13 Cloud Security Best Practices for 2023

eSecurityPlanet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

From the very beginning of the cloud computing era, security has been the biggest concern among enterprises considering cloud services. For many organizations, the idea of storing data or running applications on infrastructure that they do not manage directly seems inherently insecure, along with the risk of data traveling across the public internet to get to and from those services.

According to Netwrix’s 2022 Cloud Data Security report, 53% of organizations reported an attack on their cloud last year, and most of those attacks led to unplanned expenses to fix security gaps.

Enterprises that don’t want to be part of that statistic should understand and implement cybersecurity best practices and tools to protect their cloud infrastructure. Although these measures don’t prevent every attack, they do help businesses shore up their defenses, protect their data, and implement strong cloud security practices.

One key way to improve cloud security is to make sure that users and devices connecting to cloud apps are as secure as possible. Kolide — this article’s sponsor — works with Okta to ensure that only secure devices access cloud applications and resources, enabling zero trust, device trust, and patch management.

Cloud Security Best Practices

1. Understand Your Shared Responsibility Model

In a private data center, the enterprise is solely responsible for all security issues. But in the public cloud, things are much more complicated. While the ultimate obligation lies with the cloud customer, the cloud provider assumes responsibility for some aspects of IT security. Cloud and security professionals call this the shared responsibility model.

Leading infrastructure as a service (IaaS) and platform as a service (PaaS) vendors like Amazon Web Services (AWS) and Microsoft Azure provide documentation to their customers so all parties understand where specific responsibilities lie according to different types of deployments. The diagram below, for example, shows that application-level controls are Microsoft’s responsibility with software as a service (SaaS) models, but it is the customer’s responsibility in IaaS deployments. For PaaS models, Microsoft and its customers share the responsibility.

cloud security shared responsibility model
Cloud security shared responsibility model. Source: Microsoft

Enterprises that are considering a particular cloud vendor should first review its policies about shared security responsibilities and understand who is handling the various aspects of cloud security. That can help prevent miscommunication and misunderstanding. More importantly, though, clarity about responsibilities can prevent security incidents that occur as a result of a particular security need falling through the cracks.

Also read: Cloud Security: The Shared Responsibility Model

2. Ask Your Cloud Provider Detailed Security Questions

In addition to clarifying shared responsibilities, organizations should ask their public cloud vendors detailed questions about the security measures and processes they have in place. It’s easy to assume that the leading vendors have security handled, but security methods and procedures can vary significantly from one vendor to the next.

To understand how a particular cloud provider compares, organizations should ask a wide range of questions, including:

  • Where do the provider’s servers reside geographically?
  • What is the provider’s protocol for suspected security incidents?
  • What is the provider’s disaster recovery plan?
  • What measures does the provider have in place to protect various access components?
  • What level of technical support is the provider willing to provide?
  • What are the results of the provider’s most recent penetration tests?
  • Does the provider encrypt data while in transit and at rest?
  • Which roles or individuals from the provider have access to the data stored in the cloud?
  • What authentication methods does the provider support?
  • What compliance requirements does the provider support?

3. Deploy an Identity and Access Management Solution

Another major threat to public cloud security is unauthorized access. While hackers’ methods of gaining access to sensitive data are becoming more sophisticated with each new attack, a high-quality identity and access management (IAM) solution can help mitigate these threats.

Experts recommend that organizations look for an IAM solution that allows them to define and enforce access policies based on least privilege, or zero trust principles. These policies should also be based on role-based access control (RBAC) permissions. Additionally, multi-factor authentication (MFA) can further reduce the risk of malicious actors gaining access to sensitive information. Even if they manage to steal usernames and passwords, they’ll have a much harder time completing biometric scans or requests for a text code.

Organizations may also want to look for an IAM solution that works in hybrid environments that include private data centers as well as cloud deployments. This can simplify authentication for end users and make it easier for security staff to ensure that they’re enforcing consistent policies across all IT environments.

Read more: Best IAM Tools & Solutions

4. Train Your Staff

To prevent hackers from getting their hands on access credentials for cloud computing tools, organizations should train all workers on how to spot cybersecurity threats and how to respond to them. Comprehensive training should include basic security knowledge like how to create a strong password and identify possible social engineering attacks as well as more advanced topics like risk management.

Perhaps most importantly, cloud security training should help employees understand the inherent risk of shadow IT. At most organizations, it’s all too easy for staff to implement their own tools and systems without the knowledge or support of the IT department. Without top-to-bottom visibility of all systems that interact with the company’s data, there’s no way to take stock of all vulnerabilities. Enterprises need to explain this risk and emphasize the potential consequences for the organization.

Organizations also need to invest in specialized training for their security staff. The threat landscape shifts on a daily basis, and IT security professionals can only keep up if they are constantly learning about the newest threats and potential countermeasures.

Frequent conversations about good security practices establishes better accountability between peers and between managers and direct reports, too. Establishing accountability looks like:

  • Making sure every employee knows the security expectations in your organization. This might look like thorough cybersecurity training for new hires or quarterly sessions for the whole company.

  • Having frequent conversations about topics like data privacy, proper password management, and protecting the physical premises. The more you talk about it, the harder it is to ignore.

  • Asking good questions. Even questions like “does this rule make sense?” or “what’s the hardest security regulation our organization expects people to keep?” can open dialogue and reveal why some employees aren’t inclined to follow the rules.

Read more: Best Cybersecurity Awareness Training for Employees

5. Establish and Enforce Cloud Security Policies

All organizations should have written guidelines that specify who can use cloud services, how they can use them, and which data can be stored in the cloud. They also need to lay out the specific security technologies that employees must use to protect data and applications in the cloud.

Ideally, security staff should have automated solutions in place to ensure that everyone is following these policies. In some cases, the cloud vendor may have a policy enforcement feature that is sufficient to meet the organization’s needs. In others, the organization may need to purchase a third-party solution like a cloud access security broker (CASB) that offers policy enforcement capabilities. CASB is a broad cloud security tool that can prevent data loss, control access and devices, discover shadow IT and rogue app usage, and monitor IaaS configurations, a source of many cloud data breaches, and secure access service edge (SASE) tools expand those protections even further.

Zero trust tools and controls can also help by offering refined control over policy enforcement. Tools in this category work with other systems to determine how much access each user needs, what they can do with that access, and what it means for the broader organization.

See the Top Cloud Access Security Broker (CASB) Solutions

6. Secure Your Endpoints

Using a cloud service doesn’t eliminate the need for strong endpoint security—it intensifies it. After all, in many cases it’s the endpoint that’s connecting directly to the cloud service.

New cloud computing projects offer an opportunity to revisit existing strategies and ensure the protections in place are adequate to address evolving threats.

A defense-in-depth strategy that includes firewalls, anti-malware, intrusion detection, and access control has long been the standard for network and endpoint security. However, the list of endpoint security concerns has become so complex in the cloud era that automation tools are required to keep up. Endpoint detection and response (EDR) tools and endpoint protection platforms (EPP) can help in this area.

EDR and EPP solutions combine traditional endpoint security capabilities with continuous monitoring and automated response. Specifically, these tools address a number of security requirements, including patch management, endpoint encryption, VPNs, and insider threat prevention, among others.

Read more: Top Endpoint Detection & Response (EDR) Solutions

7. Encrypt Data in Motion and At Rest

Encryption is a key part of any cloud security strategy. Not only should organizations encrypt any data in a public cloud storage service, but they should also ensure that data is encrypted during transit—when it may be most vulnerable to attacks.

Some cloud computing providers offer encryption and key management services. Some third-party cloud and traditional software companies offer encryption options as well. Experts recommend finding an encryption product that works seamlessly with existing work processes, eliminating the need for end users to take any extra actions to comply with company encryption policies.

Read more: Best Encryption Software & Tools

8. Use Intrusion Detection and Prevention Technology

Intrusion detection and prevention systems (IDPS) are among the most effective tools on the market. They monitor, analyze, and respond to network traffic, either as a standalone solution or part of another tool that helps secure a network like a firewall.

Major cloud services like Amazon, Azure and Google Cloud offer their own IDPS and firewall services for an additional cost. They also sell services from cybersecurity companies through their market places. If you’re working with sensitive data in the cloud, these add-on security services are worth the cost.

Read more: Best Intrusion Detection and Prevention Systems

9. Double-Check Your Compliance Requirements

Organizations that collect personally identifiable information (PII), including those in retail, healthcare, and financial services, face strict regulations when it comes to customer privacy and data security. Some businesses in certain geographic locations—or businesses that store data in particular regions—may have special compliance requirements from local or state governments as well.

Before establishing a new cloud computing service, your organization should review its particular compliance requirements and make sure that a service provider will meet your data security needs. Staying compliant is a top priority. Governing bodies will hold your business responsible for any regulatory breaches, even if the security problem originated with the cloud provider.

Related: Best Third-Party Risk Management (TPRM) Tools

10. Consider a CASB or Cloud Security Solution

Dozens of companies offer solutions or services specifically designed to enhance cloud security. If an organization’s internal security staff doesn’t have cloud expertise or if the existing security solutions don’t support cloud environments, it may be time to bring in outside help.

Cloud access security brokers (CASBs) are tools purpose-built to enforce cloud security policies. They have become increasingly popular as more organizations have started using cloud services. Experts say that a CASB solution may make the most sense for organizations that use multiple cloud computing services from different vendors. These solutions can also monitor for unauthorized apps and access too.

CASBs cover a wide range of security services, including data loss prevention, malware detection, and assistance with regulatory compliance. CASBs have integrations with multiple SaaS and IaaS platforms, needing to work with many different cloud-based software solutions to secure an organization’s entire infrastructure. Consider CASB providers that support all your business’s cloud-based tools.

And CASB’s not the only solution for securing cloud environments. Others include cloud-native application protection (CNAPP) and cloud workload protection platforms (CWPP)

See the Top Cloud Security Companies

11. Conduct Audits, Pentesting and Vulnerability Testing

Whether an organization chooses to partner with an outside security firm or keep security functions in-house, experts say all enterprises should run penetration tests and vulnerability scans. Pentesting helps organizations determine whether existing cloud security efforts are sufficient to protect data and applications, and cloud vulnerability scanners can find misconfigurations and other flaws that could jeopardize your cloud environment.

Additionally, organizations should conduct regular security audits that include an analysis of all security vendors’ capabilities. This should confirm that they are meeting the agreed-upon security terms. Access logs should also be audited to ensure only appropriate and authorized personnel are accessing sensitive data and applications in the cloud.

Read more:

12. Enable Security Logs

In addition to conducting audits, organizations should enable logging features for their cloud solutions. Logging helps system administrators keep track of which users are making changes to the environment—something that would be nearly impossible to do manually. If an attacker gains access and makes changes, the logs will illuminate all their activities so they can be remediated.

Misconfigurations are one of the most significant challenges of cloud security, and effective logging capabilities will help connect the changes that led to a particular vulnerability so they can be corrected and avoided in the future. Logging also helps identify individual users who may have more access than they actually need to do their jobs, so administrators can adjust those permissions to the bare minimum.

Cloud services providers offer logging, and there are third-party tools available also.

13. Understand and Mitigate Misconfigurations

It’s important not just to log data on misconfigurations but also to reduce them overall. Some cloud services give read permissions or administrative capabilities to any user, including someone outside the organization who might be able to access the bucket from their web browser. This type of misconfiguration opens the door for malicious actors to not only steal from a bucket but also potentially move laterally through the storage infrastructure if they gain the right information.

Additionally, if an account’s permissions are misconfigured, an attacker that steals credentials could escalate their administrative permissions for that account. This allows further data theft and potential cloud-wide attacks.

Even if the work is tedious, your enterprise’s IT, storage, or security teams should personally configure every single bucket or groups of buckets. Receiving help from dev teams is a good idea, too — they can ensure that web cloud addresses are properly configured. No cloud bucket should have default access permissions. Determine which user levels need access — whether view-only or editing permissions — and configure each bucket accordingly.

Also read: Cloud Bucket Vulnerability Management

What are the Biggest Threats to Cloud Security?

There’s a reason so many companies are concerned about security in their public cloud environments. Having data in a provider’s data center, especially in a shared hosting environment, can make IT and security teams feel out of control. Although these concerns aren’t insurmountable, they’re valid. The following threats weaken enterprises’ cloud security posture.

Cloud misconfigurations

A misconfigured bucket could potentially give access to anyone on the internet. If a cloud resource’s settings aren’t configured to only users in your organization, authenticated cloud users from other organizations could access its data, too. API security is another important cloud connection to watch.

Unnecessary access

Some organizations may be tempted to give equal access permissions to all members of their IT, cloud, and storage teams. But this opens the door for permissions misuse: not all team members, particularly junior ones, need cloud admin privileges. Additionally, there’s always the possibility of insider threat, and to reduce the chance of an internal breach, reducing admin privileges to a few trusted team members is best. Additionally, data downloads should also have strict controls.

Cloud vendor weaknesses

Not all cloud providers have equal levels of security, and In public cloud hosting, the weaknesses of one cloud instance can affect all the others on the same host, even if the corrupted instance is from a different organization. Businesses also have less control over the security for their public cloud instances in general, since those often reside in remote data centers. DDoS attacks are another common threat that cloud services face, but they are generally prepared to maintain access as much as possible when these occur.

Employee errors

These include misconfigurations, but they also include mistakes like sending passwords in plaintext over online services or clicking a suspicious link in an email. Even downloading malware onto a computer can compromise cloud accounts if the user has file syncing set up on the device and a file is corrupted.

Bottom Line: Implementing Strong Cloud Security Practices

Although businesses consider the cloud to be one of their biggest vulnerabilities, it doesn’t have to be an open avenue for attackers. Tightening access controls, conducting regular cloud audits, and implementing strong encryption are just a few ways that your business can take ownership of cloud environment security. Understanding providers’ security procedures not only helps you choose the right vendor but also helps you better manage your own responsibilities.

The fact is that cloud service providers generally have pretty secure environments, and your biggest risks will be how you connect to the cloud and control data and access. The good news in that is it puts cloud security in your hands—all the more reason to learn cloud security best practices.

This article was originally published on May 24, 2017 and was updated by Jenna Phipps on March 21, 2023.

Read next: Top Secure Access Service Edge (SASE) Providers

Cynthia Harvey
Cynthia Harvey
Cynthia Harvey is a freelance writer and editor based in the Detroit area. She has been covering the technology industry for more than fifteen years.

Latest articles

Top Cybersecurity Companies

Get the Free Newsletter!
Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.

Related articles