The fact is, there’s still lots of confusion about who is responsible for which aspects of cybersecurity when a company adopts cloud services. Companies often rush to deploy these services for competitive reasons, without giving enough thought to the security and privacy implications.
In many cases, business executives or departments are the drivers for moving workloads to the cloud, and security sometimes gets lost in the shuffle. Much of this stems from the shadow IT movement of recent years, in which business users deploy cloud services without central IT even knowing about it.
Meanwhile, even many IT executives assume cloud service providers are responsible for ensuring the continuous security of all data and applications in the cloud. The thinking is that the comprehensive security offered by cloud providers, combined with the existing provisions of the company using a cloud provider, is more than enough to stop data breaches from happening. This creates a false sense of security when leveraging the public cloud.
Industry research confirms there are a number of misconceptions about security and data management when it comes to the cloud.
Furthermore, the assumption that an organization’s current governance model and security controls will suffice for all cloud-based workloads is shortsighted. Governance models need to be updated to include cloud considerations. Current methods of authentication, access control, encryption and monitoring all must be reviewed to ensure compatibility and compliance with cloud initiatives.
The differences in security responsibilities by cloud service type can also be a source of confusion. Understanding these differences is key to ensuring proper security provisions are in place.
In general, with Infrastructure as a Service (IaaS) offerings, internal IT is responsible for administration, applications, data, runtime and middleware, while the service provider is responsible for operating systems, virtualization, servers, storage and networking.
With Platform as a Service (PaaS), internal IT is responsible for administration, applications and data, and the service provider handles runtime, middleware, operating systems, virtualization, servers, storage and networking. And with applications as a service, internal IT is responsible for administration only, and the service provider handles all other functions.
Moving to the cloud certainly removes some of the burdens of IT management from companies. But it doesn’t mean abdicating all responsibilities to service providers. That’s especially true of security, and internal IT must take ownership to ensure the protection of data and workloads.
The stakes are high when it comes to cybersecurity. Data breaches and other incidents can end up costing millions of dollars in lost or stolen data, lawsuits from customers and business partners that have been impacted, lost business, and damage to brand and reputation.
It’s not a question of cloud providers being lax in protecting their own infrastructure. The leading cloud providers have built some of the most secure environments possible, because much of their business model depends on having strong security and reliability in their IT infrastructure.
It’s more a question of cloud customers doing their part to protect the privacy and security of their own data — whether it resides on premises or in the cloud.