
Cloud Security Architecture

Organizations moving to the cloud need to ensure they are planning for cloud security as part of their migration and mature cloud deployments instead of adding security after the fact. Designing and building a cloud security architecture is an essential part of planning for security in the cloud.


Vital Concepts for Developing a Cloud Security Architecture

A cloud security architecture should be based upon cloud security best practices, and understanding and implementing these best practices requires a fundamental knowledge of cloud security concepts. Two of the most important concepts to master before developing a cloud security architecture are the cloud shared responsibility model and the principles of zero trust security.


  • Cloud Shared Responsibility Model

When leasing cloud infrastructure on a platform like AWS or Azure, the cloud provider is not wholly responsible for securing the customer’s cloud deployment. Depending on the service being used, the cloud customer is responsible for certain components of its security. Understanding the cloud shared responsibility model and a cloud customer’s security responsibilities under it is essential to developing a cloud security architecture that adequately addresses these responsibilities.


  • Zero Trust Security

Traditionally, organizations have adopted a perimeter-focused model for network security. Based on the assumption that all threats originate from outside of the network and that everyone inside the network is “trusted”, this model attempts to protect the organization’s resources by monitoring and filtering all traffic flowing through the network boundary.


In the cloud, where an organization’s infrastructure sits outside the traditional perimeter, this model has a number of shortcomings. The zero trust security model takes a much more granular approach to access management, limiting each user’s access to only those resources required to do their job. In this respect, a zero trust security model is the best choice. An organization’s cloud security architecture should be designed not only to support but to enforce the role-based access controls that zero trust mandates.
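To make the difference between the two models concrete, here is an added Python example (not part of the original article and not Check Point's code) that evaluates the same access requests under a perimeter rule and under a deny-by-default, role-based zero trust rule. The role table, resource names, request details and the 10.0.0.0/8 "internal" range are all constructed for the illustration.

```python
"""Perimeter-style vs zero trust access decisions over a constructed role table.

Added illustration; all roles, resources, addresses and requests are made up.
"""
import ipaddress
from dataclasses import dataclass

# Constructed least-privilege role table: each role lists exactly the
# (resource, action) pairs it needs. Anything absent is denied.
ROLE_PERMISSIONS = {
    "billing-analyst": {("billing-db", "read")},
    "app-deployer": {("app-cluster", "deploy"), ("app-cluster", "read")},
    "dba": {("billing-db", "read"), ("billing-db", "write"), ("billing-db", "admin")},
}

# Constructed corporate range that a perimeter model treats as "trusted".
INTERNAL_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    role: str
    resource: str
    action: str
    source_ip: str
    authenticated: bool  # whether the identity was verified for this request


def is_internal(ip: str) -> bool:
    """True if the source address falls inside the corporate perimeter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def perimeter_allows(req: AccessRequest) -> bool:
    """Perimeter model: everyone already inside the network boundary is trusted,
    regardless of who they are or what they are asking for."""
    return is_internal(req.source_ip)


def zero_trust_allows(req: AccessRequest) -> bool:
    """Zero trust model: deny by default. Network location never grants access;
    the identity must be verified and the role must explicitly hold the
    (resource, action) pair being requested."""
    if not req.authenticated:
        return False
    return (req.resource, req.action) in ROLE_PERMISSIONS.get(req.role, set())


def decide(requests):
    """Return (principal, perimeter_decision, zero_trust_decision) per request."""
    return [(r.principal, perimeter_allows(r), zero_trust_allows(r)) for r in requests]


if __name__ == "__main__":
    sample = [
        # Inside the perimeter, but the role only holds "read" on billing-db.
        AccessRequest("alice", "billing-analyst", "billing-db", "write", "10.0.5.7", True),
        # Outside the perimeter, verified identity, role holds the permission.
        AccessRequest("bob", "dba", "billing-db", "admin", "203.0.113.9", True),
        # Inside the perimeter, role holds the permission, but not authenticated.
        AccessRequest("carol", "dba", "billing-db", "admin", "10.0.5.8", False),
    ]
    for principal, perim, zt in decide(sample):
        print(f"{principal:6} perimeter={perim!s:5} zero_trust={zt!s:5}")
```

The contrast the article draws shows up directly in the decisions: the perimeter rule grants alice a write she was never entitled to simply because she is "inside", while the zero trust rule denies it, and it denies carol's otherwise-permitted action because the identity was not verified.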

Core Principles of a Cloud Security Architecture

A cloud security architecture should contain all of the tools, policies, and processes required to effectively protect cloud-based resources against cyber threats.


Cloud providers, like AWS, often provide recommendations specific to their particular platform.


However, recent reports show that most organizations will use two or more cloud providers. These multi-cloud organizations therefore need to develop a cloud security architecture capable of protecting all of their cloud-based resources.


A cloud security architecture needs to incorporate certain core principles:

  • Security by Design: Security by design involves designing a cloud architecture to implement protections that cannot be bypassed by misconfigured security policies. For example, if a particular resource (like a database) should not be accessible from the public Internet, then no network link should exist between it and the public Internet.
  • Network Perimeter Security: Under the shared responsibility model, customers are responsible for securing traffic flows in and out of their cloud-based resources. This requires securing the points of connection between the customer’s corporate network, the cloud-based deployment(s), and the public Internet.
  • Segmentation: After gaining access to a network, cybercriminals commonly move laterally to attack other machines. Segmentation breaks the network into isolated chunks, limiting the potential for lateral movement and thus reducing the impact of a security breach.
  • Agility: One of the primary benefits of the cloud is that it enables organizations to rapidly develop and deploy new solutions. A cloud security architecture should ensure that security does not inhibit agility or get lost in the race to meet release deadlines. An important component of this is leveraging cloud-native security solutions.
  • Automation: Automation enables rapid provisioning and updates to security controls and configurations and the ability to quickly detect and respond to potential threats to the cloud-based infrastructure.
  • Cloud Compliance: Most organizations are subject to a rapidly expanding regulatory landscape as new laws – such as the GDPR, CCPA, CMMC, and others – are passed and go into effect. With data and processes protected under these laws hosted on cloud-based infrastructure, organizations need solutions that enable them to effectively manage their compliance responsibilities in the cloud.
  • Visibility: Cloud visibility is complicated by the fact that most organizations have multi-cloud deployments and that traditional security solutions are often ineffective in cloud environments. A cloud security architecture strategy should include tools and processes for maintaining visibility across an organization’s entire cloud-based infrastructure.
  • Borderless: 93% of enterprises have a multi-cloud strategy, and the security solutions and configuration settings built into a cloud offering vary from one cloud provider to another. A cloud security architecture must account for every cloud environment in which an organization operates.
  • Unified Management: Organizations’ security teams are chronically understaffed, and the growing complexity of the cyber threat landscape and of enterprise attack surfaces makes it difficult for them to keep up with the threats their organizations face. To maximize the effectiveness of a corporate security team, cloud security solutions should offer unified management that lets the team centrally manage the multiple cloud security solutions required to protect its cloud-based infrastructure.
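The Security by Design, Segmentation and Automation principles above can be checked mechanically rather than by inspection. The following added Python example (not from the original article and not Check Point's code) models a small three-tier deployment and flags two classes of violation: a resource marked non-public whose subnet still has a route to an Internet gateway or whose security group admits 0.0.0.0/0, and a data-tier resource that accepts ingress from anything other than the app tier. The model format, the subnet, route table, security group and resource names, and the "igw-" naming convention are all invented for the illustration and are not any provider's real API.

```python
"""Automated check of a constructed cloud network model against the
Security by Design and Segmentation principles.

Added example; the model, identifiers and tier rules are constructed.
"""
import copy

# Constructed deployment. Route tables map destination CIDRs to targets;
# targets beginning with "igw-" stand for Internet gateways.
MODEL = {
    "route_tables": {
        "rt-public": {"0.0.0.0/0": "igw-main", "10.0.0.0/16": "local"},
        "rt-private": {"10.0.0.0/16": "local"},
        # Misconfiguration: a "private" table that still reaches the Internet.
        "rt-private-leaky": {"0.0.0.0/0": "igw-main", "10.0.0.0/16": "local"},
    },
    "subnets": {
        "subnet-web": {"route_table": "rt-public"},
        "subnet-app": {"route_table": "rt-private"},
        "subnet-db": {"route_table": "rt-private-leaky"},
    },
    "security_groups": {
        "sg-web": {"tier": "web", "ingress": [{"port": 443, "source": "0.0.0.0/0"}]},
        "sg-app": {"tier": "app", "ingress": [{"port": 8080, "source": "sg-web"}]},
        "sg-db": {"tier": "data", "ingress": [
            {"port": 5432, "source": "sg-app"},
            {"port": 5432, "source": "10.0.1.0/24"},  # broad CIDR breaks tier isolation
        ]},
    },
    "resources": [
        {"name": "web-lb", "subnet": "subnet-web", "sg": "sg-web", "internet_facing": True},
        {"name": "api", "subnet": "subnet-app", "sg": "sg-app", "internet_facing": False},
        {"name": "orders-db", "subnet": "subnet-db", "sg": "sg-db", "internet_facing": False},
    ],
}

# Segmentation policy: which tier may send traffic to which. None means the
# tier is allowed to be reached from the public Internet.
ALLOWED_UPSTREAM = {"data": {"app"}, "app": {"web"}, "web": None}


def has_internet_route(model, subnet_id):
    """True if the subnet's route table sends 0.0.0.0/0 to an Internet gateway."""
    rt = model["route_tables"][model["subnets"][subnet_id]["route_table"]]
    return any(dest == "0.0.0.0/0" and target.startswith("igw-")
               for dest, target in rt.items())


def find_violations(model):
    """Return (resource, check, detail) tuples for every principle violation."""
    findings = []
    sgs = model["security_groups"]
    for res in model["resources"]:
        sg = sgs[res["sg"]]
        # Security by design: a non-public resource must have no network path
        # to the Internet, in either direction.
        if not res["internet_facing"]:
            if has_internet_route(model, res["subnet"]):
                findings.append((res["name"], "internet-route", res["subnet"]))
            for rule in sg["ingress"]:
                if rule["source"] == "0.0.0.0/0":
                    findings.append((res["name"], "public-ingress", str(rule["port"])))
        # Segmentation: ingress may only originate from the permitted upstream
        # tier's security group. A raw CIDR has no tier, so it is rejected.
        allowed = ALLOWED_UPSTREAM.get(sg["tier"])
        if allowed is None:
            continue
        for rule in sg["ingress"]:
            src = rule["source"]
            src_tier = sgs[src]["tier"] if src in sgs else None
            if src_tier not in allowed:
                findings.append((res["name"], "cross-tier-ingress", f"{src}:{rule['port']}"))
    return findings


def remediated(model):
    """Return a copy of the model with the two constructed misconfigurations fixed,
    so the checker can be shown passing as well as failing."""
    fixed = copy.deepcopy(model)
    fixed["subnets"]["subnet-db"]["route_table"] = "rt-private"
    fixed["security_groups"]["sg-db"]["ingress"] = [{"port": 5432, "source": "sg-app"}]
    return fixed


if __name__ == "__main__":
    for finding in find_violations(MODEL):
        print("VIOLATION", finding)
    print("after remediation:", find_violations(remediated(MODEL)))
```

Run as a pipeline gate over the real infrastructure-as-code output, a check like this makes the "no network link should exist" rule from the Security by Design bullet enforceable rather than a matter of review discipline, which is the Automation principle applied to architecture rather than to incident response.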

Developing a Cloud Security Architecture

To maximize the impact of your cloud security architecture, it is vital to develop it as early in the process as possible. A good starting point is reviewing Check Point’s Cloud Security Blueprint and the associated solutions whitepaper to see examples of a cloud security architecture and how cloud security solutions can be deployed to support one.


After you have the fundamentals in place, the next step is to schedule a customized demo or a cloud transformation security consultation with Check Point experts, who can identify current gaps in your cloud strategy and cloud security solutions that can help you to remediate them.
