A guide to securing Cloud services

In this blog post, author and consultant Lee Newcombe discusses the second edition of his book, Securing Cloud Services – A pragmatic guide, which provides insight into the security considerations associated with the adoption of Cloud services, alongside pragmatic ways to address these considerations.

There are a variety of books in the marketplace relating to Cloud security.

Many of these are either theoretical in nature (divorced from the reality of implementation in an enterprise context) or target only those charged with implementation of secure Cloud services (divorced from the wider processes of architecture and risk management).

After architecting secure Cloud services across numerous large enterprises (FTSE 100, Fortune 500, Government) since 2009, Lee decided to share some approaches that have been proven to work in the real world.

The Cloud model is now business as usual; it is no longer the new kid on the block.

However, many stakeholders still struggle to understand the different types of cloud services on offer – e.g. SaaS (software as a service) vs IaaS (infrastructure as a service) – and how this effects their responsibilities when it comes to securing the services and data that they host on such platforms.

To deliver Cloud security appropriately in a large enterprise, organisations must establish the correct governance structures and ensure that all parties understand their responsibilities and accountabilities.

We work in an increasingly fast-paced environment, so governance structures must be able to support IT delivery in a variety of different organisational models and be focussed on the needs of the end users as well as the wider organisation.

 A failure to get the governance structures right can lead to many negative outcomes, such as:

  • Shadow IT, where end users bypass overly strict governance controls to procure their own Cloud services;
  • Duplication of service, where every business unit does their own thing, selecting their own preferred Cloud services and each time re-inventing solutions that could be shared; and
  • Security as a blocker, where centralised security functions can act as a roadblock to agile delivery.

Many large organisations that failed to get their governance structures and strategies in place at the outset (avoid lift-n-shift wherever possible!) have ended up having to fundamentally re-visit their Cloud architectures in order to get the expected benefits.

My book can help enterprises avoid similar mistakes through an architecture-led approach covering governance, assurance, architecture, risk management, security operations, resilience, devsecops and other topics.

The book is designed to provide an overview of each topic, conceptual architectures and pointers to tooling (third party and Cloud provider native) that can be used to deliver those architectures.

Securing Cloud Services – A pragmatic guide begins with a discussion of the history and current context of Cloud security (and related issues like privacy) to establish a baseline of understanding across the audience.

It then dives into a wide range of topics, from the organisational elements through to more technical issues, such as the management of identity, security monitoring, vulnerability assessment and the use of newer technologies including:

  • Cloud Access Security Brokers;
  • Cloud Workload Protection; and
  • Runtime Application Self-Protection.

Who is the book for?

Securing Cloud Services – A pragmatic guide is aimed at anyone involved in architecting, building or operating secure Cloud services.

It is accessible in tone, making it equally valuable to business stakeholders seeking to understand the risks that they face as it is to privacy and security professionals, CIOs, CTOs, CISOs and architects of all descriptions.


Part 1 provides an extensive history and overview of Cloud security, covering the threats, risks, privacy issues and regulatory requirements that organisations face.

It also discusses the benefits of Cloud security, and explains the terminology, aligned to the NIST model of Cloud computing.

Part 2 introduces a conceptual security reference model, covering a vast range of security services – from assurance through to secrets management.

It also provides suggested approaches towards the delivery of these services across the different Cloud service models of infrastructure-, platform-, software- and function-as-a-service.

Part 3 focuses on the future of the Cloud and the technological developments we can expect over the next few years, as the security capabilities of Cloud providers catch-up to (and perhaps surpass) those of legacy security vendors.

Excerpt from Securing Cloud Services

Significantly, FaaS consumers do not have access to the underlying host, so many traditional security tools cannot be used, e.g. host-based intrusion prevention systems (IPSs) and most runtime application self-protection (RASP) products. RASP is in an interesting area as there are different deployment models available, and some may be suitable for use with FaaS whereas others will not; as ever, the nature of the application and supporting architecture will also impact upon the suitability of a specific RASP approach. An illustrative RASP architecture is shown in Figure 46.

Figure 46: RASP architecture

At a high level, RASP products can be viewed as providing WAF capabilities within the protected application, as opposed to these being abstracted out to a separate WAF capability.

RASP can protect against common vulnerabilities such as SQL injection, cookie tampering, cross-site scripting as well as more generic (i.e. not just web application) issues.

Figure 46 illustrates how and where RASP tools can provide security capability. RASPs can either be included, within the function requiring protection, through the provided RASP libraries or by instrumenting the run-time (e.g. the Java Virtual Machine), with the latter option providing more general protection to all hosted functions.

RASP products are often designed to call out to Cloud-hosted machine learning based decision engines, which require such functionality to complement the necessarily more basic controls provided locally.