The Role of Cybersecurity in Cloud Computing

The shift to cloud-based computing solutions has allowed companies to store large amounts of data and extract insights. However, this digital transformation also introduces new threats and challenges, mainly due to unethical cybersecurity initiatives.

Given the unique structures of different cloud computing environments, there’s no one-size-fits-all answer to securing online data. This article explores the importance of cloud computing cybersecurity and its critical aspects for securing user data and applications against emerging threats.

Cloud computing moves the processing of datasets from offline and on-premises servers to cloud servers, which requires constant connectivity over the internet or intranet. The cloud security challenges you may face with your cloud computing environment depend primarily on its type, with multi-tenant environments being the least private and most prone to attacks due to their shared nature.

Additionally, cloud environments tend to be more complex than their static counterparts due to features like dynamic provisioning, Software-as-a-Service (SaaS), and the constant allocation of resources. This complexity is further compounded by the shared responsibility model, which divides the obligations of security and privacy between the Cloud Service Providers (CSPs) and their clients.

A cloud’s security is tightly linked to the safety of the data and applications it hosts.¹ Unlike data that can only be accessed on-premises, cloud-based data is connected to the open internet, which makes it particularly vulnerable to cyberattacks.

Malicious actors can uncover vulnerabilities and use brute force to access servers without authorization, damaging the data’s security and integrity. That’s why implementing robust security controls at every layer of the cloud architecture plays a vital role in mitigating vulnerabilities and protecting against unauthorized access.

When setting up a cloud environment, you should have a number of necessary security measures in place:

“Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext … The purpose of data encryption is to protect digital data confidentiality as it is stored on computer systems and transmitted using the internet or other computer networks.”² Strong cloud encryption protects data in transit and at rest.³ It maintains the privacy and integrity the data, even if it is intercepted or leaked in a data breach.

Limiting data and application access strictly to users and employees who use them greatly reduces the chances of internal attacks and exploits. You can limit your user base using access management in the cloud.

“Cloud configuration management is the practice of organizing and maintaining settings, parameters and policies that govern the setup and operation of cloud services within a cloud environment. It encompasses monitoring changes in cloud infrastructure components like virtual machines, storage resources, networks and applications. By effectively managing these configurations, organizations can ensure their cloud environments are secure and compliant with industry standards.”⁴ Strict configuration management, such as automated sign-outs and two-factor authentication (2FA), ensures that employee privileges aren’t easily exploitable.

Specialized software such as Endpoint Detection and Response (EDR), that monitors the access points to a cloud environment and is capable of taking independent action to intercept an attack and mitigate the damages, can help detect and prevent cyberattacks.

When it comes to cloud-based systems, the risk factor is never zero. That’s why risk management is an effective, essential strategy for cloud cybersecurity. It seeks to bolster cloud security by running regular scans that identify, analyze and mitigate risks.

One such strategy is incident response, which aims to manage the potential impact of a security incident. This typically includes reputation management, disaster recovery and communicating the situation promptly to data owners.

Depending on the type of data being held and processed in your cloud, there are different laws and regulations pertaining to how you’re allowed to process or store it. The same regulatory frameworks apply to cloud computing servers. Frameworks include the General Data Protection Regulation (GDPR) for data owned by EU residents and, in this country, the Health Insurance Portability and Accountability Act (HIPAA) for medical and patient information and the Payment Card Industry (PCI) Data Security Standard for financial information.

Cloud security compliance with compulsory and complementary regulations not only ensures legal and ethical adherence but also enhances the trust your clients and partners have in your cloud services.

As more companies shift operations to the cloud instead of on-premises, criminals are also devising new schemes to pinpoint and exploit weaknesses in online firewalls. That’s why emerging threats in cloud cybersecurity are becoming increasingly sophisticated, ranging from ransomware to phishing attacks, Denial of Service (DoS)/Distributed Denial of Service (DDoS) Attacks, and crypto-jacking.

Internet of Things (IoT) devices, in particular, introduce new entry points to cloud environments that are much easier to compromise.⁵ There are also growing concerns over insider threats, as more companies focus their efforts on securing the perimeter of their digital ecosystem while neglecting the interior.

Organizations are now advised to accelerate the adoption of zero-trust architecture (“a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction”⁶) and improve end-to-end encryption techniques.⁷ Other promising solutions to the high risk of cloud computing include:

• Serverless computing: “A method of providing backend services on an as-used basis. A serverless provider allows users to write and deploy code without the hassle of worrying about the underlying infrastructure”⁷
• DevSecOps (Development, Security, Operations): “An application development practice that automates the integration of security and security practices at every phase of the software development lifecycle, from initial design through integration, testing, delivery and deployment”⁸

Depending on the service-level agreement, the role of the CSP varies from only ensuring the physical security of the remote servers to implementing and managing entire cloud security solutions for their clients. This typically depends on the type of client, whether it’s an individual, a small startup renting storage and computing power, or an established organization that wants to be fully responsible for the security of its user's data.

When choosing a CSP, companies may look for specific certifications and audits that testify to the levels of security the CSP offers, such as the ISO/IEC 27001 certificate, which indicates their compliance with international industry standards and best practices.

The first step toward implementing your own cloud security measurement is to study and analyze past successful implementations. One example is The Financial Services Agency (FSA) of Japan, which partnered with Google for their cloud technology as part of the Open Policy Lab initiative.⁹

Most importantly, FSA integrated Google Cloud Armor to safeguard against internal and external threats to the agency’s cloud servers through Google’s fully managed Platform-as-a-service tools. Working with a reliable provider allowed staff more time to focus on more crucial tasks and guarantee the security of the country’s financial data.⁹

In the world of cybersecurity, needs and opportunities continue to expand. Prepare for leadership positions in this rapidly expanding field.

The online Master of Science in Cybersecurity program from Yeshiva University’s Katz School of Science and Health is ranked by Fortune magazine as this country’s #4 Most Affordable Online Master’s in Cybersecurity Degree.¹⁰ Led and taught by industry experts, the program combines a powerful cybersecurity education—the latest authoritative strategies for assessing and mitigating cyber threats, best practices for designing secure systems architecture, digital forensics methods and much more—with real-world simulations and the hands-on experience you’ll need to achieve crucial industry certifications.

Whether you're pursuing a career change or updating your current skills, the Katz School is your best next step. Contact one of our admissions outreach advisors today to learn more.