Cloud Security Perspectives and Insights

When Security Collides With Your Cloud Responsibilities

Greg Jensen
Sr Principal Director - Security - Cloud Business Group

You could be forgiven for not being crystal clear about how secure your data is, or would be, in the cloud. On one hand, there’s the argument that security in the cloud has gone from being a barrier to maybe even being an incentive for moving your data and applications to the cloud. On the other, there’s a constant cadence of headlines and news spots detailing the latest security breach.

At least some of this confusion comes from the perception that the cloud relieves businesses of all their prior, on-premises responsibilities. Whether it’s the cloud providers who have over promised or users that have underestimated their obligations, this set-it-and-forget-it mindset has clouded—pun not intended—our judgement when it comes to cloud security.

The truth is that the cloud, in all its forms, does offer significant security advantages. For example, the Oracle Cloud can apply patches in real time, shoring up vulnerabilities that might, in an on-premises world, leave your systems exposed until you could take them offline and apply the patch yourself. Considering the number of attacks that sneak through while security patches are waiting to be implemented, this is a real advantage.

But too often we mistake the fact that the cloud offers security advantages for the belief that the cloud is a security panacea and that the cloud service provider will take care of most security issues. Truth is, there’s a lot that your cloud provider can do to help, but they can’t do everything.

For instance, take the employee who shares his password with another coworker or the person who has access and maybe even steals sensitive company information. There’s little that a cloud service provider can do to prevent these behaviors without input from its customers. Of course they can detect suspicious behavior around that credential once it happens. But by then, it may be too late.

This is where the concept of shared responsibility comes into play. And all that really means is getting crystal clear on what your cloud service provider is responsible for when it comes to management and security and what you as the customer are responsible for. It sounds simple, but depending on how many different cloud providers you have, it can get complicated quickly.

In fact, in the recent Oracle and KPMG Cloud Threat Report, we found that only 43 percent of organizations could correctly identify the most common IaaS shared responsibility model. The results were even worse for PaaS and SaaS.

So, where do you start? Turns out there are some fairly simple things you can do to separate your responsibilities from your cloud service provider.

1. Read your contract and SLA.

Your contract and service level agreement should clearly outline what responsibilities you own. You might discover that you’re covering many of these responsibilities already, or you might learn that there are inconsistent gaps from one cloud service provider to the next, which will require you to do additional checks and balances. The important thing is to know your role.

2. Have good conversations with your cloud provider.

This won’t replace reading your contract, but it will give you a place to start and help you clarify any questions. This can also help you keep on top of your cloud provider and make sure they’re delivering what they promise. With Oracle, any customer can request full visibility audit reports that share any patch or vulnerability information to better understand if your data has ever been at risk. This is an important question to ask of any cloud service provider to find out if the same level of visibility can be provided across all services. This is key for compliance reporting in today’s organizations.

3. Appoint a cloud security quarterback.

Having one person that has their thumb on what your business is responsible for is crucial to making sure all sides are living up to their end of the bargain. Plus, this position—which is often called a cloud security architect—can work with both the security team and the applications teams to make sure they know all the best practices and regulatory compliance objectives.

4. Avoid the cloud rush, and pace yourself.

Many organizations are rushing applications and workloads into the cloud at a rate faster than their own SecOp teams can catch up with or respond. It is important to go about your cloud journey at pace that ensures no gap or exposure is left in the open as new services come online.

At the end of the day, the benefits your cloud service provider offers you more than likely greatly outweigh the responsibility you incur as part of your relationship. The key is to identify those responsibilities and figure out how to address them.

For more pointers on shared responsibility, join our upcoming webcast (Aug. 16 at 10 a.m. PT), where we’ll cover the top five cloud transition mistakes organizations make, how to mitigate them, and the top questions to ask your cloud service provider.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.