Sharing is caring: who’s responsible for cloud security?

February 11, 2020

Sridhar S   

Head of Managed Services

Data is now the most precious commodity in the modern world and is only likely to increase in value. With so much of that stored in the cloud, it’s essential that a robust security system is in place… but who is accountable for this? 

Keeping track of who had access to your data centre and knowing who was responsible if things went wrong used to be pretty simple. As long as you knew who had a key to the server room, there was only ever a fairly small pool of people it could be. But with 90% of businesses now using some type of cloud service, keeping everything safe has become a more complicated proposition. With the rise of hybrid- and multi-cloud solutions, that complexity is only going to increase.

“When a breach or leak occurs, determining what happened or who is responsible is not just about placing blame – it’s crucial in ensuring that it doesn’t happen again.”

Yet, with multiple organisations now involved in providing an enterprise with a range of cloud-based applications and services, that’s not necessarily a simple process.

To help ascertain who’s responsible for what, major cloud service providers (CSPs) have sought to draw a line between security in the cloud, which the customer is responsible for, and security of the cloud, which the CSP takes on. That means the underlying hardware, software, networking and facilities are handled by the CSP, but anything on top of that – such as applications, customer data, encryption and network configuration – is the enterprise’s responsibility.

“Splitting the job makes it more manageable and ensures all parties involved are aware of their roles in keeping the business safe.” 

This distinction has regulatory implications too. For example, in the EU, GDPR laws state that the data owner is always responsible for its security and must demonstrate that it has carried out due diligence in the search for partners. So, blaming the service provider after a breach isn’t an acceptable excuse, even if it might be partly responsible. Considering that GDPR fines can be eye-wateringly high, any organisation that stores or processes personal information about EU citizens within EU states must make sure all parts of their business are aware of their responsibilities.

It’s more difficult than it looks…

Cyber security is today a 24/7/365 job, yet many companies lack the experience to control usage, protect data and guard against threats such as malware and ransomware.

“According to analysts at 451 Research, less than a third (32%) of enterprises have protected their cloud environments against data leaks, and less than half (46%) use identity management technologies to safeguard their clouds.”

Shadow IT adds an extra layer of complexity, making it increasingly difficult for organisations’ internal IT teams to keep cloud-based systems, applications and data safe.

It doesn’t stop there. The more hybrid IT becomes, the more challenging it is to secure different cloud environments. Businesses with hybrid digital infrastructures need visibility and control over their cloud workloads, backed by cohesive policies and processes, and must ensure that their CSP keeps its security promises.

Find the right partner to share the burden

A managed security service provider (MSSP) can help businesses tackle these challenges, taking on all (or just certain aspects) of an enterprise’s cyber security, from management and operation to verification of IT controls. By harnessing an MSSP’s expertise, integrated platforms and tools, and experience in managing hybrid multi-cloud infrastructures, businesses are able to reduce the operational complexities of safeguarding their digital infrastructure, applications and data.

As more and more CTOs and CIOs have to find a way of balancing the growing technology needs of the business with meagre increases in IT budgets, working with an MSSP can also be financially more sustainable than a DIY approach. This is because of the predictability of OPEX spending that comes with working with an external partner, compared with the huge CAPEX spending that businesses would need to make to ensure they have the required cyber-security tools, capabilities and expertise in-house.

“Fundamentally, cloud-enabled digital transformation helps businesses become more agile and scale services more easily than when they relied on on-premises infrastructure.”

This enables them to keep up the pace in increasingly competitive industries. While embracing a cloud-first approach, businesses must always remember that cloud security is a team effort – just assuming that your chosen CSP has got it covered is not an option.

Sharing the responsibility ensures that everybody in the chain remains vigilant against attacks and leaks.

 
