It’s no longer an on-prem world. For years we’ve all heard about the disappearing security perimeter, the shift to SaaS, cloud-based workloads and new concepts like containers and Kubernetes. For years tech marketing and airport billboards have promised that the cloud can help your organization scale, become more competitive and transform your business. Which it can, but for many organizations, particularly those in highly regulated industries, the question remains:
Is the cloud secure?
Is The Cloud Secure? Like most things in life, the answer is “that depends”.
There’s a few different factors such as the cloud provider you choose, where the cloud instance is located, and how well your security team understands cloud security and their responsibilities.
First things first: most cloud providers are going to be secure– especially if you go with a well-established and known vendor. There’s a few geographical areas of the world that may be more risky from a breach or government-surveillance perspective, but those risks should be well evaluated by your legal and risk teams before a contract is even considered.
The biggest thing you need to consider is how well your team understands cloud security.
Cloud Is Different Than On-Prem
One of the biggest mistakes security teams make is treating the cloud like it’s an extension of their on-premise architecture. This is understandable in some ways-- most cloud instances could essentially be thought of as Linux endpoints, and organizations have already invested a ton in solutions like SEIMs and EDR tools that they are familiar with, are entrenched in the security stack, and will have their place in the stack for a long time yet.
But cloud is a fundamentally different animal. Unlike your on-prem or user endpoints, cloud servers can be stood up or spun down in minutes, and-- crucially-- the cloud instances can be accessed from anywhere in the world from any endpoint, without going through the corporate firewall….unless you have correctly configured your cloud security.
It’s A Shared Responsibility
The biggest gap in cloud security is understanding the Shared Responsibility model. Pioneered by AWS, Shared Responsibility has now become widely adopted among cloud providers, and the basic tenant is that the cloud provider is responsible for the security of the cloud infrastructure, while the customer is responsible for securing their data in the cloud.
Put another way, the vendor is responsible for the cloud, the customer is responsible for what’s in the cloud. It seems simple, except that 93% of cloud deployments have some misconfiguration in their security and there remains low confidence among executives that their teams adequately understand the shared responsibility model.
Amazon has recently introduced it’s Well-Architected Tools to help AWS customers get better visibility into their security, but ultimately the responsibility for securing the applications running in the cloud and the content they hold or process remains firmly and clearly with the customer.
How Do You Secure The Cloud?
First and foremost, as stated above, the most vital part of cloud security is understanding where your responsibility for security starts. Once you do that, implementing the right controls are vital. Aside from firewalls, using Identity Access Management (IAM), Multi-Factor Authentication (MFA), per-app VPN, and other tools are good best practices for securing cloud deployments. But even the most robust security stack doesn’t work if you can’t see everything in your cloud, which is where visibility and analytics are key.
Using a tool that can provide visibility into all of your cloud deployments and robust analytics to allow you to ask and answer questions of your clouds is an all-important capability for cloud mature and cloud-native organizations.
Using the cloud is secure...but it’s only as secure as you make it. It’s not enough to just choose a reputable, big name vendor and assume they have their ducks in a row. Your organization also has responsibility to keep the applications and content in the cloud secure-- which is where most cloud users stumble.