The decision to take your business into the Cloud is a business decision. It's technology-based, sure, but it's just one of many technical solutions you could implement to meet the requirements of your business. Used right, it can help drive your business goals, but using it right means using it securely. Security should inform, or at least be a key factor in, your organisation's decision on which Cloud model and which Cloud provider you choose; it's not just an afterthought.

In the end, security is still your responsibility

The datacentre, the infrastructure or the server may not be yours, but your data is your data no matter where it is. It is still your business' financial details, your HR details, your clients' details and even your IP. Whether it is stored on servers in your office or in the cloud, it's always your ultimate responsibility to make sure it is all sufficiently secured.

Cloud service providers may well provide tools to help you secure your data, but it’s up to you to define your organisation’s security policies and to make sure that the controls required to comply with them are implemented to your defined requirements.

Shared security and different cloud models

OK, so the ultimate responsibility is yours; we've established that. But if the datacentre isn't yours, it's not fully within your control, right?

That's true. So in practice, with Cloud Services you're looking at a 'shared responsibility' approach to security. So what does that mean?

It’s your data on their infrastructure, so it makes sense that the responsibility for overall security is split, and with public cloud being multi-tenanted by nature it’s in everyone’s interest that everyone takes their responsibility seriously.

Exactly where the line of demarcation for responsibility falls will depend on the cloud model being consumed. Again it makes sense: what goes on under the bonnet of your 'as-a-Service' solution is, by design, not your concern, so you can't actually secure it technically. That said, it's still ultimately your responsibility to make sure it does happen, which means paying attention to service agreements, the cloud provider's published standards, etc.

In the case of Software-as-a-Service (SaaS) solutions such as Salesforce or Office 365, where all you get is an application, your main responsibility is controlling access to that application and protecting the data within it.

At the other end of the spectrum, if you're consuming an Infrastructure-as-a-Service (IaaS) offering such as Amazon EC2 or Google Cloud Platform (GCP), then your scope of security responsibility becomes much broader. As you have more control over what is deployed and how, you now have to consider things like network and application security, patching of operating systems and applications, and securing remote access, all this as well as the access control and data protection that lands on your plate with SaaS.

There's a bunch of "in-between" too, and the only way you can be sure that your business is as secure in the cloud as it is elsewhere (and as secure as it needs to be) is to first recognise what your business is responsible for with every cloud service you consume. Once you know the scope, your security and IT teams or partners can create, adapt and apply the requisite business security policies accordingly.

This is why security is such a key factor in deciding whether to use cloud services and which cloud services you should adopt, and also why it’s a business decision and not a technical one.

It's always a balancing act: sure, that collaboration tool is free and easy to use, but does it mean you lose control over your critical data? Add too many 'hoops' for your employees to jump through, though, and productivity will drop or, worse, you'll stumble into 'Shadow IT' territory as staff find their own, easier ways to work outside of the business' control.

So cloud should be part of your business strategy, and your cyber security strategy should be comprehensive enough to secure it, but for your Cloud workloads and data to be secure, both parties have a part to play.

You pay your Cloud Provider to keep up their end of the bargain, and you really can’t afford not to keep yours.