At the RSA conference last month, I led a Peer2Peer session on the topic of Security of Public Cloud Services: It Takes a Village.
Twenty-five others and I discussed the notion that cloud services are inherently a shared responsibility model. Far too many corporate users of cloud services don’t realize that while the cloud provider may have every attestation from PCI to SSAE-16, that means nothing if your team doesn’t know what their responsibilities are around cloud security, and what they specifically have to do.
We spoke about the fact that when you move your applications and data to the cloud, there is a lot of control you surrender. But even with that, there is still a lot that needs to be done to ensure that the applications and data are available—and secure.
At the end of the 50 minutes, which went by quickly, we had brainstormed about 20 security, privacy and risk items that you have to deal with in advance of a move to the cloud. Some of the crucial areas are: exit plans, cloud access security brokers (CASB), disaster recovery, incident management, and more.
Three of the main challenges we identified included:
- What do we need to do? Often the demarcation of responsibilities between the cloud provider and the customer is not so clear. Customers know they are moving to the cloud, but are not always clear on just what they need to do. The goal is to recognize that, while it’s a shared model, you must make certain there is a clear demarcation of which roles you as the customer need to fulfill. Once your cloud service goes live, there should be zero ambiguity as to who is responsible for any task.
- What security tools can we use? When things go off-premises, customers often don’t know what security tools are at their disposal. Which tools the cloud provider will supply is often not clear.
- What if there are no corporate-wide cloud transition directions? How does one transition to the cloud when there’s no enterprise-wide cloud transition strategy? Those firms that don’t take the time to develop a structured cloud transition and migration strategy are in effect deploying their cloud services blind. Firms also don’t know when it is the right decision to move to the cloud. Since they have not done any sort of assessment of whether the move to the cloud makes business, strategic and operational sense, there’s a chance the move to the cloud is not warranted in the first place.
When we concluded, the realization was that cloud providers ultimately are only responsible for securing the basic infrastructure, which they do quite well. As a cloud client, you are still responsible (and liable) for all of the applications and the governance around those applications and data. And that’s still a lot of work.