With today’s explosion of remote workers, we’re seeing an overwhelming reliance on the cloud. Its agility, anywhere access, and dynamic scalability make the cloud ideal for this new working paradigm. But what about cloud security? Whose responsibility is it anyway?
By Phil Alberta, President and Chief Information Officer, IPM
With so much reliance on multiple cloud providers and solutions, from diverse locations and sources, protecting and securing the cloud has become much more complex and, in some cases, is even misunderstood. This leaves risky gaps and exposure. Yes, cloud providers including Microsoft Azure and AWS handle infrastructure security – including compute, storage, database, and networks. But it’s vital to understand that once your data arrives in the cloud, its full security fate rests in your own hands.
Embracing a Shared Responsibility Model
There is a duality to cloud security that requires deep understanding and strategic management, a practice that can be called a shared responsibility model. Here, the cloud provider is responsible for the secure infrastructure of the cloud. The customer, on the other hand, takes primary responsibility for protecting data in the cloud, including user data, platforms, applications, identity access management, as well as the operating system, firewall configuration, and other components.
It’s important to note that this shared responsibility for security doesn’t fall into place automatically. It takes careful planning, precise implementation, and continuous monitoring to perfect. To build your secure cloud environment, consider the following five best practices:
1. Develop a comprehensive plan: Take another look at your agreement with your cloud provider(s) and identify where they can help you to improve security, and where you may need to add technology and solutions to your overall strategy. In the shared responsibility model, you need to know where the cloud provider’s agreed-upon responsibility ends and yours begins. Then you can better integrate your provider’s security controls into your overall security strategy.
Using this greater detail from your cloud provider, you can develop a plan to include:
- An assessment of new assets that need to be budgeted for, e.g., threat detection and response software, automated patching updates, and swapping out high-risk legacy hardware for more secure devices.
- Forecasting of your organization’s potential workforce shift to determine the longer-term effects and needs of remote working and related devices.
- Alignment between IT, security, and HR on a timetable to execute security improvements. This may entail giving employees new devices, training on new software and security protocols, and budgeting priorities.
2. Understand your compliance requirements: Reassess your compliance needs and then identify and use the tools your cloud provider makes available to help you monitor and prove compliance. Azure Policy is one tool offered to centralize compliance data for quicker auditing and tracking. It enables policy creation at the core of Azure and supports ongoing enforcement by setting guardrails on resources.
3. Know your risk tolerance: Fully understand what data you need to secure and what risks you are willing to accept for that data. Map out your data risk tolerance by data type and the strategy you will implement to protect it. By classifying your data based on its sensitivity, such as personally identifiable information (PII) or HIPAA-regulated health records, you’ll have a strong idea of which data sets you most need to protect.
4. Design and implement technology controls: Organizations can use managed services and solution providers to help design and execute a cloud security plan and help navigate the complexities of cloud data security protocols. This plan can include application and access controls needed to further ensure sensitive cloud data is not compromised and can be recovered. Given the expected increase in remote users, it is imperative to limit access to applications in accordance with work productivity needs. Phishing attacks and malware introduction into networks are a common result of inadequate control at the device endpoint.
5. Develop a continuous monitoring program: Security threats and risks function in a fluid environment. This demands regular assessment of the controls in place and the agility to adapt as situations change. It includes evaluation of your threat response system, secure onboarding and offboarding of employees’ devices, timeliness of all patching updates, and due diligence in making use of updated security controls across all major programs.
The responsibility for a secure cloud is a shared one. And as organizations continue to rely more heavily on cloud-powered workloads, your security strategy must be a priority that remains front and center. By inspiring collaboration and consensus between your cloud providers, solutions providers, and internal IT security staff, you’ll enable a more productive and secure environment in which workers will thrive.
About the Author
Phil Alberta is President and Chief Information Officer for IPM, an IT consulting firm focused on supporting secure cloud transformations with field-proven expertise in planning, deploying, and supporting today’s hybrid IT infrastructure.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.