Understanding
public cloud
security

Newly remote workforces have put an emphasis on cloud computing, but its use was already on the rise across organizations. Now, Gartner predicts that global end-user spending on public cloud services will grow 18% this year.¹

Just as cloud computing became a crucial tool for worker productivity, questions surrounding public cloud security were necessitated due to high-profile breaches involving some popular cloud options. For example, one of the biggest data breaches in 2019— the theft of neatly 100 million records from a credit card issuer -- involved the Amazon Web Services (AWS) public cloud, while early in 2021, a cyber incident was announced by security firm Malwarebytes that likely occurred through Microsoft's Azure cloud.

Even if your company has made the leap to cloud computing, understanding how to secure your data and applications—and how that security aligns with business goals and operations—is a continuous process.

A public cloud is a shared service available to anyone, either for free or through a paid service subscription. While only you and your organization have access to your cloud, your cloud is one of hundreds of thousands hosted by the same provider. It is private to you, but it differs from a private cloud, which is a service not shared with anyone else and is often housed in an on-premises server. A hybrid cloud is an environment that uses both public and private cloud options, orchestrating between platforms.

Many organizations turn to private clouds to hold and process the most sensitive data and applications but rely on public clouds for the bulk of their computing services. Smaller companies will often use the public cloud for all of their IT needs. Public clouds are ideal for companies that are growing, as clouds can scale to operations without the need to purchase new hardware. And they are cost-effective, as companies only pay for what they need.

Public cloud computing's initial launch into the mainstream was delayed largely because of the concerns surrounding its security. Today, public cloud security may be stronger than any other part of your network infrastructure, including the private cloud. It just takes the right information and understanding of your role to keep the public cloud secure.

While the private cloud offers more direct security coverage—your IT and/or security team is directly responsible for all security or it is outsourced to a single managed security service provider—public cloud security requires a shared-responsibility approach. The cloud service provider is responsible for securing the cloud infrastructure; the cloud user handles the security for everything in the cloud, including all data and applications. So rather than needing to worry about securing the entire infrastructure, users have to focus primarily on what's in their cloud and how their cloud is used.

The biggest risk to the public cloud is user behavior. When a breach occurs, too often blame lands on the cloud provider, but in truth, it is most commonly caused by something the cloud user did. Misconfiguration during the DevOps process is usually the culprit. This can involve poor encryption, particularly in data buckets; lack of strong authentication controls; or unrestricted access.

Other risks to public cloud security include:

• Poor visibility into the cloud. Many cloud service providers limit how much visibility is allowed into the public cloud in order to protect the privacy of other tenants. So visibility is often just at a surface level, hiding problems with the network and/or applications. If a cyber threat lingers deep into the cloud infrastructure, that, too, is hidden from the user until it might be too late.
• Growing in scale without ensuring security tools are flexible enough to keep up. The great thing about the public cloud is that it is scalable, growing (or shrinking) as your business needs require without the need for extra hardware. That often means running new applications or having different data protection needs. However, traditional security tools are designed to meet specific issues; they aren't always agile enough to meet the needs of the new environment. If you don't recognize that and rethink your security, you could be leaving data and infrastructure unprotected.
• An increasing attack surface. The public cloud offers a large playground for cyber criminals. Hundreds of endpoints offer potential entry into the cloud environment, and the multi-tenant public cloud opens the risk of malware and other threats to infiltrate the cloud architecture.

If your organization decides on public cloud adoption, security measures must be a key part of the migration plan. Security measures to deploy include:

• Tools that will identify misconfigured S3 buckets, the prime target for hackers.
• Identity and access management tools and other authentication processes to prevent credential theft and stuffing.
• Next-gen web-application firewalls to control traffic.
• Data-centric security systems to provide high levels of protection and governance for sensitive data.
• Security awareness training for anyone accessing the public cloud.

The public cloud is a secure option for any organization that wants to expand its cloud environment or for those that don't have the capabilities for an on-premises cloud. But how secure your public cloud is depends on the levels of security you decide to deploy and your user behavior, as well as a secure infrastructure from your cloud service provider. 

Learn more about what information to store on public clouds vs. private clouds.