Businesses
are conflicted about moving their data to the cloud. Some claim that one of the
main reasons for moving data to the cloud is because it is more secure.
Simultaneously, a top reason for not
moving data to the cloud is due to concerns about security. Which opinion is
right? The answer isn’t so simple.

Most
IT professionals accept that many features of cloud security are better than
on-premises approaches, but this is not the full picture. Security is perhaps
the most important facet of an enterprise cloud provider as one incident could
lead to a catastrophic loss of business. Therefore, they spend a lot of time
and money protecting their own infrastructure, including data centers, server
hardware, and internet connectivity. However, the picture is more nuanced than
that. Cloud providers don’t have 100% of the knowledge or capabilities under
their control and therefore cannot deliver 100% security.  

The resulting
ambiguity leads many enterprises to juxtaposing thoughts and approaches when it
comes to cloud security. A large majority of enterprises recognize the cloud as
a powerful business tool, but at the same time still express reservations due
to the perceived risks associated with putting data in a public cloud without
the security of that data guaranteed. Enterprises need to look more deeply to
discern security gaps and determine how responsibility is shared when data
travels to the cloud, in the cloud, between clouds and from the cloud.

No
one organization or person can have complete responsibility for keeping data
secure, the reality is that security is a “shared responsibility” – where
organizations, users, IT security professionals and the cloud service providers
all have a joint task to ensure all parties are using the cloud securely. When
this model is implemented correctly, the benefits to organizations include
increased customer trust, risk reduction, positive brand reputation and overall
business success in today’s digital economy.

Pointed fingers and uncertain ownership

Optimal
cloud security requires a layered defense where businesses address each part of
the “stack of responsibility” individually, yet they all interact together as a
complete framework. This includes physical security, infrastructure, network
control, application-level controls, identity and access management, endpoint
protection, data classification, user/device/data control, and collaboration
control. It is a lot and can be daunting for any IT team, big or
small.  

Cloud
service providers offer some security protection, but that does not mean that
enterprise cloud data is fully secure. Major cloud vendors like Microsoft,
Amazon, and Google correctly point out that the responsibility is not theirs
alone and that businesses must embrace the concept of a shared responsibility
model. Microsoft, for example,
publishes its model for Azure. Amazon has a
similar approach for AWS. Both of these
models point out that a secure infrastructure relies on the customer playing
their part to make the system truly secure and compliant. 

The
analyst community realizes this growing need and is sounding alarm bells about
the importance of shared responsibility in cloud security. Gartner warns, “Through 2025, at least 99 percent of cloud security
failures will be the customer’s fault.” Gartner’s statement implies
that enterprises themselves, not the cloud providers, need to ensure that their
approach to cloud security is all-encompassing.

Cloud
providers have often approached shared responsibility by listing the security
features they offer and leaving the rest up to the customer, splitting
responsibility into two. While this division is a good start, it can leave the
enterprise unsure about how to decide, allocate and implement the areas
allocated to them. It is now imperative to assign roles within the organization
and determine liability owned by various business lines, including but not
limited to, IT security, risk & compliance, users, developers and buyers of
the cloud services.

Shared responsibility in action

The car
rental process can best illustrate an ideal example of a shared responsibility
model. First, the manufacturer is liable for ensuring the car is roadworthy
when it comes off the assembly line. It needs to have good brakes, tires, and
functioning airbags. After the car arrives at a rental company, both the
company and the renter will typically not test the airbags – they just assume
they will work as originally installed. As the car gets older, the rental
company should check the tires and the brakes, service the car and keep it
roadworthy. The renter assumes this is the case and unfortunately, often does
not find out otherwise unless they run into an issue with the vehicle. 

On
the renter’s side, they need to have the appropriate license for the vehicle, which
the rental company checks before handing over the keys. The renter is
responsible for accidental damage, though this may not be the actual driver
when multiple drivers are sharing the driving. The car includes seat belts,
installed by the manufacturer, but it is the driver’s responsibility to wear their
belt and ensure that all members of the car wear them too. Additionally, the
driver is responsible for driving according to the conditions and road rules.
This division of responsibility when renting a car is shared among five groups
of people: the car manufacturer, the rental company, the passengers, the renter
and the driver. Everyone has their part to play. Ignoring one layer of safety could
have tragic consequences so every aspect needs consideration in totality.

Where risk ultimately lies

Microsoft,
Amazon, and other cloud providers are working to deliver shared responsibility
models at a baseline level, but there needs to be more responsibility from the
end-user community. This includes the enterprise itself, information and IT
security teams, and the users. Business and IT leaders can only safeguard cloud
data if security features are well-understood, switched on, and properly
configured at the outset. We saw this issue specifically come out with a recent
high profile breach caused by misconfigured AWS rules for public-facing
servers, ultimately leading to a major vulnerability and data breach.

Overall,
the technology community needs to consider who controls and manages cloud
configurations, data flow between different cloud services, collaboration,
access, and device controls, and user behavior. The conclusion is that responsibility
for risk belongs to the business because at its core, the data collection and
security belongs to the business. Even though cloud providers play a big role,
they’re not the public-facing company that is assuming risk for handling this
sensitive data. Members of the IT team need to be the guardians of security and
compliance for the enterprise. They need to work with the CISO and other
business leaders to understand and set policies around data control, work with lines
of business to help them classify data accurately, ensure regulatory compliance,
help the purchasing team make buying decisions, determine which cloud services
to allow user access, and ensure user training is comprehensive.

Without
strict processes in place and a delineation of who is accountable for what, a
business decision like implementing a new public cloud service can put a
corporation at serious risk of a data breach or other related security issues.
But with the shared responsibility model, businesses can ensure that everyone
does their part.

Nigel Hawthorn, EMEA Director, Cloud Business Unit