Sharing Cyber Responsibility in the Cloud

Through 2025, 99% of cloud security failures will be the customer’s fault.
– Gartner1

As businesses move their on-premises systems and processes to the cloud, many also focus on keeping their digital assets secure. With so many players and moving parts, it’s critical to know where the responsibility of cloud platform providers for protecting applications and data begins…and where it ends. If any gaps in security controls and policies exist between the cloud provider and a business, it’s up to the business to find and close those gaps.

The need for tight security in the cloud is paramount as cloud-enabled supply chains continue to expand. In addition to knowing how the responsibility lines are drawn, businesses also need to demonstrate those responsibilities to any entities with which they share digital assets.

Determine how cloud-enabled services are secured

There are a few things organizations can do to assess their security posture in the cloud.

Step 1: Inventory all services running in a cloud environment
This step helps determine where services are hosted and what they’re used for. With many cloud services managed outside of IT and security—by business unit owners or even individuals such as those in marketing or human resources—accomplishing this step may not be straightforward.

Some teams may use cloud services to host applications. Others could be using applications that a customer or vendor is hosting in the cloud on the business’s behalf. In both cases, it’s important to know everything running in these environments.

Step 2: Identify security policies and controls for each service
Ascertain how and where risk mitigation controls have been applied. These controls should be mapped to IT security policies and ultimately connected to business objectives.

This exercise can be an eye-opener as organizations may discover that some services have liberal access control policies, little data privacy measures, and few system protection methods implemented, leaving systems and data exposed to loss, theft, and misuse.

Step 3: Find out what cloud providers offer for cloud security
Check the shared responsibility model that each cloud service provider offers. This will shed some light on where to relieve some of the burdens.

The provider security controls and processes will vary, so teams need to scrutinize their specific model to see how well it suits unique business, operational, and technical requirements. The leading cloud providers typically protect cloud-based device operating systems and related virtualization layers as well as the physical security of servers and networking gear within their facilities.

Step 4: Examine the organization’s role in protecting the entire cloud environment
Your responsibilities characteristically begin with the firewall and usually extend to applications, data, systems, and user accounts. Holistically speaking, the provider will protect the cloud infrastructure; organizations are responsible for anything inside the cloud. Of course, something that pops back out of the cloud operating environment often lands back on the organization’s shoulders.

Learn more about the shared responsibility programs from these primary vendors:

AWS  |  Azure  |  Google

Demonstrating cloud security posture to customers and partners

Customers and business partners expect you to protect their sensitive data—to their satisfaction—which may not be aligned with internal policies and controls. Customers and partners may request proof, each with their own unique (and lengthy) set of questions and versions of acceptable responses—taking up valuable time from IT teams. They may also require an audit. That can also involve extensive time from IT as they interface with the auditor to review security controls and deployed policies.

One proactive option is to conduct a security assessment of the cloud environment through an independent third-party auditor—the resulting report can be handed over to customers and partners. This assessment approach is likely more thorough than the mechanism used by customers and partners, and can sometimes give them confidence to skip their lengthy questionnaire or audit so everyone can get down to business.

Peace of mind with critical business relationships

Working with cloud service providers with a formal shared responsibility model helps businesses demonstrate security posture to customers and partners, alleviating security concerns. Bringing the reputations and processes from the leading cloud providers into security posture reports conveys how seriously you take cloud security.

Understanding what the cloud providers offer for security controls also helps organizations understand business risks and the gaps that need to be closed to protect digital assets. You can then take the necessary steps to bolster protection for meaningful business relationships and peace of mind that the business ecosystem is safe from cybercriminals.

  1. 1. Gartner, “Is the Cloud Secure?,” Oct 2019