5 cloud security basics and best practices

Oct 24, 2019 | 4 mins
Cloud Computing, Cloud Security, Security

Companies that move to the cloud have to assume new responsibilities, develop new skill sets and implement new processes. The first step to better cloud security is to assume you have no security.


Cloud computing has transformed the way businesses work and continues to disrupt traditional business models. IDC predicts that by 2023 public cloud spending will more than double, growing from $229 billion this year to nearly $500 billion.

It’s no secret that migrating to the cloud can deliver significant cost and efficiency gains. You can spin up cloud instances in minutes and can scale up or scale down resources as needed. At the same time, you only pay for what you use while avoiding high upfront hardware costs and maintenance.

Opportunities multiply, but so do risks

Let’s not forget: you’re storing corporate data on someone else’s computer. You control it, but it’s still owned by a third party. Even though your cloud service provider environment is highly secure, what’s inside your cloud (applications and data) is your own responsibility.

Cloud computing security is on boardroom agendas as its impact can have serious consequences on corporate reputation and shareholder value. Data moving to the cloud beyond the traditional perimeter has led to the expansion of the attack surface. As more and more sensitive information gets stored on the cloud, cloud resources will be increasingly targeted by cyber criminals. 

Getting ready for the new threat landscape

As organizations move to the cloud, they will have to assume new responsibilities and develop and adapt processes to combat a multitude of unknown threats.

The secret to better cloud security is assuming that there is no security at all while taking stock of your entire security posture.

There are several elements to public cloud security and it can be difficult to figure out where to start. If you’re already on the cloud or are planning on moving on to one, here are five best practices you can follow to safeguard your public cloud adoption.

1. Know your responsibility

Security in cloud computing is based on a shared responsibility model. While the service provider has a responsibility to safeguard the physical network and ensure the security of the infrastructure, it’s the customer’s responsibility to secure data, applications, and content, including elements such as user access and identity. Remember that you’re responsible for managing and securing anything you place on the cloud.

2. Integrate compliance

Regulations are one of the major drivers of demand for next-gen cloud security services. The only way to ensure compliance with new and upcoming regulations is by integrating compliance into your daily activities, along with real-time snapshots of your network topology and real-time alerts on any changes in policy. Put yourself in the auditors’ shoes: think of all the items they would ask for when auditing your network, and actively incorporate those reports into your routine.

3. Automate your defenses

Automation is a critical component of cloud security. Security audits, controls, patching and configuration management — all of these can be automated and can help reduce the risk significantly. Provided the right tools and processes are in place, automation greatly reduces the risk of human error, is critical to managing change at scale and can also prevent the next security breach. A secure, automated cloud platform can help monitor the network in real time and provide you the ability to rapidly respond to threats.
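The snapshot-and-alert idea from practice 2 and the automated audit from practice 3 can be combined in one small check. The sketch below is an added example, not code from the article or from any vendor: the rule format, the sample snapshots and the `PUBLIC_OK_PORTS` allow-list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample snapshots (hypothetical rule format, not a provider's API output).
BASELINE = [
    {"group": "web", "port": 443, "cidr": "0.0.0.0/0"},
    {"group": "web", "port": 22, "cidr": "10.0.0.0/8"},
    {"group": "db", "port": 5432, "cidr": "10.0.1.0/24"},
]
CURRENT = [
    {"group": "web", "port": 443, "cidr": "0.0.0.0/0"},
    {"group": "web", "port": 22, "cidr": "0.0.0.0/0"},        # source range widened
    {"group": "db", "port": 5432, "cidr": "10.0.1.0/24"},
    {"group": "db", "port": 3389, "cidr": "203.0.113.0/24"},  # new rule
]
PUBLIC_OK_PORTS = {80, 443}  # assumption: only web ports may face the internet

def _key(rule):
    """Normalise a rule to a hashable key so snapshots can be compared as sets."""
    return (rule["group"], rule["port"], str(ipaddress.ip_network(rule["cidr"])))

def is_internet_exposed(rule):
    """True when the rule admits any source address on a port outside the allow-list."""
    net = ipaddress.ip_network(rule["cidr"])
    return net.prefixlen == 0 and rule["port"] not in PUBLIC_OK_PORTS

def diff_policy(baseline, current):
    """Return (added, removed) rule keys between two snapshots."""
    old, new = {_key(r) for r in baseline}, {_key(r) for r in current}
    return sorted(new - old), sorted(old - new)

def audit(baseline, current):
    """Report every policy change; additions exposed to the internet are 'high'."""
    added, removed = diff_policy(baseline, current)
    alerts = []
    for group, port, cidr in added:
        exposed = is_internet_exposed({"port": port, "cidr": cidr})
        alerts.append({"change": "added", "group": group, "port": port,
                       "cidr": cidr, "severity": "high" if exposed else "review"})
    for group, port, cidr in removed:
        alerts.append({"change": "removed", "group": group, "port": port,
                       "cidr": cidr, "severity": "info"})
    return alerts

if __name__ == "__main__":
    for alert in audit(BASELINE, CURRENT):
        print(alert)
```

Run on a schedule against exported policy snapshots, the same report doubles as the change evidence an auditor would ask for.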

4. Secure environments early

It’s important for organizations to maintain rigorous security controls even in development and QA environments. Early adopters are introducing security early in the lifecycle by embedding appropriate controls into application development. New security approaches promote the secure-by-design philosophy, where source code is checked for vulnerabilities even while it is developed. Whatever your security posture, make sure you follow a similar approach on your internal environments as well.

5. Implement on-prem learnings

While cloud is a major change in technology and may seem like a totally different environment, the fundamentals of security remain the same. It’s important to apply the same approach to your cloud that you would to a traditional on-premises network. It’s critical for organizations to secure networks, servers and endpoints with firewalls, server and endpoint protection solutions. These solutions monitor your traffic, prevent unauthorized access and protect your cloud assets against breaches, infections, or data loss. Endpoint and email security keep your devices up to date while preventing unauthorized access to cloud accounts. When you’re moving to the public cloud, you have to maintain your on-prem experience.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
