Cloud Computing Security
What Is Cloud Computing Security?
Cloud computing security is a field of information security concerned with protecting data, applications, and infrastructure deployed in cloud environments. It addresses the confidentiality, integrity, and availability of resources that are operated by third-party providers, accessed over shared networks, and often co-located with other tenants on common physical hardware. The field draws on cryptography, access control theory, network security, and regulatory compliance to manage risks that are distinct from, though related to, those of traditional on-premises data centers. The fundamental security challenge of cloud computing is that the consumer delegates control over the physical infrastructure, and depending on the service model also the hypervisor, operating system, and runtime, to a provider. The result is a shared-responsibility model in which some security obligations fall to the provider while others, in particular data classification, identity and access configuration, and application security, always remain with the consumer.
NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, provides a widely cited framework for understanding how security responsibilities are distributed between cloud consumers and providers, and recommends specific controls organizations should apply when outsourcing data and applications to public cloud environments.
Threat Landscape and Attack Surfaces
Cloud environments introduce attack surfaces that do not exist in the same form on-premises. Multi-tenancy, in which multiple organizations share physical servers and storage, creates the risk of cross-tenant data leakage through side-channel attacks on shared hardware (for example, cache-timing attacks between co-resident virtual machines) or through flaws or misconfiguration in hypervisor isolation. Distributed denial-of-service attacks targeting cloud-hosted applications can exhaust provider-allocated bandwidth or drive auto-scaling until the resulting bill, rather than lost availability, becomes the damage. Insecure application programming interfaces (APIs), which are the primary access path both to cloud services and to the control plane that provisions them, represent a persistent vulnerability: poorly authenticated, over-permissioned, or insufficiently rate-limited API endpoints expose both data and infrastructure controls to unauthorized parties. Insider threats apply both to cloud provider personnel with privileged access to the physical infrastructure and to consumer employees with broad permissions within their own cloud tenancy.
Identity and Access Management
Identity and access management (IAM) is the control layer through which cloud security is most directly enforced. Cloud IAM systems assign roles and permissions to human users, service accounts, and machine identities, specifying what actions each identity is authorized to perform on which resources, usually as policy documents that the provider evaluates on every API call. The principle of least privilege, which restricts each identity to the minimum permissions required for its function, is the primary operational discipline for limiting the blast radius of a credential compromise; wildcard grants such as "all actions on all resources" are the most common violation and should be treated as findings in policy review. Multi-factor authentication for all privileged accounts and short-lived, automatically rotated credentials for service-to-service communication (obtained through role assumption or workload identity rather than static keys embedded in code or configuration) have become baseline requirements. Federation protocols such as SAML and OpenID Connect allow organizations to extend their existing identity infrastructure into cloud environments without maintaining separate credential stores.
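The least-privilege review described above can be mechanized. The following is an added example written for this article, not code from any cloud provider or project: a small linter that reads an IAM policy document and reports wildcard actions, wildcard resources, and credential- or permission-granting actions that are not gated on multi-factor authentication. The document shape (Version, Statement, Effect, Action, Resource, Condition) follows the AWS IAM JSON policy grammar; the escalation action list, the rule set, and the two sample policies (an over-broad CI service-account policy and its scoped replacement, with placeholder bucket, account and role names) are constructed for illustration.

```python
"""Least-privilege linter for IAM policy documents (added example)."""
import json
from fnmatch import fnmatch

# Actions that mint credentials or widen permissions. An identity holding
# any of these without further restriction is effectively an administrator.
# Illustrative list, not exhaustive.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PassRole",
    "sts:AssumeRole",
}


def _as_list(value):
    """IAM permits either a single string or a list in Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement applies only to MFA-authenticated sessions."""
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    return str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def lint_policy(policy):
    """Return [(statement_index, finding), ...] for Allow statements that
    violate least privilege. Deny statements only narrow access; skipped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((i, "NotAction allows every action except those "
                                "listed; enumerate the allowed actions instead"))
        if "*" in actions:
            findings.append((i, "Action '*' grants full administrative access"))
        else:
            for a in actions:
                if a.endswith(":*"):
                    findings.append((i, f"service-wide wildcard action '{a}'"))
        if "*" in resources:
            findings.append((i, "Resource '*' applies the grant to every "
                                "resource in the account"))
        # The policy's action string is the glob pattern, so "iam:*" and "*"
        # both match the escalation actions.
        escalating = sorted(p for p in PRIVILEGE_ESCALATION_ACTIONS
                            if any(fnmatch(p, a) for a in actions))
        if escalating and not _requires_mfa(stmt):
            findings.append((i, "escalation-capable action(s) "
                                f"{', '.join(escalating)} granted without an MFA condition"))
    return findings


def lint_policy_json(text):
    """Lint a policy stored as JSON text, as it would be in version control."""
    return lint_policy(json.loads(text))


# Constructed sample: a "convenience" policy often found on CI service accounts.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: the same workload scoped to what it actually does
# (read one bucket prefix, write one log group), with the one sensitive
# action gated on MFA. Bucket, account and role names are placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-build-artifacts",
                      "arn:aws:s3:::example-build-artifacts/release/*"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/ci/build:*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/deploy-prod",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for label, pol in (("overly broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        findings = lint_policy(pol)
        print(f"{label}: {len(findings)} finding(s)")
        for idx, msg in findings:
            print(f"  statement[{idx}]: {msg}")
```

Run stand-alone, the over-broad policy yields three findings (wildcard action, wildcard resource, escalation without MFA) and the scoped policy yields none. The check is deliberately syntactic: it does not resolve resource-based policies, permission boundaries, or service control policies, which can widen or narrow the effective permissions beyond what a single identity policy shows.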
Compliance and Data Privacy
Regulatory frameworks including GDPR, HIPAA, and PCI DSS impose specific requirements on how personal and sensitive data must be handled, and cloud deployments must be engineered to satisfy these obligations regardless of which party physically controls the hardware. Data residency requirements in some jurisdictions restrict where customer data may be stored and processed, compelling cloud architects to select regions explicitly and to configure replication, backup, and logging so that copies do not silently leave the permitted geography. Encryption of data in transit and at rest is a standard technical control across cloud deployments; the significant architectural decision is key management: whether keys are generated and held by the provider, managed by the consumer within the provider's key management service, or generated and held outside the provider entirely, each option trading operational convenience against how far the provider could be compelled or compromised into decrypting the data. The NIST Cybersecurity Framework provides a risk management structure, organized around the functions identify, protect, detect, respond, and recover (version 2.0 adds govern), that organizations use to assess and communicate cloud security posture. Audit logging, continuous monitoring, and automated alerting on anomalous access patterns are the operational controls that bridge the gap between written policy and real-time detection. NIST Special Publication 800-53 provides a catalog of security and privacy controls applicable to cloud systems and is the reference document organizations use to map compliance obligations to specific technical and administrative measures.
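To make the "alerting on anomalous access patterns" control concrete, here is an added example, not part of the original article and not a provider's tooling: a detector run over a handful of constructed audit records shaped like AWS CloudTrail events (userIdentity, eventName, sourceIPAddress, awsRegion, additionalEventData.MFAUsed). The four rules are this example's own illustration of controls the section names: a region allow-list backing a data-residency policy, MFA enforcement on console logins, root-account usage, and first-seen source addresses per identity against a known baseline. The event data, the allowed regions and the IP baseline are all constructed.

```python
"""Anomalous-access detection over cloud audit log records (added example)."""
from collections import defaultdict

# Constructed audit records. In practice these arrive from the provider's
# audit trail; they are embedded here so the example runs offline.
AUDIT_LOG = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "awsRegion": "eu-west-1",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "awsRegion": "eu-west-1"},
    {"eventTime": "2024-05-01T09:12:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "eu-west-1",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T23:41:00Z", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "192.0.2.44", "awsRegion": "ap-southeast-1"},
    {"eventTime": "2024-05-02T02:03:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "192.0.2.44", "awsRegion": "eu-west-1"},
]

# Constructed policy inputs: regions the residency policy permits, and the
# source addresses each identity has been observed from during a baseline.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}


def identity_of(event):
    """Name the actor: the IAM user name, or the identity type (e.g. Root)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(events, allowed_regions=ALLOWED_REGIONS, known_ips=None):
    """Run the rules over events in order and return alerts as
    (rule, identity, eventName, eventTime) tuples.

    known_ips seeds the per-identity source-address baseline; addresses not
    in that baseline are reported the first time they appear. When no
    baseline is given the rule stays silent and only learns."""
    seen = defaultdict(set)
    for ident, ips in (known_ips or {}).items():
        seen[ident].update(ips)
    alerts = []
    for ev in events:
        ident, name, when = identity_of(ev), ev.get("eventName", ""), ev.get("eventTime", "")
        if ev.get("userIdentity", {}).get("type") == "Root":
            alerts.append(("root_account_used", ident, name, when))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console_login_without_mfa", ident, name, when))
        if ev.get("awsRegion") not in allowed_regions:
            alerts.append(("region_outside_residency_policy", ident, name, when))
        ip = ev.get("sourceIPAddress")
        if ip and known_ips is not None and ip not in seen[ident]:
            alerts.append(("first_seen_source_ip", ident, name, when))
        if ip:
            seen[ident].add(ip)
    return alerts


if __name__ == "__main__":
    for rule, ident, name, when in detect(AUDIT_LOG, known_ips=KNOWN_IPS):
        print(f"{when} {rule:32} identity={ident} event={name}")
```

Against the sample records the detector raises five alerts: bob's console login without MFA, alice's bucket creation in a region outside the residency policy and from an address not in her baseline, and the root account creating an access key from that same unfamiliar address. Note the rules are stateless apart from the address baseline; a production detector would also key the baseline on time (an address last seen months ago is as suspicious as a new one) and enrich source addresses with ASN or geolocation before deciding what "anomalous" means.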
Applications
Cloud computing security has applications in a range of fields, including:
- Financial services, through encrypted transaction processing and regulatory compliance in cloud-hosted banking systems
- Healthcare IT, protecting patient records under HIPAA and similar regulations in cloud EHR deployments
- Government and defense, applying classified and controlled-unclassified information handling requirements to cloud platforms
- Enterprise software as a service, through secure identity federation and data loss prevention for SaaS applications
- Critical infrastructure protection, securing cloud-connected operational technology and industrial control systems