Cloud security is a shared responsibility between vendors and their customers. Companies need to adopt the necessary cloud security controls in the face of growing cyber risk.
- Cloud security differs from traditional IT security, with the responsibility shared between cloud vendors and their customers.
- Cloud security controls include processes and technologies that defend businesses against threats and human error.
- The controls a company puts in place will depend on its chosen cloud deployment and service models.
The migration to cloud-based IT has reached a fever pitch, accelerated by the pandemic-driven surge in remote working. For the first time, companies spent more on cloud services than on data centers in the past year, marking a turning point in the relationship between IT vendors and customers.[i]
But the cloud is not risk-free, especially in an environment where data security is a shared responsibility between cloud companies and users. Research from IDC suggests 98% of businesses have experienced at least one cloud data breach since the beginning of 2020.[ii] There are two shortcomings contributing to this surge in cloud data breaches: misconfigured cloud security controls and human error. Indeed, Gartner has predicted that 95% of cloud security failures will be linked to customers’ lapses by 2022.[iii]
What Are Cloud Security Controls?
Cloud security controls refer to the range of measures companies take to protect their cloud environment, including the processes and technologies they use to defend themselves against breaches. Together, these controls help businesses recognize the threats they face, address vulnerabilities in their cloud environment and implement defenses to complement the cybersecurity measures offered by their cloud vendors.
According to the Cloud Security Alliance (CSA), an industry organization that encourages best practice in the management of cloud systems and data, cloud security controls fall into three categories:
- Preventative: to address vulnerabilities in cloud systems.
- Detective: to detect an attack before it manifests as a full-blown breach.
- Corrective: to minimize the effects of an attack after it has taken place.
How Can Cloud Computing Improve Security?
Cloud computing is not inherently risky. In fact, major cloud vendors build robust data security into their solutions, backed by their extensive resources and decades of experience. Few companies have the IT capabilities or manpower to deliver the same standard of data security at scale, which is why there is an advantage to partnering with a cloud provider.
However, data security in the cloud is a shared responsibility. Cloud vendors are responsible for protecting their data centers and cloud infrastructure, but it falls on their customers to protect the data that flows to and from these systems and within their organization. This is where cloud security controls come into play, helping businesses protect the data and systems they use in the cloud whether the data is static or being handled by their employees.
The stakes are higher than ever. A successful breach does not only result in the loss of sensitive information or operational disruption. It can also shatter a company’s reputation and rupture the trust it has built with customers, which can take years to reestablish. And it can lead to regulatory penalties for non-compliance or civil lawsuits for violation of privacy, if controls are found to be deficient.
Cloud Controls Matrix
The industry standard for defining cloud security controls is the CSA’s Cloud Controls Matrix (CCM).[iv] With nearly 200 control objectives covering 17 different domains, the CCM was created to help organizations assess the security of their cloud implementation at a granular level.
The comprehensive spreadsheet also specifies which actors in the cloud supply chain should be responsible for individual security controls. By following this framework, companies can take a systematic approach to ensuring their cloud data and processes are both secure and compliant.
Cloud Security Controls — Deployment Models
A company’s cloud deployment model will influence the level of responsibility it takes in protecting its cloud data and infrastructure, versus the responsibility placed on its cloud vendor. In general, businesses will opt for a public cloud deployment, a private cloud deployment or a hybrid approach.
- Public cloud deployments: In the case of a public cloud deployment, companies rely on a vendor’s infrastructure and physical IT network to run their cloud applications. However, they still own their own operating system, applications and data, and the responsibility falls on them to secure these assets. It is a common misconception that public cloud vendors are responsible for protecting their customers’ data; this is rarely the case.
- Private cloud deployments: When companies choose a private cloud deployment, they retain full control over their cloud hardware and software. The same is true whether it is located in their own data center or hosted by a third-party provider. While this forces businesses to secure their own data, it also brings clarity as to who is responsible for its security and what controls must be put in place.
- Hybrid cloud deployments: Hybrid cloud deployments are increasingly popular because they help companies make the transition from on-premises to cloud-based IT at their own pace. In a hybrid environment, data and applications move back and forth between private and public clouds, with companies often scaling their public cloud usage to meet spikes in demand. This approach allows for greater flexibility, but it also complicates the cloud supply chain and requires companies to take great care when setting their cloud security controls.
Cloud Security Controls by Service Model
In addition to varying by deployment model, cloud security controls also depend on which service model a business chooses for its cloud systems. There is some overlap between deployment and service models, but in the latter case the determining factor is whether a business is buying cloud software, cloud-based infrastructure or a cloud development platform.
- Software-as-a-Service (SaaS): When companies invest in a SaaS cloud solution, they pay a recurring fee to use powerful applications without building their own IT infrastructure to support them. For their part, SaaS vendors implement cloud security controls for the infrastructure and application itself. That leaves customers to adopt their own controls for any data that flows in and out of the SaaS application, and for employees who use the software.
- Infrastructure-as-a-Service (IaaS): In an IaaS service model, businesses pay to run their applications or operating system on external cloud servers. This type of service comes with scalable storage, computing power and network infrastructure, without the need to build or manage cloud infrastructure internally. IaaS cloud vendors implement security controls in their infrastructure and network resources while their customers cover the rest, from the applications they use, to the data they manage, to the people who use these cloud systems.
- Platform-as-a-Service (PaaS): In a PaaS service model, customers gain a cloud-hosted platform upon which they can build, run and manage new applications without investing in or managing the underlying infrastructure. PaaS vendors host both the hardware and software behind this platform, as well as the developer tools required to create and test new applications. These range from middleware and data management technologies to power analytics and DevOps services. The vendors are also responsible for implementing cloud security controls across each of these layers.
Risks Associated with Cloud Security Controls
As mentioned, the first challenge in securing cloud-based systems is to determine who is responsible for each element of the cloud supply chain. Even if vendors take all the necessary precautions to secure their infrastructure and software, human error and poor configurations continue to plague their customers and lead to breaches.
The public cloud in particular offers an attractive target for hackers. With a virtually limitless attack surface and so many actors sharing data via public cloud applications, there are countless opportunities for entry. Ransomware, phishing and other malware attacks are increasingly common in the public cloud. Many businesses have responded by opting for a Cloud Access Security Broker (CASB), an intermediary layer of software or hardware that helps identify risks and improve security controls.
Automation has also become a crucial component of cloud security. Few companies have the resources to monitor the variety and volume of threats they face each day, so automated solutions that rely on artificial intelligence help them keep pace.
Features and Benefits of Cloud Security Controls
When configured and applied correctly, cloud security controls provide companies with end-to-end protection for their cloud applications, infrastructure and data, be it from external threats or human error. This begins with visibility across the business’s cloud systems, users and security policies, which can then be assessed and improved to fix gaps or vulnerabilities.
This combination of visibility and control delivers a range of benefits, including:
- The ability to monitor and evaluate cloud configurations.
- Integrated security measures that cover every piece of the cloud supply chain.
- Best practice and accountability for every actor in the chain, from the IT department to end users.
- Improved confidence in data privacy and compliance practices.
- A clear division of security responsibilities between cloud vendors and customers.
- A complete view of cloud data, which helps detect at-risk information and processes.
- A mechanism for the continuous assessment and improvement of cloud security.
Cloud Security Controls — Why Are They Important?
Breaches and human error will only become more common unless companies put the necessary measures in place, extending across data centers, devices and third-party services. Choosing the right cloud security controls can minimize business risk.
The Bottom Line
The transition to cloud-based IT is not just a technological change. It is a transformation that requires new processes, new ways of working and new security controls. Even if companies partner with leading cloud vendors that offer the latest protections in their products and services, they still need to secure the data, applications and infrastructure that remain in their care. To harness the benefits of the cloud without elevating risk, businesses need to get their cloud security under control.