By Aman Madhok, Regional Director Sales – Govt & PSU, Radware – India, Middle East & Telco North
Most organizations across verticals have understood that moving to the cloud and securely storing and accessing the data is the need of the hour. But do all organizations also understand that securing their data is not just the responsibility of the cloud providers? No. It is very important to understand that while moving to the cloud and in the cloud there are a lot of responsibilities that the customer has to own and take care of. Rather it would be good to say that it’s a shared responsibility by both the cloud service provider and the customer, and it becomes more important when it is a public cloud. Security for data classification, network controls and physical security needs clear owners. The security team maintains some responsibilities for security as you move applications, data, containers, and workloads to the cloud, while the provider takes some responsibility.
The data on the public cloud is huge and threats are both from outside attackers and within the organization. A single successful attack could cost organisations billions with loss of revenue, fines, penalties and business interruption. As per a Gartner report by 2025 a full 99% of all cloud security failures will result from user error. The cloud provider may manage security across the provided operating systems, virtual layers, hypervisor, infrastructure and physical security but, customisable cloud capabilities like application management, network configuration and encryption are the customer’s responsibility. The cloud customer is also responsible for encrypting data in transit and at rest.
Majorly vendor responsibility for data security revolves around the following
• Customer data stored in the cloud
• Platform, application, and, identity & access management
• Operating system, network and firewall configuration
• Data encryption, integrity and authentication
Customers’ responsibilities increase depending on the kind of cloud service models they take – IaaS, PaaS or SaaS. While the least responsibility lies when it is SaaS and the most with IaaS,in IaaS, the user is responsible for OS and software stack required to run the applications and data. With PaaS, the user is responsible for the security of any code or data or content produced on the platform. And with SaaS, it reduces to bear some security responsibilities such as protecting login credentials from phishing or social engineering attacks.
Customer’s share of cloud security responsibilities
Irrespective of the type of cloud service the customer opts for, they will be responsible for securing what’s under their direct control:
- By design all the data and information access is under the customer’s control and it has to be retained for better management and access controls
- Propriety codes and application logic’ responsibility of securing and controlling throughout the life cycle is on the customer
- Customer is responsible for all facets of their identity and access management (IAM), including authentication and authorisation mechanisms, single sign-on (SSO), multi-factor authentication (MFA), access keys, certificates, user creation processes and password management.
- Customers should also plan and maintain their platform and resource configuration, whether they want server-based or serverless.
This is why a customer needs best practices to secure the cloud environment from security threats:
- Enforce policies and data governance: Organisations should enforce and put-in place policies for cloud data ownership and responsibility
- Diligently manage identity and access controls: Organisations should make sure that they use the best practice guidelines as well as tools and managed services which are provided by the cloud providers.
- Use a cloud management solution: This offers a single dashboard to manage all data, analytics, and users in one place
By understanding the shared responsibilities and actively taking responsibility for the same will help not only securely the cloud environment and organisational data but will also help in eventually positively impacting the financial aspect of the organisation.
