Cloud Security Is Also Your Responsibility
Is Cloud Security a Concern for Your Organization?
As the industry becomes increasingly digitized, more organizations are using cloud-based services to store data and deliver services to their clients. Perhaps your business uses a service such as Amazon Web Services to host apps or Azure to design, test, and deploy them. No matter what cloud service you rely on, you expect certain security safeguards to be in place to prevent any loss or breach of that data.
It’s a common belief that once information is stored in the cloud, it’s safe. In a perfect world, this would be true – the controls used by the cloud service provider would be enough. In reality, cloud security is also your responsibility. In addition to the protections instituted by the cloud service provider, it’s essential to ensure that cloud security is part of your organization’s security architecture.
Who Secures What Information?
When building a security architecture plan, it must be clear which party is responsible for each layer of cloud security. Generally speaking, the cloud vendor is responsible for security of the cloud itself: the physical facilities, the hypervisor, and the underlying networking, compute, and storage resources. How far up the stack that responsibility extends depends on the service model (it stops lower for infrastructure services than for platform or software services), so rely on the provider's published responsibility matrix rather than on assumptions.
Your organization is responsible for securing what it puts in the cloud. That starts with identity: user management and monitoring, delegation, auditing, and control of super-user (root or global administrator) privileges. It extends to the data itself: encryption in transit and at rest, key management, access control lists (ACLs), and logging. And it covers the application layer: the application stack, service connectors, and the configuration of the storage and database services your applications use. A managed service that encrypts data by default still leaves it to you to decide who may read that data and to review the access logs.
Choosing a Cloud Provider
A cloud vendor’s responsibilities should be clearly laid out in their customer agreement. It’s essential to perform a gap analysis on any service provider you’re considering in order to ensure that their platform is well-established and mature, as well as compliant with regulatory and enterprise security standards. Some things to look for are:
Compliance with industry and regulatory standards: Any cloud vendor you use should be certified against recognized security standards such as ISO 27001 and be able to show independent audit evidence for that certification. If they will host regulated data, they must also meet the regulations that apply to that data, such as HIPAA, PCI DSS, and Sarbanes-Oxley. Keep in mind that the provider’s certification covers its side of the shared responsibility model; your own workloads still have to be configured and assessed to meet the same requirements.
Full disclosure: The vendor should disclose the details of its security architecture that could assist with, or negatively affect, your security management. It should also provide the relevant records (for example, logs or audit evidence) when regulatory or legal needs require it.
Support of cloud security automation: A mature cloud service publishes APIs that give your team the information needed to find and mitigate risk: user privileges and profiles, export and import of security event logs, change management logs, firewall policies, and so on. Without such APIs, the controls you are responsible for cannot be verified at scale or on a schedule.
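The checks a customer would run over data pulled from such APIs can be illustrated with a small offline audit. The following is an added example and is not code from the original article or from any cloud provider; the three JSON exports are constructed sample data, and their field names (name, source, port, roles, last_login_days, grants, encryption) are assumptions standing in for whatever format the real provider API returns. It reviews the customer-side responsibilities named above: firewall policies open to the whole internet on non-public ports, super-user accounts (including idle ones), storage ACLs that grant public read without being on an intended-public list, and storage with no encryption at rest.

```python
"""Offline audit of customer-side cloud controls over constructed export data.

Added example, not the article's own code. The JSON shapes below are
assumptions standing in for what a provider's API might export; adapt the
field names to the real export format before running this against live data.
"""
import ipaddress
import json

# Constructed sample exports (not real data). Field names are assumptions.
FIREWALL_RULES_JSON = """[
  {"name": "allow-ssh-anywhere", "direction": "ingress", "source": "0.0.0.0/0", "port": 22},
  {"name": "allow-https", "direction": "ingress", "source": "0.0.0.0/0", "port": 443},
  {"name": "allow-rdp-office", "direction": "ingress", "source": "203.0.113.0/24", "port": 3389},
  {"name": "allow-db-anywhere", "direction": "ingress", "source": "::/0", "port": 5432},
  {"name": "allow-all-egress", "direction": "egress", "source": "0.0.0.0/0", "port": 0}
]"""

USER_PRIVILEGES_JSON = """[
  {"user": "alice", "roles": ["admin"], "last_login_days": 3},
  {"user": "svc-backup", "roles": ["storage-writer"], "last_login_days": 1},
  {"user": "bob", "roles": ["admin"], "last_login_days": 140}
]"""

STORAGE_ACLS_JSON = """[
  {"bucket": "public-website-assets", "grants": [{"grantee": "AllUsers", "permission": "READ"}], "encryption": "provider-managed-key"},
  {"bucket": "customer-records", "grants": [{"grantee": "AllUsers", "permission": "READ"}], "encryption": null},
  {"bucket": "app-logs", "grants": [{"grantee": "log-writer", "permission": "WRITE"}], "encryption": "customer-managed-key"}
]"""

# Ports that are legitimately exposed to the whole internet; anything else
# reachable from a world source is reported.
PUBLIC_SERVICE_PORTS = {80, 443}
SUPER_USER_ROLES = {"admin"}
STALE_LOGIN_DAYS = 90
INTENDED_PUBLIC_BUCKETS = {"public-website-assets"}


def is_world_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule open to every IPv4 or IPv6 address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_firewall(rules):
    """Report ingress rules that expose non-public ports to the whole internet."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress":
            continue
        if is_world_source(rule["source"]) and rule["port"] not in PUBLIC_SERVICE_PORTS:
            findings.append({"rule": rule["name"], "issue": f"port {rule['port']} open to {rule['source']}"})
    return findings


def audit_privileges(users):
    """Inventory super-user accounts and flag ones that have not logged in recently."""
    findings = []
    for user in users:
        if not SUPER_USER_ROLES.intersection(user["roles"]):
            continue
        findings.append({"user": user["user"], "issue": "holds super-user role"})
        if user["last_login_days"] > STALE_LOGIN_DAYS:
            findings.append({"user": user["user"], "issue": f"super-user idle for {user['last_login_days']} days"})
    return findings


def audit_storage(acls):
    """Flag unintended public grants and buckets without encryption at rest."""
    findings = []
    for acl in acls:
        name = acl["bucket"]
        public = any(g["grantee"] == "AllUsers" for g in acl["grants"])
        if public and name not in INTENDED_PUBLIC_BUCKETS:
            findings.append({"bucket": name, "issue": "readable by AllUsers but not on the intended-public list"})
        if not acl["encryption"]:
            findings.append({"bucket": name, "issue": "no encryption at rest configured"})
    return findings


def run_audit():
    """Run all three audits over the constructed exports and return findings per area."""
    return {
        "firewall": audit_firewall(json.loads(FIREWALL_RULES_JSON)),
        "privileges": audit_privileges(json.loads(USER_PRIVILEGES_JSON)),
        "storage": audit_storage(json.loads(STORAGE_ACLS_JSON)),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(f"== {area}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

Against the constructed data the audit reports the SSH and database rules open to the world (HTTPS is allowed, and the RDP rule is limited to one office range), both admin accounts with bob additionally flagged as idle, and the customer-records bucket twice: once for the public grant and once for missing encryption. The intended-public list is the piece most teams forget; without it every public website bucket becomes noise and the real exposures get ignored.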
A Shared Responsibility for Cloud Security
Although many organizations assume that all cloud-based data is secure and well-protected, this belief can weaken your security framework. Cloud security is a responsibility that is shared between the organization, third parties, and the cloud vendor. This is why it’s essential to develop a strong security architecture and choose a mature cloud services provider that operates in a transparent manner and is compliant with industry regulations and best practices. Cloud security isn’t perfect, but by taking these steps, you can help ensure that your organization’s data remains confidential, safe, and accessible.
Do you have questions about building or improving your organization’s security architecture? Contact the expert team at CISOSHARE to find out more!