Cloud Security: Understanding Your Risks and Responsibilities

Cloud computing is a key tool for organisations everywhere, offering a wealth of opportunity to extend IT capabilities and take advantage of innovations.

And as more organisations move to remote or hybrid working, Cloud services are more valuable than ever. But whenever new technologies are implemented, challenges emerge.

Many of those lie in security, some of which are common across IT infrastructures and others that are unique to the Cloud. The latter mostly boil down to the exposure of Cloud environments: if you are allowing access to your data and systems from anywhere with an Internet connection, how do you restrict that access to authorised users and devices only?

It’s an issue that organisations struggle with, as can be seen in the results of Snyk’s State of Cloud Security Report 2022. It found that 80% of respondents experienced at least one severe Cloud security incident in the past year.

The report also found that 41% of respondents said Cloud-native services make their operations more complex, increasing the attack surface and making vulnerabilities more likely.

This is especially problematic when combined with a lack of in-house expertise on how to remain secure, as is frequently the case in smaller businesses.

Organisations must also consider the legal and contractual requirements associated with the Cloud.

In general, organisations are responsible for ensuring the data they collect – be it personal data, payment data or any other kind of data – is protected.

This remains the case even if a third party, such as a Cloud provider, is the one implementing most security controls.

In fact, various standards and frameworks now list explicit Cloud security requirements for the Cloud user, so it is likely that laws and contracts will increasingly demand the same.

In the case of personal data, laws such as the GDPR (General Data Protection Regulation) do not just make you – the data controller – responsible for protecting that data, but also impose tight restrictions on transferring it outside the EEA.

As such, if you store or process personal data in the Cloud and your Cloud provider’s physical servers are not in the EEA (as is frequently the case), this is something you will need to address, for example by selecting an EEA hosting region or by relying on an approved transfer mechanism such as standard contractual clauses.

Who is responsible for what?

A fundamental part of Cloud security is establishing who is responsible for implementing relevant measures.

For example, access controls will almost certainly be configured by the Cloud customer, but physical security is managed by the Cloud service provider.

Meanwhile, network security may be shared by both parties. Customer-managed measures are, naturally, for you to implement. However, given that you – the data controller – are ultimately responsible for keeping the data you collect secure, it is important you conduct due diligence checks on the provider-managed controls.

In practice, these checks usually consist of confirming your contract contains the appropriate clauses, like an explicit recognition that you own the data and intellectual property stored in the Cloud, and of obtaining evidence for the provider-managed controls, such as a current ISO 27001 certificate or an independent audit report covering the services you use.

The checks will vary depending on your legal, contractual and business requirements, but it’s advisable to compile a written checklist so nothing gets overlooked. This can also help prove you have met your responsibilities if you are audited or investigated.

Understanding Cloud relationships

Another major point to consider is the type of Cloud service(s) you are using. This is a key variable in determining who implements what.

Software as a Service generally gives the customer the least to manage themselves. Their security burden will instead consist of securely configuring the software (user accounts, access rights and sharing settings in particular) and due diligence checks on the provider.

Platform as a Service gives the customer a bit more work, as they must supply, manage and secure the applications that are served on the platform.

However, the provider manages the underlying Cloud-based platform and infrastructure, on which you must conduct the necessary due diligence.

Finally, Infrastructure as a Service gives customers the most to do in terms of active security management, since they supply the operating systems, platform components and software themselves and are therefore wholly in charge of securing everything from the operating system upwards.

The Cloud provider simply provides the physical hosts, virtualisation layer, storage and network on which your virtual servers run, and those are what your due diligence checks must cover.

How to manage Cloud security

To address their Cloud security risks and responsibilities, organisations should establish what their requirements are and, following a risk assessment, determine what security measures they need to meet those requirements.

For ideas, you could look at the controls listed in general security standards such as ISO 27001, or more Cloud-specific guidance like ISO 27017 or the CSA Cloud Controls Matrix.

Once you’ve done this, you can list the Cloud services you use (or intend to use), and categorise them by service type: Software-, Platform- or Infrastructure-as-a-Service.

If at least two types apply to you, you could present your security measures in a matrix providing a clear overview of what you must manage, what your Cloud provider will look after, and where you share the responsibility.

From here, you can form a more detailed implementation plan for the measures you must implement yourself, and add provider-managed controls to your list of due diligence checks.
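The procedure above (inventory the services, classify each by service type, derive who owns each control, then split the result into your own implementation plan and the provider due diligence list) can be captured in a small script. The following is an added, illustrative example and is not code from this article or from the book recommended below. The ownership of physical security, access control and network security follows the article; the remaining control assignments, the service names and the inventory are assumptions constructed for the example.

```python
"""Shared-responsibility matrix for a Cloud service inventory.

Added example (not code from the article or the book it recommends).
The ownership of physical security, access control and network security
follows the article; the other control assignments are illustrative
assumptions and should be replaced by the terms of your own contracts.
"""
from collections import defaultdict

SERVICE_MODELS = ("SaaS", "PaaS", "IaaS")

# For each control: who is responsible under each service model.
#   "customer" - you implement and operate it
#   "provider" - the provider implements it; you perform due diligence
#   "shared"   - you implement your part AND check the provider's part
CONTROL_OWNERSHIP = {
    "Physical security":                  {"SaaS": "provider", "PaaS": "provider", "IaaS": "provider"},
    "Hypervisor and host patching":       {"SaaS": "provider", "PaaS": "provider", "IaaS": "provider"},
    "Network security":                   {"SaaS": "provider", "PaaS": "shared",   "IaaS": "shared"},
    "OS hardening and patching":          {"SaaS": "provider", "PaaS": "provider", "IaaS": "customer"},
    "Application security":               {"SaaS": "provider", "PaaS": "customer", "IaaS": "customer"},
    "Secure configuration":               {"SaaS": "customer", "PaaS": "customer", "IaaS": "customer"},
    "Identity and access control":        {"SaaS": "customer", "PaaS": "customer", "IaaS": "customer"},
    "Data encryption and classification": {"SaaS": "shared",   "PaaS": "shared",   "IaaS": "customer"},
}


def build_matrix(services, ownership=CONTROL_OWNERSHIP):
    """Map each control to {service name: owner} for the given inventory.

    services: {service name: service model}, e.g. {"CRM": "SaaS"}.
    Raises ValueError for a service model the catalogue does not cover,
    so an unclassified service cannot silently drop out of the plan.
    """
    unknown = {name: model for name, model in services.items() if model not in SERVICE_MODELS}
    if unknown:
        raise ValueError(f"unclassified services: {unknown}")
    return {
        control: {name: per_model[services[name]] for name in services}
        for control, per_model in ownership.items()
    }


def split_responsibilities(matrix):
    """Derive the two lists the article describes from the matrix.

    Returns (implementation_plan, due_diligence): each maps a control to the
    sorted services it applies to. A "shared" control lands in both lists.
    """
    plan, diligence = defaultdict(list), defaultdict(list)
    for control, per_service in matrix.items():
        for name, owner in per_service.items():
            if owner in ("customer", "shared"):
                plan[control].append(name)
            if owner in ("provider", "shared"):
                diligence[control].append(name)
    return ({c: sorted(s) for c, s in plan.items()},
            {c: sorted(s) for c, s in diligence.items()})


def render_matrix(matrix, services):
    """Plain-text table: one row per control, one column per service."""
    names = list(services)
    width = max(len(c) for c in matrix) + 2
    header = "Control".ljust(width) + "".join(f"{n} ({services[n]})".ljust(26) for n in names)
    rows = [header, "-" * len(header)]
    for control, per_service in matrix.items():
        rows.append(control.ljust(width) + "".join(per_service[n].ljust(26) for n in names))
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed inventory covering all three service models (assumed names).
    inventory = {"CRM": "SaaS", "Customer portal": "PaaS", "Legacy ERP VM": "IaaS"}
    matrix = build_matrix(inventory)
    print(render_matrix(matrix, inventory))
    plan, diligence = split_responsibilities(matrix)
    print("\nImplement yourself:")
    for control, names in plan.items():
        print(f"  {control}: {', '.join(names)}")
    print("\nDue diligence on the provider:")
    for control, names in diligence.items():
        print(f"  {control}: {', '.join(names)}")
```

Two design points carry over to a real checklist: a service whose type you have not classified is rejected rather than ignored, because a missing row is exactly how a control gets overlooked; and a shared control is deliberately written to both lists, since you must implement your part and still check the provider's.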

You can find out more about what that plan might look like by reading Securing Cloud Services: A pragmatic guide.

This book, written by security architect Lee Newcombe, explains everything you need to know about Cloud security.

It covers the key concepts of Cloud computing and its security architectures, and then looks at the security considerations you must acknowledge.

It’s ideal for anyone looking at implementing Cloud services, whether that’s Software-, Infrastructure-, or Platform-as-a-service.
