Don't Let Cloud Security Fall Through The Cracks

Forbes Technology Council
Post written by Rich Campagna

The public cloud continues to live up to the hype, with enterprises leveraging the power and efficiency of the cloud to the tune of $260.2 billion per year by 2020, according to Gartner. Security, once predicted to be the death knell of the public cloud in the large enterprise, has adapted to cloud challenges through the combined efforts of cloud app vendors and security vendors, along with the enterprise.

To their credit, major cloud vendors have invested heavily in security, with Microsoft alone investing more than $1 billion annually. At the same time, the venture capital community has invested hundreds of millions of dollars into cloud-focused security startups.

As the CMO of one such startup that was created to keep data safe in today's dynamic, cloud-first world, I've seen the inner workings of cloud security firsthand.

Leveraging cloud vendors' native security features and third-party solutions is critical because the lines of responsibility and accountability for cloud security are often blurred between the enterprise and the vendor. In many cases, responsibility will depend on the risk a breach poses to an organization’s reputation and who has the most to lose.

However, the "breaking news test" can serve as a framework to help determine who should be held accountable. Obviously, neither of these parties wants to see their name on the front page of a publication because of a breach. This is particularly true of app vendors because their livelihood is dependent upon ensuring their products are safe for customers to use.

So, if a breach occurs, identifying its root cause (e.g., a DDoS attack, a malicious insider or SQL injection) and determining which party would receive the majority of the bad press can reveal who is responsible for what. App vendors typically invest massive amounts of money in securing their underlying infrastructure -- the portion of security for which they are responsible.

As such, company executives must better understand the security and compliance risks associated with data stored in -- and accessible from -- cloud applications, and who will take responsibility should the unthinkable happen.

So what responsibility does that leave for the enterprise?

While cloud app vendors need to ensure that their products are secure on the backend, they do not inspect how organizations' employees are using the data that they store in the cloud. In other words, vendors do not monitor for suspicious user behaviors on their platforms. So, if an employee (or a hacker who has gained privileged credentials) downloads proprietary data or sensitive customer information from a cloud app and sells it on the dark web, it is the enterprise that will have its name appear on the front page of whatever publications cover the breach.

Similarly, if there is an unauthorized download of personally identifying information to an employee’s mobile device, and that device is lost or stolen, the enterprise will take the blame and foot the steep financial penalties for the resulting compliance failure. In both cases, the cloud app vendors do not have their business at stake, which means that it will be incumbent upon enterprises to know what information is under their jurisdiction and step up to fill in any potential security gaps.

Covering Cloud Bases: The Shared Responsibility Model

Ultimately, the responsibility for cloud security and compliance is shared by both the client and the cloud provider. While specific boundaries may vary from one app to the next, cloud providers primarily focus on protecting their services and the infrastructure that runs their services -- including all hardware, software and networking -- from attackers and unauthorized intruders.

The enterprise is responsible for security infrastructure that protects its data. This includes verifying user identity and protecting against credential theft, controlling access from risky contexts such as unmanaged devices and suspicious locations, ensuring that sensitive data is controlled and protected properly, and ensuring that cloud applications aren’t used as a delivery mechanism for malware and threats across the organization.

What’s Ahead: More Cloud, More Risk

Many organizations have started their cloud journey with major SaaS applications such as Office 365, Salesforce and Box. It’s common for those same organizations, once they have a taste of the economic and productivity benefits of the cloud, to start aggressively expanding their cloud footprint. According to our company's research, there are a lot of industry- and function-specific applications moving to the cloud, as well as a systematic migration away from applications housed in corporate data centers and toward infrastructure as a service (IaaS) offerings like AWS, Google Cloud and Azure.

While the public-facing nature of these long-tail applications is similar to that of the major SaaS vendors, there is substantially less focus and budget dedicated to security. This means more responsibility on the part of the enterprise in the shared responsibility model. Greater scrutiny must be given to the care that the app vendor is giving to their part of the model, and enterprises need more restrictive controls in order to better protect corporate data.

Fortunately, this can be achieved rapidly with the latest technology. Shadow IT discovery tools evaluate apps by their native security features, regulatory compliance and more, while contextual access control can govern data access by users' job functions, geographic locations, device types and even custom factors. There is no shortage of solutions that can help organizations protect their data.
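As an added illustration of the contextual access control described above (example code, not from the article or the author's company), the following policy evaluator decides whether a cloud-app request is allowed based on the user's job function, location, device type and the sensitivity of the data; the roles, data classes and expected-country list are assumed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders for this example: classification labels, the job
# functions cleared for personal data, and the locations the business expects.
SENSITIVE = {"internal", "pii"}
PII_ROLES = {"hr", "finance"}
EXPECTED_COUNTRIES = {"US", "GB", "DE"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # job function
    action: str           # "view" or "download"
    data_class: str       # "public", "internal" or "pii"
    device_managed: bool  # True if the device is corporate-managed
    country: str          # geo-location the request came from


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reason). Rules run in order; the first match wins."""
    if req.country not in EXPECTED_COUNTRIES:
        return "deny", f"request from unexpected location {req.country}"
    if req.data_class == "pii" and req.role not in PII_ROLES:
        return "deny", f"role {req.role} is not cleared for PII"
    if req.data_class in SENSITIVE and req.action == "download" and not req.device_managed:
        # Unmanaged devices may view sensitive data in the browser but not keep a copy
        # (the lost-or-stolen-phone scenario from the article).
        return "deny", "sensitive download blocked on unmanaged device"
    if req.data_class == "pii" and req.action == "download":
        # Cleared role on a managed device: allow, but leave a trail for review.
        return "allow_with_audit", "PII download recorded for review"
    return "allow", "no contextual restriction matched"


def audit_line(req: AccessRequest, decision: str, reason: str) -> str:
    """Format one line of the enterprise-side audit log (the vendor does not keep this)."""
    return (f"user={req.user} role={req.role} action={req.action} data={req.data_class} "
            f"managed={req.device_managed} country={req.country} "
            f'decision={decision} reason="{reason}"')


if __name__ == "__main__":
    # Constructed sample requests covering each rule.
    samples = [
        AccessRequest("alice", "hr", "download", "pii", True, "US"),
        AccessRequest("bob", "sales", "download", "internal", False, "US"),
        AccessRequest("bob", "sales", "view", "internal", False, "US"),
        AccessRequest("carol", "hr", "view", "pii", True, "ZZ"),
        AccessRequest("dave", "sales", "view", "pii", True, "GB"),
    ]
    for r in samples:
        print(audit_line(r, *evaluate(r)))
```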

The bottom line is that enterprises need to keep the shared responsibility model for cloud security in mind. That means verifying that the cloud vendor is doing its job while building in-house processes and leveraging security tools to ensure the enterprise is keeping up its end of the bargain. Such an approach will help your organization enjoy the business benefits of the cloud while keeping your name out of the breaking news headlines.
