Cloud Access Security vs Cloud Application Security

September 14, 2017 | Views: 3079


First, we need to differentiate between the public cloud and the private cloud:

So, basically, the public cloud consists of cloud applications such as Office 365, Google Suite, Dropbox, Salesforce, ServiceNow, etc. There are literally tens of thousands of cloud applications available. We call this Software as a Service (SaaS).

On the other hand, a private cloud is when you rent space in an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) provider, and set up network and computing resources. Take a look at this diagram:

Every column shows the 9 layers of computing, from networking to applications. If a layer is shown in white, it means you manage it; if it is shown in blue, the vendor manages it.

In the first column, “Packaged Software”, you get to manage all the layers: you need to set up the network, set up the storage devices, servers, and virtualization (if any), install and manage the operating systems, middleware and runtime environment, and manage the data and applications.

The second column shows Infrastructure as a Service (IaaS). In this model, the vendor takes care of networking, storage, servers, and virtualization, and you take care of everything from the operating system up. An example would be Amazon Web Services.

The third column shows Platform as a Service (PaaS). In this model, the vendor takes care of networking up to runtime; you just bring the applications and data. An example would be Google App Engine.

And the fourth column shows Software as a Service (SaaS), in which the vendor takes care of all the layers. An example would be Office 365.

So, what happens with security in each of the models?
In packaged software, you are responsible for all the information security; this is the traditional model of infosec: firewalls, antivirus (AV), IDS/IPS, log analysis, vulnerability management, etc.

Logically, as we move into IaaS and PaaS, the vendor takes care of the security of the blue layers, and you have to worry about the white layers’ security.

OK, so we are now ready to define cloud security, cloud application security, and cloud access security.

Cloud security covers all the layers, except the application layer, in IaaS, PaaS, and SaaS:

This is, of course, a very extensive body of knowledge that includes problems from traditional information security as well as new problems specific to the cloud. If you want to learn more about this branch of information security, I recommend you take a look at the CSA Security Guidance. I also recommend John Rhoton’s book, “Cloud Computing Protected: Security Assessment Handbook”.

Cloud application security is the security of only the application layer of IaaS, PaaS, and SaaS:

This type of security consists of properly programming cloud applications to avoid vulnerabilities such as SQL injection, cross-site scripting, weak authentication and session management, cross-site request forgery, etc. You can find the complete list of web application vulnerabilities on the OWASP site.
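To make the application-layer point concrete, here is an added example (not code from the original post) that puts the vulnerable form of two of the listed defects, SQL injection and cross-site scripting, next to the hardened form a cloud application should use. The in-memory SQLite table and the user names are constructed for the demonstration; the fix in each case is to keep untrusted input as data (a bound query parameter, an HTML-escaped string) rather than letting it become part of the query text or the markup.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a cloud application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 1)],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: the input is concatenated into the SQL text, so a value
    # containing quotes and operators changes the structure of the query.
    query = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Hardened: a parameterized query. The driver sends the value separately
    # from the SQL text, so it is only ever compared as data.
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


def greeting_vulnerable(display_name):
    # Vulnerable: untrusted text is placed directly into HTML, so markup in the
    # name is rendered (and any script in it executed) by the user's browser.
    return "<p>Welcome, " + display_name + "</p>"


def greeting_safe(display_name):
    # Hardened: escape HTML metacharacters so the name is shown as text.
    return "<p>Welcome, " + html.escape(display_name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # constructed input that is not a username
    print("vulnerable:", find_user_vulnerable(db, tautology))   # returns every row
    print("safe:      ", find_user_safe(db, tautology))         # returns nothing
    print(greeting_safe("<b>Mallory</b>"))                      # tags shown as text
```

Run it to see the contrast: the same non-username input returns every user from the concatenated query and no rows from the parameterized one, and the escaped greeting renders the angle brackets literally instead of as tags.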

Finally, cloud access security focuses on securing the interaction between the user and the cloud application in a SaaS solution:

Cloud access security is all about controlling the organization’s information in cloud applications: who is uploading and downloading files, what documents have sensitive information, what documents are exposed to the Internet, which users have anomalous behavior, what cloud applications are inherently risky, and several other variables.

The type of software solution that takes care of this layer of security in the cloud is called a Cloud Access Security Broker, or CASB.

Gartner defines CASB as:
…on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement.
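The variables listed above (who downloads what, which sensitive documents are exposed, which users behave anomalously, which applications are sanctioned) are exactly what a CASB derives from the SaaS providers' audit logs. As an added example that is not part of the original post and not any vendor's code, the block below runs three such checks over a handful of constructed audit-log lines; the log format, the `label=` classification field, the user names and the sanctioned-app list are all assumptions made for the demonstration.

```python
import statistics

# Constructed SaaS audit-log sample: timestamp followed by key=value fields.
LOG = """\
2017-09-14T08:01:12Z user=alice app=Dropbox action=download file=q3-forecast.xlsx bytes=204800 label=confidential
2017-09-14T08:02:40Z user=alice app=Dropbox action=share file=q3-forecast.xlsx bytes=0 label=confidential link=public
2017-09-14T08:05:03Z user=bob app=Box action=download file=lunch-menu.pdf bytes=51200 label=public
2017-09-14T08:07:19Z user=bob app=Box action=share file=lunch-menu.pdf bytes=0 label=public link=public
2017-09-14T08:10:00Z user=carol app=Dropbox action=download file=customer-list.csv bytes=52428800 label=confidential
2017-09-14T08:10:05Z user=carol app=Dropbox action=download file=payroll-2017.xlsx bytes=31457280 label=confidential
2017-09-14T08:10:09Z user=carol app=Dropbox action=download file=contracts.zip bytes=104857600 label=confidential
2017-09-14T08:11:30Z user=alice app=Dropbox action=upload file=notes.txt bytes=2048 label=internal
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict; bytes becomes an int."""
    timestamp, *fields = line.split()
    event = {"time": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["bytes"] = int(event.get("bytes", 0))
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def exposed_sensitive_files(events):
    """Documents labelled confidential that were shared with a public link."""
    return sorted({
        e["file"] for e in events
        if e["action"] == "share" and e.get("link") == "public"
        and e.get("label") == "confidential"
    })


def download_volume(events):
    """Total bytes downloaded per user."""
    totals = {}
    for e in events:
        if e["action"] == "download":
            totals[e["user"]] = totals.get(e["user"], 0) + e["bytes"]
    return totals


def anomalous_downloaders(events, factor=5):
    """Users whose download volume exceeds `factor` times the median user's.

    The median is used as the baseline so that one heavy downloader does not
    pull the reference value up and hide themselves, as a mean would.
    """
    totals = download_volume(events)
    if len(totals) < 2:
        return []
    baseline = statistics.median(totals.values())
    return sorted(user for user, total in totals.items() if total > factor * baseline)


def unsanctioned_apps(events, sanctioned):
    """Cloud applications seen in the log that are not on the approved list."""
    return sorted({e["app"] for e in events if e["app"] not in sanctioned})


if __name__ == "__main__":
    events = parse_log(LOG)
    print("publicly exposed confidential files:", exposed_sensitive_files(events))
    print("anomalous downloaders:", anomalous_downloaders(events))
    print("unsanctioned apps:", unsanctioned_apps(events, {"Dropbox"}))
```

With the sample above, the confidential forecast shared by public link is flagged, carol is flagged for pulling roughly 180 MB of confidential files against a baseline of a few hundred kilobytes, and Box shows up as an application nobody approved. A real CASB does the same kind of thing continuously, across many applications, with classification and baselines learned from far more data.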

To sum it up:

• Cloud security covers the security of all the computing layers in public and private clouds.

• Cloud application security covers the security of cloud applications, making sure the application layer is safe.

• Cloud access security covers the security of the interaction between the user and the cloud application in a SaaS deployment.

Twitter: @zergecasb

1 Comment
1. Private cloud is provisioned for exclusive use by a single organization… typically internal (on-prem). IaaS is typically seen in public cloud offerings. Organizations rarely (unless government or military) use IaaS as private cloud because of cost.
