In Blog, Cloud Adoption

Cloud security is a shared responsibility

As we’ve discussed in a previous article, the cloud is one of the most secure places for your data. However, that doesn’t mean that cloud security concerns are unwarranted, or that you can migrate your workloads to the cloud and expect security to be taken care of for you.

This is because security in the cloud is a shared responsibility. Public cloud vendors are responsible for securing cloud infrastructure. This includes physical infrastructure, compute, storage, and networking resources. Everything else – operating system, supporting infrastructure, customer data – are all the responsibility of the organization using the cloud. Essentially, the application owner is responsible for everything above the hypervisor. Organizations may also need to configure certain services provided by the cloud vendor, such as perimeter security.

In-house cloud security or third-party vendors?

With the above knowledge in mind, companies interested in keeping their cloud data safe have a choice to make: hire third-party, point-based security vendors, or bring cloud security in-house.

In recent years, point-based solutions have received criticism. A decade ago, companies could get by with one or two solution providers. With only a couple of vendors, gaining a unified, “single pane of glass” perspective on security was relatively easy to achieve. But in 2019, most companies rely on over a dozen point-based solutions to enable security across a cloud infrastructure. This has led to a lack of visibility and increased chances of human error.

However, point-based solutions and security vendors still have a place in an enterprise security system. Prime use cases include porting compliance control sets to the cloud and early security threat warnings. Third-party solutions have the added benefit of generally working in any cloud environment, making them ideal for developing a unified multi-cloud operational model.

So when does it make sense to bring security in-house? The answer depends on your IT resources. Developing an entire cloud security solution – and keeping that solution up-to-date – is impractical for all but the largest enterprises. And even then, any resources spent on security mean time and funds taken from other, more innovative areas.

For most organizations, the optimal security infrastructure is one in which in-house resources are used to integrate native cloud and third-party point-based solutions to achieve as close an approximation to “single pane of glass” visibility as possible.

Alternatively, Managed Service Providers (MSPs) such as Hanu can help. Much like leveraging a cloud provider, MSPs have a view of multiple environments across many customers enabling them to have a holistic understanding of threats and incidents. This lets them implement mitigation across their entire customer base proactively. With a managed service provider, you get the benefit of having a full-time IT security team with multi-faceted experience at your disposal, at a fraction of the cost you’d require for an in-house security team.

When to leverage native cloud security features

Although public cloud providers don’t take responsibility for data above the hypervisor level, they do provide tools to help you on your data security journey. When it comes to the cloud, most organizations are in a constant battle between moving fast and staying secure. But if you understand the tools at your disposal – particularly in the case of Microsoft Azure – the cloud can be a business enabler, not an inhibitor.

An example of how companies can leverage the cloud for both security and business gains is seen in Azure’s compliance controls. When organizations move PCI, HIPAA and other major compliance regulations to the cloud, they inherit global security and compliance controls. This saves significant time in training staff and developing internal controls. Additionally, Azure is also prohibited by law to share your data with anyone, barring a court order.

Before looking to third-party providers or developing security in-house, make sure you’re leveraging everything your CSP has to offer when it comes to native cloud security.

If you enjoyed this article, make sure to come back next week when we’ll discuss specific strategies, tips, and best practices for cloud security in 2019.

Have more questions about security in the cloud? Contact the experts at Hanu today – we’re happy to answer any questions you have regarding your specific security requirements.