Cloud security control is a set of security controls that protects cloud environments against vulnerabilities and reduces the effects of malicious attacks.
A wide-ranging term, cloud security control includes all of the best practices, procedures, and guidelines that have to be implemented to secure cloud environments. Cloud security controls help companies address, evaluate, and implement cloud security.
In cloud computing, a cloud service provider hosts a company’s applications on its servers and makes them available over the Internet, while on-premises software is deployed in-house on a company’s own servers.
Since cloud computing differs from an on-premises deployment, it’s reasonable to expect that cloud security will also be different. It’s critical that organizations understand how cloud security differs from data center security before they migrate to the cloud. It’s also important for companies to implement security controls once they’ve finished the migration.
While cloud service providers offer a range of cloud security tools and services to secure customers’ networks and applications, the organizations’ administrators have to implement the necessary security controls. In addition, when companies move their sensitive data and applications to the cloud, user access takes place remotely. Consequently, administrators also have to implement cloud-based user access controls.
To become more agile, companies are distributing their cloud-based applications and sensitive data among a variety of cloud service and deployment models.
Deployment Models
There are three main types of cloud deployment models: public, private, and hybrid.
Public clouds
In a public cloud, providers such as AWS (Amazon Web Services) and Microsoft Azure own the infrastructure, physical network, and hypervisor. The company owns the operating system, applications, virtual network, access to its tenant environment, and the data. Public cloud services may be free or offered through a variety of subscription or on-demand structures, including a pay-per-usage model.
The public cloud providers assume the responsibility for deploying cloud security controls for the cloud infrastructure. The organization has to implement security controls for the operating system, the applications, supporting infrastructure, and other assets running in the cloud.
However, some IT decision-makers are under the impression that public cloud providers are responsible for deploying security controls to protect their sensitive data as well as their applications in the cloud.
Private clouds
A private cloud consists of computing resources used exclusively by one business or organization. The private cloud can be physically located at an organization’s on-site data center, or it can be hosted by a third-party service provider. But in a private cloud, the services and infrastructure are always maintained on a private network, and the hardware and software are dedicated solely to that organization. In this way, a private cloud can make it easier for an organization to customize its resources to meet specific IT requirements.
Hybrid clouds
Hybrid clouds combine on-premises infrastructure, or private clouds, with public clouds so organizations can reap the advantages of both. In a hybrid cloud, data and applications can move between private and public clouds for greater flexibility and more deployment options. For instance, you can use the public cloud for high-volume, lower-security needs such as web-based email, and the private cloud (or other on-premises infrastructure) for sensitive, business-critical operations, such as financial reporting.
In a hybrid cloud, “cloud bursting” is also an option. This is when an application or resource runs in the private cloud until there is a spike in demand (such as a seasonal event, like online shopping or tax filing), at which point the organization can “burst through” to the public cloud to tap into additional computing resources.
Service Models
Software as a service (SaaS)
SaaS vendors are mainly responsible for implementing cloud security controls for their platforms, including infrastructure and application security. However, SaaS vendors don’t own customer data and they’re not responsible for how customers use their applications. Rather, the organization is responsible for deploying cloud security controls to prevent and reduce the risk of malicious attacks.
Infrastructure as a service (IaaS)
IaaS delivers on-demand compute, network, and storage resources over the Internet on a pay-per-usage model. IaaS enables companies to run any operating system or applications on rented servers without the expense of operating and maintaining those servers. IaaS scales up and down automatically. Additionally, organizations don’t have to manually provision and manage physical servers in data centers.
Platform as a service (PaaS)
With the PaaS model, a cloud vendor provides a platform to customers to allow them to develop, run, and manage applications without having to build and maintain any infrastructure. A PaaS vendor hosts the hardware and software, including storage, network, servers, and data infrastructure, on its own infrastructure. The PaaS service provider also supplies the development tools, data management, and middleware, as well as the business intelligence software and services developers need to build their apps.