It's an exciting time to embrace cloud computing. The sheer number of cloud services, and their innovative features and capabilities, give organizations more visibility and control over their cloud environments than was possible even in the recent past. Cloud service providers (CSPs) also build advanced security into their products, often rivaling or exceeding the security of on-premises infrastructures. However, cloud security failures still happen, and when they do happen, there is often a scramble to determine the cause and who should take responsibility. Organizations must also dig deeper to ask how these failures could have been prevented in the first place.
These questions are extremely challenging given the complexity of modern cybersecurity. The answer lies in defining responsibilities between customers and telecommunications service providers and the importance of human oversight when managing technology.
Misconceptions abound among customers
There are two main camps when it comes to trusting the cloud. There are security leaders who are always worried, and those on the other side of the spectrum who put too much faith in their cloud services to do the heavy lifting of security. However, as is often the case, the best placement is somewhere in the middle.
Many leaders concerned with cloud security will cite statistics like this: Cloud breaches increased 75% from 2022 to 2023. But the truth is that most cloud breaches do not stem from an inherent lack of security measures to protect cloud data, but rather end-user failure. In configuring his cloud service properly using the tools available to him. A shocking statistic from Gartner indicates that by 2025, 99% of cloud security failures will be due to customer error. This doesn't mean there aren't exceptions, but many of the perceived risks of cloud security can be prevented with more vigilance on the customer's part.
But what about those in the other camp, who may view their cloud services as infallible? This false sense of security likely stems from a misunderstanding of the “shared responsibility” model shared between telecom providers and customers.
Two sides to the deal
Today's cloud security is too complex to be the responsibility of one person or party. For this reason, most cloud services operate on a shared responsibility model that divides security roles between the service provider and the customer. Even big players in this space, like AWS and Microsoft Azure, have deployed frameworks to draw lines of responsibility in the sand.
While the exact definition can change depending on the service model (e.g., software as a service, infrastructure as a service, platform as a service, etc.), the cloud provider is typically responsible for security “from” the cloud. The customer is responsible for security “in” the cloud. For example, a cloud provider often secures a computing host's infrastructure and physical facilities, including power and connectivity. Customers handle aspects such as endpoint security, identity and access management, and data classification. These examples only touch the surface but illustrate how cloud security elements can be distributed between the service provider and the end user.
However, while the expectations set forth in shared responsibility models are designed to reduce confusion, clients often have difficulty visualizing what this framework looks like in practice. Unfortunately, when there is a lack of clarity, there is opportunity for threat actors.
Steps to avoid cloud failure
The best scenario for mitigating cloud security risks is when CSPs and customers are transparent and consistent with their responsibilities from the beginning. Even the most secure cloud services are not foolproof, so customers need to be aware of which security elements they “own” versus what is in the hands of their cloud provider. This is especially true considering that they are responsible for most security breaches, especially because they oversee data security. Most breaches can also be traced back to user error or misconfigurations, whether they were too lax when configuring the service or failed to monitor and adjust settings over time. While some mistakes are understandable, especially with the rapid evolution of the cloud, they can lead to serious consequences.
With so much at stake, here are some other steps organizations can take to avoid cloud security failure:
• Don't make assumptions about who is responsible for what
• Take the time to review the fine print of your cloud provider's service level agreement (SLA).
• Hire security leaders with cloud experience
• Conduct regular security audits
Cloud security in 2024 is like a team sport, requiring clear communication and collaboration between technology vendors and customers. When customers understand shared responsibility models and know exactly what they are responsible for in the security equation, they will be better protected against cloud threats today and tomorrow.
