Definition

cloud security architecture

Tom Nolle

By

Tom Nolle, Andover Intel

What is cloud security architecture?

Cloud security architecture is a security strategy designed around securing an organization's data and applications in the cloud. It is a critical extension of enterprise security, and it requires an architecture to connect it with an overall security approach. As more organizations shift and share their data in the cloud, the more important it becomes to have a security architecture in place.

The cloud can be delivered in multiple formats. As such, cloud security architectures are designed to work in a combination of SaaS, PaaS and IaaS environments, as well as the public and private cloud.

Cloud security architecture works on the basis of shared responsibility between an organization and a cloud service provider (CSP). This doesn't mean an organization has less responsibility, though. In general, a cloud security architecture should follow cloud security best practices. The responsibilities each party has may depend on what the CSP offers and how it delivers its services.

Why is a cloud security architecture important?

The difference between "cloud security" and "cloud security architecture" is that the former tends to be built up from problem-specific measures while the latter is built down from threats. A cloud security architecture can reduce or eliminate holes in security that point-solution approaches almost certainly leave. It does this by building down -- defining the threats starting with the users, moving to the cloud environment and CSP and then to the applications. Cloud security architecture can also reduce redundancy in security measures -- things that won't contribute to threat reduction but increase both Capex and Opex.

A cloud security architecture also organizes security measures to make them more consistent and easier to sustain over time, in particular during cloud deployment and redeployment. Security often erodes because it's illogical or complex. A proper cloud security architecture can identify these defects.

Elements of a cloud security architecture

The best way to approach a cloud security architecture is to start with a statement of goals. The architecture has to address three things: an attack surface presented by external access interfaces, a protected asset set that represents the information being protected, and attack vectors and mechanisms designed to inflict indirect attacks somewhere along the path.

The goal of a cloud security architecture is met through a series of functional elements. These elements are often considered separately rather than as part of a coordinated architectural plan. This includes access security or access control, network security, application security and contractual security as well as monitoring, sometimes called service security. Finally, there's data protection, which is the measures that are applied at the protected-asset level.

A complete cloud security architecture addresses the goals by uniting the functional elements.

Cloud security architecture and the shared responsibility model

Security and security architectures for the cloud aren't single-player processes. Most enterprises will retain a large chunk of their IT workflow within their data center, local networks and VPN. The cloud adds additional players to this, so it's critical that a cloud security architecture be a part of a broader shared responsibility model.

A shared responsibility model is both an architecture diagram and a contract form. It exists in a formal sense between a cloud user and each CSP, as well as providers of a network service if they're contracted separately. Each typically divides the components of a cloud application into layers, with the top layer being the responsibility of the customer and the bottom layer being the responsibility of the CSP. Each separate function or component of the application is mapped into the appropriate layer depending on who provides it. The contract then describes what each party is responsible for doing, how the boundary points are recognized and how problems are isolated and assigned to a party.

A master model can be constructed to combine the individual responsibility models for all the service providers used. If done carefully, this is a critical tool in assigning fault and coordinating remediation when something goes wrong.

Cloud security architecture design patterns

There are two levels of design pattern used in cloud security architectures. The general, high-level patterns describe the following:

Security controls, which define the overall interplay of the functional elements in a security architecture.
Trust boundaries that define the relative level of security and the scope of any identity or permission rights.
Standard interface points and API models.
Encryption algorithms and key management.
Token management for identity and permission exchanges.
Security event logging.

Those developing their own cloud applications can use design patterns to create a secure application access framework. Note that this option is not likely available for third-party software, but it may be possible to audit the design patterns used by the vendor as part of the selection process. Design patterns also typically address access security but won't eliminate the need for other functional elements of a good security architecture.

The three dominant cloud security architecture design patterns are the federated identity pattern, the gatekeeper pattern and the valet key or token that conveys specific rights to access a resource. The first is a means of establishing user identity and sharing identity credentials. The second defines a "firewall" element that sits between user and resource and validates credentials and rights. The third is a token or mechanism to allow a user or module to access a resource or service for a specific, limited purpose.

Variations on the theme for IaaS, PaaS and SaaS

Cloud services vary from IaaS, where a virtual host is provided, through PaaS, which incorporates platform tools and middleware, to SaaS, where CSPs offer the entire application. The shared responsibility model looks different for each type of cloud service.

With IaaS, the CSPs offer only a hosting resource. The majority of application-related security responsibilities lie with the customer or a contracted agent. The relationship between the network, application and the IaaS is defined by network middleware. IaaS places greater network security requirements on the user.

PaaS typically includes middleware and other software elements. These elements are presented as "services" to the application. This means the cloud security model must focus more on the securing of services and the creation of trust zones -- which include the service elements, such as microservices, that make up an application. The user is responsible for maintaining overall application security.

With SaaS, the CSP is responsible for security within the application, meaning internal component workflows. The network relationship between the SaaS and the user is typically defined as a set of RESTful APIs. Both the user and network provider share responsibility for the security of access to those APIs.

Where there are multiple cloud service types in use, users often employ the concept of cloud security postures and use cloud security posture management to automate security responses across the full collection of cloud services.

Cloud security architecture planning and best practices

The best way to plan and execute a proper cloud security architecture is to work outward from the key resources. This means an organization should identify any APIs used to connect workflows within the cloud between applications, as well as those that connect the cloud with the data center or other clouds and databases. These define the protected assets.

Each of these assets is referenced by users, applications or components. Each of these references must be validated, meaning the elements certified to use them have to be identified and their scope of use established. This creates a chain of reference that ultimately reaches the users themselves.

The functional elements of a cloud security architecture -- access security, network security, application security, contractual security and monitoring and data protection -- are then applied within this structure. At any point where a protected asset or reference chain is exposed, it creates an entry point for a security threat. Most cloud security architectures impose layers of protection based on those five functional elements -- a defense-in-depth model.

This was last updated in July 2023

Continue Reading About cloud security architecture

Cloud-native security architecture principles and controls

101 guide on cloud security architecture for enterprises

Secure multi-cloud with architecture and governance focus

Implement Kubernetes for multi-cloud architecture security

Cloud security top risk to enterprises in 2023, says study

Dig Deeper on Compliance

Is network automation adoption necessary?
Automation is not a one-size-fits-all strategy for every network problem. Enterprises must examine their network's needs to ...
How SD-WAN for home offices supports remote work
The market maturation of SD-WAN is leading companies to consider extending the technology to remote workers. Companies should ask...
The role of generative AI in networking
As networks grow more complex, generative AI emerges as a tool that can help network teams with a wide range of tasks, such as ...

CIO

Ally's generative AI strategy eyes multiple LLMs, AI agents
The digital bank plans to privately host multiple LLMs on its GenAI platform, explore autonomous agent technology and evaluate ...
States act on privacy laws as Congress considers new bill
The American Privacy Rights Act introduced this week aims to establish a national privacy standard that would preempt state ...
CHIPS and Science Act funds TSMC, Intel projects
The Biden administration has awarded billions through the CHIPS and Science Act to five companies to invest in building and ...

Enterprise Desktop

How to remove a device from Intune enrollment
When a device reaches its end of life, IT needs to remove that device from any management software, such as Microsoft Intune. But...
Windows XP EOL anniversary: 10 years of endpoint evolution
Windows XP EOL meant upgrading to Windows 7, but times have changed. IT pros can use the next upgrade cycle as an opportunity to ...
Guide to Linux patch management
While patching desktops has some universal aspects across systems, there are specific Linux best practices that Linux ...

Cloud Computing

10 cloud vulnerabilities that can cripple your environment
Enterprises can be devastated by security-related weaknesses or flaws in their cloud environments. Find out where you are most ...
Learn the basics of industry cloud platforms
Healthcare, finance and other specialized industries can ask a lot of cloud services. Find out more about industry cloud ...
Compare ESG tools from AWS, Azure and Google Cloud
ESG standards are beginning to influence how large enterprises procure and consume cloud services. Take a closer look at the ...

ComputerWeekly.com

VMware’s APAC customers weigh in on licensing changes
VMware customers in the region are concerned about higher costs even as they see the benefits of subscription-based pricing and ...
Mandiant formally pins Sandworm cyber attacks on APT44 group
Mandiant has formally attributed a long-running campaign of cyber attacks by a Russian state actor known as Sandworm to a newly ...
Wireless Logic enters Starlink orbit for IoT deployments
Global internet of things connectivity platform provider joins forces with satellite broadband constellation to offer fully ...

Close