Cloud Digital Transformation Security Challenge
- January 12, 2020
- Posted by: RunSecurely
- Categories: cloud security, data protection, privacy
Cloud computing has become a prevalent force, bringing economies of scale and breakthrough technological advances to modern organizations, but it is more than just a trend. Cloud computing has evolved at an incredible speed and, in many organizations, is now entwined with the complex technological landscape that supports critical daily operations.
This ever-expanding cloud environment gives rise to new types of risk. Business and security leaders already face many challenges in protecting their existing IT environment. They must now also find ways to securely use multiple cloud services, supported applications and underlying technical infrastructure.
The Need to Use Cloud Services Securely
The surge in business processes supported by cloud services has been well evidenced by organizations using cloud services store confidential data in the cloud environment. But when using cloud services, organizations are still unsure whether to entrust cloud service providers (CSPs) with their data.
CSPs generally provide a certain level of security as substantiated by multiple surveys, but cloud-related security incidents do occur.
CSPs cannot be solely responsible for the security of their customers’ critical information assets. Cloud security relies equally on the customer’s ability to implement the right level of information security controls. Nevertheless, the cloud environment is complex and diverse, which hinders a consistent approach to deploying and maintaining core security controls.
The Rise of the Multi-Cloud Environment:
As organizations acquire new cloud services, they typically choose these from a selection of multiple CSPs and therefore need to deal with a multi-cloud environment, which is characterized using two or more CSPs.
Organizations favor a multi-cloud environment because it allows them to pick and choose their preferred cloud services across different CSPs (e.g. AWS, Microsoft Azure, Google Cloud, Salesforce). However, each individual CSP adopts its own jargon, its own specific technologies and approaches to security management. The cloud customer therefore needs to acquire a wide range of skills and knowledge to use different cloud services from multiple CSPs securely.
Overcoming Cloud Security Challenges:
While CSPs provide a certain level of security for their cloud services, organizations need to be aware of their security obligations and deploy the necessary security controls. This requires organizations to understand and address the many security challenges presented by the complex and heterogeneous aspects of the cloud environment.
Our ISF members have identified several obstacles to operating securely in the cloud environment. The main challenges include:
- Identifying and maintaining the appropriate security controls
- Balancing the shared responsibility for security between the CSP and the cloud customer
- Meeting regulatory requirements to protect sensitive data in the cloud environment
The rapid explosion of cloud usage has accentuated these challenges and, in some instances, left organizations insufficiently prepared to tackle the security concerns associated with using cloud services.
Balancing the Shared Responsibility for Security Between the CSP and the Cloud Customer:
Securing the use of cloud services is a shared responsibility between the CSP and the cloud customer. The security obligations incumbent on the CSP are to protect the multi-tenant cloud environment, including the backend services and physical infrastructure, as well as to prevent the commingling of data between different customers.
While the CSP maintains much of the underlying cloud infrastructure, the cloud customer is responsible for securing its data and user management. Whether the customer’s responsibility extends to performing security configurations for applications, operating systems and networking will depend on the cloud service model selected.
This shared responsibility for security can create confusion and lead to over-reliance on the CSP to mitigate threats and prevent security incidents. It is essential that the cloud customer does not depend wholly on the CSP to deploy the appropriate security measures, but clearly understands how responsibility for security is shared with each CSP in order to identify and deploy the requisite security controls to protect the cloud environment.