With so many organizations moving to cloud-based computing services, it’s time for CIOs to start thinking differently about cloud services.
Organizations are more frequently using the cloud to store highly sensitive information. A study conducted by the SANS Institute showed that 48.2% of respondents were using the cloud to store business intelligence, while 47.7% were using it to store their intellectual property and 42.7% to store consumer information. This data is obviously a highly valuable target for any attacker, and, not surprisingly, 56% of respondents listed unauthorized access to sensitive data as their biggest concern.
Despite these figures, many organizations are still under the impression that cloud security in all its aspects is something the cloud provider is responsible for and that they as end customers shouldn’t concern themselves with security. This is of course a very dangerous position to take as pretty much every cloud service operates under a security paradigm called “Shared Responsibility”. Although the security of the platform itself is the provider’s responsibility, content uploaded to a cloud service is usually the responsibility of the end customer.
To put it simply: anything that is uploaded to the cloud from your organization is your responsibility.
In the end, the concept of shared responsibility means that you must take ownership of your own security posture on the cloud. IT research firm Gartner predicts that by 2020, 95% of all cloud security failures will be the result of client oversight. Pointing fingers and trying to pass blame for the breach onto a service provider is not helpful and does nothing to promote a security-driven culture. Failing to act in accordance with your own organization’s security posture simply because a workload happens to run on the cloud is never acceptable.
What is cloud security?
Cloud security is whatever you do to protect your organization against a cloud-based attack. There are many compelling reasons why organizations are switching to the cloud, including lower operating costs and greater operational flexibility. As an example, by adopting a BYOD or “bring your own device” policy and conducting business through a cloud-based service, organizations can greatly reduce their operational IT costs.
Unfortunately, the nature of cloud-based services can also create some inherent security vulnerabilities. Before the advent of the cloud, companies were able to protect themselves from cyber-attacks by having their IT department manage all physical internet-connected assets. Employees could only access company resources by signing in to a secure system from a secured network and IT was able to monitor usage and to prevent problems from happening. When every endpoint in the organization was managed by IT, it created a clear perimeter that could be held and defended against intruders.
Today, almost nothing in this operating model applies to new cloud-based services. Employees can typically access the cloud from any device and from any network. Therefore, IT no longer has full visibility into events taking place on the network. For example, if an employee is duped by a phishing scam and downloads a file infected with malware, or visits a malicious website that infects their device, IT often won’t know that this has taken place until the event is over. Despite this lack of visibility, the IT department is usually still held responsible for protecting the company from a breach.
So, how do you close the gap between expectation and reality? How do you protect your company from a breach when you don’t fully control the usage of devices or even the networks they are being used on? The first step is to understand the threat landscape, and then to apply good cloud security policies to counter it. Read our blog post on the most common security threats to cloud services to find out more!