Virtualization Technology News and Information
Three Generations of Cloud Security


By Jonathan Villa

Cloud computing, and in turn cloud security, is continuously evolving. Years ago, it was about moving to the cloud, whereas now it's more about Cloud 2.0, with a focus on cloud observability, integrating multiple layers, and the security strategies employed by organizations. This article looks at the three generations of cloud security technology adopters, technologies and environments.

The Early Adopters: 2010-2015

In this phase of cloud security evolution, the early cloud security adopters were still figuring things out as they built environments. Cloud computing, being an API-driven infrastructure, enabled anyone with programming or application development experience to write code that requests information (metadata) and processes the responses. It was incumbent on teams leveraging the cloud during this time to use those APIs to build tools for themselves in order to understand the overall security posture of their cloud footprint.

These "in-house" cloud security tools were useful, but they were fairly basic. Although these solutions improved over time, what they ultimately provided was continuous compliance checking and visibility into a public cloud environment's current state. Throughout this first generation, cloud security adopters were focused on network security and configuration best practices.

The introduction of virtual private clouds improved the secure usage of the native cloud compute services available at the time, as security teams could now create private zones with centralized ingress and egress points. However, egress traffic would leverage NAT Gateways, which had limited functionality for centralizing outbound response traffic or newly initiated outbound traffic. While that design pattern was functional, there weren't many options available for creating a centralized point of egress traffic that provided the inspection and analysis needed from a security perspective. The Cloud Service Provider made some network traffic information available, but not the deep packet inspection required for threat analysis. It was simple, high-level visibility into the traffic flow between hosts, with basic insight into traffic traveling north to south.

During this time, a new perimeter formed that many did not recognize as being a perimeter: the highly privileged role of the cloud identity. Although not widely implemented, one positive capability provided by the Cloud Service Providers was a means to control and centralize access by supporting federated identities. However, there remained a wide gap between authorization security and the security fundamental of least privilege. And so this leads us into the next generation of cloud security evolution.

The Informed: 2015-2018

Some enterprises understood that, despite the strength of network security in the cloud and the deployment of secure configurations at the cloud management layer, more analysis was needed at the cloud provider API layer. While API logs were being captured to monitor and report on cloud activity, the analysis was not in-depth. Platforms that leveraged machine learning began to surface, informing cloud customers of anomalies within their environments. This allowed cloud customers to recognize that they also needed to emphasize securing their cloud platforms, in addition to workloads and the network.

Additionally, new serverless architectures were introduced, causing a significant shift for those accustomed to checking off the boxes for anti-virus, IDS, IPS, and standard server hardening. This generation of cloud security platforms arose because even in a serverless environment, the API logs were being recorded and analyzed. This meant that in settings where only cloud PaaS offerings were used, capturing and analyzing the activity of a cloud customer's environment was possible.

Cloud Everywhere: 2018-Present

In this current phase of cloud evolution, it's impressive to see where we are today in the architecture and operations of cloud environments, both from a business solution and a security perspective. Now we have containers, serverless, infrastructure-as-code, platform-as-a-service, deployment and management of third-party infrastructure solutions, and more becoming available at a rapid pace. DevSecOps patterns have matured to automate and secure the complete lifecycle, from development through infrastructure to the operations pipeline, with security at its core.

For example:

  • Developers have the tools to build and deploy secure cloud infrastructure across multiple cloud providers.
  • Site Reliability Engineers provide the building blocks to leverage infrastructure-as-code to build massively scalable architectures.
  • Firewall administrators are deploying and managing cloud-native appliances within the CI/CD process (a nod to "shift-right" in moving more automation to the traditional security solutions).

Despite the growing maturity of cloud security as a dedicated discipline, enterprises are often left asking which is more effective: cloud-native services or third-party solutions. There are now third-party cloud security platforms with new features and capabilities, mature and cost-effective native cloud security services, and the traditional security platforms that have introduced new capabilities and first-class support for the public cloud.

While all of these tools are great and the trajectory shows constant maturity, do we understand what we're looking at? For example, we can get terabytes of data into a SIEM, but we need to know what we are looking for: what are the indicators of compromise within an API-driven infrastructure?
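As an added illustration of the point made above (and of the early adopters' approach of writing code against the API layer), here is an example, not from the original article, that runs two simple indicators over a constructed sample of cloud API audit-log records shaped loosely like CloudTrail events: a privileged identity or logging change, and an identity calling the API from a source IP it has not used earlier in the log. The record fields, the sample values and the `PRIVILEGED_ACTIONS` list are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample of API audit-log records in JSON-lines form (not real data).
SAMPLE_LOG = """\
{"eventTime": "2021-02-20T08:01:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2021-02-20T08:05:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2021-02-20T23:40:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2021-02-20T23:41:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7"}
"""

# API calls that change the identity or logging perimeter; assumed watch-list for this example.
PRIVILEGED_ACTIONS = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "StopLogging", "DeleteTrail"}


def parse_jsonl(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(records):
    """Return a list of (identity, eventName, reason) findings in time order.

    Indicator 1: the action is on the privileged watch-list.
    Indicator 2: the identity has been seen before, but never from this source IP.
    """
    seen_ips = defaultdict(set)
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        who = rec["userIdentity"]["arn"]
        action = rec["eventName"]
        ip = rec["sourceIPAddress"]
        if action in PRIVILEGED_ACTIONS:
            findings.append((who, action, "privileged action"))
        if seen_ips[who] and ip not in seen_ips[who]:
            findings.append((who, action, f"new source IP {ip}"))
        seen_ips[who].add(ip)
    return findings


if __name__ == "__main__":
    for who, action, reason in analyze(parse_jsonl(SAMPLE_LOG)):
        print(f"{who}\t{action}\t{reason}")
```

The same two checks apply unchanged to a real export of API logs once the field names match the provider's schema; the value of the SIEM lies in deciding which actions belong on the watch-list for your environment.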

Cloud security continues to evolve, and it has required a different way of thinking, not only from a cloud customer's perspective but also from vendors and the cloud service providers. Those that have been the most successful have retrained their problem-solving approach during each of these generations. As cloud continues to evolve, the ability to quickly adapt to the changing landscape will determine which enterprises succeed.




Jonathan Villa 

Jonathan Villa has worked as a technology consultant since 2000 and has worked in the information security field since 2003. For more than 10 years, Jonathan worked with a large municipality as a senior consultant in several competencies including PCI compliance and training, web application architecture and security, vulnerability assessments and developer training, and web application firewall administration. Jonathan also co-architected and managed an automated continuous integration environment that included static and dynamic code analysis for over 150 applications deployed to several distinct environments and platforms.

Jonathan has worked with virtualization and cloud technologies since 2005, and since 2010 has focused primarily on cloud security. Jonathan has worked with clients in various verticals across North America, South America and Asia to design and implement secured public and hybrid cloud environments, integrate security into continuous integration and delivery methodologies and develop custom application and security solutions using the AWS SDK. He has also provided guidance to customers in understanding how to manage their environments under the Shared Responsibility Model.

In addition to providing PCI training, Jonathan has also presented to law enforcement on cybersecurity and was a speaker at the Cloud Security Alliance New York City Summit. Jonathan holds the following certifications: CISSP, CCSP, C|EH, PCIP, AWS Certified Solutions Architect - Professional, AWS Certified SysOps Administrator, AWS Certified Developer, AWS Certified DevOps Professional and Security+, as well as the CSA Certificate of Cloud Security Knowledge.

Published Friday, February 26, 2021 7:36 AM by David Marshall