Cloud Security is a Shared Responsibility


Cloud security is a shared responsibility between the vendor and the organization. However, the organization is always responsible for securing its own data.

Cloud security refers to the efforts of securing data, applications, and infrastructure intrinsic to the use of cloud computing - including policies, technologies and controls.

Cloud-based applications and the data that go with them are increasingly becoming distributed among varying environments to improve the agility of the organization and reduce costs. These environments include private clouds, public clouds (hybrid or dedicated), and software as a service (SaaS) applications, each bringing its own unique agility benefits and security issues.

The concern over data exposure has made cloud security a priority. The challenge is balancing the organization's need for agility with improving the security of applications and protecting data as it moves between the various clouds. Gaining visibility and preventing attacks that attempt to exfiltrate data, whether launched from an external location or through lateral movement, becomes imperative across all of the locations where the applications and data reside.

There are a number of different groups within an organization that could be responsible for cloud security: the network team, security team, apps team, compliance team, or the infrastructure team. However, cloud security is also a shared responsibility between the cloud vendor and the organization.

Private – Enterprises are responsible for all aspects of security for the cloud as it is hosted within their own data centers. This includes the physical network, infrastructure, hypervisor, virtual network, operating systems, firewalls, service configuration, identity and access management, etc. The enterprise also owns the data and the security of the data.

Public – In public clouds, like AWS® or Microsoft® Azure™, the cloud vendor owns the infrastructure, physical network and hypervisor. The enterprise owns the workload OS, apps, virtual network, access to their tenant environment/account, and the data.

SaaS – SaaS vendors are primarily responsible for the security of their platform, which includes physical security, infrastructure and application security. These vendors do not own the customer data or assume responsibility for how customers use the applications. As such, the enterprise is responsible for security that would prevent and minimize the risk of malicious data exfiltration, accidental exposure, or malware insertion.

As companies transition from private to public cloud, or to SaaS applications, the responsibility for securing data, apps and infrastructure falls less in the hands of the enterprise and more into the hands of the vendor. However, regardless of the platform used, the enterprise will always be responsible for ensuring the security of its own data.

In order to safely enable applications, IT security must be confident that their cloud vendors have implemented the appropriate security measures to keep the organization's applications and data secure. To compensate for what cloud vendors do not secure, an organization must also have the right tools in place to manage and mitigate the risks effectively in order to keep its data secure. These tools must provide visibility into activity within the SaaS application, detailed analytics on usage to prevent data risk and compliance violations, context-aware policy controls to drive enforcement and quarantine if a violation occurs, and real-time threat intelligence on known threats together with detection of unknown threats to prevent new malware insertion points.

To learn more about the shared responsibility of SaaS security between the vendor and an organization, read Safely Enabling Microsoft Office 365.
