Who Is Responsible for Your Cloud Security?
Today, one-third of U.S. businesses use the cloud, and the number of cloud consumers is expected to keep growing. According to research, the global cloud computing market size is expected to grow from USD 371.4 billion in 2020 to USD 832.1 billion by 2025, at a Compound Annual Growth Rate (CAGR) of 17.5% during the forecast period.
Security has traditionally been a barrier to cloud adoption. Nevertheless, clouds are becoming a major part of IT, so businesses must pay maximum attention to security issues, moving away from the typical security settings, which are often insufficient in the face of constantly changing requirements. While cloud vendors are working hard to ensure infrastructure reliability, that does not mean customers can ignore the security issues.
The more popular the use of cloud infrastructure, the more risks arise. They relate both to human factors and to the technological features of virtualization. Therefore, when moving from traditional on-premise systems to virtual, there is a need to improve the security of cloud services.
Cloud providers delivering IaaS virtual infrastructure must provide quality services with reliable protection and a high level of security. Security risks associated with enterprise IT systems and cloud technologies are the following:
Internet attacks. Every IT system, including cloud systems, is subject to threats coming from the network. This can be hacking, hacker attacks, DDoS, and others.
Isolation errors. Virtual servers from multiple clients are often hosted on the same physical machine, so there is a risk of data leakage if isolation is not properly configured.
Physical security. Reliable providers place the equipment only in certified data centers, which must meet the requirements of Tier, and have a high level of fault tolerance.
Compliance with existing security standards. In order to provide services to certain customers, a cloud provider must be certified and have a license to provide services. For example, this applies to personal data protection services. In this case, the cloud must be certified.
Malware. If one virtual server compromised, other machines may also be affected. For this reason, it is important to secure the operating system and isolate virtual servers not only for the customer but also for the cloud service provider.
Sensitive data leakage. Incorrectly configured security policies are the main reason for system hacks and hacker attacks. To protect data from leakage and theft, a provider must clearly prescribe all security policies and rules at every level. They also should use special tools and encrypt transmitted and stored data.
Server non-availability. The demand and popularity of cloud infrastructure are driven by the high availability of virtual machines, but sometimes this can be disrupted. IaaS providers must build a fault-tolerant architecture, otherwise, the reputation will suffer and it will lose customers.
Cloud security: who is responsible for it?
2020 was one of the darkest years for cybersecurity. Researchers recorded a huge spike in phishing attacks on the banking and medical sectors. The largest leak was at cosmetics company Estee Lauder, with 440 million records leaking into the hands of hackers.
Although cloud systems are not completely safe and the risks do exist, security professionals still trust IaaS providers. According to the research, more than 50% of organizations store customer personal data in the public cloud. Cloud provider initially creates a secure infrastructure, following recommendations and using best practices. Security is ensured at all levels of virtual infrastructure: physical, regulatory, network and application. In addition, they properly organize a disaster recovery strategy.
All security policies are supported by documents following a security audit by a third-party organization. This ensures the reliability of the IaaS provider's cloud infrastructure. System and security testing is a centralized process in which all components of the virtual infrastructure are tested.
Security control should be carried out with the establishment of responsibility levels – this allows all parties to participate in the protection of information. Customers are the only ones responsible for insider threats, and the provider cannot guarantee the mitigation of such risks. Some countries have recorded cases of data leaks by large companies, and often this is employees who hold the blame.
In the SaaS model, the provider is responsible for the security of the infrastructure, virtual platform, and software. The customer receives a safe, secure, and reliable service at no additional cost.
With PaaS, the customer is responsible for the risks of the application as well as its data. The provider is responsible for the protection of the operating system and hardware platform.
IaaS implies that the customer can use its own protection tools to secure individual virtual servers. This helps to control the security risks of not only the machine but also its data, including the underlying infrastructure. The service provider is responsible for data storage, the security of computing resources, and the network component.