By Oscar Moncada, co-Founder & CEO of Stratus10 Cloud Computing. He’s worked in AI, software engineering, and led teams at Fortune 1000s.
When you’re planning to migrate your internal applications, DevOps or databases to the cloud, one of the top considerations remains ensuring data privacy and integrity. And, in most cloud implementations, your cloud provider assumes some, but not all, responsibility for cloud security.
Cloud security is the set of measures that works to ensure data privacy and security. In the cloud, security is built across multiple layers and effectively monitors your infrastructure. We’ve all heard about major security breaches in the news, but these cases involve misconfigurations of cloud services and are, in fact, the fault of the user, not the cloud.
The cloud requires a “shared responsibility” model, with a whole host of parameters set forth by cloud providers that enterprises must implement and maintain. Ultimately, the cloud can be much more secure for companies because of the 24/7 monitoring; however, if companies don’t properly set up their security, they are vulnerable to attacks.
It usually makes business sense to outsource some of the security measures not controlled by the cloud platform to third-party providers. That saves your team’s bandwidth to focus on essential tasks and maximizes ROI.
How does shared responsibility impact cloud security?
Shared responsibility is a simple moniker masking a security situation that many business leaders may find unclear. Any cloud hosting agreement involves service delivery and data transfer that happen in areas where data access, ownership and responsibility begin and end.
This means the boundaries between your responsibility and your provider’s can blur.
So, when it comes to cloud security, there are a few hard-and-fast rules you need to keep in mind about what you’ll still account for and what your provider will assume. Depending on the provider you choose, their control will likely include:
• Cloud network infrastructure: The physical resources required to support and operate cloud networks themselves, such as data centers, servers and all hardware within them.
• The virtualization layer: All hardware and software that abstracts individual devices’ resources and makes them available to cloud service users via virtual machines.
Outside of these areas, nearly every other aspect of cloud security remains on your to-do list. But quite a few of them can also be outsourced where it makes sense to lighten the load further.
Which cloud security practices should you outsource?
As a rule of thumb, you should outsource cloud security responsibilities that are overly burdensome to in-house IT teams. Since the costs of recruiting and retaining cloud security specialists are rising, and with the ongoing tech skills gap, relying on in-house security expertise is becoming increasingly challenging.
Ongoing security tasks like continuous scanning and monitoring are strong candidates for outsourced services. Prime examples include:
• File Integrity Monitoring: This approach focuses on the data being protected. FIM services regularly assess the status of information stored on the cloud and index any additions, deletions or other changes against a stable baseline to confirm that each change was authorized.
• Identity and Access Management: This approach focuses on user accounts, access credentials, access sessions and user behaviors in and around cloud platforms.
• Managed Detection and Response: Cloud MDR revolves around constant scans for existing and potential risks to cloud data. Internal vulnerabilities, external threats and the relationships between them inform real-time incident response and recovery.
In addition, if your organization is subject to one or more regulatory compliance frameworks, such as PCI DSS, EU GDPR, HIPAA or SOC 2, you should seek out a managed cloud security provider. In some cases, certification may require that cloud and other protections be assessed through a third party; working with a cloud security provider from the outset will streamline implementation and long-term management, reducing compliance costs.
Of course, if you want your internal IT resources to be equipped to handle cloud security, you’ll want to pick a provider who will include comprehensive training.
How do you select a provider?
Finding a provider whose capabilities align with your requirements and who has clients with a similar profile to yours is just the first step. You’ll also want to ensure the vendor understands security within the cloud platform at various levels: network, infrastructure, application and personnel access. Additionally, look for the implementation of automation tools, which provide ongoing security monitoring, to maintain a high level of security and keep risks as well as costs down. To expedite the search for the right security provider, you could contact your public cloud provider directly for a referral to a certified partner.
Once you’ve got your selection pool, you’ll have to feel out each vendor’s proposal for aspects that meet your specific business needs: cost, training, IT support, remediation, continuous monitoring and recommendations.
Which cloud security responsibilities should you keep in-house?
Certain cloud security considerations make more sense to keep in-house. In general, these elements of broader IT strategy relate most closely to your organizational structures, such as HR, onboarding, training and overall security policy.
Another major area to consider keeping in-house is any security program or safeguards focused specifically on back-end coding and logic pertaining to internal apps or databases, especially any containing sensitive data subject to compliance requirements.
You’ll want to keep any third-party risk management programs internal if any strategic partners you work with may not mesh easily with your cloud.
The most important thing to remember is that shared responsibility is still some responsibility. If your team can access resources in the cloud, then they’re responsible for properly securing them.
If your organization is not already on the cloud, moving there is almost inevitable. The cloud is changing everything at a remarkable pace, and your cloud security should never be an afterthought. With limited internal security resources, a company’s best cloud security strategy is often to outsource the setup and maintenance to a qualified managed service provider. Doing so can simplify implementation and make ongoing maintenance and adjustments easier, and cheaper.