Privacy policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content.
You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Managing your cookies

Our website uses cookies. You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button.

Necessary cookies

These are essential for the user navigation and allow to give access to certain functionalities such as secured zones accesses. Without these cookies, it won’t be possible to provide the service.
Matomo on premise

Marketing cookies

These cookies are used to deliver advertisements more relevant for you, limit the number of times you see an advertisement; help measure the effectiveness of the advertising campaign; and understand people’s behavior after they view an advertisement.
Adobe Privacy policy | Marketo Privacy Policy | MRP Privacy Policy | AccountInsight Privacy Policy | Triblio Privacy Policy

Social media cookies

These cookies are used to measure the effectiveness of social media campaigns.
LinkedIn Policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Skip to main content

How cloud security is evolving to a platform centric approach-Part 1

Today’s security landscape

The rapidly evolving threat landscape has created significant security implications for consumers and businesses. Cloud development has reached the inevitable point where a new, unified approach becomes necessary to face a dynamic set of security challenges. Within a cloud hyperscaler ecosystem, security methods are evolving toward developments intended to centralize several distinct security domains that apply to specific software products or applications.

Recent attacks by the Sandworm group on Ukraine’s infrastructure (first reported by CERT-UA and ESET in April 2022) have used malware vectors like the IndustroyerV2 framework. This framework is compatible with ICS technologies like IEC-104, and enables the outputs of compromised industrial devices to be modified. The attacks also used CaddyWiper and AwfulShred to corrupt industrial machine files, overwriting them with null byte characters and destroying data irreversibly.

To mitigate this particular security threat requires minimizing the external attack surface — such as by separating and categorizing specific networks — and increasingly isolating functionality and network services, completely disabling them in as many scenarios as possible.

The multitude of attack vectors such as malware, web pages, text messages as well as the multitude of attack types (ARP cache poisoning, Man-in-the-Browser, etc.) call for complex, intelligent, dynamic security solutions which should also account for deep and dark web security awareness such as threat detection for Tor nodes.

Here are a few features that these types of security solutions have in common:

Distinct security domains

Ad hoc security domains and modules should be centralized and managed in an abstract manner to address separate security concerns — as they apply to SDN/NFVs, APIs, containers and other individual attack surface groups and categories. Each security management domain is part of an automated security management framework (ASMF), depicted below. The domains integrate with intelligent security automation for their respective infrastructure, network or service, as well as for the related virtualized resources provisioned in the cloud. The ASMF is responsible for automated secure data collection, analytics and decision engine, security orchestration as well as for managing trust and other policies. Based on this architecture, security modules are easily scalable and security can be applied consistently throughout the network, providing a holistic and completely new approach.

Emerging technologies (SDSec, DevSecOps, SaC )

Software-defined security (SDSec) enables the creation of dynamic security measures or policies that adapt easily to changes in the security landscape. Complex software-defined controllers — with integrated security implementations — are part of evolving software-defined networking (SDN) architectures. SDSec controllers are aware of the relevant network topology and infrastructure while integrating security policies for routing and firewalling. They enable complex network function deployment and service chaining capabilities for virtual network traffic flow automation — to dynamically compute decisions (about security relevance, requirements, etc.) on traffic flows and direct them only to their previously designated network elements.

Evolved cloud security solutions such as DevSecOps-based hyperautomation — with absolutely no manual intervention — make use of infrastructure configuration files for dynamic orchestration instead of manual resource provisioning. These configuration files, together with configuration scripts for related tools and application runtime, are components of the Infrastructure-as-Code (IaC) virtualization technology.

Security-as-code (SaC) employs the same approach to codifying security policies and auditing modules directly into the configuration code, including build artifact integrity validation, security service level agreements (SSLAs) or other regulatory elements. Centralized DevSecOps approaches will evolve in order to enable secure software production automation as part an enterprise software factory model or architecture — benefiting from integrated security process orchestration. Within such a complex and automated ecosystem, security architects must also mitigate automation-based security risks, such as those endangering critical elements of the ecosystem by some rapidly automated propagation and replication of attacks to the entire cloud infrastructure, networks, services and operations.

Evolved security platform centralization

Rather than categorization by security domain, cloud security centralization will eventually evolve towards platforms that instead categorize attack types at a high level, using AI/ML in to identify and recognize each attack type and respond with hyper-automated risk mitigation.

Many different types of attacks (see sidebar for a minimal number of examples) can be individually categorized and managed in an attack-centralized AI-driven SDSec engine, with automated attack-specific mitigations.

Thus, we can secure the cloud ecosystem from all known types of attack, as well as zero-day attacks, creating the most securely comprehensive approach. If all known types of attack are accounted for and mitigated, then the ecosystem will be 100% protected.

Security platform centralization is desirable and recommended for all complex ecosystems and architectures, including for 5G mobile networks, Industrial Control Systems as well as for robotic vehicles systems, with security implementations integrated into the fabric and addressing each phase of the SSDLC, while facilitating easy monitoring, automated risk characterization and risk mitigation across the whole cloud system.

If you are considering implementing a platform like this, check the next part of the article on how to take the first step.

Share this article

About the author

Mihai Lucian Belu

Lead Cybersecurity Products and Services Architect, Atos’

Mihai Lucian Belu is Lead Cybersecurity Products and Services Architect within Atos’s Service Engineering team. He has more than 20 years of diverse interests and experience in cybersecurity, cloud automation, software development and programming.

Follow or contact Mihai

All articles


When to move sensitive data to cloud and how to select which cloud?


The future of CSP’s security: shared fate or shared responsibility?


The proliferation of cloud security features


Simplifying security amid the magnitude of the multi-cloud environment


Part I: How cloud security is evolving to a platform centric approach


Part II: How cloud security is evolving to a platform centric approach


Deciphering the Sovereign Cloud


Getting Started with DevSecOps

Why low-code/no-code should not mean low/no security


Six winning ways to secure IaC


A CSP’s simple guide to all things FedRAMP


Managing the top security threats to public cloud


Protecting your sensitive data with double key encryption


How AI can simplify cloud security management