Cloud and security: harmony built on shared responsibility
by Koen Maris, Director Cyber Security, PwC Luxembourg
Brussels, June 27, 2019
One of the most frequently used arguments for moving towards the cloud is “for security reasons”. Cloud vendors are almost always better equipped to ensure maximum security but that doesn’t mean organisations can just ignore security altogether. In the end they will still be held accountable for breaches or anything else happening to their applications or data. That’s just one of the important lessons to learn before embarking on your cloud journey.
The inherent dangers related to cloud security mostly date back to previous generations of ICT infrastructure. Before the cloud era, web developers were used to working on pre-defined servers with built-in security. These days, security concerns are usually directed towards the cloud provider, which suits developers perfectly: historically, security is something they haven’t had to worry about, so they are happy to leave it to others once again.
And why shouldn’t developers leave it to cloud providers? They have far more experience in securing environments against even the most abundant and sophisticated attacks, so why not fully entrust them with this field of specialisation?
This seems like perfectly valid reasoning, with just one important objection: in the end, organisations are still responsible for their own security – not their cloud providers. A business can outsource its security operations and management as much as it likes, but in the end, it will be held liable if anything goes wrong. So, organisations should at the very least fully understand what level of security is being applied to their data, even if they don’t manage it themselves.
Additionally, data residing in the cloud is just one part of the security picture; the data travelling to and from the cloud server needs to be secured as well. This is an entirely different architecture compared to the traditional client/server setup, with the server residing in the locally hosted data centre.
An entirely new paradigm
The migration towards the cloud has caused an entire paradigm shift, which also impacts security. The traditional LAN network has disappeared and made way for external servers and different routes toward these servers. Twenty years of network experience are being replaced, and new habits, new focus areas and new reflexes need to be shaped. This is no easy feat, especially because most companies don’t even know how many cloud applications are in use throughout their organisation. Moreover, organisations need to understand that the IT infrastructure is no longer the fortified castle it used to be, but rather a vault in plain sight containing all valuable data. This too can be adequately secured but it requires a whole new frame of reasoning.
An additional obstacle on the road to a secure cloud architecture is organisations’ concerns around cloud security – both false and genuine. We often hear CEOs arguing against cloud adoption because of so-called GDPR concerns, but these concerns are not valid at all. Most cloud providers can offer a genuinely GDPR-compliant environment, including servers residing within the EU or even Belgium.
A more imminent threat to the success of organisations’ cloud journeys is that concern over the financial impact of cloud computing outweighs other factors such as security. The quest for cost savings may eventually lead them towards cheaper but less reliable cloud providers. But these compromises on the level of security may end up costing them far more than they have saved by choosing the cheaper provider. That is why we would argue in favour of a legally imposed minimum service requirement, so that every cloud provider is forced to provide a reasonably secured environment.
Last but not least, the move towards cloud computing is inevitably and inextricably linked to the increasing adoption of mobile computing. Cloud security and mobile security should therefore never be viewed separately but rather as a whole.
It has become clear by now that cloud security is no easy matter and cannot be left to the cloud provider alone. Organisations should always consider turning to a security service provider who can help tie the loose ends together, and thus create a reliable computing infrastructure, from any user device to any type of application and data, wherever they reside.
Such a provider should be able to help public cloud providers to safely provision these services to their employees and their ecosystem. Security service providers such as these can also integrate the cloud providers’ security with their own managed security services platform and take control of the entire security environment. That way they can provide their customers with exactly the amount of security they require and set the priorities that matter to their organisation.
Chief Commercial Officer, Atos Belgium & Luxembourg