Shared Responsibility in Cloud Security

When it comes to cloud computing, many companies first think of the benefits of technology. However, security still often falls by the wayside. The reasons are manifold – high complexity, unclear legal responsibilities and missing strategies mean that especially smaller companies see the security responsibility at the provider – a fallacy, which can have serious consequences in the worst case. If safety is neglected, it can undeniably have devastating consequences. But even today this self-evident knowledge has only gradually made it into the minds of motorists. This is proven by the sometimes very amusing articles, which regularly remind of the hysterical reaction of motorists in the introduction of seatbelts in 1975.

Now that the benefits of the cloud are scarcely disputed, the advent of widespread security awareness is still to come. When looking for the reasons for it is striking that especially small and medium-sized enterprises lag behind the development – a circumstance that has something to do with the available resources.

Holistic Security

Very few companies rely on a singular cloud solution in their everyday life, but mostly use a multi-cloud structure that is individually tailored to the company’s requirements in terms of its structure. The companies use different filesharing, virtualization or collaboration vendors and often a combination of on-premise and cloud solutions . But the more individual and modular the setup is, the more interfaces open up – potential break points for the safety of the entire system. This complexity can overwhelm especially small businesses quickly. The result is above all uncertainty, which leads to the fact that the responsibility is gladly unloaded on the shoulders of the respective provider.

Many rely solely on the provider for the security of their data, but public cloud providers like AWS, of course, have no end-user responsibility, which is always up to the user – but only a fraction of companies are aware of it To create awareness, to communicate meaning and gradually to bring the necessary know-how into the company The term cloud is often associated with a dilemma between productivity and security at the same time efficient clouds are possible.

Clouds are mostly for simplification: the industry is still at the beginning of a fundamental development in the cloud and IoT sectors, and new cloud solutions are continually creating new business models and potentially new risks Eliminating opportunities is a challenge. The idea of ​​efficiency has meanwhile also prevailed in the public sector, where the private cloud is experiencing strong growth, but the public cloud will never be a blanket alternative there.” Simplicity is still the best guarantee of security when building an infrastructure additional layers increase the complexity and thus the probability of security gaps. It is often forgotten that lax security has not been around since the cloud, for example, poor password protection could cause immense damage to the business, but the cloud will increase the attack surface significantly.

The digital transformation now allows employees to flexibly access data and intellectual property across countless systems, applications and devices to perform tasks anywhere, anytime, resulting in multiple vulnerabilities and potential compliance violations. Companies should take a holistic, end-to-end security approach to assess and control risks in real time, and in large companies, security has become more important and has already made it to the boardroom, with small and medium-sized businesses urgently needing to catch up Many see the responsibility solely with the provider, but they can never assume full liability, so a model of “shared responsibility” should be sought by leveraging our software-based security solutions can be implemented.

However, this is only partially liable, as the cooperation between user and cloud provider is generally based on the so-called Shared Responsibility model. Thus, providers are only responsible for the infrastructure itself, while companies are responsible for protecting their own data and applications.

This is all the more true with a look at the legal situation. The US Cloud Act, which allows US security authorities in certain cases access to European customer data, creates a situation in which many providers have the choice to either break the rules of the Cloud Act or the DSGVO. This creates a legal uncertainty whose solution is currently not in sight. Users must therefore ensure that their data does not fall into the wrong hands.

It’s about data that has long been collected and processed throughout the enterprise. Security must apply analogously to all levels. Responsibilities are still often delegated or integrated into existing processes that date back to times when the IT department alone was managing the enterprise infrastructure. These times are, so the unanimous opinion in the round, over.

In order to assess and control the diversity of cyber risks in real time, companies should adopt a holistic, end-to-end security approach.” In large companies, security has become more important and has already made it into boardrooms Companies urgently need to catch up in order to meet the security requirements of the advancing digitization, notes Sebastian Spann of Microfocus.

Conclusion

At the latest since the entry into force of the GDPR and potentially draconian penalties for violations of the rules and regulations, data protection and data security are also in the focus of the boardrooms. And since the widespread use of cloud solutions, appropriate precautions are urgently required. However, it is often forgotten that lax security measures in companies are not a new phenomenon. Even in the past, poorly protected passwords could cause immense damage to the company. However, the risk is significantly increased by the cloud – because it simply offers more attack surface due to the large number of interfaces. After all, each additional software layer increases complexity many times over – and with it the likelihood of security holes.

In addition, the development and operation of cloud-based business applications today no longer allow for post-deployment security as an add-on to an existing infrastructure. The widespread triumph of DevOps requires a Security by Default approach, which meets the dynamics of modern software development. When development becomes a process, then security must be considered process-wise.

Many companies still see a contradiction between productivity and security. According to the participants in the discussion, this misjudgment must be overcome. If appropriate security concepts are taken into consideration right from the start, are incorporated into the development process and also reach a cultural level, secure and at the same time efficient cloud solutions can be realized.

The need for a comprehensive change of consciousness is all the more true because development has just begun: the technological possibilities of the cloud are creating new, data-based business models. The Internet of Things creates a multitude of additional interfaces, which in turn require completely new, smart security concepts. At the end of this development is the use of artificial intelligence – both in the analysis and in the backup of data.