Cloud Security is a Shared Responsibility
Cloud security refers to the policies, technologies and controls used to secure the data, applications and infrastructure involved in cloud computing.
To improve operational agility and reduce costs, organizations are increasingly distributing cloud-based applications and their data among varying environments. These environments include private clouds, hybrid or dedicated public clouds, and software-as-a-service (SaaS) applications, each bringing unique agility benefits and security issues.
Concerns over data exposure have made cloud security a priority. The challenge lies in balancing an organization’s need for agility with the need to improve the security of applications as well as that of data as it moves between various clouds. Gaining visibility and fighting attempts to exfiltrate data – whether from external locations or through lateral attacks – is imperative across all locations where applications and data reside.
A number of different teams within an organization could be responsible for cloud security: the network team, security team, apps team, compliance team or the infrastructure team. However, cloud security is also a shared responsibility between the broader organization and its cloud vendor. Exactly how this breaks down varies by the nature of the cloud offering:
- Private cloud: Organizations are responsible for all aspects of security for a private cloud because it is hosted in the organization’s own data center. This includes the physical network, infrastructure, hypervisor, virtual network, operating systems, firewalls, service configuration, identity and access management, etc. The organization also owns the data and its security.
- Public cloud: In public clouds, such as Amazon Web Services (AWS®) or Microsoft Azure®, the cloud vendor owns the infrastructure, physical network and hypervisor. The customer still owns the workload OS, apps, virtual network, access to their tenant environment/account, and the data.
- SaaS: SaaS vendors are primarily responsible for the security of their platform, including physical, infrastructure and application security. These vendors do not own the customer data or assume responsibility for how customers use the applications. As such, the customer is responsible for preventing or minimizing the risk of data exfiltration, accidental exposure or malware insertion.
As organizations transition from private clouds to public clouds or SaaS applications, they may rely on their vendors to secure the data, apps and infrastructure. However, whatever platform security measures are used, the organization still maintains responsibility for the security of its own data.
Cloud Security
To safely enable applications, IT security teams must be confident that their cloud vendors have implemented the appropriate security measures to keep the applications and data secure. To compensate for what cloud vendors lack in security, organizations must also have the right tools in place to manage and secure risks effectively. These tools must provide:
- Visibility into activity within SaaS applications
- Detailed analytics on usage to prevent data risk and compliance violations
- Context-aware policy controls to drive enforcement and quarantine if violations occur
- Real-time threat intelligence on known threats and detection of unknown threats to prevent new malware insertion points