There are several widely accepted truths about public-cloud services of varying levels of veracity—that they are cheaper, more flexible, and can be more quickly deployed. Perhaps none is more dangerous, however, than the assumption that the cloud is, by nature, more secure.
Just last year: the records of four million customers of a U.S. cable provider were exposed to the Internet after a contractor failed to properly secure a public-cloud database; hackers stole from a professional-services firm millions of emails stored in a public cloud containing confidential communications and the plans of some of its biggest clients; six million customer records were made public online after a telecom provider’s CRM vendor failed to limit external access to public-cloud servers.
Many business leaders assume that, when they enter into a contract with a public-cloud vendor or any other web-service provider, they are signing away their responsibility for the protection of the data stored outside their own resources. The reality is that the public web and cloud services, for all their benefits, are no more innately secure than any other traditional hosting options.
The uneven handshake
What actually happens when you ink a deal with a public cloud or web service is what we call the “uneven handshake.” The vendor does agree to provide you with an array of services, but they do not assume responsibility for managing your cyber risk. Instead, they provide you with a number of options for how you might set up and configure their security tools.
Cloud- and web-service providers go to great lengths to absolve themselves of any obligation to protect their clients’ data, from their six-page, four-point type online contracts (that nobody ever reads before hitting Accept) to their security-related FAQs and training tools. Some even incorporate into their dashboards an explicit reminder that users, by default, are exposing their data to the public Internet. Many clients still assume that if a breach were to occur, landing them in some legal hot water, their public-cloud vendor will sit next to them in court. However, cloud providers have done everything in their power to make sure they will never have to do that.
It’s great that cloud providers offer customers a few options for setting up and configuring their cybersecurity. However, it’s a mistake to assume that the choices they provide are sufficient for every company’s needs.
Don’t trust, always verify
The good news is that the zero-trust approach that leading companies have taken to secure their own IT environments can also be used to mitigate cyber risk in their digital-business initiatives. While, at one time, we assumed that everything on the inside of an organization’s network could be trusted, the increasing frequency of successful cyber-attacks built on exploiting that trust disabused us of that notion.
Traditional, perimeter-centric security strategies failed to provide adequate visibility, control, and protection of user and application traffic. Enter zero-trust architectures, applying the principle of “never trust, always verify” to all entities—users, devices, applications, packets—regardless of what they are and their location relative to the bounds of the corporate network.
It’s become clear—through the experience of the many companies that have dealt with breaches of their web- and cloud-based data and digital services—that exploitation of trust is as much of a risk in the public cloud as it is in the enterprise data center. Leveraging public-cloud services for digital-business efforts can change who owns and maintains the base architecture, but it does not mitigate or transfer cyber-risk responsibility.
A public cloud service might have a great security model, but it’s not necessarily the right security model for all its customers. The vendor may not be subject to the same regulations, have the same customer demands, or handle the same types of sensitive intellectual property as its clients. That cloud vendors provide basic security and infrastructure patching is a tremendous value. However, their priority is maintaining and monetizing their cloud infrastructure, not becoming a managed-security provider. It’s the customer’s responsibility to protect their data as robustly as if it were sitting in their own headquarters.
Consider security from the start
Thus, when enterprise leaders are thinking about entering into a cloud agreement, it’s critical that they start thinking about a security model for protecting the digital business. What’s more, as most companies are in multi-cloud environments, they must be able to put in place and oversee a strategy that encompasses multiple platforms in multiple locations, where regulations can vary dramatically.
By establishing zero-trust boundaries—just as they would to effectively compartmentalize different segments of their own networks—companies can better protect critical data hosted in the cloud from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the movement of malware throughout their network.
Where to begin
While enterprises across industries are eager to leverage the public cloud to build their digital-everywhere businesses, they must balance its benefits with their responsibility to keep sensitive data—personal health information, personally identifiable information, intellectual property, payment card data—secure. A workload containing such data must be more strongly protected than one with more benign data.
Too often, business leaders do not fully appreciate the true value of, and risk to, the data they deploy to the cloud, and the risk they expose their organizations to when they fail to secure it properly.
So, what actions can be taken to better protect data in the public cloud?
- Determine what you need to protect inside your cloud. People talk a lot about the attack surface—the area or space that malicious actors can leverage for attacks—which is a massive, uncontrollable expanse of invisible technology controlled by others. Instead, companies can reduce the attack surface down to a “protect surface” and create and define access and enforcement points for critical data.
- Understand what types of data you are storing in your cloud service. If this data falls into the category of the four “Ps” of Toxic Data—personal health information, personally identifiable information, intellectual property, payment card data—validate that the security configuration of your cloud deployment ensures proper protections for this data, according to your corporate-compliance standards.
- Set up security access controls. Secure these data repositories, as well as any applications that access this data, so that, as you evolve your digital strategy, you maintain compliance. Limit who in your organization should have access to the protected surface.
- Consider a vendor-neutral encryption model, with keys held by the enterprise rather than by the provider. This helps ensure enterprise compliance with corporate and security mandates and gives companies control over access they did not authorize, such as a government subpoena served on their cloud-service provider.
- Monitor the heck out of your hybrid cloud environment. Don’t settle just for security alerts; make sure your team reviews all the logs they can. Analyze all the good traffic, too.
- Stay up to date on the security capabilities of your cloud providers and vendors. Cloud vendors introduce new services and capabilities frequently.
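The checklist above can be turned into a repeatable audit. The following is an added example, not code from the article or from any cloud vendor; it runs over a constructed inventory of data stores and a few constructed access-log lines in a generic JSON shape (the field names `principal`, `resource`, `action` and `status` are assumptions, not any provider's real log format). It identifies the protect surface (stores holding one of the four "P" toxic data types), checks each such store for public exposure, customer-managed encryption and an explicit allow list, and then reviews every access event, successful ones included, flagging reads of protected stores by principals outside the allow list.

```python
"""Added example: audit a cloud data-store inventory against the article's
checklist. Inventory, allowed principals and log lines are all constructed."""
import json
from dataclasses import dataclass

# The four "Ps" of toxic data: PHI, PII, intellectual property, payment-card data.
TOXIC_DATA_TYPES = {"PHI", "PII", "IP", "PCI"}


@dataclass
class DataStore:
    name: str
    data_types: set            # classification tags applied by the data owner
    public_access: bool        # True if readable from the public Internet
    encryption: str            # "none" | "provider-managed" | "customer-managed"
    allowed_principals: set    # identities permitted to read this store


def protect_surface(stores):
    """Stores that hold at least one toxic data type: the protect surface."""
    return [s for s in stores if s.data_types & TOXIC_DATA_TYPES]


def config_findings(store):
    """Configuration problems for one store, in a fixed order."""
    findings = []
    if store.public_access:
        findings.append("public access enabled")
    if store.encryption != "customer-managed":
        findings.append(f"encryption is {store.encryption}, not customer-managed")
    if not store.allowed_principals:
        findings.append("no explicit allow list")
    return findings


def review_access_log(stores, log_lines):
    """Flag every access to a protected store by a principal not on its allow
    list, regardless of HTTP status: a successful read by the wrong identity
    is 'good traffic' that no alert would have raised."""
    by_name = {s.name: s for s in stores}
    flagged = []
    for line in log_lines:
        event = json.loads(line)
        store = by_name.get(event["resource"])
        if store is None or not (store.data_types & TOXIC_DATA_TYPES):
            continue  # outside the protect surface
        if event["principal"] not in store.allowed_principals:
            flagged.append((event["principal"], event["resource"], event["action"]))
    return flagged


# Constructed inventory (hypothetical store names and principals).
INVENTORY = [
    DataStore("customer-crm-export", {"PII"}, True, "provider-managed", {"crm-service"}),
    DataStore("patient-records", {"PHI"}, False, "customer-managed",
              {"ehr-app", "analytics-batch"}),
    DataStore("marketing-assets", set(), True, "none", set()),
]

# Constructed access-log lines; every request here succeeded (status 200).
ACCESS_LOG = [
    '{"principal": "crm-service", "resource": "customer-crm-export", "action": "read", "status": 200}',
    '{"principal": "anonymous", "resource": "customer-crm-export", "action": "read", "status": 200}',
    '{"principal": "analytics-batch", "resource": "patient-records", "action": "read", "status": 200}',
    '{"principal": "contractor-jsmith", "resource": "patient-records", "action": "read", "status": 200}',
    '{"principal": "anonymous", "resource": "marketing-assets", "action": "read", "status": 200}',
]


def run_audit(stores=INVENTORY, log_lines=ACCESS_LOG):
    surface = protect_surface(stores)
    return {
        "protect_surface": [s.name for s in surface],
        "config_findings": {s.name: config_findings(s) for s in surface},
        "flagged_access": review_access_log(stores, log_lines),
    }


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

Note that the public `marketing-assets` store produces no finding and its anonymous read is not flagged: it holds nothing toxic, so it is outside the protect surface, which is the point of shrinking the attack surface to the data that actually matters. The two flagged events both returned 200, which is why reviewing successful traffic, not only alerts, is part of the checklist.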
The cloud is not an “easy” button. It’s only reasonable that there will be some anxiety about migrating certain data types to it, but that can fuel honest conversations about what is cloud-appropriate, what’s not, and how your security teams will protect the workloads that are already there.