does something that puts the server at risk, it might drag you down too. That’s why large enterprises often insist on having private cloud servers.

None of this means that it’s impossible to adequately secure your cloud environment. As we said, cloud environments are generally more secure than traditional environments. But they require a shift of focus, from the perimeter of your environment to what’s inside it.

How to protect yourself from cloud security challenges

Secure your data

Data security means the tools and technologies you use to block or limit the visibility of data stored in the cloud. Mostly, this means encryption, which generally falls under the security remit of cloud providers. Your data is most secure when it’s encrypted both in transit and at rest. Whenever a bot or hacker intercepts or gains access to your data, it will seem like an incomprehensible jumble of letters and symbols if they don’t have your encryption keys.

As a general rule, cloud providers store your encryption keys, although large enterprises often prefer to store the encryption keys to their data themselves. In the latter scenario, it’s best practice not to store those keys in the cloud (whether private or not) and to have a few backups of those keys.

Restrict user access

Identity and Access Management (IAM) means the rules and protocols around user accessibility, authentication, and authorization. Not all users need equal access to the cloud, and you should modify permissions accordingly. This is particularly true if users can access your data from any device, as in Bring Your Own Device (BYOD) setups. The right IAM strategy will give users the appropriate amount of access to your data, as required.

Cloud user roles tend to be configured quite loosely by default. From a security perspective, it’s better to severely restrict user access at first and gradually loosen it until you find the sweet spot between security and convenience.

Back up your data

You need a data retention and business continuity strategy in case one of your cloud providers goes down or, worse, loses your data. While it might not happen often, you don’t want to be caught off guard when a major storm takes down your cloud provider’s data centers. This means you need to regularly back up your data to local data servers. While all major cloud providers have redundancy built into their systems, it’s better to be safe than sorry.

Protect your outer attack layers

Cloud environments don’t have an obvious attack layer, but they still have islands that are visible and accessible to the outside world. Think web applications, public APIs, websites, mobile apps, etc. You need to protect these islands against external threats. Increasingly, such external threats come in the form of malicious bots that probe your islands for vulnerabilities.

Because these bots have become highly sophisticated, common defenses such as Web Application Firewalls (WAFs) are no longer adequate. WAFs require significant maintenance and don’t protect against advanced bots that are designed to bypass security systems. Instead, you need dedicated bot management software to filter out bad bot traffic while letting good bot traffic through.

To summarize

The vast majority of businesses rely on cloud services to function properly. In order to adequately secure your cloud environment, you need to understand your cloud security architecture model, what type of cloud service you’re using (IaaS, PaaS, or SaaS), and what the biggest cloud security risks and challenges are. Cloud environments are generally more secure than traditional IT environments, but you still need to:

  • Secure your data

  • Restrict user access

  • Back up your data

  • Protect your outer attack layers

DataDome is a bot management solution that protects your outer attack layers from the most sophisticated bot attacks. It has a 30-day trial that takes only a few minutes to install on any cloud infrastructure. Try it out today.
