Tips and Tools to Improve Public Cloud Security

Public cloud environment cyberattacks don’t discriminate – any business of any size can fall victim to ransomware, malware, or another type of data breach. Complex cloud environments are the most targeted by cybercriminals, making it more important than ever to build a strong security plan to contend with the evolving threat landscape.

Understanding Public Cloud Security

Public cloud security is the practice of protecting data and applications on infrastructure available through a public cloud provider. In a public cloud environment, multiple organizations share resources, and the customer is responsible for different levels of security based on the service model they choose:

  • Infrastructure as a Service (IaaS): Customers manage the operating system, data, and applications while the cloud provider is responsible for managing the hardware, software, networking, and facilities that run cloud services.
  • Platform as a Service (PaaS): The PaaS provider handles the security of the platform itself. The customer must secure the applications, data, and access controls within the platform.
  • Software as a Service (SaaS): The majority of security responsibilities fall on the cloud provider, while the customer focuses on securing access to the service and managing user data.

If a public cloud environment is not secured properly, it can lead to significant financial losses, reputational damage, and legal repercussions. The average cost of a data breach involving only public cloud is $5.17 million. When a data breach affects storage across multiple environments, including public cloud, the average cost is $5.03 million. These figures underscore the importance of securing data in the public cloud.

Who is Responsible for Security in the Public Cloud?

In public cloud environments, businesses and cloud service providers operate based on a shared responsibility model. The level of service will dictate the security measures the business is responsible for versus the cloud provider.

Public Cloud Security and Compliance Standards

Many different industries also need to be compliant with various regulatory standards. Some of the most common include ISO 27001, SOC 2, PCI DSS, and HIPAA. These standards outline requirements for security protocols, certain standards for handling different types of information, and what organizations should have in place to mitigate risks common to their type of business. Non-compliance can result in fines, sanctions, and damaged reputations.

What Are Some Cloud Security Tools Offered by Public Cloud Providers?

Public cloud providers offer different cloud security tools that often accomplish similar goals. AWS has services such as AWS WAF (Web Application Firewall), GuardDuty (intelligent threat detection), and Inspector (automated vulnerability management). Azure has Azure Security Center, Defender for Cloud, and Sentinel (cloud-native SIEM and SOAR solution). Google Cloud has Cloud Security Command Center and Cloud Armor (network security).

Common Public Cloud Security Risks and Threats

Understanding the security risks common in the public cloud can help organizations decide which countermeasures will provide the most effective defense.

Misconfigurations

Misconfigurations can come in many forms, including insecure interfaces and APIs, weak access controls, and improper data encryption. Essentially, all of the tools and techniques discussed in this article can fall victim to misconfiguration, turning protective measures into additional points of exposure. It’s important to have dedicated team members monitoring public cloud security measures to spot misconfigurations before they are exploited. Automating certain tasks can also decrease the likelihood of these errors in the first place.

Data Breaches

Data breaches can happen in any environment, and without businesses taking responsibility for their part of cloud security, sensitive information can be exposed. According to IBM’s 2024 Cost of a Data Breach report, about 40% of data breaches occur in organizations where data is stored across environments, and 25% of data breaches occur in organizations where data is stored solely in the public cloud.

Insecure APIs

Public cloud services heavily rely on APIs for interaction. If APIs are not secured properly, they can be exploited to gain unauthorized access to cloud resources, leading to data theft or service disruption.

Insufficient Identity and Access Management (IAM)

Poorly managed IAM, such as excessive privileges, lack of multi-factor authentication (MFA), or ineffective role-based access control, can lead to unauthorized access and data compromise.

Shared Responsibility Confusion

Misunderstanding the shared responsibility model between the cloud provider and the customer can lead to gaps in security coverage, where critical security measures are either overlooked or incorrectly assigned.

Denial of Service (DoS) Attacks

The goal of denial of service (DoS) attacks is to overwhelm the system so that it can’t be accessed by legitimate users. Because cloud-based services rely so heavily on network connectivity and availability, they can be especially susceptible to DoS attacks.

Insider Threats

Sometimes, the greatest threats come from people who are already on the inside. Employees, users with privileged access, and contractors can all pose risks to public cloud security. This is why it’s important to regularly evaluate access controls and have monitoring in place to identify anomalous behavior.

13 Tools and Techniques to Improve Public Cloud Security

Due to the shared responsibility model and the varied nature of security concerns an organization may have in a public cloud environment, it’s important to implement different tools and techniques to improve security in the public cloud. The following are some methods you may want to incorporate to make your environment more secure.

Use a Cloud-Native Application Protection Platform

A cloud-native application protection platform (CNAPP) consolidates and simplifies the management of various public cloud security tools, allowing you to view the state of security in your environment through a single pane of glass. They also provide cross-platform capabilities spanning multiple cloud platforms, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Kubernetes, etc.

CNAPP can integrate the following:

  • Cloud Security Posture Management (CSPM): Continuously assess the security and posture of IaaS resources. This includes monitoring for misconfigurations, compliance violations, and other risks associated with IaaS environments.
  • Cloud Infrastructure Entitlement Management (CIEM): A specialized area of IAM that focuses on managing and optimizing permissions and access rights within cloud infrastructure environments providing visibility and control over permissions for IaaS, PaaS, and cloud-native services.
  • Identity and Access Management (IAM): A broad framework for managing digital identities and controlling access to resources within an organization. IAM is used for managing access to a wide range of resources, including applications, databases, networks, and cloud services.
  • Container Security: CNAPPs support container orchestration platforms like Kubernetes, ensuring security is maintained across all containerized workloads. CNAPPs scan container images for vulnerabilities, enforce secure configurations, and provide runtime protection against threats.

CNAPPs are particularly effective in modern environments that use containers, microservices, and serverless architectures, providing a unified approach to security across various cloud environments.

Implement Cloud Security Information and Event Management

With cloud security information and event management (SIEM), the system gathers and analyzes security logs from different cloud resources. The goal of cloud SIEM is to provide unified, real-time insight for threat detection (identifying incoming threats and suspicious activity) and incident response. This helps organizations respond faster to potential security issues.
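To make the cloud SIEM idea concrete, the following added example (not code from the original article or from any vendor) runs a few simple detection rules over constructed log records. The records use a simplified subset of the AWS CloudTrail field names (eventName, userIdentity, sourceIPAddress, additionalEventData.MFAUsed, responseElements.ConsoleLogin), which is an assumption for illustration; the IP addresses come from the documentation ranges and all events are invented.

```python
"""Minimal SIEM-style detections over CloudTrail-like records (added example)."""
import json
from collections import Counter

# Constructed sample records: one JSON object per line, as a SIEM would ingest
# them. Field names follow a simplified subset of the CloudTrail schema (an
# assumption) and IP addresses come from the TEST-NET documentation ranges.
SAMPLE_LOG = """
{"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2024-05-01T08:02:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2024-05-01T08:05:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2024-05-01T08:05:10Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2024-05-01T08:05:20Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.20", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2024-05-01T09:30:00Z", "eventName": "DeleteTrail", "userIdentity": {"type": "IAMUser", "userName": "mallory"}, "sourceIPAddress": "198.51.100.30"}
"""

# Events that weaken audit logging itself; a SIEM should always alert on these.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_events(log_text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def _who(event):
    identity = event.get("userIdentity", {})
    return identity.get("userName", identity.get("type", "unknown"))


def _login_result(event):
    return event.get("responseElements", {}).get("ConsoleLogin")


def login_without_mfa(events):
    """Successful console logins where no MFA factor was presented."""
    return [_who(e) for e in events
            if e.get("eventName") == "ConsoleLogin"
            and _login_result(e) == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def root_account_usage(events):
    """Any activity by the account root identity, which should be rare."""
    return [e.get("eventName") for e in events
            if e.get("userIdentity", {}).get("type") == "Root"]


def failed_login_bursts(events, threshold=3):
    """Source addresses with at least `threshold` failed console logins."""
    counts = Counter(e.get("sourceIPAddress") for e in events
                     if e.get("eventName") == "ConsoleLogin" and _login_result(e) == "Failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def logging_tampering(events):
    """Calls that stop, delete or reconfigure the audit trail."""
    return [(_who(e), e.get("eventName")) for e in events
            if e.get("eventName") in LOGGING_TAMPER_EVENTS]


def run_detections(log_text):
    """Run every rule and return (rule_name, detail) findings."""
    events = parse_events(log_text)
    findings = [("console-login-without-mfa", user) for user in login_without_mfa(events)]
    findings += [("root-account-activity", name) for name in root_account_usage(events)]
    findings += [("failed-login-burst", f"{ip} x{n}") for ip, n in failed_login_bursts(events).items()]
    findings += [("audit-logging-tampered", f"{user}:{name}") for user, name in logging_tampering(events)]
    return findings


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Each rule is a pure function over the parsed events, so the same code can be pointed at a real export once the field names are confirmed against the provider's documented schema; thresholds such as the failed-login count are parameters rather than constants buried in the rule.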

Leverage Artificial Intelligence and Machine Learning

Artificial intelligence and machine learning (AI/ML) tools can automate threat detection and response mechanisms, a vital component of modern cloud security strategies as the complexity and scale of cloud environments increase. By learning from historical behavior or expected usage patterns, these AI/ML-powered tools can enhance security by more accurately spotting anomalies that may be precursors to data breaches, enabling IT teams to respond faster.

Utilize Firewalls

Firewalls can create an initial line of defense against traffic to and from the public cloud environment. They can be customized to allow authorized connections or block traffic from certain sources. AI-powered firewalls can even use historical data to predict future potential attacks.

Integrate DevSecOps

DevSecOps offers a more proactive approach to security, placing it at the forefront of the software development and operations lifecycle. By embedding security into the CI/CD pipeline, organizations can significantly reduce the likelihood of data breaches. Unified development and operations (DevOps) teams can implement security protocols early on, ensuring that security is a core consideration throughout the software development process. DevSecOps groups can regularly run vulnerability checks and penetration testing, while automated tools can identify vulnerabilities and misconfigurations in code, further strengthening the security posture of the application.

Create a Solid Public Cloud Data Backup and Recovery Plan

Businesses should understand what backup and recovery features are available through their public cloud provider (i.e. Azure Site Recovery, AWS Backup, Google Cloud Backup) and incorporate additional controls to protect against natural disasters, data breaches, and accidental deletion.

Depending on your organization’s level of tolerance for data loss and recovery time needs, configure backups and redundancies accordingly. Multiple locations and frequent backups can help businesses achieve strict recovery point objectives and recovery time objectives (RPO and RTO). Create data retention policies for how long sensitive data should be stored. Add immutable backups that cannot be modified or deleted. Finally, regularly test your recovery procedures to ensure they work in times of crisis.

Set Up Strong Access Controls

Strong access controls can prevent unauthorized access to sensitive data and resources. These can include MFA, a security mechanism that requires users to provide two or more verification factors (something they know, such as a password; something they have, such as a smartphone or hardware token; or something they are, such as biometric data) to gain access to a system or application, enhancing security beyond just a username and password. They can also include centralized identity and access management, which controls user permissions based on identities in a central location. Under the principle of least privilege, users are given only the level of permissions needed for their job functions.

Instead of establishing settings and sticking with them, administrators should periodically review and update user permissions.
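The misconfiguration and IAM risks described earlier, and the least-privilege and MFA controls described in this section, can be checked mechanically when permissions are expressed as policy documents. The following added example (not code from the original article or from any cloud provider) lints AWS-style IAM policy documents for the usual least-privilege violations and reports Allow statements that do not require MFA; the two sample policies are constructed for the example, and `example-bucket` is a placeholder name. It also handles the real-world quirk that `Statement`, `Action`, `Resource` and `Principal` may each be a single value or a list.

```python
"""Least-privilege lint for IAM-style policy documents (added example)."""
import json

# Constructed sample: grants everything to everyone and exposes a bucket publicly.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed sample: the same read access, scoped to one bucket and gated on MFA.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


def _as_list(value):
    """Policy fields may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [(i, s) for i, s in enumerate(_as_list(policy.get("Statement")))
            if s.get("Effect") == "Allow"]


def mfa_enforced(statement):
    """True when the statement carries an aws:MultiFactorAuthPresent = true condition."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(value).lower() == "true":
            return True
    return False


def lint_policy(policy):
    """Return (statement_index, message) for each over-broad Allow grant."""
    findings = []
    for idx, stmt in _allow_statements(policy):
        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction permits every action not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "Action '*' permits every API call"))
            elif action.endswith(":*"):
                findings.append((idx, f"Action '{action}' permits every call in that service"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource '*' applies the grant to every resource"))
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            findings.append((idx, "Principal '*' makes the resource reachable by anyone"))
    return findings


def statements_without_mfa(policy):
    """Indices of Allow statements that do not require MFA."""
    return [idx for idx, stmt in _allow_statements(policy) if not mfa_enforced(stmt)]


def lint_policy_json(text):
    """Convenience wrapper for a policy document stored as JSON text."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("overly permissive", OVERLY_PERMISSIVE), ("least privilege", LEAST_PRIVILEGE)):
        print(name, lint_policy(policy), "no-MFA statements:", statements_without_mfa(policy))
```

Run as part of the periodic permission review the text recommends, a check like this turns "review and update user permissions" into a repeatable gate: policies pulled from the account are parsed and any finding blocks the change until the grant is narrowed.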

Encrypt Data

Strong encryption algorithms can protect data in transit when moving between systems and at rest when stored on cloud servers. However, the effectiveness of encryption depends on the secure management of encryption keys. Key management services (KMS) provide a centralized solution for generating, storing, managing, and distributing encryption keys. By using a KMS, organizations can ensure that encryption keys are protected from unauthorized access, reducing the risk of data breaches and minimizing the impact of potential incidents.

Ensure All APIs and Endpoints Are Secure

APIs can provide powerful connections between tools and empower integrations with legacy systems and cloud environments. However, they can also be sources of vulnerability. Any access points to the cloud environment, including APIs, should be secured using authorization controls, strong authentication requirements, and regular assessments for new vulnerabilities.

Maintain Security Patching and Updates

Unpatched systems are vulnerable to known exploits, and the longer an organization goes without performing patching and updates, the more exposure they have to breaches. The Ponemon Institute has found that 60% of breaches can be attributed to known, unpatched vulnerabilities.

A high-profile breach at Equifax was the result of failing to patch a Struts vulnerability. Worse yet, the breach happened because the team did not locate Struts in their own environment. It’s important for IT teams to understand their assets so they know what might need patching and updating.

Perform Vulnerability Assessments and Penetration Tests

Cloud environments can have weaknesses that come from nonexistent patching protocols, but other vulnerabilities can also put your systems at risk. Vulnerability assessments can help find weaknesses, and penetration tests can simulate real-world attacks to put current security controls to the test. How frequently these tests should be run depends on how high-risk the cloud environment is, but doing them at least once per year is recommended.

Establish Network Security Groups

Establishing Network Security Groups (NSGs) is a crucial step in enhancing public cloud security and controlling traffic flow within the cloud environment. NSGs act as virtual firewalls, allowing you to segment the network into smaller, isolated parts, limiting exposure and reducing the risk of unauthorized access.

By carefully configuring NSGs, you can define inbound and outbound traffic rules, specifying which protocols, ports, and source/destination IP addresses are allowed or denied. This granular control helps prevent unauthorized access, mitigate the impact of security breaches, and ensure compliance with industry regulations.
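The rule semantics just described (direction, protocol, port and source matching, with a priority order and a default deny) are easy to get wrong, and the most common mistake is an Allow rule that opens a management port to any source. The following added example (not code from the original article or from any cloud provider's tooling) models a small Azure-style NSG rule set, evaluates a connection against it the way the platform does (lowest priority number first, first match wins, deny otherwise), and lints the rules for management ports exposed to the whole internet. The rule format, the `Internet` source keyword and the sample addresses are assumptions constructed for this example.

```python
"""NSG-style rule evaluation and exposure lint (added example)."""
import ipaddress

MANAGEMENT_PORTS = {22, 3389}          # SSH and RDP
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # spellings that mean "anywhere" (assumed)

# Constructed rule set. Lower priority numbers are evaluated first.
RULES = [
    {"name": "allow-https-from-internet", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "source": "Internet", "dest_ports": "443"},
    {"name": "allow-ssh-from-anywhere", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "source": "*", "dest_ports": "22"},
    {"name": "allow-rdp-from-bastion", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "source": "10.0.1.0/24", "dest_ports": "3389"},
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "source": "*", "dest_ports": "*"},
]

# Same rule set with the SSH rule restricted to the bastion subnet.
HARDENED_RULES = [
    dict(rule, name="allow-ssh-from-bastion", source="10.0.1.0/24")
    if rule["name"] == "allow-ssh-from-anywhere" else rule
    for rule in RULES
]


def port_matches(spec, port):
    """spec is '*', a single port, a range 'lo-hi', or a comma-separated mix."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if high:
            if int(low) <= port <= int(high):
                return True
        elif int(low) == port:
            return True
    return False


def source_matches(spec, ip):
    """spec is an 'anywhere' keyword or a CIDR prefix."""
    if spec in ANY_SOURCE:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (access, rule_name) for the first matching rule, or a default deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction:
            continue
        if rule["protocol"] not in ("*", protocol):
            continue
        if not source_matches(rule["source"], src_ip):
            continue
        if not port_matches(rule["dest_ports"], dst_port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "default"


def lint_rules(rules):
    """Flag inbound Allow rules that expose a management port to any source."""
    findings = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["source"] not in ANY_SOURCE:
            continue
        exposed = sorted(p for p in MANAGEMENT_PORTS if port_matches(rule["dest_ports"], p))
        if exposed:
            findings.append((rule["name"], exposed))
    return findings


if __name__ == "__main__":
    print("original:", lint_rules(RULES))
    print("hardened:", lint_rules(HARDENED_RULES))
    print("ssh from internet, hardened:", evaluate(HARDENED_RULES, "Inbound", "Tcp", "203.0.113.5", 22))
```

Because `evaluate` reproduces the platform's ordering, it doubles as a way to test a proposed rule change before applying it: the hardened set still admits SSH from the bastion subnet while the same connection from an internet address now falls through to the deny-all rule.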

Use Monitoring and Compliance Management Tools

These tools continuously monitor cloud resources against compliance frameworks, automate compliance checks, and generate reports to meet regulatory requirements like ISO 27001, SOC 2, and PCI DSS.

Ready to Enhance Your Public Cloud Security?

Cloud security can feel complex, but implementation doesn’t have to be a one-time, large project. Businesses can add new security measures over time, starting with vulnerabilities that would have the most urgent, wide-ranging impact, while at the same time enjoying the benefits of public cloud. If you aren’t sure what to put at the top of your list, TierPoint’s IT Security Consulting or Managed Security Services in the public cloud can point you in the right direction.


