Cloud security is not too different


Take a closer look at your current security options before investing in new ones.

Difference in degrees, not kinds

There is always someone in the room who makes a buzz about cloud security and who is even more surprised when I state that cloud security is not so different. Don’t get me wrong, cloud security is important, but it is not too different from non-cloud/on-premises security.

To elaborate, security can physically only be implemented “on” the infrastructure, endpoint, application, and data layers. Cloud is none of these layers. Put differently, cloud is just another computing resource. And just as with non-cloud/on-premises computing, security solutions can be implemented on all these physical layers.

Of course, this discussion can easily be settled by distinguishing between physical and logical types of security layers. Taking identity and access management and cloud security as examples, these concern a logical layer and not a physical one. But considering cloud from a physical point of view helps in two regards:

  1. It gets rid of the conviction that every business process you move to the cloud is insecure and that you are out of security options.
  2. It enables a critical evaluation of the security services and products you currently own. These may not yet be fully implemented/deployed, and/or not optimally combined with the other (security) services and products you already have, but could provide added security value when fully optimized. And this inherent added value may be equivalent to or even beyond the state-of-the-art, new security services and products that are being offered to you by your vendors.

Coming to the first point, it’s important to realize that you will still have the same physical layers for building your security solutions as in a non-cloud/on-premises computing scenario: infrastructure, endpoint, application, and data layer. The main difference is that cloud computing shifts the focus from you being in control of the technology yourself to being in control through several processes built on a basic level of trust in your service provider. These processes are: risk management, security assurance (aligning security controls and requirements with the cloud provider) and security compliance (checking compliance with your security requirements through instruments such as audit, pen-testing, and KPI monitoring and reporting). The degree of shift is, of course, influenced by the cloud service model (IaaS, PaaS, SaaS) and cloud deployment model/type (private, public, hybrid, community) in a specific situation.

Turning to the second point, let us consider, for example, Cloud Access Security Broker (CASB), which is often positioned as a completely new security solution. Yet, in essence, it’s an access management type of security solution that enables security solutions, such as data loss/leakage protection (DLP), to become effective again following de-perimeterization, as a consequence of adopting cloud computing and BYOD. So, logically, CASB can be seen as a Policy Enforcement Point (PEP), which requests (and enforces) decisions from a Policy Decision Point (PDP), such as DLP, data encryption, tokenization, PKI, cloud activity monitoring, malware filtering, and access and authentication management security solutions. The integrated DLP solution that comes with the CASB solution may be redundant, since you already have a DLP solution. It is also worthwhile investigating whether you can achieve the same results based on your current access management solution and DLP solution. So, my point here is that you don’t always need to invest in the latest all-singing, all-dancing product to stay secure because you may already have elements of it that just require integration.
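The PEP/PDP split described above, as an added sketch that is not from the original post: one enforcement point asks an existing access management PDP and an existing DLP PDP for a decision on a cloud upload and enforces the combined result. All names, the allow-list and the DLP pattern are constructed, and the deny-overrides, fail-closed combining rule is an assumption of this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    managed_device: bool
    destination: str   # cloud service the upload is headed to
    content: str

# PDP 1: stand-in for an existing access management solution.
SANCTIONED = {"files.example.com"}   # constructed allow-list

def access_pdp(req):
    if req.destination not in SANCTIONED:
        return "deny", "unsanctioned cloud service"
    if not req.managed_device:
        return "deny", "unmanaged (BYOD) device"
    return "permit", "access policy satisfied"

# PDP 2: stand-in for an existing DLP engine (one constructed rule).
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def dlp_pdp(req):
    if CARD_LIKE.search(req.content):
        return "deny", "card-number-like data in upload"
    return "permit", "no sensitive pattern matched"

def enforce(req, pdps):
    """PEP: ask every PDP, combine with deny-overrides, fail closed."""
    reasons = []
    for pdp in pdps:
        try:
            decision, reason = pdp(req)
        except Exception as exc:   # PDP unreachable or crashed: treat as deny
            decision, reason = "deny", f"{pdp.__name__} failed: {exc}"
        if decision != "permit":
            reasons.append(reason)
    return ("block", reasons) if reasons else ("allow", [])

if __name__ == "__main__":
    uploads = [  # constructed sample requests
        Request("alice", True, "files.example.com", "quarterly notes"),
        Request("alice", True, "files.example.com", "card 4111 1111 1111 1111"),
        Request("bob", False, "files.example.com", "holiday photos"),
    ]
    for req in uploads:
        print(req.user, enforce(req, [access_pdp, dlp_pdp]))
```

Swapping a PDP means changing the list passed to `enforce`, which is the integration point to examine when checking whether a bundled DLP engine duplicates one you already run.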

Think out of the box

To sum up, don’t be too rigid when it comes to assessing the risks of business cloud services. A lot of security options are available for cloud if you are willing to think out of the box. In a business highly dependent on interorganizational collaboration, cloud can even be a security enabler. Consider, for example, federated identity management, which enables organizations to retain control over their key security processes (identity, authorization, access, and authentication) while providing efficiency regarding operations. In other words, focus on enabling your business with security and avoid being perceived as a business disabler, which in the end simply won’t provide the required level of cloud security.

Look before you leap!

More importantly, try to understand what the new security service or product provides to you beyond the face value. You may come to interesting conclusions about your current (security) solutions and discover interesting avenues for cost savings!

