Businesses are conflicted about moving their data to the cloud. Some claim that one of the main reasons for moving data to the cloud is because it is more secure. Simultaneously, a top reason for not moving data to the cloud is due to concerns about security. Which opinion is right? The answer isn’t so simple.

Most IT professionals accept that many features of cloud security are better than on-premises approaches, but this is not the full picture. Security is perhaps the most important facet of an enterprise cloud provider as one incident could lead to a catastrophic loss of business. Therefore, they spend a lot of time and money protecting their own infrastructure, including data centers, server hardware, and internet connectivity. However, the picture is more nuanced than that. Cloud providers don’t have 100% of the knowledge or capabilities under their control and therefore cannot deliver 100% security.  

The resulting ambiguity leads many enterprises to juxtaposing thoughts and approaches when it comes to cloud security. A large majority of enterprises recognize the cloud as a powerful business tool, but at the same time still express reservations due to the perceived risks associated with putting data in a public cloud without the security of that data guaranteed. Enterprises need to look more deeply to discern security gaps and determine how responsibility is shared when data travels to the cloud, in the cloud, between clouds and from the cloud.

No one organization or person can have complete responsibility for keeping data secure, the reality is that security is a “shared responsibility” – where organizations, users, IT security professionals and the cloud service providers all have a joint task to ensure all parties are using the cloud securely. When this model is implemented correctly, the benefits to organizations include increased customer trust, risk reduction, positive brand reputation and overall business success in today’s digital economy.

Pointed fingers and uncertain ownership

Optimal cloud security requires a layered defense where businesses address each part of the “stack of responsibility” individually, yet they all interact together as a complete framework. This includes physical security, infrastructure, network control, application-level controls, identity and access management, endpoint protection, data classification, user/device/data control, and collaboration control. It is a lot and can be daunting for any IT team, big or small.  

Cloud service providers offer some security protection, but that does not mean that enterprise cloud data is fully secure. Major cloud vendors like Microsoft, Amazon, and Google correctly point out that the responsibility is not theirs alone and that businesses must embrace the concept of a shared responsibility model. Microsoft, for example, publishes its model for Azure. Amazon has a similar approach for AWS. Both of these models point out that a secure infrastructure relies on the customer playing their part to make the system truly secure and compliant. 

The analyst community realizes this growing need and is sounding alarm bells about the importance of shared responsibility in cloud security. Gartner warns, “Through 2025, at least 99 percent of cloud security failures will be the customer’s fault.” Gartner’s statement implies that enterprises themselves, not the cloud providers, need to ensure that their approach to cloud security is all-encompassing.

Cloud providers have often approached shared responsibility by listing the security features they offer and leaving the rest up to the customer, splitting responsibility into two. While this division is a good start, it can leave the enterprise unsure about how to decide, allocate and implement the areas allocated to them. It is now imperative to assign roles within the organization and determine liability owned by various business lines, including but not limited to, IT security, risk & compliance, users, developers and buyers of the cloud services.

Shared responsibility in action

The car rental process can best illustrate an ideal example of a shared responsibility model. First, the manufacturer is liable for ensuring the car is roadworthy when it comes off the assembly line. It needs to have good brakes, tires, and functioning airbags. After the car arrives at a rental company, both the company and the renter will typically not test the airbags – they just assume they will work as originally installed. As the car gets older, the rental company should check the tires and the brakes, service the car and keep it roadworthy. The renter assumes this is the case and unfortunately, often does not find out otherwise unless they run into an issue with the vehicle. 

On the renter’s side, they need to have the appropriate license for the vehicle, which the rental company checks before handing over the keys. The renter is responsible for accidental damage, though this may not be the actual driver when multiple drivers are sharing the driving. The car includes seat belts, installed by the manufacturer, but it is the driver’s responsibility to wear their belt and ensure that all members of the car wear them too. Additionally, the driver is responsible for driving according to the conditions and road rules. This division of responsibility when renting a car is shared among five groups of people: the car manufacturer, the rental company, the passengers, the renter and the driver. Everyone has their part to play. Ignoring one layer of safety could have tragic consequences so every aspect needs consideration in totality.

Where risk ultimately lies

Microsoft, Amazon, and other cloud providers are working to deliver shared responsibility models at a baseline level, but there needs to be more responsibility from the end-user community. This includes the enterprise itself, information and IT security teams, and the users. Business and IT leaders can only safeguard cloud data if security features are well-understood, switched on, and properly configured at the outset. We saw this issue specifically come out with a recent high profile breach caused by misconfigured AWS rules for public-facing servers, ultimately leading to a major vulnerability and data breach.

Overall, the technology community needs to consider who controls and manages cloud configurations, data flow between different cloud services, collaboration, access, and device controls, and user behavior. The conclusion is that responsibility for risk belongs to the business because at its core, the data collection and security belongs to the business. Even though cloud providers play a big role, they’re not the public-facing company that is assuming risk for handling this sensitive data. Members of the IT team need to be the guardians of security and compliance for the enterprise. They need to work with the CISO and other business leaders to understand and set policies around data control, work with lines of business to help them classify data accurately, ensure regulatory compliance, help the purchasing team make buying decisions, determine which cloud services to allow user access, and ensure user training is comprehensive.

Without strict processes in place and a delineation of who is accountable for what, a business decision like implementing a new public cloud service can put a corporation at serious risk of a data breach or other related security issues. But with the shared responsibility model, businesses can ensure that everyone does their part.

Nigel Hawthorn, EMEA Director, Cloud Business Unit