The two words you should never forget when you’re securing a cloud
When cloud providers sell their services, they know their customers are thinking about cybersecurity – that’s why providers tend to tout their impressive accreditations and certificates.
Those who don’t know better consequently assume the service comes with some security guarantee that removes any worry about cloud security, but this could not be further from the truth.
In the fine print of any cloud computing or collaboration platform is a provision that lays out the buyer’s shared responsibility. While the details vary by service, the concept is basically the same: you remain responsible for maintaining general security hygiene, ensuring the cloud security controls are properly configured, and protecting your data on the system.
Whether you like it or not, we’re all ultimately responsible for our own security, no matter how dependent we are on others for the tools that keep us functioning.
Shared responsibility unites everything
Over the course of two decades, cloud computing has transformed the way people use the internet for work and play. Now any organization, no matter how limited its resources might be, can take on bigger, better equipped, and well-funded competitors. And those well-funded competitors can, in turn, use the same innovations to lower their costs and improve their global efficiencies.
One recent report found that businesses now spend twice as much on cloud services as they do on their own data centers. This massive degree of adoption requires any organization that utilizes the cloud in any way to face some hard truths about what the cloud means for security. This starts with an understanding of how the interconnected nature of cloud computing changes both the expectations and requirements of locking down private data.
If you’ve read this far, you’re probably aware that the cloud means many different things to many different people. There are the Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) offerings most everyone uses without realizing it. And there are the Software-as-a-Service (SaaS) tools—including Microsoft 365 and Salesforce—that many of us utilize dozens, if not hundreds, of times a day.
What unites all these cloud flavors are those two magic words: shared responsibility.
When it comes to security, customers are accountable for everything cloud providers exclude from their built-in security controls.
Hygiene is about more than cleanliness
One of the promises of the cloud is that you can worry less about how and where your information is stored. But data is an extremely valuable asset for any organization. For some organizations, it may be the single most valuable asset.
That’s why moving that data into the cloud requires careful deliberation.
Even if you trust the cloud provider you’re using, you still must ensure you maintain the proper control and visibility of your data. That’s why basic security hygiene is an essential part of the shared responsibility model.
You need to be aware of what kind of data you have. You need to know how it’s classified. Most importantly, you need to know where the data comes from, who can access it, and where it goes. If data comes from external and untrusted sources, including email, you need to block harmful and suspicious content before it reaches internal or external users.
Compliance, complexity and compromises
If the desire to protect an organization’s data isn’t motivating enough, think about compliance. In many regions, businesses need to monitor access to all sensitive data and maintain audit trails, whether that data is the subject of a compliance requirement or not. This requires every organization to consider two constant risks—malicious insiders and unauthorized access to data.
SaaS cloud services can easily become very complex, with multiple employees accessing them through multiple touchpoints, often without coordination or documentation. This can easily lead to misconfiguration or weak access controls – and misconfigurations can result in data breaches.
Another significant risk is that data can be accessed by other applications and services that are connected to SaaS cloud services via APIs. If these connections are misconfigured or grant more permissions than they should, they can also potentially be the source of a breach. Even if they are configured properly, it is important to consider that the APIs themselves could be compromised.
The exploding usage of SaaS cloud services such as Salesforce, Microsoft 365, Google Workspace and others makes them reliable and lucrative targets for attackers. And stealing valuable data stored in the cloud may not always be the end goal.
Advanced adversaries will inevitably try to use cloud services as stepping stones for getting into organizations’ networks and attacking other internal and external systems. And phishing and ransomware attacks conducted via cloud services are real risks that will only increase as cloud services become more and more ingrained in our lives.
We’re all in this together
The thing you must admire about cloud providers is their honesty. No matter how many accreditations they may brag about, they’ll tell you exactly where their security obligations end and those of their customers begin.
These lines may not be so clear for the vague network of companies known as the “supply chain.” The numerous vulnerabilities, integrity issues and other potential exploits in the processes and software environments of suppliers have made this so-called chain a target for a skyrocketing number of attacks.
In exchange for the convenience and possible financial benefits of the cloud, you still have many of the same responsibilities you would have in securing your own networks.
Fortunately, when you remember those two crucial words, “shared responsibility,” and demonstrate basic security hygiene—which includes controlling who accesses your data and scanning all content to determine if it’s malicious—you’ll be well on the way to taking care of your end of the bargain.