1. What is cloud security?
Cloud security is a collection of policies, technologies, and controls designed to protect data, applications, and infrastructure operating on cloud computing environments. The core objective of cloud security is to ensure the confidentiality, integrity, and availability of all digital resources a business deploys in the cloud, regardless of whether that environment is public, private, or hybrid cloud.

2. How does cloud security differ from traditional security?
To understand the importance of cloud security, it helps to look at the fundamental differences from traditional security approaches. The two models differ not only in tools but also in design philosophy and responsibility allocation.
Traditional security builds defenses using a "castle wall" model: placing a firewall at the entry point of the internal network and strictly controlling all traffic passing through that point. When the entire system resides in a single physical location, this model works effectively. In a cloud environment, network boundaries virtually cease to exist in a physical sense, as data flows continuously between services, APIs, and users from around the world. The attack surface expands with every connected API, every authorized user account, and every integrated third-party service.

| Criteria | Traditional security | Cloud security |
| --- | --- | --- |
| Scope of control | Fixed physical infrastructure | Distributed, multi-region resources |
| Access points | Internal LAN/WAN network | Internet, open APIs, and remote devices |
| Deployment model | On-premise, centralized | Cloud, flexible scaling by workload |
| Protection method | Physical firewall at network perimeter | Identity control, encryption, Zero Trust |
| Scalability | Limited by hardware | Auto-scales on demand |
| Specific risks | Physical attacks, device theft | Misconfiguration, API leaks, multi-tenancy |
| Operating costs | High CapEx for infrastructure | Flexible OpEx, pay-as-you-go |

3. What is the shared responsibility model in cloud security?
The Shared Responsibility Model is the foundational principle that every IT team must understand before deploying any workload to the cloud. The core principle: the cloud provider is responsible for the security "of" the infrastructure, while the business is responsible for security "on" that infrastructure. Many real-world cloud security incidents originate from businesses mistakenly assuming the provider handles everything.
3.1. Responsibility allocation by service model
Responsibility boundaries shift depending on the service model. Refer to the detailed differences between IaaS, PaaS, and SaaS to determine the appropriate scope of responsibility. With IaaS, the business controls and is responsible for the operating system and everything above. With PaaS, the provider also takes on the runtime and middleware. With SaaS, the provider manages nearly the entire stack, but the business is still responsible for data and user access management.

| Security layer | IaaS | PaaS / SaaS |
| --- | --- | --- |
| Data and content | Business | Business |
| Applications and configuration | Business | Business (SaaS: provider) |
| Runtime and middleware | Business | Provider |
| Operating system | Business | Provider |
| Network and physical infrastructure | Provider | Provider |

3.2. Risks of misunderstanding the shared responsibility model
When businesses are unclear about responsibility boundaries, security gaps emerge in various forms. The most common include neglecting to encrypt stored data because they assume the provider handles it, failing to establish strict access control policies for internal user accounts, or leaving default cloud service configurations in place without conducting a risk assessment. These vulnerabilities do not originate from provider infrastructure but from the business's own area of responsibility being overlooked.
To operate securely, businesses should conduct periodic assessments: clearly identify which model each workload falls under (IaaS/PaaS/SaaS), create control checklists for each responsibility layer, and ensure there are no blind spots across the entire cloud infrastructure in operation.
4. What are the common threats to cloud environments?
Cloud environments significantly expand the attack surface compared to traditional infrastructure. Understanding each type of threat helps businesses prioritize security resources in the right places and build a proactive response plan rather than reacting after an incident occurs.
4.1. DDoS attacks targeting cloud infrastructure
Cloud infrastructure with its many public access points is an ideal target for large-scale DDoS attacks. Attackers use a botnet with hundreds of thousands of compromised devices to simultaneously flood cloud systems with requests, exhausting computing resources and bandwidth. DDoS attacks on cloud environments are particularly dangerous because the sudden spike in resource costs can cause significant financial damage even before the system fully goes down.
In particular, HTTP flood and Slowloris are two Layer 7 attack techniques that target the application layer, making them harder to detect than Layer 3/4 attacks because the traffic superficially resembles legitimate requests. Without an intelligent filtering layer at the application tier, these attacks can cripple a service without requiring massive traffic volumes.
4.2. Data breaches and configuration errors
A data breach is the most common consequence of cloud security incidents and typically stems from misconfiguration rather than complex technical vulnerabilities. A storage bucket accidentally set to public, an overly permissive security group rule, or an improperly protected API key can all result in millions of customer data records being exposed with no warning. This is the leading cause of cloud security incidents because it originates from within, rather than from an external attacker breaking in.
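The three misconfigurations named above can be checked mechanically. The following is an added example, not part of the original article: it audits a constructed, provider-neutral inventory, and the inventory shape, the allowed public ports, and the 90-day key age limit are all assumptions.

```python
import ipaddress

# Constructed inventory in a provider-neutral shape (not a real cloud API export).
INVENTORY = {
    "buckets": [
        {"name": "customer-exports", "public_read": True, "encrypted": False},
        {"name": "app-logs", "public_read": False, "encrypted": True},
    ],
    "security_groups": [
        {"name": "web", "rules": [{"cidr": "0.0.0.0/0", "port": 443}]},
        {"name": "db-admin", "rules": [
            {"cidr": "0.0.0.0/0", "port": 22},
            {"cidr": "10.0.0.0/8", "port": 5432},
        ]},
    ],
    "api_keys": [
        {"id": "key-ci", "age_days": 400, "scopes": ["*"]},
        {"id": "key-report", "age_days": 20, "scopes": ["reports:read"]},
    ],
}

PUBLIC_OK_PORTS = {80, 443}  # assumption: only web ports may face the internet
MAX_KEY_AGE_DAYS = 90        # assumption: local key rotation policy


def is_world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(inventory):
    """Return (severity, resource_type, name, problem) tuples, HIGH first."""
    findings = []
    for bucket in inventory.get("buckets", []):
        if bucket.get("public_read"):
            findings.append(("HIGH", "bucket", bucket["name"], "publicly readable"))
        if not bucket.get("encrypted"):
            findings.append(("MEDIUM", "bucket", bucket["name"], "not encrypted at rest"))
    for group in inventory.get("security_groups", []):
        for rule in group.get("rules", []):
            # A world-open rule is only acceptable on the approved public ports.
            if is_world_open(rule["cidr"]) and rule["port"] not in PUBLIC_OK_PORTS:
                problem = f"port {rule['port']} open to {rule['cidr']}"
                findings.append(("HIGH", "security_group", group["name"], problem))
    for key in inventory.get("api_keys", []):
        if "*" in key.get("scopes", []):
            findings.append(("HIGH", "api_key", key["id"], "wildcard scope"))
        if key.get("age_days", 0) > MAX_KEY_AGE_DAYS:
            problem = f"not rotated for {key['age_days']} days"
            findings.append(("MEDIUM", "api_key", key["id"], problem))
    return sorted(findings, key=lambda f: (f[0] != "HIGH", f[1], f[2]))


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep=" | ")
```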
4.3. Malware, ransomware, and supply chain attacks
Malware and ransomware infiltrate cloud environments through various channels: malicious email attachments, infected open-source library packages, or vulnerabilities in third-party applications integrated into the system. When ransomware encrypts data on cloud storage, businesses not only lose data but also face pressure from ransom DDoS, where attackers combine extortion with continuous DDoS attacks until a ransom is paid.
4.4. Phishing attacks and account takeover
Phishing emails targeting employees to seize cloud account access are the most common entry point. Attackers do not need to break through technical security layers; they simply need to convince an employee to enter their credentials on a fake site. A cloud administrator account, once compromised, can result in the entire infrastructure being controlled, data copied, or systems destroyed within minutes.
Spear phishing targets specific individuals such as IT Managers or C-level executives with highly personalized content, making it difficult for recipients to distinguish from legitimate email. Social engineering combining psychological manipulation and impersonation techniques is why security awareness training for employees is just as important as deploying technology.
4.5. Zero-day vulnerabilities and web application exploitation
Zero-day vulnerabilities in web applications running on cloud are a prime target for targeted attack groups. What makes them especially dangerous is that these vulnerabilities are unknown and therefore unpatched, with attackers exploiting them during the window between discovery and the release of a patch. Alongside zero-days, common vulnerabilities like SQL injection and XSS remain the cause of many serious security incidents due to unpatched or insufficiently tested applications.
5. Core components of an effective cloud security strategy
A comprehensive cloud security strategy does not rely on a single tool but requires multiple layers of protection working closely together. Each component addresses a different group of risks, and together they form a defense-in-depth system.

| Component | Primary protection role |
| --- | --- |
| Identity management (IAM + MFA) | Prevent unauthorized access, enforce least-privilege permissions |
| Data encryption (at rest + in transit) | Protect data even if it is stolen |
| WAF / WAAP | Filter malicious traffic, protect applications and APIs |
| Continuous monitoring (SOC 24/7) | Detect and respond to incidents in real time |
| Backup and Disaster Recovery | Ensure business continuity when an incident occurs |
| Zero Trust | No default trust, verify every access request |

5.1. Identity and access management (IAM)
Identity and Access Management is the first and most critical protection layer in a cloud environment. IAM defines precisely who can access which resources, with what permissions, and under what conditions. The least privilege principle requires each account to be granted only the permissions necessary for its function, nothing more. Multi-factor authentication (MFA) must be enforced for all accounts accessing cloud systems, especially administrator accounts.
5.2. Comprehensive data encryption
Data encryption must be applied in two states: data at rest and data in transit. For data at rest, all data on cloud storage must be encrypted with a sufficiently strong algorithm, with encryption keys managed by the business rather than the cloud provider. For data in transit, every connection between client and server, between microservices, and between cloud regions must use TLS/SSL to prevent eavesdropping. Managing the encryption key lifecycle, including regular key rotation and revocation, is frequently overlooked but just as important as the encryption itself.
5.3. Web application firewall and API protection
WAF plays a particularly important role for web applications running on cloud because it serves as the direct filtering layer at the contact point between the internet and the application. WAF analyzes each HTTP/HTTPS request and blocks those showing signs of attack based on rule sets and machine learning. The newer generation, WAAP (Web Application and API Protection), extends protection to APIs, which are an increasingly prevalent attack surface in microservice architectures and mobile applications. Rate limiting controls at this layer also help prevent brute force attacks and systematic data scraping.
5.4. Continuous monitoring and incident detection
Continuous monitoring is a mandatory requirement in cloud environments because anomalous behavior must be detected immediately, not hours or days later. Systems collect and analyze logs from all cloud services, detecting unusual patterns such as logins from new geographic locations, abnormal resource access, or sudden traffic spikes. A 24/7 Security Operations Center (SOC) team ensures timely response when the system triggers alerts, reducing the time from detection to containment.
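Two of the patterns mentioned above, a login from a new geographic location and a sudden traffic spike, can be expressed as simple detection rules. This is an added example, not part of the original article: the log format, field names, sample data, window size, and threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample authentication log (hypothetical key=value format).
AUTH_LOG = """\
2025-03-01T08:02:11Z login user=alice country=VN result=success
2025-03-02T08:05:40Z login user=alice country=VN result=success
2025-03-02T09:15:02Z login user=bob country=VN result=success
2025-03-03T02:41:57Z login user=alice country=BR result=success
2025-03-03T02:42:30Z login user=bob country=US result=failure
"""

# Constructed requests-per-minute series for one service.
REQUESTS_PER_MINUTE = [120, 131, 118, 125, 122, 129, 940, 127]


def parse_line(line):
    """Split 'timestamp event key=value ...' into a dict."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields.update(ts=ts, event=event)
    return fields


def new_location_logins(log_text):
    """Alert on a successful login from a country not yet seen for that user.

    The first successful login only establishes the baseline; failed
    attempts never extend it.
    """
    seen = defaultdict(set)
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        if event["event"] != "login" or event.get("result") != "success":
            continue
        user, country = event["user"], event["country"]
        if seen[user] and country not in seen[user]:
            alerts.append({"ts": event["ts"], "user": user, "country": country,
                           "known": sorted(seen[user])})
        seen[user].add(country)
    return alerts


def traffic_spikes(series, window=5, k=3.0):
    """Flag samples above mean + k * stddev of the preceding `window` samples."""
    spikes = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        spread = pstdev(baseline) or 1.0  # avoid a zero threshold on flat traffic
        if series[i] > mean(baseline) + k * spread:
            spikes.append((i, series[i]))
    return spikes


if __name__ == "__main__":
    for alert in new_location_logins(AUTH_LOG):
        print("new-location login:", alert)
    for index, value in traffic_spikes(REQUESTS_PER_MINUTE):
        print(f"traffic spike at minute {index}: {value} requests")
```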
5.5. Backup, recovery, and incident response planning
The 3-2-1 backup strategy (3 copies, on 2 types of media, 1 offsite) must be rigorously applied to all critical cloud data. Backup alone is insufficient without a periodically tested Disaster Recovery plan. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) must be clearly defined and aligned with business requirements. The incident response plan must detail the internal notification process, steps for isolating the affected system, and service restoration procedures in order of priority.
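The 3-2-1 rule and the RPO can be verified against a backup catalogue instead of being assumed. This is an added example, not part of the original article: the catalogue structure, the site and media names, and the choice to count every catalogue entry as one copy are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed backup catalogue; NOW is fixed so the example is reproducible.
NOW = datetime(2025, 3, 3, 12, 0, tzinfo=timezone.utc)
CATALOGUE = {
    "orders-db": {
        "rpo": timedelta(hours=4),
        "copies": [
            {"media": "block-volume", "site": "primary", "taken": NOW - timedelta(hours=1)},
            {"media": "object-storage", "site": "primary", "taken": NOW - timedelta(hours=2)},
            {"media": "object-storage", "site": "dr-region", "taken": NOW - timedelta(hours=3)},
        ],
    },
    "crm-files": {
        "rpo": timedelta(hours=24),
        "copies": [
            {"media": "object-storage", "site": "primary", "taken": NOW - timedelta(hours=30)},
            {"media": "object-storage", "site": "primary", "taken": NOW - timedelta(hours=54)},
        ],
    },
}


def check_backups(entry, now, primary_site="primary"):
    """Return the list of 3-2-1 and RPO violations for one dataset."""
    copies, rpo = entry["copies"], entry["rpo"]
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append(f"only {len(media)} media type(s), need 2")
    offsite = [c for c in copies if c["site"] != primary_site]
    if not offsite:
        problems.append("no offsite copy")
    if copies:
        newest_age = now - max(c["taken"] for c in copies)
        if newest_age > rpo:
            problems.append(f"newest copy is {newest_age} old, RPO is {rpo}")
    if offsite:
        # If the primary site is lost, only offsite copies count toward the RPO.
        offsite_age = now - max(c["taken"] for c in offsite)
        if offsite_age > rpo:
            problems.append(f"newest offsite copy is {offsite_age} old, RPO is {rpo}")
    return problems


if __name__ == "__main__":
    for name, entry in CATALOGUE.items():
        issues = check_backups(entry, NOW)
        print(name, "OK" if not issues else issues)
```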
5.6. Zero Trust model
The Zero Trust model is built on the principle of "never trust, always verify." Instead of trusting all connections originating from inside the internal network, Zero Trust requires identity verification and access control checks for each request, regardless of whether the source is internal or external. This model is particularly well-suited to cloud and remote work environments, where traditional network boundaries no longer exist. Implementing Zero Trust minimizes risk from compromised internal accounts or insecurely connected devices.

6. How is cloud security applied across different deployment models?
Security requirements vary significantly depending on the cloud deployment model a business chooses. Understanding the security characteristics of each model helps avoid vulnerabilities arising from a mismatch between business requirements and cloud architecture. Refer to the detailed comparison of Public Cloud, Private Cloud, and Hybrid Cloud to determine the right model for your business.

| Criteria | Public Cloud | Private Cloud | Hybrid Cloud |
| --- | --- | --- | --- |
| Infrastructure control | Provider | Business | Shared |
| Security costs | Lower | Higher | Moderate |
| Specific risks | Misconfiguration, multi-tenancy | High operating costs | Difficult policy synchronization |
| Suitable for | SMEs, startups | Finance, healthcare, government | Enterprises with mixed workloads |

With cloud security in hybrid environments, the biggest challenge is synchronizing security policies between on-premise and cloud infrastructure. Data moving back and forth between the two environments creates connection points that must be tightly controlled. Businesses must ensure that encryption policies, access controls, and monitoring are applied consistently across both parts of the infrastructure, without different security standards for the same category of data.
7. Security standards and regulations Vietnamese businesses need to know
Compliance with standards and regulations is not only a legal obligation but also a reference framework that helps businesses build a systematic and measurable cloud security policy. Businesses undergoing digital transformation should address compliance in parallel with the cloud deployment roadmap, rather than handling it after the system is already running.

7.1. ISO 27001 - international information security management standard
ISO 27001 is the international standard for Information Security Management Systems (ISMS), widely recognized in over 150 countries. For businesses operating on cloud, ISO 27001 requires building periodic risk assessment processes, establishing clear access control policies, creating fully documented incident response plans, and organizing security awareness training for all employees. Achieving ISO 27001 certification signals to customers, partners, and investors that the business manages data according to international standards.
7.2. Cybersecurity Law and Decree 13
The Cybersecurity Law (Law No. 24/2018/QH14) sets mandatory requirements for organizations providing services in cyberspace in Vietnam, including obligations to store user data domestically, verify user identity, and cooperate with authorities upon request. Decree 13/2023/ND-CP adds detailed regulations on personal data protection, requiring businesses to implement technical measures to prevent unauthorized access, report data breach incidents within the prescribed time limit, and not transfer personal data abroad without satisfying legal conditions. Businesses should note that the Cybersecurity Law applies not only to technology companies but to all organizations that collect and process user data on digital platforms. Non-compliance may lead to administrative sanctions and service suspension requirements.
7.3. Data Law 2024 (Law No. 60/2024/QH15)
Data Law 2024 is an important step in Vietnam's digital legal framework, governing the classification of data (important data, core data, ordinary data), governance mechanisms, and the protection responsibilities of organizations. For businesses using cloud, this law requires clearly identifying each type of stored data, strictly controlling access by classification, and ensuring that important data is not transferred outside the country without authorization. Failure to properly classify and protect data can lead to serious legal violations even if no data has been leaked externally.
7.4. Personal Data Protection Law (Law No. 91/2025/QH15)
Law No. 91/2025/QH15 is currently the most comprehensive legal framework for personal data protection in Vietnam. The law requires businesses to clearly identify the purpose of collecting and processing personal data, implement technical data protection measures from the system design stage (privacy by design), notify data subjects when a breach occurs, and respect users' right to data deletion. For cloud systems storing customer information, businesses must pay particular attention to data retention time limits, mechanisms for deleting data upon request, and access control for personal data down to the individual processor level. Violations may result in administrative and civil penalties under the law.
8. Cloud security solutions for businesses from VNETWORK
Against a backdrop of increasingly complex threats and a tightening regulatory environment, businesses need a cloud infrastructure platform that is powerful, flexible, and secured from the physical layer up. VNETWORK provides VCLOUD, a cloud computing platform built to meet two key requirements of modern businesses simultaneously: high operational performance and built-in multi-layer security.

VCLOUD is VNETWORK's cloud computing platform, operating on data centers certified to Tier III standard, ensuring high uptime and continuous operation. The system supports flexible deployment from individual VPS for SMEs to large-scale server clusters for enterprises, with the ability to automatically scale CPU, RAM, and storage resources according to actual load without system interruption. Security is integrated directly into every infrastructure layer, including:
- Firewall and Security Group controlling inbound/outbound traffic at the network layer, preventing unauthorized access from unidentified sources
- Two-factor authentication (2FA) and SSH Key Pair to strictly control administrative access, minimizing risk from compromised accounts
- High-speed encrypted data storage protecting data even in the event of a physical incident at the infrastructure level
- Support for Kubernetes for container and microservice workloads, ensuring environment isolation and access control per namespace
- ISO 27001 compliance with security controls operated according to international standards
VCLOUD is suitable for businesses undergoing digital transformation that need stable, cost-effective infrastructure, e-commerce companies that need to scale resources instantly during peak periods, and organizations processing AI or Big Data that require consistently high storage performance. With flexible Public Cloud, Private Cloud, and Hybrid Cloud deployment models and a technical support team available 24/7/365, VNETWORK accompanies businesses from the deployment phase through long-term operations.
9. Conclusion
Cloud security is not a one-size-fits-all problem. Businesses need a layered mindset: protecting from network infrastructure, through the application layer, to email entry points within a unified strategy that is continuously updated against new threats. Understanding the shared responsibility model correctly, complying with the legal framework, and deploying all core protection components are three indispensable pillars for any business operating in the cloud.
FAQ - Frequently asked questions about cloud security
1. What is cloud security and how is it different from traditional security?
Cloud security is a collection of policies, technologies, and controls protecting data, applications, and infrastructure in cloud environments. Unlike traditional security that focuses on protecting fixed physical infrastructure, cloud security must contend with a distributed attack surface, multiple internet access points, and a shared responsibility model between the cloud provider and the business. Security tools and processes are also fundamentally different because the traditional physical network boundary no longer exists.
2. Do small businesses need to invest in cloud security?
Small and medium-sized businesses are actually the most vulnerable group because they often lack a dedicated IT team and a structured security policy. Attackers know this and frequently target SMEs as a stepping stone to attack larger partners in the supply chain. Once customer data and operational systems have been moved to the cloud, the risk of data leaks or service disruptions can cause serious damage regardless of business size. Investing in appropriate cloud security early helps save significant incident remediation costs down the line.
3. How does the shared responsibility model in cloud security work?
Under the shared responsibility model, the cloud provider is responsible for the security "of" physical infrastructure, networks, and platforms. The business is responsible for security "on" that infrastructure, including data, applications, configuration, and access management. This boundary shifts depending on whether the model is IaaS, PaaS, or SaaS. Many incidents stem from businesses assuming the provider handles everything, when in fact the most critical parts, data and configuration, remain the business's own responsibility.
4. What security standards must Vietnamese businesses comply with when using cloud?
Vietnamese businesses must comply with the Cybersecurity Law (24/2018/QH14), Decree 13/2023 on personal data protection, Data Law 2024 (Law No. 60/2024/QH15), and Personal Data Protection Law (Law No. 91/2025/QH15). On the international standards front, ISO 27001 is the most widely referenced framework. Businesses in finance, healthcare, or public services may also need to meet additional sector-specific standards. Building cloud security correctly from the outset helps avoid legal risks and costly remediation later.
5. How does VCLOUD support cloud security for businesses?
VCLOUD integrates multi-layer security directly into the infrastructure, including Firewall, Security Group, two-factor authentication (2FA), SSH Key Pair, and encrypted data storage. The entire infrastructure operates on data centers certified to Tier III+ standard and compliant with ISO 27001, ensuring high availability and strict access control. VCLOUD supports automatic resource scaling based on actual load, suitable for both SMEs and enterprises, combined with VNETWORK's technical support team available 24/7/365 to promptly handle any incident.