What is cloud security?
Learn more about the technologies, procedures, policies, and controls that help you protect your cloud-based systems and data.
Cloud security defined
Cloud security is a shared responsibility between cloud service providers and their customers. Accountability varies depending on the type of services offered:
Public cloud environments
Are run by cloud service providers. In this environment servers are shared by multiple tenants.
Private cloud environments
Can be in a customer-owned data center or run by a public cloud service provider. In both instances, servers are single tenant, and organizations don’t have to share space with other companies.
Hybrid cloud environments
Are a combination of on-premises data centers and third-party clouds.
Multicloud environments
Include two or more cloud services operated by different cloud service providers.
No matter which type of environment or combination of environments an organization uses, cloud security is intended to protect physical networks, including routers and electrical systems, data, data storage, data servers, applications, software, operating systems, and hardware.
Why is cloud security important?
The cloud has become an integral part of online life. It makes digital communication and work more convenient and has spurred rapid innovation for organizations. But when friends share photographs, coworkers collaborate on a new product, or governments deliver online services, it’s not always clear where the data itself is being stored. People may inadvertently move data to a less secure location, and with everything internet accessible, assets are at greater risk of unauthorized access.
Data privacy is also increasingly important to people and governments. Regulations like the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) require organizations that collect information to do so transparently and put in place policies that help prevent data from being stolen or misused. Failure to comply can result in expensive fines and reputational harm.
To remain competitive, organizations must continue to use the cloud to iterate rapidly and make it easy for employees and customers to access services, while protecting data and systems from the following threats:
- Compromised accounts: Attackers often use phishing campaigns to steal employee passwords and gain access to systems and valuable corporate assets.
- Hardware and software vulnerabilities: Whether an organization uses a public or private cloud, it’s critical that the hardware and software are patched and up to date.
- Internal threats: Human error is a big driver of security breaches. Misconfigurations can create openings for bad actors, and employees often click on bad links or inadvertently move data to locations with less security.
- Lack of visibility of cloud resources: This cloud risk makes it challenging to detect and respond to security vulnerabilities and threats, which can lead to breaches and data loss.
- Lack of risk prioritization: Once security admins gain visibility into cloud resources, the number of recommendations to improve the security posture might be overwhelming. It’s important to prioritize risk so admins know where to focus to make the greatest impact on security.
- High-risk cloud permissions: The proliferation of cloud services and identities has increased the number of high-risk cloud permissions, which expands the possible attack surfaces. The permission creep index (PCI) metric measures how much damage identities can cause based on their permissions.
- Emerging threat landscape: Cloud security risk is constantly evolving. To protect against security breaches and data loss, it’s important to stay up to date as new threats emerge.
- Lack of integration between cloud-native development and security: It’s critical for the security and development teams to work together to identify and fix code issues before the app is deployed to the cloud.
How does cloud security work?
Cloud security is a shared responsibility between cloud service providers and their customers. Accountability varies depending on the type of services offered:
Infrastructure as a service
In this model, cloud service providers offer computing, network, and storage resources on demand. The provider is responsible for securing the core computing services. Customers must secure everything on top of the operating system including applications, data, runtimes, middleware, and the operating system itself.
Platform as a service
Many providers also offer a complete development and deployment environment in the cloud. They take responsibility for protecting the runtime, middleware, and operating system in addition to the core computing services. Customers must safeguard their applications, data, user access, end-user devices, and end-user networks.
Software as a service
Organizations can also access software on a pay-as-you-go model, such as Microsoft Office 365 or Google Drive. In this model, customers still need to provide security for their data, users, and devices.
No matter who’s responsible, there are four primary aspects to cloud security:
- Limiting access: Because the cloud makes everything internet-accessible, it’s incredibly important to ensure that only the right people have access to the right tools for the right amount of time.
- Protecting data: Organizations need to understand where their data is located and put the appropriate controls in place to safeguard both the data itself and the infrastructure where the data is hosted.
- Data recovery: A good backup solution and data recovery plan are critical in case there’s a breach.
- Response plan: When an organization is attacked, they need a plan to reduce the impact and prevent other systems from becoming compromised.
- Shifting security left: Security and development teams work together to embed security into the code itself, so cloud-native applications start secure and stay secure.
- Unifying visibility of DevOps security posture: Minimize blind spots by using a single pane of glass to surface DevOps security posture insights across DevOps platforms.
- Keeping security teams focused on emerging threats: Strengthen cloud resource configurations in code to reduce security issues reaching production environments.
Types of cloud security tools
Cloud security tools address vulnerabilities from both employees and external threats. They also help mitigate errors that occur during development and reduce the risk that unauthorized people will gain access to sensitive data.
Cloud security posture management
Cloud misconfigurations happen frequently and create opportunities for compromise. Many of these errors occur because people don’t understand that the customer is responsible for configuring the cloud and securing applications. It’s also easy to make a mistake in big corporations with complex environments.
A cloud security posture management solution helps reduce risk by continuously looking for configuration errors that could lead to a breach. By automating the process, these solutions reduce the risk of mistakes in manual processes and increase visibility into environments with thousands of services and accounts. Once vulnerabilities are detected, developers can correct the issue with guided recommendations. Cloud security posture management continuously monitors the environment for malicious activity or unauthorized access.
Cloud workload protection platform
As organizations have instituted processes that help developers build and deploy features faster, there’s a greater risk that security checks will be missed during development. A cloud workload protection platform helps secure the computing, storage, and networking capabilities needed by applications in the cloud. It works by identifying workloads in public, private, and hybrid cloud environments and scanning them for vulnerabilities. If vulnerabilities are discovered, the solution will suggest controls to fix them.
Cloud access security broker
Because it’s so easy to find and access cloud services, it can be difficult for IT teams to stay on top of all the software used in the organization.
Cloud access security brokers (CASB) help IT gain visibility into cloud app usage and provide a risk assessment of each app. These solutions also help protect data and meet compliance goals with tools that show how data is moving through the cloud. Organizations also use these tools to detect unusual user behavior and remediate threats.
Identity and access
Controlling who has access to resources is critical to protecting data in the cloud. Organizations must be able to ensure that employees, contractors, and business partners all have the right access whether they are onsite or working remotely.
Organizations use identity and access solutions to verify identities, limit access to sensitive resources, and enforce multifactor authentication and least-privilege policies.
Cloud infrastructure entitlement management
Identity and access management gets even more complicated when people access data across multiple clouds. A cloud infrastructure entitlement management solution helps a company gain visibility into which identities are accessing which resources across their cloud platforms. IT teams also use these products to apply least privilege access and other security policies.
Cloud-native application protection platform
A comprehensive cloud-native application protection platform (CNAPP) helps security teams embed security from code to cloud. CNAPP unifies compliance and security capabilities to prevent, detect, and respond to cloud security threats in multicloud and hybrid environments—from development to runtime.
Unified DevOps security management
Unify security management for DevOps to help keep cloud applications secure from the start. Security teams are empowered to unify, strengthen, and manage multiple-pipeline security, shift security left to embed security into the code itself, and support code-to-cloud protections in a single console.
What are the challenges of cloud security?
The interconnectedness of the cloud makes working and interacting online easy, but it also creates security risks. Security teams need solutions that help them address the following key challenges in the cloud:
Lack of visibility into data
To keep organizations productive, IT needs to give employees, business partners, and contractors access to company assets and information. Many of these people work remotely or outside the company network, and in large enterprises the list of authorized users is in constant flux. With so many people using multiple devices to access company resources across a variety of public and private clouds, it can be difficult to monitor which services are being used and how data is moving through the cloud. Tech teams need to ensure that data doesn’t get moved to storage solutions that are less secure, and they need to prevent the wrong people from getting access to sensitive information.
Complex environments
The cloud has made deploying infrastructure and apps much easier. With so many different providers and services, IT teams can choose the environment that is the best fit for the requirements of each product and service. This has led to a complex environment across on-premises, public, and private cloud. A hybrid, multicloud environment requires security solutions that work across the entire ecosystem and protect people who access different assets from different locations. Configuration errors are more likely, and it can be challenging to monitor threats that move laterally across these complex environments.
Rapid innovation
A combination of factors has enabled organizations to quickly innovate and deploy new products. AI, machine learning, and internet of things technology have empowered businesses to collect and use data more effectively. Cloud service providers offer low-code and no-code services to make it easier for companies to use advanced technologies. DevOps processes have shortened the development cycle. And with more of their infrastructure hosted in the cloud, many organizations have reallocated resources to research and development. The downside to rapid innovation is that technology is changing so fast that security standards often get skipped or overlooked.
Compliance and governance
Although most major cloud service providers comply with several well-known compliance accreditation programs, it is still the responsibility of cloud customers to ensure their workloads are compliant with government and internal standards.
Insider threats
It’s critical for IT and security teams to defend their organization from employees who might use their authorized access to cause harm—either intentionally or unintentionally. Insider threats include human error that might lead to potential security incidents, for example when an employee accidentally installs malware after responding to an email phishing campaign. Other types of threats are caused by malicious insiders who intend to cause harm, such as theft or fraud, either by acting alone or by collaborating with a cybercriminal organization. Insider risks are more difficult to detect than external threats because insiders already have access to the organization’s assets and are familiar with the company’s security measures.
Implementing cloud security
Reducing the risk of a cyberattack against your cloud environment is possible with the right combination of processes, controls, and technology.
A cloud-native application platform that includes a cloud workload protection platform, cloud infrastructure entitlement management and cloud security posture management will help you reduce errors, strengthen security and effectively manage access.
To support your technology investment, conduct regular training to help employees recognize phishing campaigns and other social engineering techniques. Make sure it’s easy for people to notify IT if they suspect they’ve received a malicious email. Run phishing simulations to monitor the effectiveness of your program.
Develop processes that help you prevent, detect, and respond to an attack. Regularly patch software and hardware to reduce vulnerabilities. Encrypt sensitive data and develop strong password policies to reduce your risk of a compromised account. Multifactor authentication makes it much harder for unauthorized users to gain access, and passwordless technologies are simpler to use and more secure than a traditional password.
With hybrid work models that give employees the flexibility to work in the office and remotely, organizations need a new security model that protects people, devices, apps, and data no matter where they’re located. A Zero Trust framework starts with the principle that you can no longer trust an access request, even if it comes from inside the network. To mitigate your risk, assume you’ve been breached and explicitly verify all access requests. Employ least privilege access to give people access only to the resources they need and nothing more.
Cloud security solutions
Although the cloud introduces new security risks, the right cloud security solutions, processes, and policies can help you significantly reduce your risk. Start with the following steps:
- Identify all the cloud service providers in use in the organization and familiarize yourself with their responsibilities regarding security and privacy.
- Invest in tools like a cloud access security broker to gain visibility into the apps and data that your organization uses.
- Deploy a cloud security posture management solution to help you identify and fix configuration errors.
- Implement a cloud workload protection platform to build security into the development process.
- Regularly patch software and institute policies to keep employee devices up to date.
- Institute a training program to ensure employees are aware of the latest threats and phishing tactics.
- Implement a Zero Trust security strategy and use identity and access management to manage and protect access.
- In the DevOps pipeline, shift security left to embed security into the code itself, so cloud-native applications start secure and stay secure.
Learn more about Microsoft Security
Microsoft Defender for Cloud
Monitor and help protect workloads across your multicloud and hybrid environments.
Microsoft Defender for Cloud Apps
Get deep visibility and control of cloud apps with a leading CASB.
Microsoft Defender for DevOps
Get unified DevOps security management across multicloud and multiple-pipeline environments.
Microsoft Entra Permissions Management
Discover, remediate, and monitor permission risks in your multicloud infrastructure.
Microsoft Defender External Attack Surface Management
Understand your security posture inside and outside the firewall.
Frequently asked questions
Cloud security is a shared responsibility between cloud service providers and their customers. Accountability varies depending on the type of services offered:
Infrastructure as a service. In this model, cloud service providers offer computing, network, and storage resources on demand. The provider is responsible for security for the core computing services. Customers must secure the operating system and everything on top of it, including applications, data, runtimes, and middleware.
Platform as a service. Many providers also offer a complete development and deployment environment in the cloud. They take responsibility for protecting the runtime, middleware, and operating system in addition to the core computing services. Customers must safeguard their applications, data, user access, end-user devices, and end-user networks.
Software as a service. Organizations can also access software on a pay-as-you-go model, such as Microsoft Office 365 or Google Drive. In this model, customers still need to provide security for their data, users, and devices.
Four tools help companies protect their resources in the cloud:
- A cloud workload protection platform helps secure the computing, storage, and networking capabilities needed by applications in the cloud. It works by identifying workloads in public, private, and hybrid cloud environments and scanning them for vulnerabilities. If vulnerabilities are discovered, the solution will suggest controls to fix the issues.
- Cloud app security brokers help IT teams gain visibility into cloud app usage and provide a risk assessment of each app. These solutions also help protect data and meet compliance goals with tools that show how data is moving through the cloud. Organizations also use cloud app security brokers to detect unusual user behavior and remediate threats.
- A cloud security posture management solution helps reduce risk by continuously looking for configuration errors that could lead to a breach. By automating the process, these solutions reduce the risk of mistakes in manual processes and increase visibility into environments with thousands of services and accounts. Once vulnerabilities are detected, these solutions provide guided recommendations to help developers correct the issue.
- Identity and access management solutions provide tools to manage identities and apply access policies. Organizations use these solutions to limit access to sensitive resources and to enforce multifactor authentication and least-privilege access.
- A cloud-native application protection platform (CNAPP) helps security teams embed security from code to cloud. CNAPP unifies compliance and security capabilities to prevent, detect, and respond to cloud security threats from development to runtime.
- Unified DevOps security management empowers security teams to unify, strengthen, and manage multiple-pipeline security, shift security left to embed security into the code itself, and support code-to-cloud protections in a single console.
There are four areas that organizations need to consider when putting in place procedures and policies to protect their clouds:
- Limiting access: Because the cloud makes everything internet accessible, it’s incredibly important to make sure that only the right people have access to the right tools for the right amount of time.
- Protecting data: Organizations need to understand where their data is located and put the appropriate controls in place to safeguard both the infrastructure where the data is hosted and stored and the data itself.
- Data recovery: A good backup solution and data recovery plan are critical in case there’s a breach.
- Response plan: When an organization is breached, they need a plan to reduce the impact and prevent other systems from becoming compromised.
- Shifting security left: Security and development teams work together to embed security into the code itself, so cloud-native applications start secure and stay secure.
- Unifying visibility of DevOps security posture: Minimize blind spots by using a single pane of glass to surface DevOps security posture insights across DevOps platforms.
- Keeping security teams focused on emerging threats: Strengthen cloud resource configurations in code to reduce security issues reaching production environments.
Organizations need to watch out for the following cloud risks:
- Compromised accounts: Attackers often use phishing campaigns to steal employee passwords and gain access to systems and valuable corporate assets.
- Hardware and software vulnerabilities: Whether an organization uses a public or private cloud, it’s critical that the hardware and software are patched and up to date.
- Internal threats: Human error is a big driver of security breaches. Misconfigurations can create openings for bad actors. Employees often click on bad links or inadvertently move data to locations with less security.
- Lack of visibility of cloud resources: This cloud risk makes it challenging to detect and respond to security vulnerabilities and threats, which can lead to breaches and data loss.
- Lack of risk prioritization: Once security admins gain visibility into cloud resources, the number of recommendations to improve the security posture might be overwhelming. It’s important to prioritize risk so admins know where to focus to make the greatest impact on security.
- High-risk cloud permissions: The proliferation of cloud services and identities has increased the number of high-risk cloud permissions, which expands the possible attack surfaces. The permission creep index (PCI) metric measures how much damage identities can cause based on their permissions.
- Emerging threat landscape: Cloud security risk is constantly evolving. To protect against security breaches and data loss, it’s important to stay up to date as new threats emerge.
- Lack of integration between cloud-native development and security: It’s critical for the security and development teams to work together to identify and fix code issues before the app is deployed to the cloud.
Cloud security refers to the technologies, procedures, policies, and controls that aim to protect cloud-based systems and data. Some examples of cloud security include:
- Tools like a cloud access security broker to gain visibility into the apps and data that an organization uses.
- Cloud security posture management to help identify and fix configuration errors.
- Tools to help security and development teams work together to embed security into the code itself.
- A cloud workload protection platform to build security into the development process.
- Implementing policies to keep employee devices up to date, including regularly patching software.
- Establishing a training program to ensure employees are aware of the latest threats and phishing tactics.
By protecting cloud systems and data from internal and external threats, cloud security reduces the risk of a cyberattack. Cloud security also supports hybrid work models by controlling who has access to resources—whether employees, contractors, and business partners are working onsite or remotely. Another benefit is that cloud security enhances data privacy and helps organizations comply with regulations like GDPR and HIPAA. Failure to comply with these regulations might result in expensive fines and reputational harm.
Best practices for cloud security span your organization’s technology, processes, and controls, including:
- Making sure that your cloud-native application platform includes a cloud workload protection platform, cloud infrastructure entitlement management, and cloud security posture management to help you reduce errors, strengthen security, and effectively manage access.
- Conducting regular trainings to help employees recognize phishing campaigns and other social engineering techniques. Also, implementing processes that help you prevent, detect, and respond to an attack, including encrypting sensitive data, regularly patching software and hardware, and developing strong password policies.
- Adopting a Zero Trust framework that explicitly verifies all access requests. This includes employing least-privilege access to only give people access to the resources they need and nothing more.
- Shifting security left in the DevOps pipeline empowers security and development teams to work together to embed security into the code itself, so cloud-native applications start secure and stay secure.