First, we need to differentiate between the public cloud and the private cloud.
So, basically, the public cloud consists of cloud applications such as Office 365, Google Suite, Box.com, Dropbox, Salesforce, ServiceNow, etc. There are literally tens of thousands of cloud applications available. We call this Software as a Service (SaaS).
On the other hand, a private cloud is when you rent space in an Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) provider, and set up network and computing resources. Take a look at this diagram:
Every column shows the 9 layers of computing, from networking to applications. If a layer is shown in white, it means you manage it; if it shows in blue, the vendor manages it.
In the first column, “Packaged Software”, you get to manage all the layers: you need to setup the network, setup the storage devices, servers, virtualization (if any), install and manage the operating systems, middleware and runtime environment, and manage the data and applications.
The second column shows Infrastructure as a Service (IaaS). In this model, the vendor will take care of networking, storage, servers, and virtualization, and you take care from the operating system and up. An example would be Amazon Web Services.
The third column shows Platform as a Service (PaaS). In this model, the vendor takes care of networking up to runtime; you just bring the applications and data. An example would be Google App Engine.
And the fourth module shows Software as a Service, in which the vendor takes care of all the layers. An example would be Office 365.
So, what happens with security in each of the models?
In packaged software, you are responsible for all the information security; this is the traditional model of infosec: firewalls, AV, IDS/IPS, log analysis, vulnerability management, etc.
Logically, as we move into IaaS and PaaS, the vendor takes care of the security of the blue layers, and you have to worry about the white layers’ security.
OK, so we are now ready to define cloud security, cloud application security, and cloud access security.
Cloud security covers all the layers, except the application layer, in IaaS, PaaS, and SaaS:
This is, of course, a very extensive body of knowledge that includes problems from traditional information security as well as new problems specific to the cloud. If you want to learn more about this branch of information security, I recommend you take a look at the CSA Security Guidance. I also recommend John Rhoton’s book, “Cloud Computing Protected: Security Assessment Handbook”.
Cloud application security is the security of only the application layer of IaaS, PaaS, and SaaS:
This type of security consists in properly programming cloud applications to avoid vulnerabilities such as SQL injection, cross-site scripting, weak authentication and session management, cross site request forgery, etc. You can find the complete list of web application vulnerabilities in the OWASP site.
Finally, cloud access security focuses on securing the interaction between the user and the cloud application in a SaaS solution:
Cloud access security is all about controlling the organization’s information in cloud applications: who is uploading and downloading files, what documents have sensitive information, what documents are exposed to the Internet, which users have anomalous behavior, what cloud applications are inherently risky, and several other variables.
The type of software solutions that take care of this layer of security in the cloud is called Cloud Access Security Brokers, or CASB.
Gartner defines CASB as:
“…on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement.”
To sum it up:
Cloud security covers the security of all the computing layers in public and private clouds.
Cloud application security covers the security of cloud applications, making sure the application layer is safe.
Cloud access security covers the security of the interaction between the user and the cloud application in a SaaS deployment.