More about Cloud Security Solutions
- The Complete Guide to Cloud Storage Security
- Cloud Ransomware: Solving 3 Key Challenges
- Cloud Malware: 5 Types of Attacks and 3 Security Measures
- Top Cloud Security Breaches and How to Protect Your Organization
- Cloud Security Best Practices: 7 Tips and Tricks
- Cloud Security Solutions Compared: 6 Solutions to Consider
- Understanding Cloud Security Challenges
- Cloud Security Architecture for IaaS, PaaS and SaaS
December 1, 2020
Topics: Cloud Insights Data ProtectionBackup and ArchiveElementary6 minute read
What is Cloud Security Architecture?
Cloud security starts with a cloud security architecture. An organization should first understand its current cloud security posture, and then plan the controls and cloud security solutions it will use to prevent and mitigate threats. This planning is critical to secure hyper-complex environments, which may include multiple public clouds, SaaS and PaaS services, on-premise resources, all of which are accessed from both corporate and unsecured personal devices.
In this article, you will learn:
- Why Do You Need a Cloud Security Architecture?
- Cloud Security Architecture Patterns
- Cloud Computing Security Architecture Per Cloud Service Model
- Adding Visibility to Your Cloud Security Architecture with NetApp Cloud Insights
Why Do You Need a Cloud Security Architecture?
As organizations become more dependent on the cloud, they must also place a bigger focus on security. Most off-network data flows through cloud-based services, yet many of these cloud services are used without any security planning.
The use of cloud service providers and multiple personal devices makes it difficult for companies to view and control data flows. Cloud collaboration bypasses ordinary network control measures. Access to sensitive data on unmanaged personal devices presents a major risk.
Related content: read our guide to cloud security threats.
Security and risk management experts find it difficult to gain visibility over a complex mix of devices, networks and clouds. These network security mosaics, fraught with hidden vulnerabilities, are an invitation for attackers to attempt breaches.
Many cloud service providers do not provide detailed information about their internal environment, and many common internal security controls cannot be directly converted to a public cloud.
For all these reasons, organizations need to think about cloud security as a new challenge, and build a cloud security architecture that will help them adequately secure this complex environment.
Cloud Security Architecture Patterns
The right pattern can help you implement security across your organization. For example, it can help you protect the CIA (confidentiality, integrity, and availability) of your cloud data assets, as well as respond to security threats. You can implement security controls directly, or use security controls as a service offered by your cloud provider or third-party vendors.
The cloud security architecture model is usually expressed in terms of:
- Security controls—which can include technologies and processes. Controls should take into account the location of each service—company, cloud provider, or third party.
- Trust boundaries—between the different services and components deployed on the cloud
- Standard interfaces and security protocols—such as SSL, IPSEC, SFTP, LDAPS, SSH, SCP, SAML, OAuth, etc.)
- Techniques used for token management—authentication, and authorization
- Encryption methods including algorithms like 128-bit AES, Triple DES, RSA, Blowfish.
- Security event logging—ensuring all relevant security events are captured, prioritized, and delivered to security teams.
Each security control should be clearly defined using the following attributes:
- Service function—what is the service’s role? For example, encryption, authorization, event data collection.
- Logical location—public cloud service, third party service, or on-premises. Location affects performance, availability, firewall policies, and service management.
- Protocol—what protocol is used to access the service? For example, REST, HTTPS, SSH.
- Input/Output – what does the service receive and what is it expected to deliver? For example, input is a JSON feed and output is the same feed with encrypted payload data.
- Control mechanisms—what types of control does the service achieve? For example, data at rest protection, user authentication, application authentication.
- Users and operators—who operates or benefits from the service? For example, endpoint devices, end users, business managers, security analysts.
Cloud Computing Security Architecture Per Cloud Service Model
The cloud security architecture model differs depending on the type of cloud service: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service). Below we explain different security considerations for each model.
IaaS Cloud Computing Security Architecture
IaaS provides storage and network resources in the cloud. It relies heavily on APIs to help manage and operate the cloud. However, cloud APIs are often not secure, because they are open and easily accessible from the web.
The cloud service provider (CSP) is responsible for securing the infrastructure and abstraction layer used to access the resources. Your organization's security obligations cover the rest of the layers, mainly containing the business applications.
To better visualize cloud network security issues, deploy a Network Packet Broker (NPB) in an IaaS environment. The NPB sends traffic and data to a Network Performance Management (NPM) system, and to the relevant security tools. In addition, establish logging of events occurring on network endpoints.
IaaS cloud deployments require the following additional security features:
- Network segmentation
- Intrusion Detection System and Intrusion Prevention System (IDS/IPS)
- Virtual firewalls placed in front of web applications to protect against malicious code, and at the edge of the cloud network
- Virtual routers
SaaS Cloud Computing Security Architecture
SaaS services provide access to software applications and data through a browser. The specific terms of security responsibility may vary between services, and are sometimes up for negotiation with the service provider.
Cloud Access Security Brokers (CASB) offers logging, auditing, access control and encryption capabilities that can be critical when investigating security issues in a SaaS product. In addition, make sure your SaaS environment has:
- Logging and alerting
- IP whitelists and/or blacklists
- API gateways, in case the service is accessed via API
PaaS Cloud Computing Security Architecture
PaaS platforms enable organizations to build applications without the overhead and complexity associated with managing hardware and back-end software. In a PaaS model, the CSP protects most of the environment. However, the company is still responsible for the security of the applications it is developing.
Therefore, a PaaS security architecture is similar to a SaaS model. Ensure you have CASP, logging and alerting, IP restrictions and an API gateway to ensure secure internal and external access to your application’s APIs.
Adding Visibility to Your Cloud Security Architecture with NetApp Cloud Insights
NetApp Cloud Insights is an infrastructure monitoring tool that gives you visibility into your complete infrastructure. With Cloud Insights, you can monitor, troubleshoot and optimize all your resources including your public clouds and your private data centers.
Cloud Insights helps you find problems fast before they impact your business. Optimize usage so you can defer spend, do more with your limited budgets, improve security and detect ransomware attacks through better visibility, and easily report on data access for security compliance auditing.
In particular, NetApp Cloud Insights helps you discover your entire hybrid infrastructure, from the public cloud to the data center.
Schedule time to speak with a specialist about how NetApp Cloud Insights can help your organization. Learn how you can better optimize your IT Infrastructure with NetApp Cloud Insights here.Read next: