Indonesia
Indonesia
In recent years, many companies have been adopting cloud services, but behind that convenience lie security risks. To use cloud environments safely, you need security measures that differ from those used in traditional on-premises environments.
This article clearly explains the fundamentals of cloud security, the types of specific services available, and key points for selecting the options best suited to your organization.
Table of Contents
Cloud security refers to the set of measures, technologies, and services used to protect data stored in cloud computing environments, as well as applications and operating systems running in those environments against a variety of threats such as unauthorized access, data breaches, and system compromise.
As cloud services become indispensable business tools, the security measures around them have become critical factors that determine a company’s credibility and business continuity.
Driven by digital transformation (DX) and new ways of working, many organizations are adopting cloud services to improve operational efficiency and reduce costs.
According to the 2024 Information and Communications White Paper, more than 80% of companies in Japan use some form of cloud service, and the market continues to expand.
However, as usage grows, cyberattacks targeting cloud environments and data breaches caused by misconfigurations are also on the rise, making cloud security increasingly important.
Source: Overview of the Reiwa 7 (2025) Edition of the Information and Communications White Paper (Japanese Only)
In traditional on-premises environments, companies manage their own physical servers and network devices and focus on “perimeter-based defense” to protect the internal network.
In contrast, cloud services are accessed via the internet, blurring the boundary between internal and external networks. As a result, data-centric security based on a Zero Trust approach—protecting information regardless of where access originates—is required.
| Aspect | On-premises | Cloud |
|---|---|---|
| Security approach | Perimeter-based defense (protect the internal network) | Zero Trust (trust no access by default) |
| Primary protection targets | Physical servers, network devices | Data, identities, applications, devices |
| Responsibility | Managed entirely by the organization | Shared between the cloud provider and the customer (shared responsibility model) |
| Threat entry vectors | Mainly external network attacks | Diversified, including unauthorized access, misconfigurations, and API vulnerabilities |
Cloud services are typically categorized into three types based on what they provide: SaaS, PaaS, and IaaS.
Each category differs in the “shared responsibility model,” i.e., who is responsible for which security measures.
Understanding the types of services you use and clarifying where your responsibilities lie is the first step toward appropriate security.
SaaS (Software as a Service) delivers software over the internet.
Customers use the application’s functionality, while the cloud provider manages the underlying infrastructure and OS.
PaaS (Platform as a Service) provides a platform (OS, middleware, etc.) for developing and running applications.
Customers run their own applications on this platform.
IaaS (Infrastructure as a Service) provides IT infrastructure such as servers, storage, and networks over the internet.
Customers can freely build system environments, including the OS.
While cloud services are highly convenient, they come with unique security risks. It’s important to understand these risks and prepare countermeasures in advance.
Because cloud services are accessible via the internet, leaked IDs and passwords can make them prime targets for unauthorized access by third parties.
Using easily guessable passwords or reusing passwords significantly increases the risk of account compromise. Unauthorized access can expose customer information and corporate confidential data.
Cloud services tend to be multifunctional and complex to configure. Human errors such as incorrect permission settings or failing to verify the scope of sharing frequently lead to unintended data exposure.
As a typical example, a file intended to be “internal only” may be accidentally set to “public on the internet.”
Even without malicious intent, employee carelessness can cause information leaks.
“Shadow IT,” where employees use personal devices or unauthorized cloud services for work, is a major security risk because information is handled outside the company’s control.
Other common mistakes include sending files containing confidential information to the wrong recipient.
If a cloud service’s servers experience failures or come under cyberattacks like DDoS, the service may become temporarily unavailable.
When business-critical services go down, your operations can be directly affected. It is important to back up data and prepare a recovery plan in advance.
| Risk type | Examples | Main causes |
|---|---|---|
| Unauthorized access | Intrusion into systems, data theft/manipulation | Weak passwords, leaked credentials, phishing, lack of multi-factor authentication, missing regular patching |
| Misconfiguration | Unintended data exposure due to incorrect permissions | Human error, insufficient knowledge of cloud configuration |
| Employee mistakes | Shadow IT, misdirected emails, lost devices | Low security awareness, weak internal rules |
| Service outages | Inability to use business systems, operational disruptions | Provider-side failures, DDoS attacks, ransomware |
Various security services have emerged to address cloud-specific risks. Below are three representative categories.
CASB (Cloud Access Security Broker) establishes a single control point between a company and multiple cloud services to enforce centralized security policies.
It visualizes who is using which cloud services and how, helping you discover shadow IT and control risky actions that could lead to data leakage.
CWPP (Cloud Workload Protection Platform) specializes in protecting cloud workloads, such as servers, virtual machines, and containers.
In IaaS and PaaS environments, it offers capabilities such as scanning for workload vulnerabilities, preventing the execution of malware, and monitoring for configuration issues to keep cloud infrastructure secure.
CSPM (Cloud Security Posture Management) continuously monitors cloud security configurations and automatically detects and remediates misconfigurations and policy violations.
“Posture” refers to the overall security stance—CSPM helps ensure your cloud environment maintains the correct security posture. It can evaluate the security state across multiple cloud services using consistent criteria.
To choose the most suitable cloud security services for your organization, keep the following points in mind.
First, understand which cloud services (SaaS, PaaS, IaaS) your organization uses and to what extent.
Then clarify your security objectives, such as “visualize shadow IT,” “manage vulnerabilities in the development environment,” or “prevent data leaks caused by misconfigurations.” Depending on your goals, you can identify which category—CASB, CWPP, or CSPM—best fits your needs.
It is essential to verify whether the security service you are considering supports the major cloud platforms you use (e.g., Microsoft 365, Google Workspace, AWS, Azure).
Also check support for services you plan to adopt in the future to make your investment effective over the long term.
As an objective indicator of trustworthiness, check whether the provider has obtained third-party security certifications.
In particular, providers with ISMS Cloud Security Certification (ISO/IEC 27017), an international standard for cloud security controls, can be considered to have established a highly reliable security posture.
| Comparison point | What to check |
|---|---|
| Fit to objectives | Does it address your challenges (e.g., shadow IT control, vulnerability management)? |
| Coverage | Does it support the cloud services you use (e.g., Microsoft 365, AWS)? |
| Features | Are required capabilities available (visibility, control, threat protection, data protection)? |
| Trustworthiness | Has it obtained third-party certifications such as ISMS Cloud Security Certification? |
| Deployment and operations | Is it easy to deploy? Are the admin UI and support robust? |
Beyond adopting specific tools, it’s essential to reinforce day-to-day operational basics to keep your cloud environment secure.
Access control—strictly managing “who can access which information”—is fundamental. Enforce the principle of least privilege by granting only the minimum permissions needed based on role and job function.
In addition, don’t rely on ID and password alone. Implement multi-factor authentication (MFA), such as SMS codes or authenticator apps, to significantly reduce the risk of unauthorized access.
If data is leaked, encryption is extremely effective in preventing the contents from being read.
Implement both “encryption in transit” when sending data to the cloud and “encryption at rest” when storing data in the cloud. Many cloud services provide encryption features by default—verify that the settings are enabled.
Audit logs record “who did what and when” in cloud services.
Reviewing these logs regularly allows you to detect suspicious access and unusual operations early.
Long-term log retention is also essential for investigating root causes and determining impact if a security incident occurs.
If you use PaaS or IaaS, your OS, middleware, and in-house applications may contain vulnerabilities.
Perform regular vulnerability assessments, and promptly apply patches and fixes when new issues are found to reduce the risk of cyberattacks.
No matter how advanced your systems, you cannot eliminate risk if users lack security awareness.
Conduct regular training on phishing tactics, safe password management, and the risks of shadow IT to improve security levels across the entire organization.
Cloud services are indispensable to modern business, but maximizing their benefits requires appropriate security measures.
As discussed in this article, start by understanding the types of services you use and your areas of responsibility, and by recognizing cloud-specific risks.
Then, by leveraging security services such as CASB, CWPP, and CSPM, and rigorously implementing foundational measures like access control enhancements, vulnerability management, and policy violation detection, you can build a secure and highly productive cloud environment.
KDDI Cloud Inventory provides one-stop management of device security processes and a wide variety of cloud-based security features. Contact us to learn more.
Strengthening Security and Governance at Global Branches
Connect with KDDI consultants for inquiries and quotations.
What is the best solution for your problem?
Please consult a KDDI consultant.
