A Blueprint for Building Cloud Security Architecture

A robust security architecture is key in increasingly complex cloud environments.

Leverage cloud security architecture to strengthen the security of your cloud environments

The dynamic nature of cloud environments, with their scalable resources, shared responsibility models and integration with various services and platforms, presents unique security challenges. As organizations continue to migrate to the cloud, the complexity of maintaining robust security measures increases exponentially.

A reference architecture helps guide organizations through this journey. It provides architects and engineering teams a standardized guide for addressing these challenges while adhering to best practices and proven patterns.


Cloud security architecture guide for security and risk management leaders

Gartner has tapped our extensive experience to define a reference architecture that includes industry best practices, real-world insights and expert recommendations.

Use cases for cloud security architecture

Architects and engineering teams can use cloud security architecture for:

  • Software as a service (SaaS). Security controls are a must when adopting third-party SaaS applications. Consider managing access and identity, data protection and compliance within these services.

  • Infrastructure as a service (IaaS). Security is key for cloud deployments in IaaS environments like virtual machines, storage and networks in public cloud providers.

  • Platform as a service (PaaS). Secure the platforms customers use to build and deploy applications (e.g., runtime environments, databases and development tools).

  • Hybrid cloud and multicloud environments. Employ consistent security policies and practices across multiple cloud providers and across on-premises, private cloud and public cloud environments.

Gartner for Technical Professionals (GTP) is a specialized service that provides in-depth technical research and insights tailored to the needs of IT professionals and architects who are tasked with implementing technical domain strategies. Talk to Gartner to learn more.

Anatomy of a cloud security architecture

Cloud security architecture components fall into several categories:

  • Native cloud provider security enforces security requirements cost-effectively, quickly and easily across four areas: DevSecOps, infrastructure security, control and management security, and monitoring and analytics security.

  • Native SaaS security protects a specific provider’s environment.

  • SaaS security posture management (SSPM) continuously assesses a SaaS application’s security risk and manages its security posture.

  • SaaS management platforms (SMPs) simplify SaaS management by controlling behavior from a single console. They control security functions and ensure consistent governance across providers.

  • Cloud-native application protection platforms (CNAPPs) integrate security and compliance capabilities to protect cloud-native applications across development and production, reducing complexity and costs, enabling development agility and improving developer experience.

  • Cloud security processes identify the activities required to create a secure cloud environment.

  • Enterprise edge security limits unauthorized ingress to and controls egress from trusted secured networks in the enterprise.

  • Secure access service edge (SASE) delivers converged network and security-as-a-service capabilities, including software-defined wide-area network (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB), next-generation firewall (NGFW) and zero trust network access (ZTNA).

  • Security service edge (SSE) is a SASE subcomponent that secures access to the web, cloud services and private applications.

Apply key architecture principles and patterns

Cloud security architecture must strike a balance between managing risk and fostering business operations. Use the following design principles and patterns to guide your decisions about assigning security components, tools and services.

  • Automate deployment and operations to manage cloud complexity. Automation is key to scaling security measures as infrastructure expands. It frees security teams from repetitive tasks and allows them to focus on strategy.

  • Use a zero-trust approach to enforce least privilege access decisions. Zero trust combines network security elements with other identity controls.

  • Use defense in depth to prevent single-point security failures. Defense in depth is an architectural principle that involves selecting multiple layered controls to compensate for potential single points of failure.

  • Establish redundant controls. Design additional capabilities that back up primary controls in a network security architecture.

  • Apply DevSecOps. Integrate automated security and compliance testing into IT and DevOps development pipelines.

  • Build zero trust into your architecture. Replace implicit trust with continuously assessed risk and trust levels based on identity and context.

Top tips for developing a cloud security architecture

Security and risk management professionals should:

  • Review cloud service providers’ native controls to see if they meet your security requirements before deciding whether you need additional controls for your deployment. Providers are consistently expediting security capabilities, so you may be able to rely on native tools in some cases.

  • Reduce complexity whenever possible by using one third-party tool that covers all cloud environments versus numerous native tool point solutions.

  • Ensure CASB is the basis for your SaaS security. CASB is essential to protect and control access for organizations that use multiple SaaS solutions.

  • Integrate security early in the development life cycle. Take advantage of tools that identify and address vulnerabilities before they become critical issues.
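The principles above (automation, least privilege, DevSecOps) and the tip to integrate security early in the life cycle both come down to the same practice: running automated policy checks against infrastructure definitions before anything is deployed. The following is an added example, not code from the Gartner page or from any provider; it shows a minimal policy-as-code gate in Python. The plan format, resource names and severity thresholds are constructed assumptions rather than any vendor's schema, and the two rules (wildcard IAM grants, publicly reachable or unencrypted storage) are illustrative of the kind of least-privilege and data-protection checks such a gate enforces.

```python
"""Added example: a minimal policy-as-code check of the kind a DevSecOps
pipeline runs before infrastructure is deployed. The input format (a list
of resources with an IAM-style policy document or a storage block) is a
constructed, simplified stand-in for real IaC output, not a vendor schema."""
import json

# Constructed sample plan: one over-permissive role and one public bucket
# alongside two resources that follow least privilege and encrypt at rest.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"name": "ci-role", "type": "iam_role", "policy": {
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "reader-role", "type": "iam_role", "policy": {
            "Statement": [{"Effect": "Allow",
                           "Action": ["storage:GetObject"],
                           "Resource": "bucket/reports/*"}]}},
        {"name": "public-logs", "type": "storage_bucket",
         "public_access": True, "encryption": False},
        {"name": "private-logs", "type": "storage_bucket",
         "public_access": False, "encryption": True},
    ]
})


def _as_list(value):
    """IAM-style documents allow a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_iam_role(resource):
    """Flag Allow statements that grant every action or reach every resource."""
    findings = []
    for stmt in resource.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen privilege
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((resource["name"], "HIGH",
                             "wildcard action in Allow statement"))
        if "*" in resources:
            findings.append((resource["name"], "MEDIUM",
                             "Allow statement applies to all resources"))
    return findings


def check_storage_bucket(resource):
    """Flag buckets reachable anonymously or stored without encryption."""
    findings = []
    if resource.get("public_access"):
        findings.append((resource["name"], "HIGH", "bucket allows public access"))
    if not resource.get("encryption", False):
        findings.append((resource["name"], "MEDIUM",
                         "bucket encryption at rest disabled"))
    return findings


# Resource type -> check function; extend this table to add further rules.
CHECKS = {"iam_role": check_iam_role, "storage_bucket": check_storage_bucket}


def evaluate_plan(plan_json):
    """Run every applicable check and return (resource, severity, message) tuples."""
    plan = json.loads(plan_json)
    findings = []
    for resource in plan.get("resources", []):
        check = CHECKS.get(resource.get("type"))
        if check:
            findings.extend(check(resource))
    return findings


def pipeline_gate(findings, block_on=("HIGH",)):
    """True when deployment may proceed: no finding at a blocking severity."""
    return not any(sev in block_on for _, sev, _ in findings)


if __name__ == "__main__":
    results = evaluate_plan(SAMPLE_PLAN)
    for name, sev, msg in results:
        print(f"{sev:6} {name}: {msg}")
    print("deploy allowed:", pipeline_gate(results))
```

Run against the constructed plan, the gate reports two HIGH and two MEDIUM findings and refuses the deployment; the same function wired into a CI step, with the plan generated from the real IaC tool, is what "automated security and compliance testing in the pipeline" looks like in practice. Keeping the rules in a table of small functions is deliberate: each rule is testable on its own and new ones can be added without touching the gate logic.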

Cloud security architecture FAQs

What is cloud security architecture?

Cloud security architecture is a framework for protecting an organization from the unique security challenges that come with migrating to the cloud. It’s commonly used for secure software-as-a-service (SaaS) adoption, infrastructure-as-a-service (IaaS) security, platform-as-a-service (PaaS) security, and hybrid and multicloud environments.


What are cloud security processes?

Cloud security processes identify activities that must be performed as part of creating secure cloud environments. This includes architectural approaches that outline the design, implementation and management of security controls in cloud environments to protect data, applications and infrastructure from cybersecurity threats. It also includes cloud risk assessment to identify, analyze and prioritize potential security threats and vulnerabilities in cloud environments to ensure effective risk management and protection of assets.


What is a reference architecture?

A reference architecture provides a standardized blueprint that guides architects and engineering teams to adhere to best practices and proven patterns.
