In the last few years, many companies have shifted their workload from on-premises servers to the cloud due to their scalable and elastic nature and ability to reduce infrastructure costs. The cloud computing market value is expected to grow to $947.3 billion by 2026.
Although 94% of companies have started using cloud services, there has been a growing concern about their security. Companies witnessed a 600% increase in malware attacks. They fear that their data will be vulnerable to cyber-attacks, hacks, DDoS, and other risks.
Cloud service providers (CSP) such as AWS and Azure have built-in capabilities to secure the cloud environment. They constantly innovate to make their offerings more secure. In fact, Microsoft’s Azure has even made security a key differentiator of its offerings.
However, cloud security is not the responsibility of cloud providers alone. According to Gartner, 95% of cloud security failures are the company’s fault. Companies must share equal responsibility to ensure that their data and applications are secure on the cloud. They cannot blame the CSPs for the security lapses.
CSPs such as AWS and Azure have published a shared responsibility model to make a clear distinction of responsibilities.
What is the shared responsibility model and how does it work?
In simple words, the CSPs are responsible for the security ‘of’ the cloud. The companies take care of the security ‘in’ the cloud environment.
Companies take care of the data, platforms, applications, operating systems, and identity and access management.
CSPs look after the infrastructure, networking, edge locations, availability zones, hardware, software, and all the facilities that run the cloud services.
Of course, some responsibilities could vary depending upon other factors too.
- Private cloud: The company is solely responsible for cloud security in a private cloud as applications are hosted within its data center. It takes care of the infrastructure, virtual network, physical network, firewalls, and operating systems.
- Public cloud: The cloud provider is responsible for the infrastructure and physical network in the public cloud. The company looks after the operating system, data, virtual network, applications, etc. So, the responsibilities are shared between the provider and the company.
- Hybrid cloud: The hybrid cloud spreads the workload across multiple environments, including private and public cloud environments. So, companies have the choice to safeguard their sensitive data by hosting it on a private cloud and at the same time enjoy the benefits of a public cloud. However, as multiple providers are involved, determining responsibilities can be challenging. The shared responsibility model is the best way forward to secure the cloud. The vendors will look after the security of the infrastructure by ensuring uniform security across all environments, while the company will protect the application layer and the data.
Responsibilities could also vary depending on how the workload is hosted. For example, if it is hosted as Infrastructure-as-a-Service (IaaS), the CSP manages the host operating system and storage, and the company takes care of container and network security. If the workload is hosted as Platform-as-a-Service (PaaS), the CSP will look after the low-level infrastructure and networking controls, and the company will manage user access management and its application code.
Sometimes external factors could also play a role in assigning responsibilities. For example, in AWS, responsibilities vary depending on the regions and laws and regulations applicable to the company.
Companies and cloud service providers must consider these factors before sharing responsibilities.
How to move forward with shared responsibilities?
Once the responsibilities are clear and agreed upon, companies must build a strategy to secure their applications and data.
Here are a few steps they could take to maintain cloud security.
- Adopt a zero-trust security approach: Never assume that security threats come from external sources alone. Internal factors, such as unauthorized access to a database by an employee, could also expose resources. So, adopt a zero-trust security approach to prevent lapses: everybody has to be authenticated before gaining access to resources.
- Set up multi-factor authentication: Set up multi-factor authentication to ensure that the users provide a minimum of two pieces of evidence to authenticate their identity. No one should be allowed to access the resources on the cloud without successfully being authenticated. Security experts consider it to be the cheapest solution to establish cloud security.
- Monitor network traffic and analyze logs: Automate security monitoring so that network traffic and user activity are analyzed 24/7. This will help identify abnormal activity and enable the designated security team to take pre-emptive action to protect the network.
- Establish data loss prevention policies: Create a comprehensive data loss prevention policy and share it with all the users within the company to guide them on how to protect the data from being lost.
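The MFA and monitoring steps above can be checked against the provider's own audit trail, which on AWS is CloudTrail. The following is an added example, not code from the original post or from Heptagon: it uses CloudTrail's field names (eventName, userIdentity, additionalEventData.MFAUsed, responseElements) over constructed sample records to flag console sign-ins without a second factor, any use of the root identity, and principals whose API-call volume exceeds a baseline.

```python
"""Flag sign-ins without MFA, root usage and noisy principals in
CloudTrail-style records. The records below are constructed samples."""
import json
from collections import Counter

# Constructed sample log: one JSON record per line (not real account data).
SAMPLE_LOG = """
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"Root"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"GetObject","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"}}
{"eventName":"GetObject","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"}}
{"eventName":"ListBuckets","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"bob"}}
{"eventName":"GetObject","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"alice"}}
"""

def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def principal(event):
    """Readable identity: the IAM user name, or the identity type (e.g. Root)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")

def successful_logins_without_mfa(events):
    """Successful console sign-ins where no second factor was presented."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append(principal(e))
    return hits

def root_account_activity(events):
    """Any action taken by the root identity; daily work should use IAM identities."""
    return [e["eventName"] for e in events
            if e.get("userIdentity", {}).get("type") == "Root"]

def api_calls_over_threshold(events, threshold):
    """Principals whose non-login API-call count exceeds the given baseline."""
    counts = Counter(principal(e) for e in events
                     if e.get("eventName") != "ConsoleLogin")
    return {p: n for p, n in counts.items() if n > threshold}

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("no MFA:", successful_logins_without_mfa(evts))
    print("root:", root_account_activity(evts))
    print("noisy:", api_calls_over_threshold(evts, threshold=2))
```

In a real account the threshold would come from an observed per-principal baseline rather than a constant, and the records would be read from the CloudTrail log bucket or a SIEM rather than an inline string.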
Cloud security is non-negotiable. It is crucial for the company’s reputation and compliance. However, don’t let that be the reason for avoiding cloud adoption. Companies can build a secure cloud environment with basic security processes in place and agreed shared responsibilities with cloud service providers.
We, at Heptagon, can also help companies secure their cloud environment. Contact us to learn more.