The cost of data breaches, fines for regulatory noncompliance, and proprietary data loss are all driving a greater focus on cloud app security. The 2020 Security Priorities Report from Info-Tech Research Group found that when IT professionals ranked their cybersecurity priorities for 2020, data security and cloud security ranked No. 1 and No. 2.
Moreover, a survey by Logic Monitor and IDC found 66 percent of IT professionals say security is the top concern when they're considering adopting a cloud security strategy. Some of that concern is rooted in IT teams trying to apply security strategies for on-premises systems to the cloud. Traditionally, the business' CIO or CISO, sometimes with the help of a third-party security services provider, chooses security technology. They research and deploy firewalls and other hardware, deploy hardened devices, protect endpoints with antivirus and antimalware, restrict who has access to the server room or data center, and monitor their systems. In short, they maintain total control.
When businesses transition from on-premises infrastructure and applications to cloud solutions, they expand their computing capabilities, but they also lose absolute control over security and need to adapt their operations to share responsibility with the cloud provider.
Leading cloud provider AWS states that it is responsible for protecting the infrastructure that runs its services, including hardware, software, networking, and facilities (see the Amazon Shared Responsibility Model image below). Then, depending on the services the business uses, its IT team has the responsibility for implementing and managing additional security measures.
For example, Amazon EC2 users need to perform security configuration, manage the operating system they use, and keep up with updates. They also need to maintain software running on the system and configure the AWS-provided firewall that enhances cloud app security. On the other hand, Amazon S3 users rely on AWS to secure the operating system, platforms, and endpoints. The customer manages data, implements encryption as needed, and controls user access. Lines are less clear in some cases, such as patch management, where AWS and the user both have some responsibility: the cloud provider for infrastructure and the users for the cloud apps they use.
The shared responsibility model doesn’t only apply to cloud infrastructure. It’s also an important factor in cloud app security. One of the biggest benefits of Software as a Service (SaaS) applications for IT teams is that they aren’t solely responsible for security. The vendor usually keeps security patches updated and ensures users are running the most recent, secure version of their software. That feature removes the burden that in-house IT teams bear to keep software deployed on-premises patched, updated, and secure.
It's also vital for businesses not to develop a false sense of security in the cloud and lose focus on the responsibilities that remain with in-house IT. With proper education and attention, shared responsibility helps to develop an effective, layered approach to security.
Even though cloud providers can partner with their users to build a solid cloud app security strategy, there's still one element of the business' cloud ecosystem that the strategy doesn't take into account: people.
A business' employees can be a wild card in an otherwise effective security strategy if they share data that should be protected. It's vital for businesses to educate their teams about their data sharing policies and how they align with regulatory compliance.
However, even the most trained and conscientious employees can make mistakes that result in data loss or security breaches. A smart strategy includes a "trust but verify" approach to user activities in the cloud. Under this approach, you train employees on company policies and trust them to follow those policies, and you also implement a method to verify that they do.
Trust alone doesn't work. It means a business has no visibility into the thousands of files it shares externally and whether they include data such as social security numbers, health information, or payment data. It can also mean that data shared internally could violate company policy, for example, sharing salary information. Businesses need a way to verify this type of data loss in real time and mitigate it before it becomes a full-blown security incident.
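To make the "verify" half concrete, here is an added example (not from the original article or any vendor's product) that audits file-share events for the cases named above: social security numbers or payment data shared externally, and salary information shared internally. The event fields, the `example.com` company domain, and the detection patterns are assumptions chosen for illustration, and the sample events are constructed.

```python
import re

COMPANY_DOMAIN = "example.com"  # assumption: the business's own email domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SALARY_RE = re.compile(r"\bsalar(?:y|ies)\b", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum: filters out card-like numbers that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of sensitive-data labels found in a file's text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("payment_card")
    if SALARY_RE.search(text):
        labels.add("salary")
    return labels

def audit(events):
    """Return (file, recipient, reason) for every share that breaks policy."""
    findings = []
    for ev in events:
        labels = classify(ev["content"])
        external = not ev["shared_with"].lower().endswith("@" + COMPANY_DOMAIN)
        if external and labels:
            reason = "external: " + ", ".join(sorted(labels))
            findings.append((ev["file"], ev["shared_with"], reason))
        elif "salary" in labels:
            findings.append((ev["file"], ev["shared_with"], "internal: salary"))
    return findings

# Constructed sample share events (not real data).
EVENTS = [
    {"file": "onboarding.docx", "shared_with": "vendor@partner.test", "content": "Employee SSN: 123-45-6789"},
    {"file": "invoice.txt", "shared_with": "billing@partner.test", "content": "Card 4111 1111 1111 1111 exp 01/30"},
    {"file": "comp-review.xlsx", "shared_with": "peer@example.com", "content": "Salary bands for 2020"},
    {"file": "order.txt", "shared_with": "friend@partner.test", "content": "Order ref 4111 1111 1111 1112"},
    {"file": "roadmap.pptx", "shared_with": "team@example.com", "content": "Q3 plans"},
]
```

The order reference looks like a card number but fails the Luhn check, so it is not flagged; that kind of filtering is what keeps an audit like this reviewable at scale.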
Companies transitioning to the cloud need a new security mindset. Their IT teams must realize that they share responsibility with their cloud provider and understand precisely what each party must do. Businesses also need to recognize that even with the strongest security configuration, data loss can still occur if users are uninformed about the risks of sharing sensitive data or share a cloud document in error. In addition to other security measures, businesses can reduce this risk by using a scalable method of auditing and reviewing the actions employees take, so they can find and stop those that don't comply with company policies.
With this 360-degree approach to cloud app security, one that takes a holistic and realistic view of security threats, businesses can ensure their data is safe.