Cloud security is a shared responsibility between the businesses leveraging the cloud and their cloud service providers. To ward off cybersecurity threats, it’s critical that both thoroughly understand how to build and maintain robust security models and work closely in tandem to do so.
Businesses and their cloud providers must ensure that security within the cloud is properly integrated into evolving business models as they look to the cloud to re-shape operations and enable greater agility -- and that they agree on the fundamental principles of cloud security and how the different parties bear and share responsibility.
“As a form of contractual security, the cloud consumer accepts responsibility for implementing sound security governance for the layers with direct control, and the cloud provider accepts responsibility for the remaining layers,” says Paul Lewis, CTO of Pythian, an IT services company that supports customized cloud solutions. “Considering the various technology models available, this might be a pretty wide spectrum partnership. These boundaries are often referred to colloquially as ‘Security of the Cloud,’ covering the provider’s responsibilities, and ‘Security in the Cloud,’ covering user-configured components and layers that, if misconfigured, could result in a compromise.”
Cloud Security Approaches
The introduction of new cloud technologies and security go hand in hand. Cybersecurity threats can invade applications and affect a business’s confidentiality, integrity, and availability. Cloud service providers and businesses operating in the cloud should implement a wide range of security technologies used to address and thwart cyber security threats as they bring existing and new applications into the cloud. These extend from infrastructure in the network into the workspace–both security of the cloud and security in the cloud.
Auditing and logging of network and application activity is used to evaluate and correlate potentially harmful activity, for example. Meanwhile, perimeter security is designed to protect systems from unauthorized access. Approaches used to ensure end point and application integrity include vulnerability assessment, patching, antivirus, configuration management, and integrity of source code and artifacts. There are also technologies for data loss prevention concerning the sharing of sensitive information outside of the organization (intentionally or not).
Cloud Security Best Practices
It’s essential for both organizations and their cloud providers to stay proactive in understanding the array of threats and vulnerabilities and the technologies necessary to address them. Here are several best practices of cloud security that should be followed:
- Shared responsibility: Every cloud provider should share the responsibility of helping its customers to comply with their own security requirements through a shared approach to the security of services. A complete matrix of accountability that is continually reviewed and remediated can ensure mutual understanding of these obligations.
- Identity and access management control is a framework that ensures users have the appropriate permissions to access resources, applications, and data on the cloud while securing data and preventing unwanted security threats.
- Security by design means bottom-up implementation of secure coding for applications, zero-trust network and infrastructure, and data access controlled through policy-based data stewardship rules.
- Active monitoring of the cloud environment enables discovery of potential bad actors that may be targeting an organization’s data. Understanding who has access and being aware of suspicious activity helps keep applications and data secure.
- Data protection: Wherever data is created -- in the cloud, at the edge, on premise, within the supply chain or even within the customer's environment -- a consistent application data protection model must be implemented including backup, recovery archive, access control, data compliance, and auditing.
- Do not stand still: There are always more bad actors, and they are great at what they do: finding the right people to exploit, attacking the right systems, and accumulating the right data for ransom. More frequent, less predictable, and potentially more harmful incidents are occurring, resulting in higher cyber security spending, and higher financial and reputational impacts. It’s a big problem, and no one can afford to rest on their laurels. Cloud providers and the businesses leveraging their cloud environments must both constantly evaluate their security posture and invest to keep people and data safe.
Instituting and managing these best practices and technologies in the cloud is essential to ensure the safety of cloud-based applications and data, and it’s critically important that cloud providers and their business customers are on the same page. Cloud security is only effective if businesses and their cloud providers fundamentally agree and share responsibility. They must work in tandem. Otherwise, security risks can be exploited.