Cloud computing is the fuel powering modern digital transformation. Across the globe, organizations invested heavily over the course of the pandemic to adapt to new market conditions, drive more efficient business processes and support mass home working. It’s estimated that 60% of corporate data globally is now stored in the cloud, and much of this will be in public cloud datacenters.
Yet while many IT leaders cite security concerns as a top roadblock to public cloud projects, the truth is that those who do invest often unwittingly expose their organization by misunderstanding where security responsibilities lie. The best way to mitigate these risks is to adopt a data-centric security approach which will keep sensitive data safe no matter how complex the environment.
Concerns in the cloud
So much positive is written about migrating data and workloads to the cloud. It can drive enhanced IT agility, scalability, redundancy, and cost savings, to name but a few benefits. But this positivity often masks another reality: cloud computing often equals complexity, and complexity is the enemy of security. This is especially true when organizations invest in multiple cloud service providers (CSPs) and blend public and private clouds with on-premises deployments, in a hybrid approach. Research tells us that 92% of enterprises have a multi-cloud strategy, while 80% favor a hybrid cloud approach.
This can lead to potentially critical mistakes being made, including misconfigurations and unpatched vulnerabilities. A cybersecurity study last year found that 96% of organizations are moderately to extremely concerned about cloud security. Data loss or leakage (64%), data privacy (62%) and accidental credential exposure (46%) were their top three concerns.
Complicating matters further is that many organizations believe their CSP will take care of all their security needs. One study found that two-fifths of IT professionals thought that the cloud provider will protect their applications and data. In fact, the truth is far more nuanced. Both provider and customer have a shared responsibility for security. Failing to recognize this could leave organizations exposed. Back in 2019, Gartner predicted that over the next three years, “at least 95% of cloud security failures will be the customer’s fault,” and in that case, "shared" responsibility is a bit of a misnomer.
What CSPs say about cloud security
To add further complexity, not all CSPs define shared responsibility in exactly the same way. The Cloud Security Alliance has a handy guide explaining where the grey areas are. For example:
Microsoft Azure: In IaaS environments, the CSP takes care of only three areas: securing physical hosts, the physical network and the physical datacenter. For SaaS, PaaS and IaaS the customer is responsible for securing all data, devices, and accounts and identities.
Amazon Web Services: The CSP is responsible for all infrastructure (hardware, software, networking, and facilities) that runs its cloud services. However, customers will be responsible for all their data, applications, operating systems, network and firewall configurations and more. This includes client- server- and network-level encryption.
How to secure data in the cloud
This complexity can make consistent security policy enforcement a challenge across multiple CSPs and types of cloud environment (SaaS, PaaS and IaaS). Adding to the challenge is the fact that many organizations are struggling with cybersecurity skills shortages, meaning they often have crucial gaps in technical expertise relating to specific platforms. Frequently, the business leads cloud adoption, leaving IT teams playing catch-up. It’s also true that CSPs are constantly innovating, which increases the complexity and opportunity to make configuration mistakes.
The answer is to adopt a data-centric security approach which will ensure the organization’s most important assets remain protected no matter where they reside—on-premises, in private clouds or across multiple public CSPs environments. The right provider should deliver:
- Detailed and automated data discovery and classification capabilities
- Highly scalable and fault tolerant protection of that data via data tokenization, encryption, data masking and hashing
- Data protection across any hybrid, multi- and cloud native environment
With data-centric security, organizations can simplify risk and compliance management in the cloud and focus more of their efforts on growing the business.