If you’re in the process of creating a security strategy for your cloud deployments, then you understand the complexities that exist. The challenges presented by compliance, data governance, and emerging technology can create a conflicting and shifting front, and the security solutions that are built into cloud services may not provide sufficient control, transparency, or security to meet all requirements.
Unfortunately, your cloud provider will probably not tell you how to effectively approach data security. More likely, they will point to the few basic security tools built into their solution and wish you the best of luck. Why? Because they are not responsible for your data.
As a result, best practices for cloud security are not centered on your public or private cloud provider. They are more about people, processes, and technology. In this four-part blog series, we will dispel several cloud security myths and provide facts that will help you implement the right strategy and technology to keep your organization’s data secure in the cloud. Let’s get started.
Myth #1: Security offered by your cloud provider means your data is well-protected.
Fact: Your cloud provider is responsible for securing the cloud infrastructure. You are responsible for securing your data, especially to and from the cloud.
Despite losing direct control of the data, an organization that utilizes cloud services is still the data owner and usually retains the ultimate responsibility to protect the data, not the cloud vendor. An enterprise may discover this too late: only after a breach and loss of data does it find that the agreement with the cloud provider does not hold the provider responsible. This is best illustrated by the shared responsibility model that customers of cloud infrastructure providers (e.g. AWS, Azure) agree to as part of their service agreement.
However, understanding your rights and data ownership is only part of the equation, as your brand will still suffer as a result of the data loss. Here are some other facts to consider:
Perhaps the most important point to keep in mind when deciding to move your data to the cloud is that, regardless of the security scheme employed by the vendor, the vendor will always have access to your data in one way or another.
In cases where the vendor is in charge of protecting your data, the vendor will possess the passwords, encryption keys and whatever else is needed to protect it, and the customer will rely on the vendor to perform all security functions on their behalf. Obviously, this means someone on the vendor side will have access to your data in the clear. In addition, if a government comes knocking on the cloud service provider’s door looking for your data, it does not have to come to you to decrypt it.
As data moves into the cloud, the customer transfers control to the cloud service provider. In most cases, customers are essentially “publishing” data to the cloud, giving the provider permission to copy or move data without notice to unknown locations, sometimes unknown even to the vendor itself. This can lead to numerous compliance issues, most notably data residency. Meanwhile, the customer can request action on their data, such as protection or deletion, but it is up to the vendor to comply with the request. Data may never actually be removed from all of the cloud vendor’s servers, and the customer has no way to verify that it has been.
Cloud providers typically don’t provide access to their physical infrastructure for audits. Instead, they rely on an honor system, and customers are not allowed to directly verify security. The standard practice of “trust but verify” in vendor data security does not apply to cloud data security. Not only does this leave potential for holes in security, but it often directly conflicts with internal data security policies and regulatory compliance requirements.
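The point above about vendor-held keys has a practical counterpart: if the customer encrypts data before it leaves the organization and keeps the key, the provider stores only ciphertext and cannot read it in the clear, regardless of its own controls. The following is an added example (not code from the original post or from any provider's SDK) using AES-256-GCM from Go's standard library; `cloudStore` is a constructed stand-in for a provider object store, and the key handling is deliberately minimal.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// cloudStore is a constructed stand-in for a provider-side object store.
// It only ever sees the bytes the customer uploads.
type cloudStore struct{ objects map[string][]byte }

func newCloudStore() *cloudStore { return &cloudStore{objects: map[string][]byte{}} }

func (s *cloudStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }

func (s *cloudStore) Get(name string) []byte { return s.objects[name] }

// newGCM builds an AES-GCM AEAD from a customer-held 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptForUpload seals plaintext under the customer's key before it leaves
// the organization. The random nonce is prepended so the blob is self-describing.
func encryptForUpload(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAfterDownload reverses encryptForUpload. A wrong key or a tampered
// blob fails GCM authentication and returns an error rather than garbage.
func decryptAfterDownload(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// providerCanRead reports whether the stored object exposes the plaintext in the clear.
func providerCanRead(stored, plaintext []byte) bool { return bytes.Contains(stored, plaintext) }
```

Because the provider never receives the key, a deletion request it fails to honour leaves behind only ciphertext; destroying the customer-held key is the customer's own, verifiable way to render lingering copies unreadable.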
Stay tuned for future blogs in which we will present additional cloud security myths and provide facts that will help you keep your most sensitive data secure as you move more of it to the cloud. In the meantime, you can learn more about Protegrity Cloud Solutions here.