Cloud security - whose responsibility is it?
Jun 11, 2018
The UK cloud market is continuing to boom. From my experience of working with a wide range of businesses, the days of “why” cloud have long gone, and “how and what” cloud is now the order of the day.
Multi-cloud deployments are rampant. Initially, organisations pursued a multi-cloud strategy because they were uncertain about cloud reliability and security, and the ability to avoid vendor lock-in. While redundancy and vendor lock-in concerns still drive some multi-cloud deployments, they are more commonly driven by the need to find more price-competitive cloud services, or to take advantage of the speed, capacity or features offered by a particular cloud provider in a particular geography.
In Europe, due to the introduction of regulations like GDPR, some organisations pursue multi-cloud strategies for data sovereignty reasons.
Whilst there are huge benefits of moving to the cloud, a number of data breaches involving cloud systems have made headlines recently. A question I am increasingly asked is – if the cloud providers own the infrastructure and cloud user organisations own the data, who is actually responsible for the security? So here are my thoughts.
As with any outsourcing, the processes that are outsourced are the responsibility of the service organisation, in this case the cloud providers. However, we also need to understand the type of service that is being used, as the responsibility of the infrastructure cloud provider will vary significantly to the software provider in a more traditional outsourcing arrangement.
- Infrastructure as a service (IAAS) - the cloud provider is responsible for protecting the infrastructure that runs all of the services offered in the cloud. This includes hardware, software, networking, and facilities that run the cloud services. For example, the cloud provider will need to make sure that only authorised parties have physical access to their data centres. They will keep the relevant network security applications running and monitor logs for security alerts and address any related issues of the security of the network itself.
- Platform as a service (PAAS) – the cloud provider is responsible for the operating system in addition to everything in IAAS.
- Software as a service (SAAS) – the end to end management of the infrastructure, platform and the software is the responsibility of the SAAS provider.
I strongly believe security in the cloud is a shared responsibility. A common theme, which works well when implemented properly, is the need for cloud users to develop a deep understanding of the services they are consuming and leverage the knowledge and tools provided by the cloud provider to improve their overall security posture.
Days of “why” cloud are disappearing, the huge benefits that cloud technologies offer are gaining ground, with cloud implementations running at an all-time high. The absence of a standard risk assessment framework, and disparate deployment models and vendor competencies, can make cloud adoption complex – security therefore has to be a frame of mind that permeates the company. The faster that organisations improve their cloud security, the better equipped they will be to exploit the significant opportunities in the digital world.