Get a better understanding of cloud security and see how on-premises security practices apply

By IBM Services

What is cloud security?

Cloud security, or cloud-computing security, is the set of policies, procedures and tools used to protect data, applications and networks in cloud environments.

Cloud environments are highly distributed and dynamic. Unlike traditional, on-premises environments with defined perimeters, they appear more susceptible to unauthorized access, data exposure, cyber attack and other threats. Yet the same practices used to secure on-premises environments can be successfully applied to the cloud.⁽¹⁾

Identity and access management verifies and authenticates the identity and credentials of individuals looking to gain access and take actions. These individuals could be seeking access as administrators or users — or even services. Services enable communication and data sharing in the cloud to perform operations, so they need to be authenticated.

Network security isolates network resources such as servers and other connected devices to protect them from harmful traffic and associated attacks. Firewalls are used to establish a perimeter and reduce the attack surface. Segments and groups assign access to cloud resources and add instance-level management of incoming and outgoing traffic. Virtual private networks (VPN) provide secure connections from the cloud back to on-premises resources. Edge-of-network devices such as routers and switches can be protected through digital certificates and by encrypting data that moves from edge devices to centralized resources.⁽²⁾

Application security or web application security augments perimeter-based approaches models like network security. More applications and workloads are being developed in and deployed to the cloud. Accordingly, developers build protections into applications through application-level firewalls and vulnerability testing and scanning. Cloud-native application development can create vulnerabilities when accessing and exchanging resources across the cloud. These resources also need to be scanned and checked.⁽³⁾

Data protection is always critical. Data associated with cloud-based applications and workloads can be spread across storage, data services and clouds, increasing the possibility of unauthorized access, damage or theft. Further, data in the cloud is frequently in motion — traveling from one cloud resource to another — making it a moving target. Data protection is typically achieved through encryption and encryption keys where data is encoded and can only be decoded with the key. ⁽⁴⁾

Monitoring provides greater visibility through access trails and audit logs that track activity and incidents. The information includes services accessed by administrators, users and services. Logs can be integrated with on-premises security systems for further analysis, intelligence and reporting. Some cloud service providers offer security monitoring with incident management and reporting, real-time analysis of security alerts and an integrated view across hybrid cloud deployments.

Compliance demands are often considered part of cloud security. They can put organizations at risk of business disruption, legal intervention, prosecution, financial loss and more. They are composed of national and international laws and regulations typically focused on protecting data and privacy.

Examples include: U.S. Health Insurance Portability and Accountability Act (HIPAA),

U.S.  Gramm–Leach–Bliley Act (GLBA), SWIFT data protection policies, Payment Card Industry Data Security Standard (PCI-DSS), and Canada Personal Information Protection and Electronic Documents Act (PIPEDA) and the European Union’s (EU) General Data Protection Regulation (GDPR).⁽⁵⁾

How IBM secures the cloud

See how IBM combines access management, data protection and cloud visibility to secure the cloud. 

Watch the video



Who is responsible for cloud security?

Clients of cloud service providers can often assume that the service provider will be responsible for security associated with a cloud deployment. Unless otherwise stipulated, this is not the case.

Cloud security is a shared responsibility.

In a general sense, cloud service providers are responsible for the cloud infrastructure and clients are responsible for the applications, data and services that operate within the infrastructure.⁽⁶⁾

IBM technical security architect, Sonja Gresser, offers more detail based on cloud reference models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS).

“With IaaS, the cloud vendor provides only the physical or virtual infrastructure. From this level, the user is the administrator of the network and system infrastructure, applications and data. With PaaS, the cloud provider manages the entire infrastructure, including middleware components such as databases. The application and data content come from the cloud consumer. SaaS means that a cloud provider provides everything from the infrastructure to the application — the cloud consumer only adds the data and accesses it.”

Who is responsible for blog security?

An IBM expert gets into the details about the collaborative effort of cloud security.

Read the blog



Why is cloud security important?

With cloud computing, IT departments can reduce costs and improve performance by distributing and operating resources (including business-critical data, applications and workloads) across external private, public and hybrid networks. At the same time, they are concerned about the security vulnerabilities that may accompany use of those networks.

IBM reports that IT architects are asking ““How do I mitigate security risks while still moving ahead with our ambitious public cloud plans?”

Cloud security is important because it enables cloud computing initiatives to move forward without doing more harm than good.

Public clouds make a compelling case. Hybrid clouds enable non-critical and less sensitive resources to be moved to public clouds, while keeping essential resources under lock and key. Private deployments are dedicated to a single client and can be secured by private network settings and management. Public clouds are just that — public — with multiple clients (or tenants) sharing common access, albeit with specified privileges.

Despite possible exposure with public clouds, a McKinsey study of 90 enterprises found that 80 percent plan on having 10 percent or more of their critical workloads in the public cloud by 2020 or double their current public cloud use. And as such, must “evolve their cybersecurity practices dramatically to consume public cloud services.” ⁽⁷⁾

Top five considerations for securing the public cloud

See what IT teams, CTOs and other business stakeholders should address when choosing among public cloud security solutions.

Read the white paper



Five guidelines for effective cloud security

IBM has identified five guidelines or “takeaways” for effective cloud security. They align with fundamental IT security practices and address the specialized needs of cloud platforms and offerings of cloud providers.


1. A cloud provider should be able to integrate with a company’s identity management system. At the same time, the provider’s own identity and access management should be comprehensive. Additionally, application programming interfaces (API) should be incorporated. Cloud environments use APIs to call services that enable applications to communicate and share data. Cloud providers should have a consistent way to authenticate the identity of a user or a service that needs to access an API or service.


2. Verify that a cloud platform offers well-integrated firewalls, security groups, and options for micro-segmentation as part of their approach to network security. Microservices are common for cloud-native software development. These are services or mini-applications that run inside of containers or packages of software.8 Microservices are advantageous to cloud security because they can be isolated and protected through micro-segmentation.


3. For data security, expect cloud providers to offer bring your own key (BYOK) solutions that allow client organizations to manage keys across all data storage and services. BYOK enables management of encryption keys in a central place, provides assurance that root keys never leave the boundaries of the key management system and supports auditing of all key management lifecycle activities.


4. A key application security practice for the cloud is to scan containers for vulnerabilities before deployment and while they are running. Containers are packages of software or microservices.⁽⁸⁾ A platform vendor should permit the implementation of client-defined policies and alerts as part of the application vulnerability and container scanning process.


5. A chief concern with cloud security is loss of visibility. Client-run monitoring and security intelligence and event management (SIEM) systems offer robust visibility and machine learning capabilities that train on threat patterns to develop a predictive security immune system. Look for cloud providers to integrate with client-side SIEM solutions to maintain visibility and high levels of security intelligence.


A guide to securing cloud platforms

Evaluate cloud providers based on five aspects of security and how they relate to specific client-side needs.

Register for the guide



More resources

Video – How it works: Cloud security

Look at one scenario that illustrates the importance of security on the cloud.

Watch the video


Ebook -- Cloud Identity for Dummies

Understand what Identity as a Service (IDaaS provides) is and how to implement it. 

Register for your copy


Blog – IBM Security Intelligence

Get the latest insights, news, events, resources and more. All tuned to protecting the cloud.

Visit the blog




Security in the IBM Cloud

IBM Cloud Security Managed Services

IBM Security Connect




1. What is different about cloud security, Red Hat


2. Application security, Margaret Rouse, TechTarget


3. Encryption, Margaret Rouse, TechTarget


4. Cloud Security & Compliance for Dummies. Lawrence Miller, Palo Alto Networks, 2019


5. Cloud Security: Who’s Responsible for What? Stephanie Johnson, Palo Alto Networks, December 19, 2016


6. Security to the core: Top five considerations for securing the public cloud, White Paper, IBM Corporation, 2018


7. What is a container, Docker