What People Often Get Wrong About Security in the Cloud
Keeping your cloud environment secure takes a joint and ongoing effort between you and your cloud provider.
Nowadays, understanding the ins and outs of cloud security should be table stakes, at least in theory. Yet, there are a handful of myths on the subject that seem to persist no matter how many high-profile security breaches make the headlines. Let’s look at some of the more prominent of these ideas, explain why they’re wrong and, hopefully, bring them a step closer to going away for good.
Myth #1: The Cloud Provider Is Responsible for Cloud Security
Yes and no. They are responsible for security, but only partially. Believing that the cloud is secure by default can have devastating consequences.
Security in the cloud relies on a Shared Responsibility Model. It’s an agreement and mutual understanding that both the provider and the customer have their individual roles to play in ensuring security.
“Security of the cloud” is different from “security in the cloud.” In a Shared Responsibility Model, the provider is responsible for the former, the security of the infrastructure that supports and hosts the cloud, while the customer is responsible for the latter, the security of their own data and applications, including protecting them from other tenants of the same cloud platform. Security of the cloud covers data center physical security, server stability, network protection and availability. Security in the cloud covers data protection, access control management, application security and regulatory compliance.
Cloud security requires each side of the agreement to do its part.
Myth #2: The Cloud Protects Your Data Automatically
Another commonly held myth (which also often stems from misunderstanding of the Shared Responsibility Model) is that the cloud provider protects customer data from being lost.
First, let’s think about typical data-loss events. They range from accidental file deletion or overwriting (as a result of a coding error, for example) to malicious scenarios like ransomware attacks.
Cloud providers do offer native data protection features. Amazon S3, for example, offers versioning, which can preserve, retrieve and restore every version of every object. But the native solutions aren’t foolproof. They aren’t always enabled by default; they require extra effort and understanding to be used effectively; and they are often limited in configuration and coverage.
The cloud customer is responsible for ensuring they have a solid data backup system and a disaster recovery plan. These often involve third-party backup solutions tailored to your organization’s needs and regular testing of your recovery procedures.
Under the Shared Responsibility Model, cloud providers are responsible for service availability, and they go to great lengths to deliver it, but they still fail from time to time. Safeguarding the data you store in the cloud, protecting it from loss and having a plan for recovering it, is your responsibility.
Myth #3: The Cloud Provider Controls Your Data
Another common myth is that placing your data in the cloud means handing the cloud provider control over it.
Data ownership does not change just because the data is stored in the cloud. The customer retains ownership of their data; all that’s different is where and how the data is stored.
Control over data is exercised through Identity and Access Management (IAM), the security discipline around providing the right individuals access to the right resources and for the right reasons. For example, only the sales organization within a company gets access to customer sales data stored in a particular cloud storage service, while access to service delivery infrastructure is only available to engineers responsible for managing service delivery.
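The sales-versus-engineering split described above is, in practice, a policy document attached to a group or role. The following is an added example and not code from the article: a least-privilege check for IAM-style policies written in the AWS IAM JSON shape (Version, Statement, Effect, Action, Resource). The evaluator is a deliberately simplified model of IAM (Allow/Deny with `*`/`?` wildcards and the explicit-deny-wins rule; no Condition, NotAction/NotResource, principals, resource policies, permission boundaries or SCPs), and the policies, bucket names and ARNs are constructed samples.

```python
"""Least-privilege checks for IAM-style policy documents.

Added illustration, not code from the article. The evaluator is a simplified
model of IAM: Allow/Deny with '*' and '?' wildcards and explicit-deny-wins,
but no Condition, NotAction/NotResource, principals, resource policies,
permission boundaries or SCPs. Policies and ARNs below are constructed samples.
"""
from __future__ import annotations
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny; a matching Deny statement overrides any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_overbroad(policy: dict) -> list[str]:
    """Flag Allow statements that grant every action or reach every resource."""
    warnings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if "*" in actions:
            warnings.append(f"statement {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            warnings.append(f"statement {i}: service-wide wildcard in {actions}")
        if "*" in resources:
            warnings.append(f"statement {i}: Resource '*' applies to every resource")
    return warnings


# Constructed sample: the sales group may read the sales bucket, nothing else,
# and a subfolder is explicitly denied even though the Allow would cover it.
SALES_READONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-sales-data",
                      "arn:aws:s3:::example-sales-data/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-sales-data/restricted/*"},
    ],
}

# Constructed sample of the policy the linter should complain about.
ADMIN_EVERYTHING = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}

if __name__ == "__main__":
    sales_obj = "arn:aws:s3:::example-sales-data/q3/report.csv"
    infra_obj = "arn:aws:s3:::example-infra-config/terraform.tfstate"
    print("sales reads sales data:", is_allowed(SALES_READONLY, "s3:GetObject", sales_obj))
    print("sales reads infra config:", is_allowed(SALES_READONLY, "s3:GetObject", infra_obj))
    print("sales writes sales data:", is_allowed(SALES_READONLY, "s3:PutObject", sales_obj))
    for w in lint_overbroad(ADMIN_EVERYTHING):
        print("lint:", w)
```

Run the linter over every customer-managed policy as part of a periodic review; a statement with `Action: "*"` or `Resource: "*"` is the cloud equivalent of handing out a master key, and a real evaluation should go through the provider's own policy simulator rather than a local model.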
Another important aspect of control over data is physical data location. This is the location of physical devices that store a customer’s data. Different countries have different laws about data protection, privacy and cross-border data transfers. For instance, GDPR, the European data privacy law, has specific rules about transferring EU citizens’ personal data outside the European Economic Area. Some countries simply prohibit their citizens’ data from being stored outside their borders.
Big cloud providers have data centers in multiple countries, and it’s up to the customer to ensure they are complying with the relevant regulations by selecting the right data center regions to store their data in.
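Two of the customer-side controls discussed above, object versioning (Myth #2) and data location (this section), can be checked with a few API calls. The following bucket posture audit is an added example, not code from the article or from any cloud provider. It calls the boto3 S3 client methods `get_bucket_versioning` and `get_bucket_location`, which exist with these names and response shapes, but it takes the client as a parameter so it runs here against a constructed stand-in; the bucket inventory and the allowed-region list are assumed sample values.

```python
"""Audit S3 buckets for versioning, MFA delete and region.

Added illustration, not code from the article. audit_buckets() takes any
object offering boto3's get_bucket_versioning and get_bucket_location, so a
real boto3 S3 client can be passed in; FakeS3Client is a constructed stand-in
so the script runs offline. Bucket names and regions are sample values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class BucketFinding:
    bucket: str
    region: str
    versioning: str      # "Enabled", "Suspended" or "NeverEnabled"
    mfa_delete: str      # "Enabled" or "Disabled"
    issues: list


def bucket_region(client, bucket: str) -> str:
    # get_bucket_location reports LocationConstraint as None for us-east-1,
    # so a missing value is a region, not an error.
    loc = client.get_bucket_location(Bucket=bucket).get("LocationConstraint")
    return loc or "us-east-1"


def versioning_state(client, bucket: str) -> tuple[str, str]:
    # A bucket that never had versioning configured returns no Status key;
    # that is how "not enabled by default" shows up in the API.
    resp = client.get_bucket_versioning(Bucket=bucket)
    return resp.get("Status", "NeverEnabled"), resp.get("MFADelete", "Disabled")


def audit_buckets(client, buckets, allowed_regions) -> list[BucketFinding]:
    findings = []
    for name in buckets:
        region = bucket_region(client, name)
        versioning, mfa = versioning_state(client, name)
        issues = []
        if versioning != "Enabled":
            issues.append(f"versioning is {versioning}")
        if mfa != "Enabled":
            issues.append("MFA delete is not enabled")
        if region not in allowed_regions:
            issues.append(f"stored in {region}, outside allowed regions")
        findings.append(BucketFinding(name, region, versioning, mfa, issues))
    return findings


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client; responses mimic the real shapes."""

    def __init__(self, buckets):
        self._buckets = buckets

    def get_bucket_location(self, Bucket):
        return {"LocationConstraint": self._buckets[Bucket]["region"]}

    def get_bucket_versioning(self, Bucket):
        return dict(self._buckets[Bucket]["versioning"])


# Constructed sample inventory, not real buckets.
SAMPLE_BUCKETS = {
    "eu-customer-records": {"region": "eu-west-1",
                            "versioning": {"Status": "Enabled", "MFADelete": "Enabled"}},
    "legacy-exports": {"region": None,        # us-east-1, as the API reports it
                       "versioning": {}},      # versioning never configured
    "analytics-scratch": {"region": "eu-central-1",
                          "versioning": {"Status": "Suspended"}},
}
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}   # assumed residency policy


def run_sample_audit() -> list[BucketFinding]:
    return audit_buckets(FakeS3Client(SAMPLE_BUCKETS), SAMPLE_BUCKETS, ALLOWED_REGIONS)


if __name__ == "__main__":
    for f in run_sample_audit():
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.bucket:22} {f.region:12} {status}")
```

With a real client, replace `FakeS3Client(SAMPLE_BUCKETS)` with `boto3.client("s3")` and feed the bucket names from `list_buckets`; versioning is a prerequisite for recovering from accidental deletes and overwrites, not a substitute for a tested backup and recovery plan.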
In a nutshell, you own and control your data regardless of where it’s stored, in the cloud or your company’s own data center.
Myth #4: Configure Your Cloud Security and You’re Done
Just like on premises, security in the cloud is an ongoing process, not a one-time exercise.
The cyberthreat landscape is constantly changing. New vulnerabilities emerge all the time, and so do new types of attack that threat actors can employ. Your cloud environment’s configuration can also change frequently as services scale and updates and deployments roll out. This dynamic environment makes taking special care with security even more critical.
One way to maintain the required level of vigilance is through integration of Security Information and Event Management (SIEM) tools. They aggregate and analyze data from various sources within your cloud environment in real time. They help identify abnormal patterns and can generate alerts for immediate response. For instance, if there's a sudden spike in data transfers or login failures, SIEM can flag it as potentially unauthorized or malicious activity.
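The login-failure spike mentioned above is a typical SIEM correlation rule. What follows is an added example, not code from the article or from any SIEM product: a sliding-window detector run over constructed audit-log lines. The records follow the field layout of AWS CloudTrail ConsoleLogin events (eventTime, eventName, sourceIPAddress, userIdentity, responseElements.ConsoleLogin), but they are sample data, and the threshold of five failures within ten minutes is an assumed value a team would tune for its own environment.

```python
"""Sliding-window detection of login-failure bursts over cloud audit logs.

Added illustration of a SIEM-style rule, not code from the article. Events
follow the field layout of AWS CloudTrail ConsoleLogin records but are
constructed sample data; threshold and window are assumed values.
"""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import json

FAILURE_THRESHOLD = 5            # assumed: failures from one IP that trigger an alert
WINDOW = timedelta(minutes=10)   # assumed: sliding window those failures must fall in


def _ev(time, ip, user, outcome, name="ConsoleLogin"):
    # Builds one constructed CloudTrail-shaped record; non-login calls carry
    # no responseElements.ConsoleLogin field.
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"userName": user},
            "responseElements": {"ConsoleLogin": outcome} if outcome else None}


# Constructed JSON-lines log: one IP hammers alice's login and then gets in,
# bob mistypes once, and carol's early failure has aged out of the window.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("2024-05-01T08:40:00Z", "192.0.2.55", "carol", "Failure"),
    _ev("2024-05-01T09:00:05Z", "203.0.113.10", "alice", "Failure"),
    _ev("2024-05-01T09:00:20Z", "198.51.100.7", "bob", "Failure"),
    _ev("2024-05-01T09:00:40Z", "203.0.113.10", "alice", "Failure"),
    _ev("2024-05-01T09:00:50Z", "198.51.100.7", "bob", "Success"),
    _ev("2024-05-01T09:01:00Z", "192.0.2.55", "carol", "Failure"),
    _ev("2024-05-01T09:01:15Z", "203.0.113.10", "alice", "Failure"),
    _ev("2024-05-01T09:01:50Z", "203.0.113.10", "alice", "Failure"),
    _ev("2024-05-01T09:02:00Z", "192.0.2.55", "carol", "Failure"),
    _ev("2024-05-01T09:02:30Z", "203.0.113.10", "alice", "Failure"),
    _ev("2024-05-01T09:03:00Z", "192.0.2.55", "carol", "Failure"),
    _ev("2024-05-01T09:03:10Z", "203.0.113.10", "alice", "Success"),
    _ev("2024-05-01T09:04:00Z", "192.0.2.55", "carol", "Failure"),
    _ev("2024-05-01T09:05:00Z", "198.51.100.7", "bob", None, name="DescribeInstances"),
])


def parse_events(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_login_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW) -> list[dict]:
    recent_failures = defaultdict(deque)   # source IP -> failure timestamps inside the window
    burst_ips = set()                       # IPs that already tripped the burst rule
    alerts = []
    for e in sorted(events, key=_ts):
        if e.get("eventName") != "ConsoleLogin":
            continue                        # other API calls are not login attempts
        ip, ts = e["sourceIPAddress"], _ts(e)
        outcome = (e.get("responseElements") or {}).get("ConsoleLogin")
        if outcome == "Failure":
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > window:       # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({"severity": "medium", "rule": "login-failure-burst",
                               "sourceIPAddress": ip, "failures": len(q),
                               "time": e["eventTime"]})
        elif outcome == "Success" and ip in burst_ips:
            # A successful login right after a burst is the case to escalate.
            alerts.append({"severity": "high", "rule": "success-after-burst",
                           "sourceIPAddress": ip, "user": e["userIdentity"].get("userName"),
                           "time": e["eventTime"]})
    return alerts


def run_sample_detection() -> list[dict]:
    return detect_login_bursts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample_detection():
        print(json.dumps(alert))
```

Against the sample log the rule raises two alerts for 203.0.113.10, the burst itself and the success that follows it, while carol's four recent failures plus one stale one stay below the threshold because the window expires old entries; a rule that counted failures without a window would page on her too.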
Also crucial to staying on top of cloud security are regular security audits, which surface any misconfigurations or compliance issues you may have, and keeping cloud services and applications updated so that the latest vulnerability patches are in place.
Another pillar of security is employee training. Humans are often the weakest link in security. Phishing attacks remain a common entry point into an organization’s network, in the cloud or otherwise. Regularly training and retraining employees to recognize such threats is vital.
Myth #5: Move Everything to the Cloud to Secure It
Finally, let’s address the false notion that moving all data and applications to the public cloud is the best way to secure it all. Of course, if you’ve made it this far down in the article, you already understand why this is false.
Broadly, there are three models for using cloud services: public, private and hybrid. Public cloud is where you share infrastructure maintained by a cloud provider (AWS, Azure, GCP and so on) with others. Private cloud is used exclusively by your organization, be it on-premises or through a service provider. Hybrid cloud, as the name suggests, is a mix of both.
Hybrid cloud offers the best of both worlds and is often the most sensible approach for businesses, especially large enterprises. It allows organizations to match each workload’s specific needs with the most suitable environment.
A healthcare provider, for example, can exercise strict security and compliance control over protected patient data by storing it on premises. Meanwhile, it can host its public-facing apps and websites in a public cloud to leverage its scalability and breadth of tools.
The security strategy must be appropriate for the infrastructure model being used. A hybrid environment calls for a unified approach to security, one that provides visibility and control across both components, public and private. That means selecting tools and policies that are compatible with both and meticulously planning and executing network security, encryption and access control. Security management as an ongoing program is especially important in a hybrid cloud environment.
In conclusion, moving applications and data to the cloud, all or just some of them, doesn’t mean outsourcing security to the cloud provider. Yes, the provider is responsible for securing their infrastructure, but the customer is still responsible for securing their cloud environment and preventing data loss. The key is to have a clear understanding of the Shared Responsibility Model: where in the stack the provider’s responsibility ends and the customer’s begins.