“The Cloud” offers organizations powerful options for efficiency, innovation, growth, and collaboration. As a result, virtually every organization has assets in the cloud somewhere, even if they don’t think they do. Just consider that any service your organization uses that is delivered over a publicly accessible network is a cloud service. And because these resources touch the public internet, they can introduce significant risk to an organization via common misconfigurations and vulnerabilities in virtual machines, workloads, servers, networking, APIs, storage, applications, and many other services. So, as is often the case, with great power comes great responsibility.
Who is responsible for ensuring your security in the cloud?
It’s all “you” if you host and operate your own infrastructure, be it a full private cloud data center or a few private servers and apps. But who actually hosts all their services on private infrastructure these days, when the economies of scale and ready-made capabilities of public cloud services are so enticing? And even in the public cloud, security responsibilities are shared, so the answer is still “you” to a greater or lesser extent.
Who is responsible for security in the public cloud?
On the simple end of the spectrum there’s Software as a Service (SaaS). These are often office productivity, file sharing, and collaboration applications. Examples range from general services such as Microsoft Office and G Suite to specialty business functions such as those supplied by Confluence or GitHub. In this model, you are primarily responsible for identity and access management and for controlling the data you store in the service. It sounds simple, but it is very easy and common to put confidential data in the cloud and inadvertently enable public sharing of that data.
Your responsibility becomes substantially more extensive when it comes to Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) options such as AWS, Microsoft Azure, Google Cloud Platform (GCP), etc. In this case you have a much more extensive set of assets to inventory, configure, protect, and manage. Ignore any of these and you risk exposure in the cloud. This includes:
- Applications, platforms, operating systems
- Identity and access control and administrative privileges
- Compute assets, data repositories, servers
- Web apps and servers
- Networking traffic, ports, protocols, and services including firewalls, proxies, routers, and switches
- Data encryption, authentication, DLP, and data recovery
- Security services such as certificates, web application firewalls, anti-malware, vulnerability management, email and web browser protections, application security
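The inadvertent public sharing described above is usually a configuration problem, and configuration can be checked before it is deployed. The following is an added example (not code from the original article or from any cloud provider) that inspects a storage bucket policy for grants to an anonymous principal and shows the weak policy beside its corrected form. It assumes the AWS IAM/S3 policy JSON grammar and the four S3 Public Access Block flags; the sample policies, bucket name, and role ARN are constructed for illustration.

```python
"""Added example (not from the original article): flag a storage bucket policy
that grants access to everyone, and show the corrected policy beside it.

Assumptions: policies use the AWS IAM/S3 JSON grammar (Version, Statement,
Effect, Principal, Action, Resource, Condition). All sample values below are
constructed for illustration and do not refer to a real account.
"""
import json
from typing import Any

# Constructed sample: the weak policy makes every object in the bucket world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
})

# Constructed sample: the corrected policy grants the same actions to a single role
# (hypothetical ARN) and is meant to be paired with a complete Public Access Block.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReportsRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
})


def _principal_is_anonymous(principal: Any) -> bool:
    """True when a Principal element means "anyone": "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json: str) -> list[str]:
    """Return the Sids of Allow statements that grant access to an anonymous
    principal with no Condition narrowing the grant. Conditional grants are
    skipped here because they need a human review rather than an automatic flag."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    public = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        public.append(stmt.get("Sid", f"statement[{idx}]"))
    return public


def public_access_block_is_complete(settings: dict[str, bool]) -> bool:
    """All four S3 Public Access Block flags must be True to block both public
    ACLs and public bucket policies."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(settings.get(k) is True for k in required)


def assess_bucket(policy_json: str, public_access_block: dict[str, bool]) -> dict[str, Any]:
    """Combine both checks into one finding suitable for an asset inventory report."""
    public_sids = find_public_statements(policy_json)
    pab_ok = public_access_block_is_complete(public_access_block)
    return {
        "public_statements": public_sids,
        "public_access_block_complete": pab_ok,
        # Exposed only when the policy is public AND nothing overrides it.
        "exposed": bool(public_sids) and not pab_ok,
    }


if __name__ == "__main__":
    no_block = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    full_block = {k: True for k in no_block}
    print(assess_bucket(WEAK_POLICY, no_block))       # exposed: True
    print(assess_bucket(HARDENED_POLICY, full_block)) # exposed: False
```

Run the same function over every bucket policy in an inventory export and the output becomes a list of storage assets whose exposure is a fact rather than a guess; the two-layer check matters because a public policy on its own is not exposure when the account-level block is complete, and a complete block on its own does not excuse leaving a wildcard principal in place.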