Sharing responsibility between the customer and the provider.
01
Managing risk while moving to the cloud
02
Clarity is key
04
A shared responsibility model
03
How you define security determines how you address it
GET A PDF OF THIS EBOOK
Let me read it first >
05
Why SaaS is different
06
Best practices for managing shared responsibilities
07
Don't go it alone: turn to the experts at OneNeck
Managing Risk While Moving to the Cloud
Long before the numbers supported the assertion, cloud promised to be the greatest technical business enabler of the 21st century. Given such a claim, it is no surprise that organizations looking to benefit from the increased business agility the cloud facilitates are flocking to cloud services in an effort to keep pace with today’s rapidly evolving digital economy. In fact, over 92% of surveyed business executives in the Flexera 2021 State of the Cloud Report have a multi-cloud strategy and 82% have a hybrid cloud strategy, combining the use of both public and private clouds.
But as more firms move their critical systems and applications to the cloud, they’re realizing the benefits of fast and easy scalability can be offset by the harmful impacts of security breaches. One out of four businesses will be affected by a data breach, which are becoming broader and more severe in scope. According to the IBM Security Cost of a Data Breach Report 2020, the average total cost of a data breach in the United States rose 5.3% to $8.64 Million. As cybersecurity risks become more numerous, sophisticated and expensive, businesses are scrambling to fortify their defenses and running into an important question: Who actually owns cloud security?
COVID-19 had a significant impact on cloud adoption in 2020, with 90% of enterprises reporting they expect cloud usage to exceed prior plans.
Flexera 2021 State of the Cloud Report
Data quality and sprawl
On average, enterprises use 2.2 public clouds and 2.2 private clouds and almost 1,300 cloud services, accounting for roughly 80% of an organization’s data stores. In traditional environments, that data resides in siloed environments, creating huge visibility gaps that limit its value and use. Worse, data tends to decay rapidly — at a rate of over 5% per month, or more than 70% per year — meaning that the longer data sits untouched or actively managed (which is the case when teams don’t even know it exists), the likelier it is that the accuracy, completeness, and usefulness of the information will rapidly decrease and undermine any value it had for business growth in the first place.
Spread-out infrastructure
IT infrastructure is no longer just in one data center or another. The march toward hybrid infrastructure, prioritized by nearly 75% of global enterprises, complicates data modernization efforts. The IT perimeter continues to expand at a breakneck pace, enabling data to live in a virtually limitless range of cloud or on-prem databases, cloud apps, and user endpoints. Combining all that data — usually manually or with limited automation — is both time-consuming and prone to error, leaving teams to choose between investing in data discovery and orchestration tools or simply trying to make due.
GO BACK
DOWNLOAD EBOOK
NEXT PAGE
Home
Don't go it alone
Keep reading >
The reality is that something as crucial to get right as cloud security must be a shared responsibility in which the cloud provider and the customer (or tenant) each have a valuable role to play. But customers are often not clear where their provider’s role ends and theirs begins. This lack of clarity not only creates shortages in the right resources and expertise on hand, it also introduces new attack vectors where breaches, hacks, and other threats can find their way in.
Clarity Is Key
In the words of Gartner: “CIOs must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’” Knowing the level of security controls your cloud vendor provides will allow your business to take proactive measures to secure your own cloud environment.
Through 2024, the majority of enterprises will continue to struggle with appropriately measuring cloud security risks.
Through 2025, 99% of cloud security failures will be the customer’s fault.
Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.
Cloud Predictions
"Is the Cloud Secure?", Gartner, 2019
How You Define Security Determines How You Address It
Endpoint protection
Compliance
Network security
Physical security
Data governance
Identity & access management
“Security” is a catch-all term that applies to many different considerations and scenarios. But there are specific security issues you need to understand to determine if you’re already protected or where you could be caught off guard.
Here are six top security issues to address (click each icon to learn more)
End user devices are still the most common target of attackers trying to gain access to corporate systems. Regardless of whether a device is physically connected to the network like as a desktop PC, connected to the corporate wireless network, or connected remotely with a laptop or mobile device, each of those devices represent an increase to the organization’s attack surface — a.k.a. the sum of all the different points that an attacker can use to gain access to an organization. Without proper endpoint protection to secure against threats of all kinds from devices, the organization is dangerously exposed.
Identity and access management
As more organizations sanction the use of BYO (Bring Your Own) devices and applications — already, more than half of North American and European companies have BYO programs — employees are increasingly leveraging different cloud platforms and applications with devices that may or may not be managed by the organization. This presents significant challenges in regards to security event monitoring and data governance— particularly when it comes to eDiscovery and regulatory mandates, for which the security requirements and user permissions built into each disparate application is woefully inadequate and incapable of scaling to the levels that security and litigation support teams secretly know need to be addressed. Clearly the number and complexity of users, devices and the applications they use—whether sanctioned or not—make it increasingly difficult to apply suitable security controls regardless of market vertical.
Each industry has its own compliance standards, such as HIPAA in healthcare, GLBA in financial services, and PCI for ecommerce and retail. And there may be significant overlap in regulations for many businesses. Organizations that fail to follow each regulatory standard to the letter could leave customer and other data without proper protection, opening themselves up to expensive breaches, lawsuits and fines.
Effectively managing all systems, identities, access and compliance means businesses have to establish how, where and when data is stored and how it’s permitted to be used. Basic data governance is a necessary—but often underdeveloped—piece of the puzzle from which many other plans and tactics dovetail. Without it, internal teams will struggle to lock down sensitive applications, set and oversee user permissions, and meet compliance requirements.
Threats can come from anywhere— outside the network or inside the network caused by inadvertent (or possibly purposeful) mistakes from employees. In addition to preventative network security measures such as firewalling and IDPS, proactive monitoring and alerting provides an essential detective control in the event that endpoint protections fail. The absence of these additional safeguards makes it more likely for sophisticated hacks and malware to penetrate the network or go unnoticed for longer, doing untold damage in the meantime.
Storing and managing data off premises in other locations, like data centers, requires physical security — for example, cages, biometric card readers and external security around the building’s perimeter — to prevent, but also alert to, physical threats. Gaps at any level of security leave hardware and other equipment vulnerable.
A Shared Responsibility Model
Whether you use Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), your general expectation should be that you are responsible for your own security in the cloud. This means your IT team still owns and is in charge of securing hardware, platforms, networks, operating systems and customer data — anything you retain control of within your own domain. On the other hand, your cloud provider is responsible for the security of the cloud. That is, they’re tasked with securing the cloud-based infrastructure they provide to you consisting of databases, the region where you’re serviced, storage and networking, and compute equipment and systems.
RESPONSIBLE FOR SECURITY "IN" THE CLOUD
CUSTOMER
RESPONSIBLE FOR SECURITY "OF" THE CLOUD
CLOUD PLATFORM PROVIDER
(INFRASTRUCTURE)
CUSTOMER DATA PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT OPERATING SYSTEMS, NETWORK & FIREWALL CONFIGURATION NETWORK, TRAFFIC ENCRYPTION, SERVER-SIDE ENCRYPTION & DATA INTEGRITY
STORAGE
NETWORKING
COMPUTE
DATABASE
REGIONS
AVAILABILITY ZONES
EDGE LOCATIONS
of employees use non-approved apps for work.
of users use password duplicates.
of secuirty incidents are caused by credential theft — including weak passwords and phishing scams.
Why SaaS Is Different
SaaS poses new challenges for organizations because the conventional security controls, which were employed to address security on managed devices and applications, are largely incapable of protecting organizational data and workloads in SaaS environments. Often, employees will go off-script and begin using applications and technologies either to fill a work-related niche or for personal use. These sort of “shadow IT” uses are supported by third parties, but not by your IT department, and are not necessarily approved for use, which can create a whole new set of challenges and headaches. For your organization to be successful adopting SaaS applications, your business end users should be the ones driving that adoption, but with every additional application comes an increase in an organization’s attack surface and unique security controls that must be leveraged to mitigate these new exposures.
Instead of administering security for SaaS top to bottom, it’s now the job of IT to identify when SaaS applications are brought onboard, discover where and how your users are accessing them, and then give your business teams specific security recommendations based on their findings, including how to set their own parameters and security controls. In a nutshell, your IT team now has to operate in more of an advisory role, rather than a tactical one, when it comes to SaaS.
80%
73%
81%
“SaaS services in the cloud involve thousands of microservices changing daily and the data bounces around in many places. For the bad guy, all he has to do is find the weak link in the chain.” Jonathan Rosenberg, Cisco
There are some important steps your organization can take to help secure your cloud-based infrastructure, platforms and applications, and neutralize the concerns that come with shadow IT.
Best Practices for Managing Shared Responsibilities
Establish contractual roles upfront
Within your IT team and each business unit, clearly lay out who’s responsible for what and how to respond in various scenarios. Include a process for approving a new app integration to eliminate shadow IT and the risks that come with it — think of it as an emergency exit or evacuation plan for business departments. As well, review your cloud provider’s services agreement to make sure you understand their roles, responsibilities and guarantees and where there might be overlap with your strategy.
4
STEP
Define security requirements upfront
Take an inventory of endpoints and core infrastructure, and assess the most vulnerable points and parts of the infrastructure. Then create an overarching data governance policy for addressing those vulnerabilities and share it with the larger organization.
2
Define access and enable multi-factor authentication
Build an identity-based perimeter around your business by defining user access and creating an access/identity management plan. Your plan should involve multi-factor user authentication such as a phone number and security code for network and application access, and biometric or card scanners for physical locations.
3
Get visibility into your environment and corporate data
Find out who is using which app, how often, and whether or not to sanction its use further:
1
Click each step for more information:
Create a list of all users of all SaaS applications. Determine if each application is preferred by IT or if it was acquired by a rogue employee. Set up a centralized IT account to monitor all application logins, activities, data and security parameters across the organization.
Introduction
Data Modernization 101
A mindset, not a toolset
Stronger together: OneNeck and you
Modernize you data today, take on the world tomorrow
The bulk of security responsibility falls to business IT teams, which requires a huge portion of their time, the right level of know-how, and often investment in additional resources. But your organization doesn’t have to solely rely on your existing team to make sure no security stone goes unturned.
At OneNeck, we build security solutions specifically for your unique needs with every tedious, but critical, detail considered for security and risk implications. It’s this attention to detail that has made us a preferred managed IT service provider for companies of all sizes, in just about every industry from coast to coast. Everything we do for our customers is built and managed to strict best practices that provide a level of operational excellence achieved through rigorous ITIL process and procedure, best-in-class technology, top-tier certified data centers and truly exceptional engineering talent.
Don't Go It Alone
Keep Moving Forward. WE GOT YOUR BACK.
Contact OneNeck today to find out how our IT solutions can help secure your cloud-based infrastructure, platforms, and applications to reduce the threat of data breaches, hacks and malware.
