Cloud Security. Whose responsibility is it?
We live in the era of cloud computing. Consumer and business computing has been severely influenced by the emergence of cloud computing – and cloud security has become an enormous issue for individuals and businesses alike.
We all know about data breaches from constant media reporting. Most of us have been impacted by a cloud security issue, whether we realise it or not. To understand why cloud security continues to be an ongoing issue, we must understand who is responsible for cloud security.
Who is responsible for cloud security?
Corporations make a mistake in believing that when they migrate to the cloud, the responsibility of cloud security automatically shifts to the cloud provider. Users presume their company policy will keep them safe. Customers assume they can use the same password for every SaaS account they have, without ill effect. They are all wrong.
We must note that cloud security is the entire ecosystem of people, processes, policies and technology that serve to protect data and applications which operate in the cloud. The responsibility here is a shared one; shared between the organisation, the cloud provider, and all its users. While data can be safe in the cloud, everyone with access to that data affects whether it remains safe. Cloud security must be everyone’s responsibility.
Is the need for cloud security on the increase?
There is a growing need for better cloud security as companies are obligated to protect organisational data; both their own data and data that belong to customers. High-profile data breaches have spurred business to look at and manage their cloud security proactively. However, as business ups the ante on cloud security, hackers are also becoming more sophisticated.
The main question is not whether the cloud is secure; it is whether your business is using the cloud securely. To complicate matters, the security downsides of the cloud are directly related to its benefits.
5 benefits and security downsides of cloud computing
Cloud computing makes back-up, disaster recovery and the continuity of business less expensive and easier. The ability to mirror data at several sites allows for redundancy and increases reliability as a result.
Cloud Security Downside: more data spread across more locations leads to increased opportunity for error and breach.
Data centres that are owned and operated by an enterprise require hardware, software and all associated IT management. Cloud computing removes the need for most of this, allowing IT teams to spend time on achieving more important business goals.
Cloud Security Downside: many businesses no longer employ IT professionals to oversee basic computing tasks, allowing sloppy password management and poor account security to creep in.
Cloud computing services are generally consumed on-demand, in a self-service format. This allows for large amounts of computing resources to be provisioned rapidly. The ability to do so with a few clicks of the mouse gives a business a lot of flexibility and allows for better capacity planning.
Cloud Security Downside: rapid data transfer benefits attackers as well as users and developers. Entire customer databases have been stolen from cloud-based applications without their sysadmins even becoming aware.
Cloud eliminates the capital investment required to procure hardware and software. It also removes the need to set up and run on-site data centres, including costs associated with power, cooling, IT expertise etc.
Cloud Security Downside: some cloud services are so cheap, they are purchased and run with little process or scrutiny, often by people or departments with no security expertise.
The benefits of cloud computing include the ability to scale. In other words, the ability to deliver the right IT resources (less or more computing capability, less or more storage etc, at the right time, to the right location, and from the right location.
Cloud Security Downside: applications can quickly scale to take on more users, which can very quickly lead to dangerous amounts of personally identifiable information sitting on cloud servers which may not have been built to protect against attack.
Threats to cloud security
The reality is, no matter how sturdy your architecture, cyber attackers find loopholes to get into the infrastructure. Everyone who wants to maintain the security of their data in cloud must be aware of the main threats to cloud security:
- Account hijack – one of the biggest IT threats which compromise credentials.
- Insider threat – a violation that happens as a result of employees, e.g. an employee is misusing authorised access.
- Malware injection – codes or scripts used for malicious activities.
- Abuse of cloud services – storing of illegal software in the cloud, e.g. pirated music and videos.
- Insecure Application Programming Interfaces (APIs) – the means to customise the features of the cloud, which can become vulnerable through its authentication or encryption requirements.
- Denial of Service (DoS) – cyber-attacks which, although not breaching sensitive information, has long-term effects of making servers unavailable.
- Data breaches – with the cloud, this is amplified.
- Insufficient due diligence – cloud security is compromised when there is inadequate owing diligence done when organisations aren’t clear about its policies.
- Shared technology issues.
The documented incidents of cyber-attacks have demonstrated how businesses often cannot recover reputationally and sometimes financially from such a hit. The return to compliance can usually cost millions, but the loss of confidence from shareholders and customers is unquantifiable. Mitigating such risks of any suspicious activity by employing the best cloud security practices is critical for corporations.
Sharing cloud security responsibility with vendors
Businesses must take responsibility for ensuring that their data is secure. However, with a cloud vendor, it becomes a shared responsibility. Enterprises distribute cloud-based applications among varying environments, which dictate the level of responsibility organisations possess in data protection.
- Public cloud – the cloud vendor owns infrastructure with the business retaining ownership of the data and virtual network. Responsibility of security is shared.
- Private cloud – the cloud is hosted in an enterprise’s data centre with the sole responsibility of security vested in the corporation. The business is responsible for the protection of its infrastructure, as well as the applications and data that run on it.
- Software-as-a-Service (SaaS) – cloud vendor hosts applications and makes them available to businesses via the internet. Users have instant access to documents without the inconvenience of installing applications on personal devices, synchronising data across many devices. SaaS dictates who is responsible for which specific security tasks.
Whatever the choice of infrastructure, the cloud vendor will not secure customer data, which falls in the domain of the organisation’s responsibility. Regardless of whether businesses choose a public or private cloud, the reality is that every business and individual is at risk of a breach. Ensuring cloud security and safeguarding data is a non-negotiable business practice. Corporations must ensure they work closely with their cloud providers, treating the relationship as a partnership and not solely as a service. Vetting the details of the service offered by the cloud provider allows the business to consider any loopholes.
The shared responsibility model
Cloud providers follow the shared responsibility model with businesses closing the loop on security and compliance. This model allows the cloud provider to take responsibility for security OF the cloud environment while the organisation takes responsibility for security IN the cloud. This matrix of responsibility eliminates single points of failure and achieves higher security. Sharing the responsibility of cloud security reduces the day-to-day operational responsibility for the enterprise and ensures holistic compliance.
Organisations are responsible for the:
- Platform, identity and access management
- Operating system
- Network traffic encryption, server-side encryption and data integrity
Cloud providers are responsible for:
- Compute, database, storage and networking
- Availability Zones
- Edge locations
Gartner reported recently that within the next five years, approximately 95% of cloud security failures would be attributed to default within organisational security. Having a clear understanding of the responsibilities and roles of both parties in the shared responsibility model is vital. The business needs to ensure that the cloud provider’s security standards are acceptable based on the enterprise’s industry, company requirements, regulations and risk profile.
The future of cloud security
As businesses become agile, they will use cloud computing even more for at least one application and related data. Cybercrime equally continues to rise, and organisations cannot risk storing vital data on unsecured servers as the penalties from a data breach can be exorbitant. The only way to mitigate such risks is a substantial investment in cloud security to ensure you protect enterprise data from data breaches. Additionally, it is crucial to recognise that there is a digital symbiotic relationship between cloud security and compliance. The structuring of regulations means that one cannot exist without the other. Whether state, federal or internal, businesses are obliged to remain regulatory compliant.
Every modern business understands that it is a commodity to protect cloud infrastructure because the real asset of any business is the data you share in the cloud. The frequency of cyber-attacks is increasing, and many companies are resorting to hiring cloud security experts to discover and track any security problems pre-emptively.
For a free consultation on how to manage your cloud security, contact us today.