The cloud is changing the nature of business with a powerful approach to streamlining operations and staying current with the latest technology. But as the saying goes, with great power comes great responsibility. In this case, that responsibility breaks down into two sides: cloud vendors and the companies that use them.
Cloud service providers are responsible for security of the cloud; companies are responsible for security in the cloud. Without the right approach on both sides, companies risk cyberattacks that can crash services or compromise customer data.
For companies using CSPs, maintaining best security practices in the cloud is not simple. The cloud is a complex ecosystem of interacting components. They include software as a service, platform as a service, and infrastructure as a service — with each layer interacting. And in addition to protection of data assets, there are legal regulations to follow.
The company using the infrastructure service has control over security options. For example, many of the offerings for companies using Amazon Web Services, such as Amazon Elastic Compute Cloud, Amazon Virtual Private Cloud, and Amazon Simple Storage Service are IaaS, meaning that companies must configure security settings themselves.
Shared Cloud Responsibility Challenges
Getting these settings right can be challenging, so it’s useful to know what to expect when managing them. Let’s take a look at how to effectively deal with some of these challenges:
- Choose the right cloud platform.
First, you need a cloud platform that fits your business needs while keeping the company secure and agile. You’ll also need to decide whether your company can tackle securing and owning all data, even if the data is processed in a cloud platform. The cloud platform will need to provide you with visibility into how your data is processed.
Research what each CSP can provide and what tools you need to function. Most have shared controls for managing patches and configuring operating systems, databases, and applications. Think through how you might use these controls, who at your company will be responsible for them, and why they will serve your needs both now and as your company scales up.
- Understand your role — and theirs.
Sharing responsibility works best for companies when roles are understood. For example, consider IT controls at AWS. Not only is the IT environment shared between AWS and its customers, but so is the management, operation, and verification of IT controls. Given that degree of flexibility, it’s crucial to be clear on what your company is taking responsibility for and what will be left in the hands of the CSP. When these roles are not clearly defined, gaps in security can result — and that puts your company at risk.
The CSP typically manages controls associated with the physical infrastructure, thereby relieving that customer burden. Your company still typically manages access to the cloud platform. Customers can then use the CSP control and compliance documentation to perform their required control evaluation and verification procedures. Ambiguity can arise depending on the services of the CSP that are used, such as a serverless option that is managed versus one the customer manages. These roles need to be clearly defined and understood.
- Think carefully about security.
Data security is the company’s responsibility regardless of CSP, but having the right tools and knowing how to use them can enhance that mission. A foundational step is to make full use of tools that monitor incidents that can alert companies to security issues, because responding promptly to breaches can limit the damage to the company.
To ensure you’re approaching this correctly, empower a team that researches security and infrastructure abilities and limits. These teams will test controls and ideally will be able to identify areas where there are gaps in coverage or find places where tools can be better. A prime example would be multifactor authentication, a choice that the team can evaluate based on the company’s needs.
Cloud services can be transformational to companies small and large, but only if they are used effectively and securely. Understanding that security and service are a shared responsibility is the first step toward crafting the right approach. The key is to get the balance right. Taking total responsibility for every detail of your company’s cloud use is inefficient, but abdicating all control over how your settings are managed in the cloud is irresponsible.
Fortunately, some providers offer enough flexibility to allow just the right degree of control without it being burdensome. Companies that take advantage of this model of shared responsibility will be well positioned in the years ahead to focus on expanding their market share while knowing they have a highly optimized solution in the cloud.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.