Cloud security architecture is a strategy for securing, and maintaining visibility into, an enterprise’s data and collaboration applications in the cloud, viewed through the lens of shared responsibility with cloud providers.

Cloud-enabled innovation is becoming a competitive requirement. As more enterprises seek to accelerate their business by shifting data and infrastructure to the cloud, security has become a higher priority. Operations and development teams are finding new uses for cloud services, and companies are searching for strategies to gain speed and agility. Enterprises must remain competitive by adding new collaborative capabilities and increasing operational efficiency in the cloud – while also saving money and resources.

Understanding the importance of Cloud Security Architecture

An organization’s growing reliance on the cloud comes with added security concerns. While most data outside the network resides in cloud services sanctioned by IT, countless other cloud services are used without any vetting process. This movement of data to cloud service providers and to a variety of devices challenges an enterprise’s visibility and control. Collaboration within the cloud bypasses any remaining network controls, and sensitive data accessed from unmanaged personal devices can leave the enterprise’s control entirely.

Security and risk management professionals are left with a patchwork of controls at the device, network, and cloud, with significant gaps in visibility into their data. Living with these gaps and a patchwork of security born out of the network era is an open invitation to breach attempts and noncompliance.

Many cloud providers do not provide detailed control information about their internal environments, and quite a few common security controls used internally may not translate directly to the public cloud.

Cloud Security Architecture is a shared responsibility

Cloud security is based on a shared responsibility model in which both the provider and the customer are responsible for securing the cloud. Shared responsibility does not mean less responsibility. Cloud providers cover many aspects of physical, infrastructure, and application security, while cloud customers remain responsible for specific areas of security and control that vary with the service model.

Shared Responsibility Model for Security in the Cloud

Infrastructure-as-a-Service (IaaS) – IaaS is a cloud computing model that provides virtualized computing resources, including networking, storage, and machines, accessible through the internet. In IaaS, the Cloud Service Provider (CSP) is responsible for the controls that protect its underlying servers and data, including the security of the server, storage, and networking hardware, virtualization, and the hypervisor. The enterprise’s security responsibilities include user access, data, applications, operating systems, and network traffic. According to Gartner, by 2021, 50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications, or APIs directly to the public internet, up from 25% at year-end 2018.

IaaS cloud security models also require these security features:

  • Audit and monitor resources for misconfiguration
  • Automate policy corrections
  • Prevent data loss with DLP
  • Capture custom app activity and enforce controls
  • Detect malicious user activity and behavior
  • Detect and remove malware
  • Discover rogue IaaS services and accounts
  • Identify provisioned user risk
  • Enrich native cloud platform forensics
  • Manage multiple IaaS providers

According to Gartner, through 2023, at least 99% of cloud security failures will be the customer’s fault. Through 2024, workloads that leverage the programmability of cloud infrastructure to improve security protection will demonstrate improved compliance and at least 60% fewer security incidents than those in traditional data centers. As with on-premises data centers, the majority of successful cloud attacks are caused by mistakes, such as misconfiguration, missing patches, or mismanaged credentials. To achieve more secure cloud-based infrastructure and platform services, Gartner recommends a systematic and risk-based approach for IaaS/PaaS security using a set of layered capabilities.
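The audit-and-remediate loop described above (audit resources for misconfiguration, then automate the policy correction), as an added example that is not from the original page or from McAfee. It runs in Python over a constructed, provider-neutral inventory snapshot: the inventory format, resource names and the SENSITIVE_PORTS list are assumptions for illustration, and a real deployment would populate the same structure from each CSP’s inventory API. It flags the two mistakes Gartner calls out most, a security group that admits the whole internet to an administrative port and a storage bucket readable by the anonymous principal, while leaving a public HTTPS rule and a bucket grant that is scoped by a Condition alone.

```python
"""Audit an IaaS inventory for public exposure and auto-correct it (policy as code).
Added example: the inventory below is a constructed, provider-neutral snapshot,
not a real CSP API response. Statement/Principal/Condition follow the shape of
a bucket policy; security-group rules are simplified to cidr + port range."""
import ipaddress
from copy import deepcopy

# Ports where an internet-wide ingress rule is almost always a mistake (assumed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb", 9200: "elasticsearch"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_is_risky(rule):
    """A rule is risky when it is world-open and its port range covers a sensitive port."""
    return is_world_open(rule["cidr"]) and any(
        rule["from_port"] <= port <= rule["to_port"] for port in SENSITIVE_PORTS)


def statement_is_anonymous(statement):
    """An Allow to Principal "*" (or {"AWS": "*"}) with no Condition grants anonymous access."""
    if statement.get("Effect") != "Allow" or statement.get("Condition"):
        return False
    principal = statement.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def audit(inventory):
    """Return a list of findings: world-open sensitive ports and publicly readable buckets."""
    findings = []
    for group in inventory["security_groups"]:
        for rule in group["ingress"]:
            if rule_is_risky(rule):
                exposed = [svc for port, svc in SENSITIVE_PORTS.items()
                           if rule["from_port"] <= port <= rule["to_port"]]
                findings.append({"resource": group["id"], "type": "public_ingress",
                                 "cidr": rule["cidr"], "services": exposed})
    for bucket in inventory["buckets"]:
        statements = bucket.get("policy", {}).get("Statement", [])
        if bucket.get("public_acl") or any(statement_is_anonymous(s) for s in statements):
            findings.append({"resource": bucket["name"], "type": "public_bucket"})
    return findings


def remediate(inventory, findings):
    """Return a corrected copy: drop risky ingress rules and strip anonymous bucket grants."""
    fixed = deepcopy(inventory)
    flagged = {(f["type"], f["resource"]) for f in findings}
    for group in fixed["security_groups"]:
        if ("public_ingress", group["id"]) in flagged:
            group["ingress"] = [r for r in group["ingress"] if not rule_is_risky(r)]
    for bucket in fixed["buckets"]:
        if ("public_bucket", bucket["name"]) in flagged:
            bucket["public_acl"] = False
            policy = bucket.setdefault("policy", {"Statement": []})
            policy["Statement"] = [s for s in policy.get("Statement", [])
                                   if not statement_is_anonymous(s)]
    return fixed


# Constructed inventory: one correct and one misconfigured example of each resource type.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},          # fine: public HTTPS
        {"id": "sg-db", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},              # risky: SSH to the world
            {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},       # fine: internal only
    ],
    "buckets": [
        {"name": "app-assets", "public_acl": False, "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::app-assets/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
        {"name": "customer-exports", "public_acl": True, "policy": {"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    ],
}

if __name__ == "__main__":
    found = audit(INVENTORY)
    for f in found:
        print("FINDING", f)
    print("after remediation:", audit(remediate(INVENTORY, found)))
```

The check is deliberately conservative in one direction only: a Principal of "*" is treated as non-public when the statement carries any Condition, which is right for a VPC-endpoint scope but would also accept a weak Condition, so a production rule set should inspect the condition keys rather than their mere presence. Running `remediate` on the original snapshot returns a copy, so the findings can be reviewed before the corrected state is pushed back to the provider.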

Platform-as-a-Service (PaaS) – The CSP secures the majority of a PaaS cloud service model; the enterprise remains responsible for the security of its applications. PaaS builds on IaaS, letting the enterprise deploy applications without taking on the cost and resources required to buy and manage hardware, software, and hosting. Security features in a PaaS environment can include:

  • Cloud Access Security Brokers (CASB)
  • Cloud workload protection platforms (CWPP)
  • Cloud security posture management (CSPM)
  • Business analytics/intelligence
  • Logs
  • IP restrictions
  • API gateways
  • Internet of Things (IoT)

Software-as-a-Service (SaaS) – Terms of security ownership within SaaS are negotiated with the CSP as part of the service contract. In SaaS the CSP typically owns the physical facilities, infrastructure, hypervisor, network traffic, and operating system. SaaS app and infrastructure controls on the enterprise side can include:

  • Enforce data loss prevention (DLP)
  • Prevent unauthorized sharing of sensitive data with the wrong people
  • Block sync/download of corporate data to personal devices
  • Detect compromised account, insider threats, and malware
  • Gain visibility into unsanctioned applications
  • Audit for misconfiguration

New architectural elements of enterprise security in the cloud

  1. CASB-Anchored Multi-Cloud Safety Net
    Central shared security for:
    • Cloud Edge
      • Cloud-related traffic monitoring and preventative controls
      • Data, user behavior, and activity monitoring within and across authorized and unauthorized SaaS CSPs
      • Malware protection across CSPs
      • Shadow cloud use protection
    • Cloud Infrastructure
      • Configuration management for IaaS/PaaS
      • Container security, data protection, and other shared aspects of application security
      • Traffic within/to/from IaaS/PaaS
      • Threat management

  2. Cross-CSP Identity, Authorization and Authentication
    • Must be implemented consistently across all cloud providers in use, covering identity, authorization, and authentication.

  3. CSP and Application Project Security Basics
    • Implementation, configuration, and audit of security designs and configurations that are necessarily specific to each SaaS or IaaS/PaaS CSP, such as CSP-side IAM configuration or network configuration. Often implemented initially through individual projects, then centrally for application projects within a specific CSP.

Cloud Security Architecture customer challenges and outcomes

Advanced Shadow IT
Web + CASB

  • Problem: Not all applications provide APIs for CASB data protection.
  • Solution: Seamless DLP Inspection for API & non API supported applications.
  • Outcome: Complete cloud application control of data exfiltration.

Unified Policies
CASB + DLP

  • Problem: Complexity of different engines, policies, and incidents – manual correlation.
  • Solution: Unified policies and workflow management with consistent classifications and a single pane of glass.
  • Outcome: Administrative simplicity. Efficiency & accuracy gains by not managing multiple disparate systems.

Unified Incident Management
DLP + Web + CASB

  • Problem: Loss of data protection due to cloud transformation. No clear path to secure all data.
  • Solution: Unified data & threat protection – from device to cloud.
  • Outcome: A unified management platform with minimal impact on existing data protection processes. Increased speed helps meet compliance initiatives. Complete control point coverage is gained for exfiltration.

Customer malware challenges and outcomes with convergence

Realtime Malware Protection
Web + CASB

  • Problem: Detection latency in cloud apps. IaaS and SaaS applications store both benign and malicious files, and can even deliver links into inboxes from trusted sources.
  • Solution: In-line, Proactive Advanced Malware Detection. Policy based controls to trigger in-line anti-malware via SWG.
  • Outcome: Risk Reduction while enabling appropriate cloud application use.

Control Application Processes
Web + CASB

  • Problem: Identifying and Blocking Malicious Processes or Scripts accessing cloud services.
  • Solution: Application process access control. Set access policies based on process name within the CASB registry, then block, limit, and/or monitor untrusted processes via the SWG. Dropbox.exe always goes to Dropbox – nowhere else.
  • Outcome: Additional Control Point Coverage with advanced anti-malware. Ensure trusted processes only access trusted URLs.
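The "Dropbox.exe always goes to Dropbox" rule above, as detection logic over constructed SWG log lines; this is an added example, not the page’s or McAfee’s code, and the log format, the contents of PROCESS_REGISTRY and the allow/block/monitor verdict names are assumptions rather than the CASB registry’s real schema. Beyond the rule itself it shows the domain-suffix check such a policy needs: a plain substring match would let dropbox.com.cdn-sync.net pass as Dropbox.

```python
"""Process-aware egress control: a trusted process may reach only its own
service domains; any other destination is blocked, and unknown processes are
monitored or blocked. Added example over constructed SWG-style log lines;
the registry, log format and verdict names are assumptions."""
import re

# Hypothetical process registry: lower-case process name -> domains it may reach.
PROCESS_REGISTRY = {
    "dropbox.exe": {"dropbox.com", "dropboxapi.com", "dropboxusercontent.com"},
    "onedrive.exe": {"onedrive.com", "live.com", "sharepoint.com"},
}
# Verdict for processes not in the registry: "monitor" to observe, "block" for a strict mode.
UNTRUSTED_DEFAULT = "monitor"

LOG_RE = re.compile(r"process=(?P<process>\S+)\s+dest=(?P<host>[^:\s]+):(?P<port>\d+)")


def host_matches(host, domain):
    """True if host is domain or a subdomain of it. A substring test would be wrong:
    'dropbox.com.cdn-sync.net' contains 'dropbox.com' but is not under it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def process_name(path):
    """Normalise a process field: strip a Windows or POSIX path, lower-case the file name."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(process, host, registry=PROCESS_REGISTRY, untrusted=UNTRUSTED_DEFAULT):
    """Return 'allow', 'block' or the untrusted-process verdict for one connection."""
    allowed = registry.get(process_name(process))
    if allowed is None:
        return untrusted                      # process not in the registry
    if any(host_matches(host, d) for d in allowed):
        return "allow"
    return "block"                            # trusted process, but not its own service


def evaluate_log(lines, **policy):
    """Parse SWG-style lines and return (process, host, verdict) for each connection."""
    verdicts = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue                          # not a connection record
        verdicts.append((m["process"], m["host"], evaluate(m["process"], m["host"], **policy)))
    return verdicts


# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = r"""
2024-03-01T09:12:03Z user=alice process=Dropbox.exe dest=content.dropboxapi.com:443 action=CONNECT
2024-03-01T09:12:07Z user=alice process=Dropbox.exe dest=files.pythonhosted.org:443 action=CONNECT
2024-03-01T09:13:11Z user=bob process=C:\Users\bob\AppData\Local\Temp\updater.exe dest=dropbox.com.cdn-sync.net:443 action=CONNECT
2024-03-01T09:14:40Z user=bob process=powershell.exe dest=api.dropboxapi.com:443 action=CONNECT
""".strip().splitlines()

if __name__ == "__main__":
    for proc, host, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:8} {process_name(proc):16} -> {host}")
```

Two of the four constructed lines are the interesting ones: the genuine Dropbox client reaching a package index is blocked, because a trusted process is only trusted for its own service, and the unsigned updater in a temp directory is merely monitored in the default mode but blocked when `untrusted="block"` is passed. Matching on process name alone is only as strong as the endpoint’s identification of that process; a registry keyed on code signature or hash is the stronger form of the same control.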

An example of enterprise Cloud Security Architecture

High-level layers of enterprise cloud security architecture should include the following. Design and implementation will likely be driven by at least two teams, one of which supports but is independent from the cloud deployment projects.

Let’s examine enterprise Cloud Security Architecture using McAfee Unified Cloud Edge as an example:

  1. Cross-CSP Safety Net
    Example: McAfee Cloud Edge
    • This includes CASB: configuration audit, shadow cloud use protection, controls for movement of data to other cloud providers or mobile devices, user behavior and activity management across cloud providers, DLP, and malware protection.
    • Offers a Web Protection proxy to implement preventative controls based on CASB data.
    • Provides DLP across the enterprise’s cloud providers.
  2. Cross-CSP Identity, authorization, and authentication
    • Must be implemented consistently across all cloud providers in use, covering identity, authorization, and authentication.
  3. CSP and application project security basics
    • This includes implementation, configuration, and audit of tools provided by the CSP. It is often implemented initially through individual projects, and then centrally for application projects within a specific CSP.

    [Figure: An example of enterprise Cloud Security Architecture]

    To make cloud security actionable, data must be shared with the SOC in an actionable way, hence the SOC toolset aspects of architecture on the right.

  4. Per-CSP app and infrastructure controls. The green layer in this diagram represents the individual cloud deployments and the native cloud controls that must be architected into each deployment. (This is a suggestion. Most organizations have more than four cloud providers. The point is that these sorts of controls must be included in the design for each deployment.)
  5. Unsanctioned cloud controls. The peach box to the right of the green layer represents unsanctioned uses of cloud, which can be reported on and actively governed by a safety-net layer anchored by a CASB.
  6. CASB-anchored safety net controls. The salmon layer, labeled CASB, represents a multi-cloud safety net layer, providing value for all deployments, and anchored by a CASB. This layer would also include DLP and Web Proxy tools.
  7. IAM. The yellow layer represents IAM, a foundational layer of cloud security architecture–even if not the “new perimeter” completely.
  8. SOC / central enterprise security toolset. This layer represents the SOC toolsets which must be informed to make security information actionable. To build a secure cloud architecture, implementation of the InfoSec-controlled “safety net” layer represented by McAfee’s Unified Cloud Edge is recommended.

How does the McAfee architectural strategy accelerate business?

Cloud projects are driving innovation. But the biggest slow-down for cloud projects is security. Slowing down the most critical innovation-driving or competitive-feature-matching projects in your enterprise represents serious risk.

With a multi-cloud security architecture in place, your organization can focus on per-project security work and depend upon pre-existing, cross-CSP security services managed centrally from the InfoSec team. It’s similar to how it could depend upon the network-based security safety net it had around both custom and packaged application deployments within your own data center.

This positions your enterprise to leverage cloud innovation faster, with less risk due to consistent, complete, security protection across each platform and application-focused project.

McAfee Unified Cloud Edge covers all critical cloud security use cases for Cloud Security Architecture:

  • All Cloud Services: Shadow, sanctioned, permitted, and home-built
  • All Users: Remote, on-premises, and third party
  • All Devices: Managed and unmanaged
  • Visibility: Consistent visibility to where your data and users are going.
  • Control: Control over data from device to cloud, plus UBA-powered threat protection, Data Loss Prevention (DLP), and Collaboration Controls
  • Threat Prevention: The convergence of CASB and SWG prevents zero-day malware, provides remote browser isolation, and adds cloud application control features.

[Figure: MVISION Cloud's Unique Approach]

[Figure: MVISION Cloud-Native Data Security Framework]

McAfee highly recommends security leaders work to budget, fund, and drive implementation of the InfoSec-controlled “safety net” layer represented by McAfee’s Unified Cloud Edge solution, in coordination with cloud implementations. When control for IaaS, PaaS, and SaaS is delegated to users outside IT and InfoSec, misconfigurations and unnecessary design variations can occur. It’s critical to give InfoSec teams another layer across cloud services to maintain the benefits of business acceleration from the cloud.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC, or its subsidiaries in the U.S. and other countries. Any other product names, logos, or trademarks appearing above are the property of their respective owners. McAfee is not affiliated with or sponsored by those owners.