Cloud Security Defined

• Enable artificial intelligence (AI) and machine learning (ML) to automatically adapt to and address security threats
• Use autonomous capabilities to scale security responses, remediate risks, and eliminate errors
• Proactively protect data with access controls, manage user risk and visibility, and provide tools for discovery and classification
• Follow the cloud shared security responsibility model to knowingly cover the security activities between the customer and cloud service provider
• Build security into the design of the architecture for a “security first” approach

Cloud security provides organizations with an approach to address security requirements and ensure organizations adhere to regulatory compliance requirements. Effective cloud security requires multiple layers of defense throughout the cloud technology stack comprised of:

• Preventive controls designed to block authorized access to sensitive systems and data
• Detective controls designed to reveal unauthorized systems and data access and changes through auditing, monitoring, and reporting
• Automated controls designed to prevent, detect, and respond to security updates—both regular and critical
• Administrative controls designed to address security policies, standards, practices, and procedures

Machine learning and artificial intelligence extend contextual awareness technologies across a cloud security portfolio. With cloud security, businesses have protection across IaaS, PaaS, and SaaS, extending security to the network, hardware, chip, operating system, storage, and application layers.

Cloud security is a shared security responsibility between the cloud provider and the customer. The cloud shared security responsibility model is a foundational cloud security and risk management construct for conveying the division of labor between the cloud service provider and service subscriber. A clear understanding of the shared security responsibility model for all types of cloud services is critical for cloud security programs. Unfortunately, it can also be said that the shared security responsibility model is one of the least understood security concepts in the cloud. In fact, only 8 percent of CISOs fully understand their role in securing SaaS versus cloud service provider (CSP) . Simply stated, the shared security responsibility model outlines the cloud service provider’s area of responsibility regarding maintaining security and availability of the service, and the customer’s responsibility to ensure secure use of the service and where both share a specific duty.

It’s necessary for companies to understand their responsibilities. Failure to adequately protect data can lead to severe and costly consequences. Many organizations that will experience the result of a breach may not be able to absorb the cost, even large companies may see the impact to its financials. The point of a shared security responsibility model is to provide flexibility with built-in security permitting quick deployment. Therefore, organizations must comprehend their cloud security responsibilities—generally referred to as security “of” the cloud versus security “in” the cloud.

Today, enterprises are offered a wide range of cloud security tools to secure their environments when moving workloads and data to the cloud. However, some of these tools come with bespoke instructions and are offered as individual services. Cloud users and administrators are expected to know how cloud security services work, how to configure them correctly, and how to maintain their cloud deployments. While there’s no shortage of security options, they can be complicated to set up and it can be easy to make a mistake in one area. In addition, the incessant cycle of phishing, malware, increasing cyber fraud, and a range of misconfigured cloud services further stretch already challenged cybersecurity programs. This has resulted in organizations experiencing data breaches and resulting brand damage, recovery costs, and fines. Below are several important requirements for keeping cloud data secure:

• Shared security responsibility and trust: Trust is paramount in choosing a cloud partner to uphold its end of the shared security model. Organizations must have a clear understanding of roles and responsibilities and access to independent third-party security audits and attestations.
• Automation and machine learning: Cloud threats are moving at machine speed while traditional enterprise security analyzes and reacts at human speed. Modern security in cloud environments must automate threat detection and response. Advanced threats require security solutions that bring a new level of sophistication to threat prediction, prevention, detection, and response with machine learning.
• Defense-in-depth: Multiple layers of security through the entire technology stack must include preventive, detective, and administrative controls for the right people, processes, and technology to help secure the cloud providers physical data centers.
• Identity management: As mobile devices, apps, and user personas become more ubiquitous, identity has become the new perimeter. Controlling access and privileges in the cloud and on-premises based on secure credentials is critical.
• Visibility: A cloud access security broker and cloud security posture management solution extends visibility and control across an organization’s entire cloud environment.
• Continuous compliance: Regulatory compliance is not optional, and compliance and security are not the same thing. Organizations can experience compliance violations without a security breach, for example, due to configuration drift and errors. It is essential for companies to have a cloud management solution that provides comprehensive, timely, and actionable compliance-related data across its cloud environments.
• Security by default: Security controls should be enabled by the cloud provider by default, instead of requiring the business to remember to turn on security. Not everyone has a strong understanding of different security controls and how they work together to mitigate risk and implement a complete security posture. For example, data encryption should be turned on by default. Consistent data protection controls and policies need to be enforced across the clouds.
• Monitoring and migration: Security policies for cloud tenancies and compartments should be set up and enforced for administrators to help secure workloads. A unified view of cloud security posture across cloud tenants is also essential to detect misconfigured resources and insecure activity across tenants and provides security administrators with visibility to triage and resolve cloud security issues.
• Separation of duties and least privilege access: The principles of separation of duties and least privilege access are security best practices that should be implemented across cloud environments. Doing so helps ensures individuals don’t have excessive administrative rights and cannot access sensitive data without additional authorization.

As cloud adoption continues to accelerate as a result of digital transformation priorities, companies must anticipate and navigate the complexities of securing their cloud environments. It is essential to choose a cloud provider that designed security to be built-in automatically across the entire cloud stack (IaaS, PaaS, SaaS). Additional considerations in the future of cloud security include:

• Cloud infrastructure security: Protect workloads with a security-first approach across compute, network, and storage of the cloud infrastructure—starting with the architecture. Leverage essential security services to provide the required levels of security for your most business-critical workloads.
• Database cloud security: Reduce the risk of a data breach and accelerate compliance in the cloud. Adopt database security solutions that include encryption, key management, data masking, privileged user access controls, activity monitoring, and auditing.
• Cloud applications security: Securing critical applications against fraud and misuse is essential for protecting your organization’s business-critical data. Fine-grained access controls, visibility, and monitoring are critical components of today’s layered defenses.
• Corporate security and privacy: Protect the confidentiality, integrity, and availability of the data and its systems that are hosted in the cloud, no matter which cloud product is chosen.
• Advanced customer service: When transitioning to cloud or multi-cloud environments, security teams are challenged by an expanding attack surface, alert overloads, and a cybersecurity skills shortage. Adopt advanced services from your cloud service provider to help address these challenges.
• Identity and access management (IAM): Control access to who has access to your data, what type of access they have, and to which specific resources using secure credentials, regardless of whether they’re hosted in the cloud or on-premises.

1. Oracle and KPMG Cloud Threat Report (PDF)
2. Technical primer: Securing the Oracle Database (PDF)