Companies continue to transition to the cloud and add to their list of cloud providers at an amazing rate. But amidst all the excitement, there’s one thing that keeps getting lost in shuffle—the cloud security shared responsibility model. In fact, the number of people who said they felt that they fully understood the cloud security shared responsibility model for all cloud services dipped from 18% in 2019 to just 8% this year, according to the Oracle and KPMG Cloud Threat Report 2020. This confusion has created opportunities for cybercriminals to find gaps in the security controls that would otherwise protect cloud data.
So what exactly is getting lost in the shuffle? Well for one, the idea that responsibility for securing subscriber data is not exclusively held by the cloud provider—and awareness of the places where responsibility falls on the cloud service provider (CSP) and, where it falls on you, the company or subscriber. Any unknown responsibility creates risk. And with the growing amount of security breaches today, it’s crucial to have more clarity about where the responsibility lies.
There isn’t an all-encompassing manual for the cloud security shared responsibility model. It varies depending on the cloud provider and the type of cloud service. But something you can do is have an in-depth conversation about the service-level agreement and where responsibility lies with each particular cloud service provider before you sign on the dotted line and drive your new cloud service off the lot.
For example, you might believe at a higher level that you only need to handle data security and identity management for your SaaS platform and that the cloud provider will manage the rest. When in reality, the cloud provider may see those responsibilities (and others) as shared.
This confusion could translate into real consequences. Roughly two-thirds of survey respondents in the Oracle and KPMG Cloud Threat Report 2020 indicated that they found the shared responsibility model for securing their multi-vendor SaaS applications the most confusing. That lack of understanding could cause people at your company to overlook access or configurations that could lead to a breach. Companies today often assume that their cloud data is secure by default, but that isn’t always the case. Corporate financials, IP, and customer personally identifiable information can be put at risk if there isn’t a good understanding of shared responsibility.
So how can you make sure you have a good understanding of who’s responsible for what when it comes to working with your cloud providers?
1. Have ongoing conversations with your cloud providers.
Don’t mistake your cloud service provider for your cloud security provider. See them as your “cloud security partner.” You both have a common goal: to prevent breaches. Your company should task key individuals with the responsibility of working with your cloud providers on a regular basis and meet with them as often as every quarter. This practice helps keep tabs on whether cloud providers are meeting their SLAs and if there will be any changes to your agreement or shared responsibility.
2. Foster a “security-first” culture within your company.
At the end of the day, responsibility for security falls on each of your company’s employees, and we’re seeing that more and more with the rise in remote workforces. This is why a security-first culture is essential in preventing vulnerabilities. Because of the rising number of cloud vendors, cloud platforms, and cloud applications, companies that follow the old model where IT oversees all of the company’s security end up burning out IT and shared responsibility can slip through the cracks.
Two, major ways this can be solved is by employing cloud security architects (CSAs) and business information security officers (BISOs). CSAs are architects that help companies develop cloud security strategies and ensure that the different lines of businesses are meeting security guidelines. BISOs work as liaisons between the Chief Information Security Officer and the line of business to remedy the communication gaps that can happen between lines of business regarding security mandates. The BISOs also work to put security first while factoring in the goals and objectives of the line of business.
3. Become a cloud security shared responsibility model expert.
Companies must invest in their staff to hire and retain shared responsibility model experts. But they also need to realize that it isn’t just IT that needs expertise in the cloud security shared responsibility model. Everyone at the company needs to be aware of their personal responsibility to protect company data. This may mean regular and mandatory training for every employee on how to manage safety and security of company and customer data, regardless of how it is accessed.
4. Use security automation.
Automation is critical because it helps mitigates repeatable processes and manual work so IT teams can concentrate on other tasks. Automation also allows more employees to become experts in the cloud security shared responsibility model. A great example of this is the use of automation and machine learning to identify areas of compromise, taking remediation steps, and being predictive on how other platforms or services with similar configurations may also fall victim to an attack. Plus, automation reduces the risk of human error, which shores up gaps in a company’s security.
5. Gain a deeper understanding of the risks surrounding business fraud.
According to the Oracle and KPMG Cloud Threat Report 2020, 39% of respondents have fallen victim to business email compromise attacks over the last 24 months. Business email compromise is one of the hottest attack trends right now, and it often leads to other attacks. In fact, 91% of all attacks start with an email (as noted in last year’s report). These attacks become incredibly risky when business-critical applications are exposed, so it’s crucial to start understanding what risks are out there and how to mitigate them. The Oracle and KPMG Cloud Threat Report 2020 is a great resource keeping up with the latest trends in security.
Shared responsibility is a widely misunderstood part of cloud security. But you can build a strong understanding of the cloud security shared responsibility model within your company to prevent any gaps or vulnerabilities in the future.
Organizations must continually work to promote a security-first culture from executives to end users. Building out this culture and increasing knowledge around the cloud security shared responsibility model can protect your organization from the next big breach. To learn more about on the cloud security shared responsibility model, read the second report in the Oracle and KPMG Cloud Threat Report 2020 series: Demystifying the Cloud Shared Responsibility Model.