What Is Public Cloud Security?

Public cloud security is the set of tools and processes that an organization uses to protect the workloads and configurations it runs in a public cloud – that is, a cloud platform whose underlying infrastructure is shared by many customer organizations. It includes practices such as mitigating risks in cloud Identity and Access Management (IAM) configurations, securing cloud networks, and remediating vulnerabilities in applications deployed to the cloud.

Public cloud is everywhere, with 96 percent of organizations now using public cloud platforms. This means that the ability to secure public cloud environments and workloads is critical for virtually every modern business. However, because of the scale and complexity of public cloud environments, guaranteeing public cloud security can be a challenging task. Often, the tools and strategies that suffice for traditional, on-premises security aren’t enough in the public cloud.

What is the public cloud?

The public cloud is a type of cloud model where a cloud service provider (CSP) manages underlying cloud infrastructure and makes it available for use to any organization – hence why it’s called public cloud. The public cloud model is distinct from private cloud (where a cloud platform is dedicated for use by just one organization) and hybrid cloud (where an organization combines public cloud and on-premises resources into a unified platform).

At present, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure are the three largest public clouds. A variety of smaller public cloud platforms – sometimes called alternative clouds – also exist from vendors like Oracle and IBM.

What is public cloud security?

Public cloud security ensures that the cloud environments and workloads a business deploys in the public cloud are secure.

This is important because, although cloud service providers manage the underlying cloud infrastructure as part of what’s known as the shared responsibility model, they don’t manage or secure the applications and data that their customers deploy on their platforms. Thus, while AWS (to cite one major CSP as an example) is responsible for ensuring that the bare-metal servers that host cloud workloads are free of vulnerabilities, it expects AWS users to take responsibility for protecting any workloads they deploy on the AWS platform. The same is true of other CSPs and their cloud platforms.

This means that it falls to cloud users to detect and mitigate security risks or vulnerabilities that arise within the workloads they deploy to the cloud, as well as the configurations they create for cloud services.

Public cloud security challenges

Ensuring public cloud security can be challenging for several reasons:

  • Complexity: The major public clouds include dozens of individual cloud services that organizations can use simultaneously. With so many different services (and integrations between services) within a single cloud environment, it’s easy to make configuration mistakes that lead to security risks.
  • Scale: A business might deploy dozens or hundreds of individual workloads within a public cloud, and it could have just as many individual employees (if not more) sharing access to its cloud environment. At this scale, managing security risks can become particularly challenging.
  • Continuous change: Cloud environments are often highly dynamic; after all, part of the appeal of the cloud is that you can quickly modify your infrastructure and environment, in ways that would be challenging if you were dealing with physical on-prem infrastructure. But rapid change also creates the conditions for security risks due to oversights.
  • Attack surface: Virtually by definition, public clouds are connected to the Internet. This means that they have an attack surface that is continuously exposed to remote threat actors. You can’t simply rely on a firewall or air-gapping strategy (which entails disconnecting workloads from the network entirely) to protect public cloud workloads.
  • Shared responsibility: As noted above, public clouds operate under a shared responsibility model in which the CSP secures the underlying cloud infrastructure and customers secure whatever they choose to deploy. This model can complicate public cloud security when cloud customers misunderstand exactly which security responsibilities fall to them – especially with complex cloud service types where the line between the underlying cloud infrastructure and the customer environment is not always clear.


How does public cloud security work?

Given the complexity of public clouds and the multi-faceted security risks they face, public cloud security requires multiple capabilities. Key aspects of securing a public cloud environment include:

  • Scanning cloud service configurations to detect risks (like IaC policies that give users excessive privileges) that could lead to security breaches.
  • Deploying multiple types of application security tests – static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) – to detect security risks within applications that a business deploys to the cloud.
  • Deploying container security tools to protect applications that the organization deploys to the cloud using containers and related technology (like Kubernetes).
  • Using data discovery tools to identify sensitive cloud-based data assets that may not be properly secured.
  • Continuously monitoring cloud environments using runtime security tools to detect anomalies that may reflect a security breach or attempted breach.

Best practices for securing the public cloud

To make public cloud environments and workloads as secure as possible, consider the following best practices.

Minimize the attack surface

While you can’t unplug cloud workloads from the network, you can minimize your potential for attack by shutting down unused cloud resources and accounts. Where appropriate, you can also use virtual private clouds (VPCs) to isolate workloads from the Internet. VPCs don’t disconnect workloads entirely, but they provide a barrier at the network level between the VPC environment and the rest of your cloud environment.

Centralize security

When you need to secure cloud workloads that rely on a wide array of cloud services, it’s challenging to secure and monitor each one separately. Instead, centralize security operations across cloud services, workloads, and (if you use multiple public clouds) across cloud platforms so that you can view and manage risks from a central portal.

Enable encryption by default

While cloud services sometimes encrypt data by default, this is not always the case. To optimize security, ensure that you enable encryption automatically for data at rest and in transit, wherever possible.

Implement least privilege

Restrict each cloud user account to the minimum levels of access necessary to achieve the account’s intended purpose. For instance, if an employee only needs to be able to view data stored in the cloud and has no reason to modify it, create an account that has read-only access, not read-write access.
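The configuration scanning described above (flagging IaC or IAM policies that grant excessive privileges) and the read-only versus read-write distinction in this section can both be checked mechanically. The following is an added example, not Checkmarx code or any cloud provider's tooling: a small linter over two constructed AWS-style IAM policy documents that flags wildcard actions, wildcard resources and `NotAction` statements, and tests whether a policy is read-only. The `READ_ONLY_PREFIXES` heuristic and the sample bucket name are assumptions made for the example.

```python
import json

# Constructed sample policies for illustration only (not from any real account).
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
}

# Hypothetical heuristic: action verbs with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_excessive_privileges(policy):
    """Return (statement index, rule, detail) findings for over-broad Allow statements."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        if "NotAction" in stmt:
            # "Allow everything except X" is almost always broader than intended.
            findings.append((index, "not-action", _as_list(stmt["NotAction"])))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((index, "wildcard-action", action))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((index, "wildcard-resource", "*"))
    return findings


def is_read_only(policy):
    """True if every allowed action is a read-style verb such as s3:GetObject."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            return False  # cannot bound what an exclusion list allows
        for action in _as_list(stmt.get("Action")):
            if ":" not in action:
                return False  # bare "*" grants every action of every service
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_PREFIXES):
                return False
    return True


if __name__ == "__main__":
    for name, policy in (("overly permissive", OVERLY_PERMISSIVE_POLICY),
                         ("read-only", READ_ONLY_POLICY)):
        print(f"{name}: read-only={is_read_only(policy)}")
        for index, rule, detail in find_excessive_privileges(policy):
            print(f"  statement {index}: {rule} ({detail})")
```

Running the block reports three findings for the first policy (a wildcard action and wildcard resource in statement 0, and `iam:PassRole` on every resource in statement 2) and none for the read-only policy, which also passes `is_read_only`. The verb-prefix test is deliberately conservative: anything it does not recognize as a read verb is treated as write access, so a policy is only declared read-only when every action is accounted for.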

Continuously scan cloud environments and workloads

To ensure public cloud security, it’s not enough to perform periodic security scans, or to scan an application for vulnerabilities only during the development process. Instead, scanning and monitoring should be continuous – meaning that you scan your application at all relevant stages of the SDLC, and that you continue monitoring for security risks after deployment as part of a shift-right security strategy.

Securing the public cloud with Checkmarx

As a code-to-cloud security solution, Checkmarx delivers the comprehensive set of capabilities you need to keep cloud environments and workloads safe. Checkmarx can detect security risks in your applications across all stages of the SDLC, while also delivering features like IaC scanning to help secure cloud configurations.

Learn more by scheduling a demo.