Organizations have a shared responsibility with cloud providers in securing data and applications. (Photo by Ethan Miller/Getty Images)

Fortinet Consulting Cloud Architect John McDonough last week pointed out in a webinar that the cloud security offered by Microsoft is not infallible because it's delivered by well-known corporate brand with a lot of resources. In fact, McDonough said it often falls short of what organizations really need.

On one hand, McDonough said in various reports that Microsoft offers firewalls for its Azure cloud that come with some important features, such as intrusion detection, transport layer security, and URL filtering. However, McDonough said the Azure firewall often needs add-ons for capabilities to be activated, and its tools are just “OK” compared with solutions from pure-play security vendors. 

In the webinar, McDonough said intrusion prevention, botnet protection, SD-WAN support, data loss prevention, and virtual patching are among the other critical functions security pros should look for in a firewall product. He said enterprises need to not just protect what’s behind the firewall, but also data that goes back and forth as well as the people who are connected to the firewall.

Craig Burland, chief information security officer at Inversion6, said the webinar by McDonough hits on two important concepts: businesses have a big role to play in securing the cloud; and a cloud migration means more work for their cybersecurity teams — not less.

Burland said cloud services of all types — IaaS, PaaS, and SaaS — rely on a shared-responsibility model. The provider only secures what they provide, said Burland, and the enterprise is responsible for protecting the data and ensuring proper configuration — not the cloud provider. 

“Misunderstanding this key aspect of cloud services has left — and will continue to leave — companies exposed to unwanted security risks,” Burland said. “When companies move to mitigate this risk, they need to be aware that many of their on-premises security tools won’t extend to the cloud.”

The tension between best-in-breed and all-in-one solutions has always troubled organizations, and it’s particularly noticeable during economic downturns, where organizations may sacrifice capabilities in lieu of cost, said Claude Mandy, chief evangelist, data security at Symmetry Systems. Mandy said the distinction between "security of the cloud" versus "security in the cloud" that’s formalized in the shared-responsibility model puts the onus on organizations to make the determination whether the security provided by the cloud service provider is sufficient for their needs. 

“In most instances, the cloud service provider’s responsibility ends before the protection of applications and data of the organizations,” Mandy said. “Ensuring that data and applications are protected is where we encourage organizations to focus on first. This lets organizations make well-thought-out economic decisions on what to bundle compared to targeting a security mesh approach. This will let organizations focus on what capabilities are needed to protect what it cares about most while leveraging the economies-of-scale that a cloud service provider can offer for commodity security services, like network security services.”

Brad Hong, customer success manager at Horizon3ai, said he and his team constantly see huge blast radii in attacks and penetration tests originate from the smallest misconfiguration, or even lack of configuration, allowing attacker’s to simply log-in to public facing environments. Hong said he couldn’t agree more with McDonough’s critique of end-users’ misconception that too big to fail doesn’t apply to security infrastructures.

“Lest we forget that cloud computing is just storing it on someone else’s computer — by relying on a big corporation’s brand-name reputation as a seal of security, organizations are practicing negligent risk transference with poor procurement risk management practices as the cherry on top,” Hong said. “Like any software or hardware brought into a company’s inner sanctum, the IT team has not only the responsibility but the sole ownership of duty to ensure third-party risk is mapped out and accounted for.”