Cloud Security Architecture: Your Guide to a Secure Infrastructure
March 13, 2025

Dotan Nahum
Check Point Software Technologies

For many, security is like an onion. Sure, it can bring tears to your eyes when implementing it. However, the real reason for this analogy is that security comprises many layers; the more you have, the greater your chances of preventing a breach. Within this context, securing your cloud infrastructure can be compared only to an enormous (and intimidating) onion — one that'll surely win prizes at the farmers' fair.

Rethinking Security by Taking a Step Back

Before diving headfirst into implementing your cloud security architecture, it's crucial to take a step back and understand the threats you face. This is where a process-driven approach, like threat modeling(link is external) can help you take that step back and begin identifying potential security threats and vulnerabilities within a cloud environment, enabling you to put yourself in attackers’ shoes and ask:

■ What are my valuable assets in the cloud? (Data, applications, etc.)

■ How could someone try to compromise these assets? (Exploiting software vulnerabilities, social engineering, etc.)

■ What are the potential consequences of a successful attack? (Data breach, financial loss, reputational damage, etc.)

■ What can I do to mitigate these risks? (Implement strong access controls(link is external), encryption, intrusion detection systems, etc.)

Understand and Defend Your Attack Surface

Threat modeling can be a good starting point, but it shouldn't end with a stack-based security approach. Rather than focusing solely on the technologies, approach security by mapping parts of your infrastructure to equivalent security concepts. Here are some practical suggestions and areas to zoom in on for implementation.
Network Security

If you're on AWS, for example, your network starts at the VPC (Virtual Private Cloud). Traffic using security groups and network ACLs will allow for proper network control and help in micro-segmentation — dividing your network into segments and applying security controls to each segment.

Similarly, you can use a WAF(link is external) (Web Application Firewall) to protect your web applications from common exploits like SQL injection and cross-site scripting (XSS).

Once you have these fundamentals covered, a good next step is embracing a zero-trust architecture, which is based on the principle of "never trust, always verify." No user, device, or piece of data is automatically trusted, regardless of whether they're inside your network.

Workload Protection

When protecting workloads in the cloud, consider using some variant of runtime security. Kubernetes users have no shortage of choice here with tools such as Falco, an open-source runtime security tool that monitors your applications and detects anomalous behaviors.

However, chances are your cloud provider has some form of dynamic threat detection for your workloads. For example, AWS offers Amazon GuardDuty, which continuously monitors your workloads for malicious activity and unauthorized behavior.

Inventory Management

Consider implementing a system for tracking software versions running across your entire stack. While this can be time-consuming, it will prevent the "are we vulnerable" debate at your next stakeholder meeting.

Use this inventory to determine which components need to be updated or patched based on known vulnerabilities. Regularly review and update your software to ensure you're running the most secure versions.

2MFA

Implementing two-factor authentication adds an extra layer of protection by requiring a second form of verification, such as an authenticator app or a passkey, in addition to your password. While reaching for your authenticator app every time you log in might seem slightly inconvenient, it's a far better outcome than dealing with the aftermath of a breached account. The minor inconvenience is a small price to pay for the added security it provides.

AI for Threat Detection

While the mention of AI in the context of cloud security might have you rolling your eyes due to the current hype surrounding the technology, there's a genuine use case for leveraging AI and ML to enhance threat detection. Traditional security systems, often relying on static rules and signatures, struggle to keep pace with the dynamic nature of cloud environments and the constantly evolving threat landscape(link is external).

By leveraging machine learning, security systems can analyze vast quantities of security data, including network traffic, user activity logs, and security events, to identify patterns and anomalies that may indicate malicious activity. Examples of AI/ML in action include:

■ Enhancing security information and event management (SIEM) platform accuracy by correlating events from various security sources.

■ AI-powered network traffic analysis (NTA) reveals more anomalies, such as malware communication, data exfiltration, and command-and-control activity.

■ User and entity behavior analytics (UEBA) utilize AI to establish baselines of normal user behavior and identify deviations that may indicate insider threats or compromised accounts.

Never Stop Moving

By rethinking your approach to security and first seeking to understand which areas of your infrastructure are most vulnerable, you can take a more proactive approach to building secure infrastructure.

Understanding your attack surface, implementing cloud-specific security measures, and managing your software inventory are all great tips to significantly enhance the security posture of your cloud infrastructure. However, this post wouldn't be complete without the ever-present reminder that security isn't a desired state but a journey.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies
Share this

Industry News

May 19, 2025

Docker, Inc.® announced Docker Hardened Images (DHI), a curated catalog of security-hardened, enterprise-grade container images designed to meet today’s toughest software supply chain challenges.

May 19, 2025

GitHub announced that GitHub Copilot now includes an asynchronous coding agent, embedded directly in GitHub and accessible from VS Code—creating a powerful Agentic DevOps loop across coding environments.

May 19, 2025

Red Hat announced its integration with the newly announced NVIDIA Enterprise AI Factory validated design, helping to power a new wave of agentic AI innovation.

May 19, 2025

JFrog announced the integration of its foundational DevSecOps tools with the NVIDIA Enterprise AI Factory validated design.

May 15, 2025

GitLab announced the launch of GitLab 18, including AI capabilities natively integrated into the platform and major new innovations across core DevOps, and security and compliance workflows that are available now, with further enhancements planned throughout the year.

May 15, 2025

Perforce Software is partnering with Siemens Digital Industries Software to transform how smart, connected products are designed and developed.

May 15, 2025

Reply launched Silicon Shoring, a new software delivery model powered by Artificial Intelligence.

May 15, 2025

CIQ announced the tech preview launch of Rocky Linux from CIQ for AI (RLC-AI), an operating system engineered and optimized for artificial intelligence workloads.

May 14, 2025

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists.

May 14, 2025

CodeRabbit is now available on the Visual Studio Code editor.

The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.

May 14, 2025

Chainguard announced Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.

May 14, 2025

Sysdig announced the donation of Stratoshark, the company’s open source cloud forensics tool, to the Wireshark Foundation.

May 13, 2025

Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.

May 13, 2025

Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.

May 13, 2025

Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.