Cloud Network Security
Cloud network security encompasses the policies, technologies, controls, and architectural frameworks applied to protect data, workloads, and communications within cloud-hosted and cloud-connected infrastructure. This reference covers the structural mechanics of cloud network security, the regulatory landscape governing cloud deployments, classification boundaries between major delivery models, and the documented tradeoffs practitioners and procurement officers encounter. The sector spans providers operating under frameworks including NIST, FedRAMP, ISO/IEC 27001, and CSA STAR, making it one of the most standards-dense segments of the broader network security fundamentals field.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps
- Reference table or matrix
Definition and scope
Cloud network security is the discipline concerned with protecting the network layer of cloud environments — including virtual networks, inter-service communications, ingress/egress traffic flows, and hybrid connectivity — against unauthorized access, data interception, denial-of-service conditions, and lateral movement by threat actors.
Scope extends across three primary cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Each model shifts the boundary of customer-controlled network security controls differently. In IaaS deployments (e.g., virtual machines on AWS VPC or Azure Virtual Network), the customer retains direct control over firewall rules, routing tables, and network segmentation. In SaaS, the provider manages nearly the entire network stack, leaving the customer responsible primarily for identity, access policy, and endpoint configuration.
The Cloud Security Alliance (CSA) defines the cloud network security domain in its Cloud Controls Matrix (CCM), which maps 197 control objectives across 17 domains, with network security comprising controls in the Infrastructure and Virtualization Security domain. NIST Special Publication 800-145 formally defines cloud computing and its five essential characteristics, three service models, and four deployment models — a taxonomy that underpins regulatory and procurement language throughout the US federal and commercial sectors (NIST SP 800-145).
Core mechanics or structure
Cloud network security operates through a layered architecture that differs fundamentally from on-premises network security in three structural respects: the abstraction of physical hardware into software-defined constructs, the shared-responsibility model governing control plane versus data plane ownership, and the elastic, API-driven provisioning of network components.
Virtual Private Clouds (VPCs) and Subnets. Cloud providers implement network isolation through logically partitioned virtual networks. Within a VPC, traffic flows between subnets are governed by security groups (stateful, instance-level firewall rules) and network access control lists (stateless, subnet-level rules). These two control layers correspond roughly to traditional host-based and perimeter-based firewalling respectively. The distinction between stateful and stateless inspection is covered in greater detail on the firewall types and selection reference.
Software-Defined Perimeters. Cloud environments implement software-defined networking security principles where routing, switching, and filtering decisions are made by a control plane software layer, not by dedicated appliances. This enables programmatic enforcement of network segmentation strategies at scale — a VPC peering policy or transit gateway route table can segment thousands of workloads without physical reconfiguration.
Egress and Ingress Controls. North-south traffic (between the cloud environment and external networks) is regulated via internet gateways, NAT gateways, VPN concentrators, and dedicated interconnects (e.g., AWS Direct Connect, Azure ExpressRoute). East-west traffic (between workloads within the cloud environment) requires explicit microsegmentation policies; absent these controls, a compromised workload can reach adjacent services across the same VPC.
Cloud-Native Security Services. Major IaaS providers offer native services covering web application firewall functionality, DDoS mitigation, DNS filtering, flow log analysis, and threat detection. These services integrate directly with cloud IAM systems, enabling policy enforcement tied to resource identity rather than network address alone — a foundational principle of zero trust network architecture.
Causal relationships or drivers
The expansion of cloud network security as a distinct practice area is driven by three compounding factors: the migration of regulated workloads to cloud infrastructure, the dissolution of traditional network perimeters by distributed workforces, and the demonstrated attack surface presented by misconfigured cloud networking components.
Regulatory drivers are explicit. The Federal Risk and Authorization Management Program (FedRAMP), administered by GSA, mandates that all cloud services used by US federal agencies meet a defined security baseline tied to NIST SP 800-53 control families — including those governing network boundary protection and access control (FedRAMP Authorization Boundary Guidance). As of the FedRAMP Authorization Act signed into law in December 2022 as part of the FY2023 National Defense Authorization Act, the program's authority was codified in statute for the first time, increasing compliance pressure on cloud providers serving government clients.
In healthcare, the HHS Office for Civil Rights enforces HIPAA's Technical Safeguard requirements (45 CFR §164.312), which require covered entities and business associates to implement technical security measures that guard against unauthorized access to ePHI transmitted over electronic communications networks — including cloud networks (HHS HIPAA Security Rule).
The financial sector faces additional layering through FFIEC guidance and, for publicly traded firms, SEC cybersecurity disclosure rules finalized in July 2023, which require material cybersecurity incident disclosure within four business days of materiality determination (SEC Cybersecurity Rule, 17 CFR Parts 229 and 249).
Classification boundaries
Cloud network security controls are classified along four axes:
By deployment model: Public cloud (multi-tenant, provider-managed physical infrastructure), private cloud (dedicated infrastructure, on-premises or co-located), hybrid cloud (on-premises interconnected with public cloud), and multi-cloud (workloads distributed across 2 or more distinct cloud providers). Each model presents distinct trust boundaries and control ownership distributions.
By service model: IaaS grants the highest customer network control; PaaS abstracts the OS and runtime, leaving network configuration partially managed by the provider; SaaS abstracts the application and infrastructure stack entirely, with customer network security limited to identity federation, conditional access policies, and API security.
By control type: Preventive controls (security groups, NACLs, WAFs, encryption in transit), detective controls (VPC flow logs, cloud-native SIEM integrations, network traffic analysis pipelines), and corrective controls (automated remediation via cloud-native policy engines such as AWS Config Rules or Azure Policy).
By enforcement layer: Network-layer controls (L3/L4 filtering), application-layer controls (L7 inspection via cloud WAF or service mesh), and identity-layer controls (IAM policies governing API-level network resource access).
Tradeoffs and tensions
Visibility vs. cost. Full packet capture in cloud environments generates storage and egress costs that scale with traffic volume. Organizations typically choose between full flow logging (lower fidelity, lower cost) and selective deep packet inspection (higher fidelity, significantly higher cost). VPC flow logs in AWS, for example, do not capture payload content — only connection metadata — creating detection gaps for encrypted lateral movement.
Shared responsibility ambiguity. Provider-managed services abstract infrastructure security but the boundary of responsibility for network controls is frequently misunderstood, documented below under misconceptions. Misassigned responsibility is a leading cause of cloud security incidents per the CSA's Egregious Eleven threat taxonomy.
Speed of provisioning vs. security review cadence. Infrastructure-as-code pipelines can provision new VPCs and security group rules in under 60 seconds. Security review and approval workflows in regulated industries frequently operate on timescales of days to weeks, creating pressure to bypass review for routine changes — a dynamic that has contributed to documented misconfiguration incidents.
Secure access service edge convergence vs. vendor lock-in. SASE architectures consolidate network and security functions into unified cloud-delivered services, reducing architectural complexity. However, consolidation around a single SASE vendor creates dependency risk if service outages affect both network connectivity and security enforcement simultaneously.
Common misconceptions
Misconception: The cloud provider secures the network. Cloud providers secure the physical infrastructure, hypervisor layer, and global network backbone. Customer-controlled resources — including security group rules, VPC routing tables, S3 bucket policies with network conditions, and inter-service firewall rules — remain the customer's responsibility. AWS, Azure, and GCP each publish explicit shared responsibility model documentation detailing this boundary.
Misconception: Encryption in transit eliminates network security requirements. TLS encryption protects data confidentiality during transmission but does not prevent network-layer attacks, misconfigured routing that exposes services to unauthorized subnets, or lateral movement by authenticated but unauthorized principals. TLS/SSL certificate management addresses the encryption layer, but network segmentation and access control remain independent control requirements.
Misconception: Cloud environments cannot be segmented like on-premises networks. VPCs, subnets, security groups, private link services, and service mesh architectures provide segmentation granularity comparable to — and in some cases exceeding — traditional VLAN-based approaches. Microsegmentation applied to cloud workloads can enforce per-process or per-container network policies.
Misconception: FedRAMP authorization means a cloud service is secure for all government data. FedRAMP authorization indicates a service has met a defined baseline control set at Low, Moderate, or High impact level. The authorizing agency's specific data classification and mission requirements may exceed the baseline, requiring additional controls and a formal Agency ATO (FedRAMP Program).
Checklist or steps
The following sequence reflects the standard phases of implementing cloud network security controls within a new or migrated cloud environment, as structured by NIST SP 800-53 and CSA CCM domain mapping:
- Define authorization boundary — Document which cloud accounts, VPCs, and services are in scope for security controls. Reference FedRAMP boundary guidance if federal data is processed.
- Inventory network-exposed resources — Identify all public IP addresses, internet-facing load balancers, open security group rules (particularly 0.0.0.0/0 inbound), and unauthenticated API endpoints.
- Apply VPC segmentation — Separate workloads by sensitivity tier into distinct subnets or VPCs with explicit peering or transit gateway policies governing inter-segment traffic.
- Enforce least-privilege security group rules — Replace permissive inbound rules with source-specific CIDR blocks or security group references limited to required ports and protocols.
- Enable flow logging — Activate VPC flow logs (or provider-equivalent) to a centralized, tamper-evident log destination. Retention period should meet applicable regulatory minimums (HIPAA requires 6-year retention for security documentation per 45 CFR §164.530(j)).
- Implement encryption in transit — Enforce TLS 1.2 minimum on all inter-service and client-facing traffic; document cipher suite configurations per NIST SP 800-52 Rev 2 guidelines (NIST SP 800-52).
- Integrate cloud-native threat detection — Enable provider-native services (e.g., AWS GuardDuty, Azure Defender for Cloud, GCP Security Command Center) and route alerts to a SIEM for network security platform.
- Establish a change management process for network resources — Require security review for changes to security groups, routing tables, firewall policies, and VPC peering configurations.
- Conduct periodic network vulnerability scanning — Schedule automated assessments per network vulnerability scanning methodologies, including checks for publicly exposed management interfaces and unpatched network appliance firmware.
- Document and test incident response procedures — Define playbooks for cloud network incidents (e.g., exposed S3 bucket, open security group, compromised EC2 instance with external C2 traffic) aligned to network security incident response frameworks.
Reference table or matrix
| Control Domain | IaaS Customer Responsibility | PaaS Customer Responsibility | SaaS Customer Responsibility | Governing Standard |
|---|---|---|---|---|
| VPC / virtual network configuration | Full | Partial | None | NIST SP 800-53 SC-7 |
| Security group / firewall rules | Full | Partial | None | NIST SP 800-53 AC-4 |
| Encryption in transit | Full | Shared | Provider-managed | NIST SP 800-52 Rev 2 |
| DDoS protection | Shared | Shared | Provider-managed | CSA CCM IVS-06 |
| Flow logging / traffic visibility | Full | Partial | None | NIST SP 800-53 AU-12 |
| DNS security | Full | Partial | None | NIST SP 800-81-2 |
| Network access control (identity-based) | Full | Full | Full | NIST SP 800-53 AC-17 |
| Intrusion detection (network layer) | Shared | Shared | Provider-managed | CSA CCM TVM-07 |
| Certificate management | Full | Shared | Provider-managed | NIST SP 800-52 Rev 2 |
| Regulatory compliance documentation | Full | Full | Full | FedRAMP, HIPAA, PCI DSS |
Responsibility designations follow the shared responsibility model frameworks published by AWS, Microsoft Azure, and Google Cloud Platform. "Shared" indicates both provider and customer hold defined obligations.
References
- NIST SP 800-145: The NIST Definition of Cloud Computing
- NIST SP 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-52 Rev 2: Guidelines for TLS Implementations
- NIST SP 800-81-2: Secure Domain Name System (DNS) Deployment Guide
- Cloud Security Alliance: Cloud Controls Matrix (CCM)
- FedRAMP Program — General Services Administration
- FedRAMP Authorization Boundary Guidance
- HHS HIPAA Security Rule — 45 CFR Part 164
- SEC Cybersecurity Disclosure Rules — 17 CFR Parts 229 and 249 (2023)
- ISO/IEC 27001:2022 — Information Security Management Systems