First Steps in Developing a Cloud Security Architecture

21 Oct, 2021

Security issues are among the biggest concerns when migrating to the Cloud. That concern is reasonable – cybersafety shouldn’t be sidelined. After all, even Cloud-native companies check up on their security setup regularly. Luckily, as a whole, the Cloud is safe. For example, in 2019, around 90% of all Cloud-based security issues resulted not from Cloud faults themselves, but from misconfiguration. That’s why it’s so important to develop a proficient strategy for your cloud security architecture and, as a result, avoid unwanted risks.

Big platform leaders like Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure make great efforts to stay secure and meet various levels of certification. As a result, the problem rarely lies in the technology itself – but in the components and solutions built within.

So, to help make your Cloud endeavours smooth and secure, in this article we’re going to take you through the key elements and fundamentals of cloud security architecture.

What is Cloud Security Architecture?

In a broad understanding, Cloud security is about protecting information, data, applications, platforms, and the infrastructure that operate or exist within the Cloud.

Cloud security architecture is where cloud security starts. Cloud security architecture defines the security layers, design, and structure of the platforms, infrastructure, software, tools, and best practices that exist to make the Cloud solution secure.

A Secure Cloud Starts with Cloud Security Architecture

To prevent and mitigate threats, an organization should first understand its current cloud security posture, and plan which controls and security solutions will be the most useful to use.

Creating a strategy for cloud security architecture should start early in the design process. It should be an integral part of the solution to maximize efficiency. Unfortunately, cloud architects regularly concentrate mainly on performance and add security later. Don’t make the same mistake. Treat cloud security as a priority – and start by working on your cloud security architecture.

Key Indicators of Developing a Secure Cloud Storage and System

Developing a successful cloud security architecture enables you to strengthen (or even set up in the first place) 3 pillars of cloud security. Understanding each of these pillars will help you to plan your cloud security architecture with a more strategic overview in mind.

These pillars, as defined by Intel, are:

  • Confidentiality. One of the key capabilities of cloud security is to keep your data secret and unreadable to those who shouldn’t have access to it. This may both be people from outside your organization – like attackers – as well as people from inside of your organization who don’t have clearance to view specific information.
  • Integrity. To maximize security, your systems and applications should function exactly as you expect them to. This means that they shouldn’t produce any unexpected or misleading outputs.
  • Availability. Often overlooked, availability addresses denial-of-service (DoS) attacks. Even if attackers won’t be able to see or change your data, they could still make it unavailable to you or your customers – which can create huge losses.

Principles of Cloud Security Architecture

To create a Cloud system with solid confidentiality, integrity, and availability, you need to set up different tools that will safeguard your systems and data. Moreover, you should also follow certain principles to make sure your architecture is well-designed.

This includes:


  • Security controls. Defined both by technologies and processes, they include parameters and policies implemented across users, data, and infrastructure to manage the general security posture.
  • Trust boundaries. They define the trust between the different services and components deployed on the Cloud.
  • Token management. It enables a safe authentication of users.
  • Encryption methods. These include algorithms like 128-bit AES, Triple DES, RSA, or Blowfish. They keep data safe both at rest and while travelling between internal and external Cloud connection points.
  • Security event logging. With it, all important security events are captured, prioritized, and delivered to security teams.
  • Standard interfaces and security protocols. This includes SSL, SFTP, SSH, OAuth, IPsec, and more.

How to Know Which Cloud Security Tools and Technologies are the Right Choices?

To pick the right tools and technologies, you should be able to clearly define their purpose and specifics. If you do, it will be easier to judge if the given solution is efficient and if it’s planned correctly.

Right from the start, you should be able to tell:

  1. What a given service’s role is.
  2. Where it will be located (public cloud, on-premise, or third-party service).
  3. What protocols will be used to access the service.
  4. What the service receives and what it will be expected to deliver.
  5. Who operates the service.
  6. What types of control the service achieves.

Defining all the above will help you to determine if it’s useful. As a result, you’ll eliminate flops that are easy to avoid and end up with a better cloud security architecture.
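An added example, not from the original article: the six questions above captured as an inventory record, with a review function that reports unanswered questions, weak protocols or ciphers, and weak protocols used between services in different locations. The field names, the `calls` list, the weak-protocol and weak-cipher sets, the choice to treat a change of location as a trust boundary, and the sample services are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

WEAK_PROTOCOLS = {"ssl", "ftp", "telnet", "http"}  # SSL is superseded by TLS; the rest are plaintext
WEAK_CIPHERS = {"triple des", "3des", "blowfish"}  # 64-bit block ciphers
QUESTIONS = ("role", "location", "protocols", "receives", "delivers",
             "operator", "controls")

@dataclass
class Service:
    """One inventory record; fields mirror the six checklist questions."""
    name: str
    role: str = ""
    location: str = ""   # public-cloud | on-premise | third-party
    protocols: list = field(default_factory=list)
    receives: str = ""
    delivers: str = ""
    operator: str = ""
    controls: list = field(default_factory=list)   # e.g. preventive, detective
    ciphers: list = field(default_factory=list)
    calls: list = field(default_factory=list)      # (target name, protocol)

def review(inventory):
    """Return sorted findings for a list of Service records."""
    by_name = {s.name: s for s in inventory}
    findings = []
    for s in inventory:
        findings += [f"{s.name}: '{q}' is not defined"
                     for q in QUESTIONS if not getattr(s, q)]
        weak = [f"protocol {p}" for p in s.protocols if p.lower() in WEAK_PROTOCOLS]
        weak += [f"cipher {c}" for c in s.ciphers if c.lower() in WEAK_CIPHERS]
        findings += [f"{s.name}: weak {w}" for w in weak]
        for target, proto in s.calls:
            peer = by_name.get(target)
            if peer is None:   # dependency missing from the inventory
                findings.append(f"{s.name}: calls unknown service {target}")
            elif peer.location != s.location and proto.lower() in WEAK_PROTOCOLS:
                findings.append(f"{s.name} -> {target}: {proto} crosses locations")
    return sorted(findings)

# Constructed sample inventory (not from the article).
SAMPLE = [
    Service("billing-api", "invoice API", "public-cloud", ["HTTPS"],
            "orders", "invoices", "platform team", ["preventive"],
            ["AES-128"], [("ledger-db", "SSL"), ("mailer", "HTTPS")]),
    Service("ledger-db", "system of record", "on-premise", ["SSL"],
            "invoices", "balances", "", ["detective"], ["Triple DES"]),
]
if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```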

Example – Cloud Security in AWS: The Most Common Issues

In one of our previous articles, Michał Brygidyn – Cloud expert and White-Hat Hacker – talked in detail about the most common security issues in the AWS cloud.

And although the text focuses on AWS security issues, this overview may apply to any Cloud platform – be it Azure or Google Cloud Platform. The technologies and individual solutions may change, but the overall principles do not.

Additionally, make sure to watch this bonus video about the general principles of making your IT projects secure:

Different Cloud Security Architecture for Different Purposes – SaaS, PaaS, and IaaS

Finally, as you know, there are 3 main types of cloud computing services. These models are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). From an IT perspective, setting up the optimal security will differ for each of these models.

IaaS Cloud Security Architecture

IaaS providers have to focus on runtime encryption and orchestration capabilities empowering clients to manage key encryption for any application they use in the cloud.

Such a cloud security architecture should/may include endpoint protection (EPP), a cloud access security broker (CASB), a vulnerability management solution, access management, and data and network encryption.

PaaS Cloud Security Architecture

PaaS providers should pay attention to multiparty usage and create trust in moving data from and to the platform.
Such an architecture usually requires both standard cloud security architecture solutions and common solutions, like a Cloud Workload Protection Platform (CWPP).

SaaS Cloud Security Architecture

This model includes productivity software suites and is popular for both business and individual purposes. It must be secured at the CSP level. Since users have limited control over SaaS offerings, their security activity means adhering to best practices: for example, using strong passwords, being careful, and avoiding scams.
SaaS security components should include identity and access management, cloud access security broker (CASB), and data protection with APIs, proxies, or gateways.


As mentioned in the intro, some of the biggest security breaches result from misconfiguration and improper access practices. What might seem like a simple change can leave you open to much larger exploits and consequences.
That’s why it’s so important to develop a proper Cloud Security Architecture that addresses all the basic issues and misconfigurations. Because remember – if set up well, the Cloud is unarguably very safe.


