Timothy Liu is the CTO and co-founder of Hillstone Networks.

The rush to the cloud is on, with industry analyst firm Gartner predicting a nearly 50% growth rate in public cloud spending from 2020 to this year. The vast majority of companies now run at least some of their workloads in the cloud. It’s easy to see why—the public cloud offers the flexibility, scalability, resilience and rapid implementation that allow workloads to be deployed, decommissioned and adapted on the fly to accommodate changing business requirements.

Yet too often, cloud security has lagged behind the rapid growth in cloud adoption. For example, a recent survey by the Cloud Security Alliance (CSA) found that nearly 60% of respondents named network security as a key concern in cloud adoption. These fears are amplified by multiple headline-making cloud data breaches like those involving Kaseya, Accenture, Verizon and others.

Achieving a strong cloud security posture, however, requires a subtle transformation from traditional data security measures to methods that provide comprehensive visibility across cloud assets, with the ability to accurately identify potential threats and orchestrate defenses across multiple security resources.

Why Traditional Security Falls Short

Traditional data security architectures typically establish a perimeter, or network edge, as the leading point of defense. But in cloud architectures, the perimeter is somewhat amorphous—and even more so in the increasingly popular multicloud environments—making a perimeter-based security strategy next to impossible to achieve.

In addition, conventional security measures simply don’t adapt well to cloud environments. They lack the ability to automatically scale up and down along with workloads and may not support containers. Deployment and management are labor-intensive and difficult to achieve in the dynamic cloud environment. And, perhaps most importantly, discreet traditional security devices usually can’t communicate with each other, leaving potential security gaps.

A Roadmap To Cloud Security

Rather than relying on a perimeter, cloud security, by necessity, must adopt a data-centric approach. At the most basic level, identity and access management (IAM) must be applied and strictly enforced. Equally important is guarding against faulty configuration of the cloud infrastructure. Together, compromised credentials and cloud misconfiguration account for over 30% of malicious cloud breaches, according to research by IBM and the Ponemon Institute (pg. 9). These two factors are also prominently represented in the major cloud data breaches mentioned earlier.

Public cloud providers typically provide basic tools for IAM and configuration, but a relatively new class of products called cloud workload protection platforms, or CWPPs, can provide next-level cloud cybersecurity protections. CWPPs can scan for infrastructure misconfigurations, for example, as well as assure that compliance baselines are met. Along with threat and risk detection, CWPP services can span public and private clouds as well as VMs, containers, cloud-native applications and other resources.

A complementary strategy is ZTNA, or zero-trust network architecture, to address IAM. The core of ZTNA is a “never trust, always verify” mantra that eliminates unverified implicit trust and thereby enhances security across the entire network—including the cloud, data center, network, remote workers and other assets. Ideally, ZTNA will apply a user-to-application approach (not network-centric) to authenticate based on identity, context and resources requested—which allows much easier scaling in a fluid cloud environment.

Taking Cloud Security To The Next Level

While compromised credentials and cloud misconfiguration account for the majority of malicious breaches, adopting a layered cloud security approach can help defend against other threats and attacks. For example, micro-segmentation of east-west traffic between cloud resources can help prevent malicious lateral movements by malware. Sometimes called micro-isolation, this solution will continuously optimize itself to ensure assets are protected—and botnets and other threats can’t proliferate.

For north-south traffic, virtual next-gen firewalls and web application firewalls provide a strong defense for public-facing assets like cloud applications, web servers and APIs. These technologies can help prevent DoS and DDoS attacks, major security risks like the OWASP Top 10, and other threats like web page defacement.

Finally, extended detection and response (XDR) can span the entire security stack, including cloud, network, data center and endpoints, to provide comprehensive visibility, accurate threat identification and coordinated, automatic response. XDR solutions intake data from other security devices, standardize and correlate it, then use artificial intelligence methods to investigate and detect potential threats. Once a threat is identified, the XDR solution can orchestrate the appropriate security response across other security devices for comprehensive, coordinated protection.


To achieve a strong cloud security posture, security teams must transform from a traditional, perimeter-based security mindset to a data-oriented mentality and layered security approach. The most critical need is to protect against compromised credentials and misconfiguration of cloud infrastructure. However, the ultimate goal should be to gain comprehensive visibility, accurate threat identification and an automatic, immediate and coordinated defense against attacks and other threats.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?