What is the Cloud and Who Is Responsible for Guarding It?

by Lauren Cahn

It’s been estimated that by 2020, at least 92% of all business will be conducted via the cloud.[1] Most of us have at least a vague understanding of the cloud as a ubiquitous, location-agnostic storage space for data and systems. What the cloud actually is, however, is far simpler. It’s the Internet, albeit “partitioned” into systems and data accessible solely by those with the proper credentials. Thus, when we talk about “cloud security,” we’re talking about methods for restricting access to particular data and systems stored on the Internet.

Conceptually, cloud security is not all that different from the more traditional “on-premise” security, which refers to restrictions on access to the local servers on which data and programs are stored. What’s different is how, and by whom, those restrictions are implemented and enforced. Is it any wonder cloud security has risen to a top concern of security and risk management leaders?[2] Despite the cost savings and agility inherent in cloud computing, nearly two-thirds of organizations see security as a significant challenge for cloud adoption.

In late July of 2019, cloud security became a trending topic among experts and laymen alike when a major bank announced that a hacker had accessed the personal data of more than 100 million bank customers and credit card applicants, which had been stored in the cloud. Although the cloud had been hosted by a third-party provider, and the breach couldn’t have happened without an inherent vulnerability at the cloud-host level, the FBI concluded the proximate cause of the breach was bank error (specifically, misconfiguration of a firewall). Cloud security made headlines again in late August when a cybersecurity software firm disclosed a cloud security incident impacting customer data going back to 2017.[3] The precise vulnerability exploited by the hacker has not yet been revealed, but whatever that turns out to be, it’s likely “blame” will be apportioned based on a “shared responsibility” model.

Under the shared responsibility model, which has been adopted by most cloud providers, the cloud host has responsibility for ensuring security “of” the cloud, while the cloud customer has responsibility for ensuring security “in” the cloud.[4] To put it another way, the host is responsible for securing the cloud itself, while the customer is responsible for securing the assets it stores in the cloud. You’d be forgiven for thinking this allocation of responsibility seems a bit “cloudy,” because it is. Indeed, it’s only growing more so with the proliferation of attack vectors and the introduction of new types of cloud computing and new methods for securing the cloud. It may well be that a better approach to cloud security is as a collaboration between host and customer, defining rules regarding who is responsible for what and establishing workable feedback channels for adjusting those rules as the customer and its computing needs change.



