Cloud security architecture is daunting. Whether your company has a cloud-first mantra or not, the pressure is on to migrate to the cloud when possible — but without compromising security. That’s a tall order. Cloud security architecture helps decision makers choose what data is suitable for which type of cloud platform and how to keep it safe. At the same time, cloud security architecture needs to work in the context of the business — without getting in the way. In this first post of our cloud security architecture mini-series, we talked to TierPoint’s Cybersecurity Architect, Tyler Reese, to learn about cloud security architecture and how to protect applications and infrastructure.
Defining cloud security architecture & the components
Interviewer: Let’s dive into the topic of cloud security architecture. First, what is it?
Tyler: Sure. Cloud security architecture applies security controls to cloud resources. The purpose is to protect data, such as intellectual property (IP), personally identifiable information (PII), and payment card (PCI) data. Ultimately, the goals of cloud security architecture are compliance, risk mitigation, and protection of the company and employees.
It’s a give and take between protecting the organization and understanding what’s feasible for the business. There’s a requirement to understand the business — what data needs to be protected and what data needs to be made highly available — so that the cloud security architecture is suitable for the business and does not hinder its users.
Interviewer: What is the cloud security architecture model?
Tyler: The cloud security architecture model differs by the type of cloud. There are four common pillars:
Identity and access management for each type of data is the first. That’s a huge focus of cloud security architecture: permissions, accounts, and delegating administration so that if one admin account is compromised, it doesn’t enable access to the entire cloud environment.
Visibility across the cloud computing ecosystem is another pillar. Visibility is needed to ensure the company can identify a risk or incident when it happens.
Regulatory or compliance requirements specific to the business are the third pillar. For example, it wouldn’t be prudent to put healthcare or financial data on a cloud platform where the company lacks visibility or access management control. In addition, the business may need to comply with regulatory consent compliance frameworks, such as GDPR (General Data Protection Regulation) in Europe and CCPA (California Consumer Privacy Act) in the US.
Integration of security into the culture of the organization and all its processes is the final pillar. That’s where DevSecOps comes in. DevSecOps brings together development, security, and operations to make everyone involved accountable for security throughout the development of every application and business project, which really pays off with better security.
Interviewer: How does it work? What are the principles of cloud security architecture?
Tyler: It’s always about a particular cloud service or platform. Cloud security architecture differs greatly from on-premises security architecture and differs greatly by cloud platform because different cloud computing environments have different security threats and security controls. What security architecture has in common across different cloud platforms is an understanding of where data is stored, which could be with a third-party provider that you don’t control or on infrastructure that you do control. In either case, cloud security architecture requires visibility and control over the data.
Application security policies vs. infrastructure security policies
Interviewer: Let’s explore cloud security architecture for applications and infrastructure. Starting with application security policy, what do executives need to pay attention to in order to ensure application security?
Tyler: Web or mobile applications are often the front door to a business. In most cases, the company meets its customers on the Internet via an application — and the app, or a database behind it, is the first target a threat actor tries to exploit. Application security policies range from secure code development, where security controls are implemented during the secure software development life cycle, to extra controls placed in front of applications — such as with an application firewall. The integration of development, quality assurance, and security engineering teams throughout the secure SDLC is a best-practice approach to application security.
At the same time, developers may miss something or the platform itself may have a vulnerability, and that’s where a security control adds value. With machine learning, the security control will learn the application — its normal behavior and functions — which enables the control to block and alert on anomalies and protect the application from threats and emerging vulnerabilities.
Interviewer: How about infrastructure security policies? What do executives need to know?
Tyler: Infrastructure security is well established and time tested across the IT industry, having matured over decades. Infrastructure security policies include encryption of data at rest, physical security at the data center, and security up the OSI stack such as the data link, network, and transport layers, including infrastructure firewall blocking for network traffic.
For stronger infrastructure security policy, more organizations now embrace strict filtering through firewall blocking policy, with explicit rules for inbound — and outbound — security policies. Outbound policies close a potentially large security gap.
Interviewer: How about security policy at the network edge?
Tyler: So when it comes to edge computing and putting the data closer to the consumer, consistent security policy across all ingress and egress points is paramount. Edge security can be controlled centrally via a management plane or a security fabric, such as Fortinet, so configuration changes of point devices are controlled at the core or a central office location for consistency.
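The delegation point Tyler makes about identity and access management (one compromised admin account should not unlock the entire cloud environment) can be checked mechanically. The following Python script is an editorial addition to this post, not Tyler's or TierPoint's code, and the policy documents in it are constructed samples written in AWS IAM JSON syntax rather than policies from any real account. It flags Allow statements that grant wildcard actions, whole-service wildcards, or NotAction on a wildcard Resource, and leaves alone statements scoped to explicit resource ARNs, which is the delegated-admin pattern described above.

```python
"""Static check for over-broad cloud IAM policies (added example).

Flags Allow statements that would let one compromised principal reach the
whole environment: wildcard actions on wildcard resources, NotAction on
wildcard resources, or a whole service ("ec2:*") on wildcard resources.
The policy documents at the bottom are constructed samples in AWS IAM
JSON syntax, not policies taken from any real account.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_wildcard(patterns):
    return any(p.strip() == "*" for p in patterns)


def find_overbroad_statements(policy):
    """Return [(sid, severity, reason)] for Allow statements on Resource '*'.

    Statements scoped to explicit ARNs are not reported: an admin role that
    is limited to named resources cannot be turned into full-cloud access
    when its credentials leak, which is the delegation pattern above.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource"))
        if not _has_wildcard(resources):
            continue  # scoped to named resources: acceptable delegation
        if _has_wildcard(actions):
            findings.append((sid, "high",
                             "Action '*' on Resource '*' grants full administration"))
        elif not_actions:
            findings.append((sid, "high",
                             "NotAction on Resource '*' allows every action not listed"))
        else:
            services = sorted({a.split(":", 1)[0] for a in actions if a.endswith(":*")})
            if services:
                findings.append((sid, "medium",
                                 "whole-service wildcard on Resource '*': " + ", ".join(services)))
    return findings


# --- constructed sample policies (hypothetical account and ARNs) ---
MONOLITHIC_ADMIN = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

NOT_ACTION_TRAP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllButBilling", "Effect": "Allow",
     "NotAction": ["aws-portal:*", "budgets:*"], "Resource": "*"}
  ]
}""")

SERVICE_WIDE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllOfEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}""")

DELEGATED_DB_ADMIN = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ManageOrdersDatabases", "Effect": "Allow", "Action": "rds:*",
     "Resource": "arn:aws:rds:us-east-1:123456789012:db:orders-*"},
    {"Sid": "ReadOnlyInventory", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "rds:DescribeDBInstances"], "Resource": "*"},
    {"Sid": "NeverTouchIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}""")


if __name__ == "__main__":
    samples = [("monolithic admin", MONOLITHIC_ADMIN), ("NotAction trap", NOT_ACTION_TRAP),
               ("service-wide", SERVICE_WIDE), ("delegated DB admin", DELEGATED_DB_ADMIN)]
    for name, pol in samples:
        print(f"{name}: {find_overbroad_statements(pol) or 'no over-broad statements'}")
```

The delegated policy passes because its write access is pinned to named database ARNs and its wildcard-resource statement only contains read-only Describe calls; the other three are exactly the shapes that turn one leaked credential into control of the whole environment.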
More on cloud security architecture
In the next part of this cloud security Q&A series, we’ll look at public cloud security architecture and how to keep data safer in a public cloud. Interested in learning more about security? Read our Strategic Guide to IT Security.
It can be daunting to undertake a cloud security architecture with only the resources in your own organization. TierPoint is a managed security services provider (MSSP) and cloud service provider (CSP). Reach out to us to discuss how we can help you.