Misconfigured cloud environments are increasingly identified as the source of damaging data breaches and leaks, raising serious questions for enterprises. Where does responsibility for data security in the cloud lie, and how can security professionals best work with their teams and cloud providers to resolve the problem?
Cloud environments and the storage of business-critical data within them carry inherent risk. These risks have been exacerbated by the rise of shadow IT, which makes it easy and inexpensive for anyone in the organisation with discretionary spend to purchase cloud-based applications to support their business operations, without necessarily subjecting them to the same level of rigor that is applied before enterprise-level cloud services are selected and implemented.
As with all data security risks, the responsibility lies with the organisation that has collected the data (the data controller in a General Data Protection Regulation [GDPR] world) to ensure it is processed, stored and transmitted securely. Outsourcing IT work and functions does not mean the risk is automatically outsourced.
However, the split of responsibilities varies with the type of cloud service. For infrastructure as a service (IaaS), the provider secures the underlying platform (facilities, physical hosts, network and virtualisation layer) but carries little direct onus for data security, because it offers only the base on which the customer builds and operates its own environment; the customer, not the provider, is in charge of the data itself. The picture is similar for platform as a service (PaaS), where the provider also runs the operating system, runtime and middleware it supplies, but what the customer deploys on top and the data it processes remain the customer's responsibility.
Where the situation becomes more fluid is at the application level (software as a service, SaaS), as the cloud provider has a more active role in the operation of the service and may therefore have access to the data held within it.
And while many cloud service providers take great pains to secure the information they process, store and transmit, an organisation cannot be complacent about protecting the data it holds in the cloud.
The first step is to undertake the appropriate level of due diligence on the cloud service supplier to ensure that data will be managed securely so that the interests of both the customer and its clients will be protected. Front of mind from the outset should also be having the right controls – both process and technical – in place to manage any risks that do exist, particularly where data held may be of a sensitive nature, such as personal information.
Privacy regulations must also be taken into account. For example, personal data relating to individuals in the EU falls under the GDPR (currently the most widely applied privacy legislation). The data controller (the customer) is responsible for ensuring that processing is compliant. The data processor (the cloud provider) also carries its own obligations under the GDPR, such as processing only on the controller's documented instructions, implementing appropriate security measures and notifying the controller of personal data breaches without undue delay, and those obligations need to be captured in the processing contract. The ultimate accountability for the data, however, remains with the controller.
The focus should be on appropriate data classification up front, defining the correct level of responsibility and ensuring that those requirements are communicated clearly as contractual responsibilities. Once everyone is aware of the need to protect the information, appropriate measures to do so can be identified, documented and tested to protect the information stored. This includes processes for notification in cases of breaches and response plans in case the worst case happens.
Many organisations opt to use a public cloud provider, rather than a private one, for some or all of their requirements, and this can change the responsibility dynamic.
Amazon Web Services (AWS), for example, publishes a shared responsibility model that states plainly that security and compliance are shared between AWS and the customer. AWS operates, manages and controls the components from the host operating system and virtualisation layer down to the physical security of the facilities in which the service runs (security of the cloud), while the customer assumes responsibility for the guest operating system (including updates and security patches), the application software it installs, and the configuration of the AWS-provided security group firewall (security in the cloud). Where exactly the line falls depends on the services used: the more managed the service, the more AWS takes on, but the customer's data, identities and access policies always remain the customer's to secure.
AWS also provides a number of built-in tools that the customer can use to detect, remediate and mitigate potential risks. Support plans are also available that can advise on how to address most security findings and how the customer can improve its security and compliance posture, but acting on that advice remains the customer's job.
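To make the customer's side of that split concrete, the following added example (written for this page; it is neither AWS code nor from the original article) audits the one control the passage names as the customer's job: the security group firewall. It parses the JSON shape returned by `aws ec2 describe-security-groups` and flags any ingress rule that admits the whole internet (0.0.0.0/0 or ::/0) on anything other than an allow-list of public ports. The sample document, the group IDs in it, and the assumption that only TCP 80 and 443 may face the internet are all constructed for the example.

```python
"""Flag security-group ingress rules that are open to the whole internet.

Added example for this page, not AWS code. It works on the JSON layout of
`aws ec2 describe-security-groups` (run offline here against a constructed
sample) and reports rules whose source is 0.0.0.0/0 or ::/0 and whose
ports are not all on the public allow-list.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Assumption for the example: only a web tier on 80/443 may face the internet.
DEFAULT_PUBLIC_PORTS = frozenset({80, 443})

# Constructed sample in describe-security-groups format; not real output.
SAMPLE = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa", "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # SSH to the world
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0bbb", "GroupName": "db-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,  # internal only
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1",                                   # all traffic, world-open
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
})


def _world_sources(perm):
    """Sources of this rule that cover the entire IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def _exposure(perm, public_ports):
    """Describe what the rule exposes, or None if every port is allow-listed."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # AWS wildcard: all protocols and ports
        return "all traffic"
    if proto not in ("tcp", "udp"):        # icmp etc. carry no port allow-list
        return f"{proto} (all)"
    lo, hi = perm["FromPort"], perm["ToPort"]
    if all(p in public_ports for p in range(lo, hi + 1)):
        return None
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def find_world_open_ingress(doc_json, public_ports=DEFAULT_PUBLIC_PORTS):
    """Return one finding per ingress rule reachable from the whole internet
    on ports outside `public_ports`. Each finding names the group, the
    exposure (protocol/port range) and the world-open sources."""
    findings = []
    for sg in json.loads(doc_json).get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = _world_sources(perm)
            if not sources:
                continue
            exposure = _exposure(perm, public_ports)
            if exposure is None:
                continue
            findings.append({
                "group_id": sg.get("GroupId"),
                "group_name": sg.get("GroupName"),
                "exposure": exposure,
                "sources": sources,
            })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE with open("sgs.json").read() after running
    # `aws ec2 describe-security-groups > sgs.json` to audit a real account.
    for f in find_world_open_ingress(SAMPLE):
        print(f"{f['group_id']} ({f['group_name']}): {f['exposure']} "
              f"open to {', '.join(f['sources'])}")
```

Against the sample this reports SSH on `sg-0aaa` and the all-traffic rule on `sg-0bbb`, while the 443 rule and the internal-only 5432 rule pass. The allow-list is a parameter so the same check can be run with a different policy for a different tier; widening it to include port 22 would, for instance, make the SSH finding disappear and leave only the all-traffic rule.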
Security by design ensures that IT security is inherent in an organisation’s operations and is an approach that can be adopted when outsourcing services to the cloud. The following checklist covers the key points to address:
IT security professionals have a significant role to play in ensuring that the right standards are met in all aspects of cloud service provision so that it benefits the organisation without introducing risk that is, at best, unnecessary and, at worst, counterproductive.
From a technical perspective, this includes undertaking thorough testing of cloud services and putting the right controls in place to mitigate the risks that do exist. But it is also about fostering understanding throughout the business so that people see how their individual actions, such as using unauthorised applications, can have a direct impact on the overall enterprise.
Regardless of where data is stored, information security is everyone’s responsibility. See what Turnkey’s SAP security support can do for you.