Debunking the Discourse Around Cloud Security

Dig into the recent Cloud Industry Forum (CIF) research and you’ll see that cloud spending has finally overtaken on-premise security spending, a gap the findings expect to widen significantly over the next three years.

The research found that nine in ten UK businesses have formally adopted at least one cloud-based service into their IT estates, and combined with the fact that 82% of UK businesses believe that cloud is the key enabler of their organizations, this points to a future that is increasingly dominated by cloud-based services.

The widespread embrace of the cloud has brought with it ample benefits when it comes to collaboration and communication. It has provided new and flexible ways of working which have been found to greatly drive productivity and efficiency in a way that’s never been done before. It’s safe to say that it's definitely here to stay! 

Cloud myths still persist
While this research certainly suggests that things are moving in the right direction when it comes to the cloud, people’s opinions aren’t quite painting the same rosy picture. There still seems to be a widespread discourse surrounding safety concerns when it comes to storing data, apps and workloads in the cloud. 

High-profile cases, such as the NSA data leak in 2017, which saw over 100GB of sensitive, classified data exposed, are seemingly adding validation to people’s fears. In this example, a hard drive was discovered on an unprotected public Amazon S3 server.

Although the leak came from shoddy security practices rather than a fault of the cloud provider, stories like this add fuel to the fire that ‘the cloud is not safe’.

While the lack of education around cloud protocol and safety is fairly widespread, it also seems to extend to CIOs and IT leaders. Rather worryingly, in our own research back in 2018, we found that over half (57%) of respondents falsely believed their on-premise security was superior to anything cloud security could offer. Now, I’m not saying that cloud is always the most secure option, but using a combination of the right technology, training and processes, the cloud has the potential to be even more secure.

We wanted to lift the lid on these misconceptions, so last year we conducted some global research. As part of this, we asked 164 respondents in EMEA about their experiences and attitudes when it comes to cloud security. We found that as well as an obvious lack of education, many still didn’t trust the cloud - at least not as much as the on-premise security architectures they’ve become accustomed to. 

According to our own findings, 82% also admitted to having concerns about deploying firewalls in the cloud, citing inappropriate pricing and licensing (41%) and a lack of centralized management creating a significant overhead (39%) as their primary concerns. Other responses raised concerns that next-generation firewalls are simply not practical for cloud environments.

Busting the myth 
The apprehension with which cloud safety is met is nothing short of ironic given the fact that in many ways, the cloud is actually more secure than on-premise, largely due to cloud providers collectively investing more into security controls than businesses can on their own. Take AWS for example. Its infrastructure hasn't been hacked in years, which is very good going, especially considering attackers are constantly targeting its infrastructure.

So what’s the key to cloud security? First things first, choose established public cloud players that you can rely on. They often have the resources and expertise to protect their own infrastructure. However, in terms of education, what we need is a complete paradigm shift when it comes to cloud safety, the key to which lies in understanding the shared responsibility model.

The shared responsibility model is universal among cloud providers: they ensure their infrastructure will be secure, but customers need to ensure whatever they do in the cloud is secure. In other words, both the cloud provider and the customers share the responsibility of security. 

In practical terms, this means the 2017 NSA data leak could have been entirely avoided if the shared responsibility model had been followed. The leak came solely from users not securing the data on the Amazon S3 server, rather than from a failure of Amazon S3’s security itself. Had the correct user procedures been followed, this highly sensitive and classified information would never have been exposed.

There’s also a lot to be said for using technology that was built with the cloud in mind, rather than an on-premise solution that has retrospectively been forced to operate in a limited fashion, in an environment that it wasn’t purpose-built for. The cloud is a different beast, with many different ways of operating compared to on-premise environments. While some traditional solutions can be shoehorned into the cloud, security isn’t one of them.

Organizations need to eradicate the dangerous belief that cloud vendors are solely responsible for their cloud security. Organizations that use cloud vendors but do not hold up their end of the bargain - knowingly or unknowingly - are leaving the floodgates open for all kinds of attacks. Users of Azure can sleep easy in the knowledge that their cloud infrastructure is secure from such attacks, but that is useless if the very data, workloads and applications they’re moving in and out of their cloud environment are undefended to begin with.

To summarize, as long as you uphold your part of the shared responsibility model, use large established cloud companies that you can rely on and look for cloud-native solutions, you can go to sleep safe in the knowledge that your cloud data, apps and workloads are secure. While the future might be cloud, it will only be cloud if we all learn to use it securely.
