Cloud Security 101 for CloudSec, AppSec, and SecOps Managers
Cloud security refers to a set of policies, controls, procedures, and technologies that work together to protect cloud-based systems, data, and infrastructure.
Wiz Experts Team
Main takeaways from this article:
Cloud security is the policies, controls, procedures, and technologies that protect cloud-based systems, data, and infrastructure from internal and external threats.
Two key model types in cloud computing are the cloud service and deployment models. The services you choose depend on how you want control divided between the cloud provider and your organization.
There’s a gap in cloud security: there aren’t enough specialized services built for the cloud’s unique challenges, which differ in nuanced ways from traditional cybersecurity threats.
You can adopt best practices like aligning your goals and tools to solve the cloud security gap.
Cloud-native application protection platforms (CNAPP) offer a unified solution to native, modern cloud challenges.
Cloud security encompasses the policies, controls, procedures, and technologies that protect cloud-based systems, data, and infrastructure.
Effective, high-quality security is the key to protecting your company and customers from both internal and external threats. That kind of cloud security starts with two things: understanding foundational principles and asking what they will look like in the face of future challenges.
Without understanding today's unique cloud threats, risk increases. Recently, for example, cybercriminals scanned millions of sites to find vulnerable endpoints they could profit from. Due to the complexity of cloud computing, they exploited vulnerabilities across multiple websites and stole thousands of Amazon Web Services (AWS) cloud credentials.
You can steer clear of these types of issues by learning the pillars of cloud security, where it’s headed, what solutions are available, and how a cloud security platform can help you protect your infrastructure and customers. Plus, grabbing Wiz’s free workflow handbook can help you implement an improved cloud security workflow for your organization.
The three pillars of cloud security
Three pillars form the basis for cloud security policies and other protective measures: confidentiality, integrity, and availability. But cloud security only works when the client and cloud provider share responsibilities within the environment.
One step toward sharing responsibilities for proactive cloud security is deciding on your infrastructure, such as service and deployment models.
How cloud security works across service and deployment models
Understanding cloud computing starts with getting a grasp of two key model types:
Cloud service model: Your control and management level over your cloud resources
Cloud deployment model: Where and how you host cloud environments and who can access them
Below, you’ll see how these models work.
Cloud services and use cases:
| Service model | Description | Examples |
| --- | --- | --- |
| Software as a Service (SaaS) | SaaS applications are hosted and managed by the cloud provider, and customers access them over the internet. Customers do not have any control over the underlying infrastructure or platform. | Google Workspace, Microsoft Office 365, Salesforce, Dropbox |
| Platform as a Service (PaaS) | PaaS provides customers with a platform for developing, deploying, and managing their own applications. Customers have some control over the underlying infrastructure, but they do not have to manage it directly. | Google App Engine, Microsoft Azure App Service, Heroku, Red Hat OpenShift |
| Infrastructure as a Service (IaaS) | IaaS provides customers with access to computing, storage, and networking resources that they can use to build and manage their own infrastructure. Customers have full control over the underlying infrastructure and platform. | Amazon EC2, Microsoft Azure VMs, Google Compute Engine, DigitalOcean Droplets |
Cloud deployments and use cases:
| Cloud deployment model | Description | Examples |
| --- | --- | --- |
| Public | A third party provides customers with a shared cloud computing environment with resources like servers, storage, and applications to multiple organizations online. | AWS, Google Cloud, Azure |
| Private | Customers have a cloud computing environment that’s dedicated solely to their organization. The customers host the infrastructure on-site or with a third-party provider. | On-premise data center or a third-party provider |
| Hybrid | Customers use both public and private models to save costs, increase autonomy, scalability, and operational agility, and optimize performance. | Combining private clouds with public providers such as Google Cloud, AWS, VMware, OCI, Azure, and Alibaba |
When thinking about the cloud deployment type and service model that best meets your needs, there are several factors to consider. These include the size and complexity of your IT environment, your budget, specific requirements of your applications, and the shared responsibilities you prefer.
For example, consider the following scenarios:
Organization one may choose a hybrid deployment model. It uses a SaaS offering, such as Google Workspace, for its public cloud and on-premise infrastructure for its private cloud. This allows the organization to keep the information it needs quickly on a public model while protecting critical information, such as sensitive data, based on location.
Organization two might choose a public deployment model with a PaaS. The team creates applications using Google App Engine without managing servers. This allows them to build functions quickly and scale with growing traffic as the software becomes popular.
Which deployment model you choose depends on how much control you want over your data security, how and where you want to host the environment, and who you want to access it.
Present and future: Why is cloud security important?
According to Gartner, “the fastest-growing IT market has become anything related to cloud computing.” The article continues, “In a few years, any business that expects to compete will require cloud computing. Business outcomes will hinge on an organization’s ability to execute its cloud computing strategy.”
The need for cloud computing continues to rise, but that doesn’t mean the supply of specialized cloud services will follow. That’s a gap that cloud professionals need to fill. In the chart below, you can see how the technology core remains high for barriers to entry and low in the number of vendors. This is because of the need for expertise, resources, and innovation to offer full-scale cloud solutions.
The gap in cloud security
This need for specialized cloud solutions is pivotal for the future of cloud security, especially since many traditional cybersecurity companies have only tried to adapt their current tools to a new environment, even though they’re moving to an entirely different ecosystem with unique risks.
In the Future of Tech podcast episode Cyber Threats and Cloud Security, Wiz co-founder and CTO Ami Luttwak paints a picture of the current state of cloud security, using Tesla as an example.
At first glance, a Tesla looks like a car. But when you look at the different components like the front trunk, computer, and design, you realize it’s not a car—not how we know a car to be. It’s an entirely different product, with an intentional design for every component.
Luttwak compares the concept to cloud security. “When we looked at cloud security, we saw that all of the tools used a few years ago were basically the traditional tools [...] but just adapted to the cloud,” he says. “The cloud is so vastly different than anything we’ve seen before. So how should security look for the cloud? [...] First, we have to understand the complexities of the cloud, understand why it’s different, and then reimagine how security solutions for the cloud should look.”
This deconstruction of cybersecurity, in the context of the cloud, calls for adaptations to people, process, and technology:
People: There’s a knowledge gap between traditional cybersecurity developers and cloud security teams. You can address this by recruiting specialized cloud professionals and providing continuous cloud training.
Process: Your organization should collaborate with developers, solutions providers, and their internal teams to understand the risks unique to the cloud environment, such as the transient nature of locations and devices.
Technology: The cloud environment includes hundreds of services and multiple computing methods. The technology moves fast, too. Legacy tools focus on specific parts of the cloud, such as container security solutions or cloud security posture management (CSPM), but nothing as a whole. Instead, adopt innovative tech explicitly designed for the cloud.
What’s the value of tech built just for the cloud? Luttwak brings the point home: “The cloud is so complex, you need a [platform] that understands all [its pillars].” Platforms like Wiz integrate visibility, real-time threat detection, and automation to manage the full scope of cloud security.
You can broadly categorize cloud security threats into intrinsic and extrinsic risks. These categories help organizations identify whether the risks arise from the nature of the cloud computing technology or external factors like users and other systems.
Intrinsic cloud security risks and threats are inherent to the cloud computing model.
Extrinsic cloud security risks and threats originate outside of the cloud computing environment.
| Intrinsic threats | Extrinsic threats |
| --- | --- |
| Insecure interfaces and APIs: Cloud providers offer various interfaces and APIs that allow customers to manage their cloud resources. Attackers can exploit APIs if they aren’t secure. | Misconfigurations: These primarily occur due to human error, lack of understanding, rushed deployments, or simple oversight. In other words, users’ or administrators’ external actions result in improper settings. |
| Lack of visibility: It can be challenging for cloud customers to have complete visibility into their cloud environment. This can make it difficult to identify and respond to security threats. | Phishing attacks and account hijacking: Phishing attacks, which use methods like credential harvesting and business email compromise, are common ways for attackers to access cloud accounts. Attackers can also gain access to a user's cloud service credentials and misuse the account. This is known as account hijacking. |
| Multi-tenancy: Since cloud platforms often serve multiple clients on shared resources, there's a risk that one tenant's activities might negatively affect others. | Malware attacks: These attacks, which infect servers, virtual machines, and cloud systems, can result in severe compromises. Attackers can steal data, disrupt operations, or exploit resources for malicious purposes. |
| System vulnerabilities: If your team or provider doesn’t patch risks regularly, cloud infrastructure components may have security vulnerabilities that attackers can exploit. | Zero-day attacks and supply chain attacks: Zero-day events are complicated to defend against since they exploit unknown vulnerabilities before your devs have a chance to create and distribute a patch. Supply chain attacks target third-party vendors' cloud providers. If the vendor is compromised, attackers can access cloud customer data. |
| Confusing shared responsibility model: Cloud providers are responsible for the security of the infrastructure, but cloud customers are responsible for protecting their data and applications. This can create confusion and may lead to security gaps. | Insider threats: These threats can occur when malicious employees or contractors intentionally misuse their access to cloud resources. |
3 best practices for developing a robust cloud security strategy
To defend against the threats above, CloudSec, AppSec, and SecOps teams can implement the following strategies for cloud security:
1. Align security objectives with business goals
In some orgs, it can be tough to get buy-in for security initiatives—particularly if it’s unclear how much they would contribute to long-term business goals.
To promote productive development, you have to establish a connection between security measures and business priorities. Encourage buy-in and education by consistently communicating how security investments drive long-term business value, whether in terms of customer trust, regulatory compliance, operational downtime, or innovation.
For instance, your team can start aligning security objectives by shifting security focus left and embracing DevSecOps. This kind of model, which puts security at the start of development, requires a unified platform. Jeremy Smith, VP of information security at Avery Dennison, knows this very well. Explaining his motivation to choose a holistic platform, he said: “Security cannot be a blocker. Our cloud journey is revolutionizing the company, so we must be able to secure it.” And secure it they did with the help of Wiz.
If you were to shift left within your organization, you’d enjoy similar benefits to what Avery Dennison did. You’d enhance your security posture, improve compliance, minimize downtime from threats and events, and strengthen the shared responsibility for security across your organization. So, instead of cloud security initiatives slowing down business progress, aligning security as part of the developmental process early on would lead to stronger security and overall business growth.
2. Incorporate security into the DevOps pipeline
Effective cloud security should start from the ground up. Managers can practice cloud best practices throughout the development lifecycle to find vulnerabilities in code and configurations before deployment. DevOps teams can also automate tasks to provide secure applications without slowing the innovation process.
Reducing open security tickets: Your team can leverage solutions within the CI/CD pipeline, allowing DevOps to address vulnerabilities through development and testing quickly.
Minimizing time-to-deploy: Your DevOps team may already focus on deployment time, but your security team may sometimes be able to resolve issues faster with new updates before deployment.
Shifting left: By spotting vulnerabilities before software releases, both teams can minimize security risks that may arise after deployment.
Improving time-to-remediate: Both teams can track their remediation and how long it takes to collaborate to improve their total time in the future.
Decreasing security test and audit failures: Your management can foster collective ownership for tests and security so that the team doesn’t compete or blame each other but instead works to prevent vulnerabilities as early as possible.
3. Train and empower teams for security awareness
Cloud security requires the commitment and safe practices of both the client and the cloud provider. Proactive leaders invest in continuous training for CloudSec, AppSec, and SecOps teams so that they’re all aware of the latest security measures. Additionally, they make it a priority to train all employees on best practices to avoid risks such as phishing threats and similar risks to the cloud infrastructure.
While organizations should hold regular training and education sessions, they shouldn’t be a bore or a chore to attend.
Try creating self-sustaining security programs where each team has a sense of ownership. You can even gamify sessions with real-world simulations like testing how third-party AI tools can affect your security. This more intentional approach will help you promote a culture that empowers your teams.
Trends for improved cloud security
The future calls for more adaptations to cloud security as the landscape of threats, internal needs, and innovation evolves. RSA Conference lays out key emerging trends that cloud security experts should address:
1. Adoption of quantum-resistant encryption
With quantum computing’s powerful technology, the cloud industry seeks to create long-term security within cloud environments using post-quantum algorithms. These cryptographic algorithms secure against the computational power of quantum computers.
Governments have already noticed the risk of not having this type of encryption—and many, like the US and its 2035 deadline, call for companies to equip themselves with quantum-resistant encryption methods.
Many organizations and providers have already started making changes with the latest post-quantum cryptographic tech. For example, major cloud providers like AWS and Google Cloud are integrating post-quantum cryptography protocols into their systems to address future security challenges.
2. Emphasis on zero-trust architecture
With the rise of remote and hybrid work and the nature of cloud computing, companies can’t safely rely on familiar devices or locations when users access data. This is especially true since staff errors and negligence lead to 80% of data breaches.
Zero trust requires users to verify their identity continuously. Tactics include:
Using multi-factor authentication to prove identities with passwords and biometric verification
Restricting access to pre-approved and secure devices
Implementing zero-trust networking to provide safe access to applications without exposing the whole network.
3. Move to cloud security automation
The cloud environment changes fast, and manual security processes can’t keep up with the flow of information and continuous security threats. The industry continues to look for ways to use AI and machine learning to speed up security tasks.
4. Increase in generative AI (and prepping for risks)
Your security team can harness generative AI to enhance threat detection and analysis. But AI also presents threats that you’ll need to mitigate, such as automated attack exploitation or data leakage from unvetted AI tools. You can emphasize governance and embed security into the AI pipeline to secure adoption while enabling innovation.
Security teams should work together by providing boundaries and opening a line of communication on how and what data to share and which AI tools they can use—both internally and externally.
5. Necessity of cloud-native security solutions and unity
As more organizations and users adopt cloud technology, they need solutions specifically for the cloud infrastructure to ensure adequate security.
The cloud environment includes hundreds of services and applications and is becoming increasingly complex. The more tools organizations and security teams have to manage, the more likely they are to miss gaps and serious vulnerabilities. Because of this, finding a platform to unify cloud security needs can create a safer, more secure environment.
Many of these emerging trends within the cloud security industry point to the importance of cloud-specific technologies. In other words, organizations need security that doesn’t happen to protect the cloud, but that’s explicitly designed for the cloud environment.
The cloud infrastructure should have different security controls and configurations across all five pillars of cybersecurity, such as:
Identity and access management (IAM): Only authenticated and authorized users can access cloud resources through user identity verification, role-based access control, multi-factor authentication, and user permissions management.
Infrastructure protection: This involves adding network security (firewalls and intrusion detection and prevention systems), securing servers and endpoints, and hardening virtual machines or containers.
Data protection: Your team can implement security controls to protect data at rest and in transit. This includes encryption, tokenization, data masking, and other techniques to safeguard data against unauthorized access and breaches.
Detection controls: Tools that provide real-time insights and alerts are crucial. This pillar involves implementing security controls to detect suspicious activity in your cloud environment.
Incident response: This process covers responding to and recovering from security incidents in your cloud environment. It includes a plan for identifying, containing, eradicating, and recovering from incidents.
Your team can start looking for a cloud-native security solution by understanding the risks and how to tackle them.
Types of cloud security solutions
As organizations increasingly adopt cloud services, various security solutions have emerged to address the unique challenges of cloud environments. Here's a breakdown of some of these solutions and why a modern holistic solution considers each one.
Cloud security posture management (CSPM)
CSPM provides insight into the configuration and continuous monitoring of cloud resources for customized security standards. It assesses cloud resources against the rules for proper configuration.
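The rule-based assessment described above, as an added example that is not Wiz's code or part of the original article: a small posture check run over a constructed inventory. The record fields, rule IDs, and severities are assumptions made for illustration, not any provider's or product's schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

ADMIN_PORTS = {22, 3389}  # SSH and RDP
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed inventory for illustration; field names are hypothetical.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket", "public_read": False, "encrypted_at_rest": True},
    {"id": "bucket-exports", "type": "storage_bucket", "public_read": True, "encrypted_at_rest": False},
    {"id": "fw-web", "type": "firewall_rule", "source_cidr": "0.0.0.0/0", "port": 443},
    {"id": "fw-admin", "type": "firewall_rule", "source_cidr": "0.0.0.0/0", "port": 22},
    {"id": "user-alice", "type": "iam_user", "console_access": True, "mfa_enabled": True},
    {"id": "user-build", "type": "iam_user", "console_access": True},  # MFA attribute absent
]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource_type: str
    severity: str
    description: str
    is_compliant: Callable[[dict], bool]


def open_to_any_source(cidr):
    """True when the CIDR covers every address (IPv4 or IPv6) or cannot be parsed."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except (ValueError, TypeError):
        return True  # fail closed: an unreadable source is treated as unrestricted


# Each rule passes only on an explicit compliant value, so a missing
# attribute is reported as a finding rather than silently accepted.
RULES = [
    Rule("DATA-01", "storage_bucket", "high", "Bucket must not allow public read",
         lambda r: r.get("public_read") is False),
    Rule("DATA-02", "storage_bucket", "medium", "Bucket must be encrypted at rest",
         lambda r: r.get("encrypted_at_rest") is True),
    Rule("NET-01", "firewall_rule", "high", "Admin ports must not be open to any source",
         lambda r: r.get("port") not in ADMIN_PORTS
         or not open_to_any_source(r.get("source_cidr"))),
    Rule("IAM-01", "iam_user", "high", "Console users must have MFA enabled",
         lambda r: r.get("console_access") is False or r.get("mfa_enabled") is True),
]


def evaluate(inventory, rules=RULES):
    """Return findings for every resource that violates a rule, highest severity first."""
    findings = []
    for resource in inventory:
        for rule in rules:
            if rule.resource_type != resource.get("type"):
                continue
            if not rule.is_compliant(resource):
                findings.append({
                    "resource": resource["id"],
                    "rule": rule.rule_id,
                    "severity": rule.severity,
                    "description": rule.description,
                })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["resource"], f["rule"]))
    return findings


if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(f'{finding["severity"]:<6} {finding["rule"]:<8} {finding["resource"]:<15} {finding["description"]}')
```

The `user-build` record shows why the rules fail closed: an account with no recorded MFA setting is flagged instead of passing by default.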
Cloud workload protection platform (CWPP)
CWPP scans for vulnerabilities, secrets, malware, and secure configurations within workloads across VMs, containers, and serverless functions without relying on agents.
Cloud infrastructure entitlement management (CIEM)
CIEM oversees entitlements within cloud setups. It guides the implementation of least privilege permissions while optimizing access and entitlements across the environment.
Kubernetes security posture management (KSPM)
KSPM provides comprehensive visibility into containers, hosts, and clusters. The system assesses vulnerabilities, misconfigurations, permissions, secrets, and networking risks to offer contextual insights and prioritization.
Data security posture management (DSPM)
DSPM safeguards sensitive data within the cloud environment. It identifies sensitive data and provides visibility into its location across buckets, data volumes, OS and non-OS environments, and managed and hosted databases.
Cloud detection and response (CDR)
CDR offers comprehensive visibility and automatically correlates threats across real-time signals, cloud activity, and audit logs to track attacker movements. This allows for rapid response and limits the impact of potential incidents.
While these individual tools are valuable, they can work much better as a unified system. That’s where CNAPP comes in.
The modern solution: Cloud-native application protection platform (CNAPP)
The continuous evolution of cloud environments and the complexity of managing multiple specialized security tools have driven the industry toward unifying cloud security solutions. CNAPP combines all of the above solutions into a single platform.
CNAPP integrates runtime and posture management for cloud-native applications. Instead of treating security measures as separate concerns, it provides a holistic view that encompasses preventive measures and active threat detection.
Effective CNAPPs can protect cloud-native applications throughout their entire lifecycle, from development to production. The solution can also help organizations identify and remediate security misconfigurations, detect and respond to threats, and ensure that their cloud-native applications are secure and compliant.
With tools like Wiz Code, developers can get code-to-cloud and cloud-to-code context for a holistic, thorough, and productive security process. Your team can fix security issues directly in your IDE, pull requests, or CI/CD to prevent risks from affecting your cloud.
This unification equips CloudSec, AppSec, and SecOps managers to provide adequate security for the modern and future cloud environment.
Instead of choosing individual tools from legacy security providers, you can leverage a platform that provides all the resources to protect your business, customers, and employees. This starts with identifying the right solution and workflow to create a holistic cloud security strategy.
If you want to improve your cloud security posture, focus on CNAPP solutions to streamline operations, reduce vulnerabilities, and ensure comprehensive protection.
Get Wiz’s practical guide to transform your security team, process, and tools for supporting cloud development. You’ll learn the four phases of the new cloud security model to keep your information secure, accurate, and accessible to the right people.