Skip to Content

Cloud security – a team sport

Leonardo Carissimi
December 9, 2020

The cloud security is evolving at a rapid rate and 2021 is going to be another year of transformation – one that will enable enterprises to be more secure, agile, resilient and adaptive. Interestingly, even today in majority of Cloud adoption surveys, cybersecurity and regulatory concerns are identified as the top barriers inhibiting adoption of cloud. Ironically, this happens after years of heavy investment from the main cloud providers in controls, audits, and certifications. As a result, the main risks are shifting to customers and according to Gartner, by 2023, most security compromises over the cloud will be due to the customer negligence, not the cloud providers.

This phenomenon can already be seen in multiple cybersecurity incidents that make headlines every day – lack of proper patching, hardening, weak passwords, misconfigurations, employee mistakes or frauds, application vulnerabilities on the customer side – causing the main breaches, not the cloud provider.

Does this mean that data in the cloud is more secure than on-premises data?

Unfortunately, the answer isn´t so easy. First and foremost, customers must make sure the cloud provider in fact has a robust set of controls in place, get information and proof of it, and make sure it meets your cybersecurity and regulatory needs.

But, more importantly, cloud security isn´t dependent on the cloud provider or the company alone, and it will never be about finding who´s fault caused a security breach. Cloud security is a team sport, and as in any successful team, to win here each team player must know its role and responsibilities and act accordingly.

Shared responsibility model

The general rule is what it is known as the “shared responsibility model,” where customers are responsible for choosing how their data is handled IN the cloud, and the provider is responsible for the security OF the cloud. Note that the line between what IS the cloud depends on the service model considered – IaaS, PaaS, or SaaS.

Just a reminder:

  • IaaS stands for Infrastructure-as-a-Service and represents pay-as-you-go IT infrastructures such as virtual machines, storage, networking, and virtualization available for you in the cloud.
  • PaaS means Platform as-a-Service and it is a type of cloud offering that delivers application infrastructure (middleware) capabilities as a service, including databases, APIs and analytics.
  • SaaS is Software-as a-Service. It is software that is owned, delivered, and managed remotely by one or more providers. The provider delivers software based on one set of common code and data definitions that are consumed in a one-to-many model by all contracted customers at any time on a pay-for-use basis or as a subscription based on use metrics.

Having these definitions in mind makes it easier to identify what IS the cloud in each case and to distinguish data protection IN the cloud versus OF the cloud. Now we can understand the responsibilities of each party in each case. While we tried to be thorough, the examples below are illustrative rather than exhaustive.

Responsibilities in an IaaS model

When talking about IaaS, cloud provider responsibilities include physical access control, surveillance, proper environmental conditions, network (LAN) security, server (hardware and hypervisor levels) security, incident monitoring, response, disaster recovery, and continuity in physical and IT infrastructure levels.

Customer responsibilities will include the security of all layers, starting from operating systems: vulnerability management, updates, patching, hardening, log and audit management, security incident monitoring and response, application control, data-in-motion, and data-at-rest encryption, identity, and access management, firewalls, VPNs, among others. Take note of which operating system image is used – standard (provided by the cloud) or custom (if yours).

Responsibilities in a PaaS model

When the cloud model is PaaS, cloud provider responsibilities are the same, in addition to the security of the platform is offered as a service and at the operating system level. Customer responsibilities with regards to the components on top of the platform, for example, application and data, are described in more detail in the next model.

Responsibilities in a SaaS model

Finally, in the SaaS model, the cloud provider is responsible for pretty much all the layers, from the physical infrastructure up to the application security. This may lead to the misunderstanding that the customer has no responsibility at all. However, customer responsibilities include:

  • Security of its data, including identity and access management to ensure right users and devices access the cloud resources
  • Application control in order to avoid shadow IT/apps
  • Making sure that the applications used to meet security and regulatory requirements (data encryption, data loss prevention, and tokens) can be used to detect and protect the handling of sensitive data
  • Log and audit management, and incident detection and response

Conclusion

So, as many customers consume cloud services from different providers and in different models, proper governance of cybersecurity in cloud services becomes a complex topic. If knowing the responsibilities of each team player is key to success, it will be via orchestration, governance, and management of the entire “team” that will be the real competitive advantage to your company in your digital transformation journey. Don’t be afraid to accelerate the journey but be sure the responsibilities are clear as well as the risks and manage it all accordingly.

To find out more about how we can help you, visit our Cloud Security Service

Follow Leonardo Carissimi on LinkedIn.

Leonardo Carissimi

Expert in Cybersecurity

With 20+ years of experience in the Security Industry, I’ve developed solid technical background that I leverage along with leadership, management and business skills to create and deliver innovative security solutions in order to protect and enable growth of the companies I work for.
My expertise includes marketing, alliances, portfolio & go-to-market approaches, business development & pre-sales ; consulting and managed services; talents development; and P&L management.
In Capgemini I am leading and growing our Cyber Security Practice with special focus to GDPR/LGPD.