This is the newest installment of a recurring monthly guest column by Envision's COO, Jason Albuquerque, featured on Providence Business News. In this article, Jason shares his thoughts about the challenges of cloud security.
As the influence of digital transformation takes hold, we have seen widespread and global adoption of cloud-based technology services. Forrester Research recently cited in its “The State of The Cloud In The US, 2022” report that on average, technology decision-makers have migrated 45% of their total application portfolio to a public cloud. They also anticipate an additional 13% will move by 2023.
While the advantages of migrating to cloud technologies have had extraordinary impacts on our businesses, including lowered costs, rapid innovation and streamlined operations, leaders must be diligent as they migrate and manage these environments. They must have strategies in place so that they can attain those critical outcomes, without adding a tremendous amount of additional risk.
Just as clouds in the sky don’t automatically protect us from harmful UV rays – despite what we were told growing up – don’t assume there’s less risk in cloud-based technology services.
Cloud cybersecurity risk has exponentially grown into a monumental problem over the last few years, because of the high rates of adoption of these technologies. Barely a day goes by without the headlines calling out a security incident that involves some type of cloud platform. Just last year, cybersecurity researchers found that a local Massachusetts company exposed over 1.6 million files from dozens of municipalities in the United States. This was the result of 80 misconfigured cloud storage container services in the Amazon cloud.
With businesses now relying so heavily on cloud solutions, of course cybercriminals are quickly taking advantage of weaknesses of these architectures. So, it is critical that businesses take a more detailed approach to their cloud migration strategies so that they can proactively mitigate business risk. To realize the best outcomes from your cloud strategy, business leaders must understand the most common risks, and how to avoid them.
A common misconception of migrating to the cloud is the mistaken belief that cloud platforms and services are fundamentally secure. Many customers work under the false impression that storing data, hosting software, or using platforms in the cloud is an easy button to an improved security posture. The unfortunate reality is that there is no short cut to securing your cloud environments. When it comes to cybersecurity accountability and liability, every cloud provider leverages a “shared responsibility” model.
"A common misconception of migrating to the cloud is the mistaken belief that cloud platforms and services are fundamentally secure."
- Envision's COO Jason Albuquerque
Now cloud providers do take some responsibility for certain security aspects. Typically, it is the physical infrastructure as a baseline, but additional security measures most often depend on the subscription you purchase and/or the service you consume. The customer is always responsible for properly configuring and using the services securely. Consumers of cloud services must understand in detail what security features they are responsible for. Having the know-how, to appropriately configure and maintain a strong security posture in their cloud environment to meet businesses' specific security and compliance requirements, is a must.
Business leaders must also recognize that simply because a provider is certified or compliant with regulatory standards like PCI DSS, HIPAA, etc., that compliance is not guaranteed. Many cloud providers promote at length that their services comply with information security standards and regulations – but know that does not mean that the platform automatically conforms with those best practices.
The terms of many cloud providers state that compliance is “enabled upon additional configuration,” meaning that it is the consumer’s responsibility to ensure that configurations are set correctly and are compliant. One minor misconfiguration could deem a platform noncompliant and add an enormous amount of risk to the business.
Organizations must periodically assess their risks in a cloud environment as well. The thought that you eliminate or lessen the need to assess risk in a cloud environment is 100% myth. Auditing your cloud environments, based on industry best practices, will ensure proper visibility into vulnerabilities, misconfigurations, and other cybersecurity and compliance risks, so that they can be remediated in a timely fashion. Periodic assessments ensure that your organization has the information needed to manage a secure and compliant cloud strategy.
Cloud platforms can impact our organizations in innovative and positive ways but know that even while under the umbrella of cloud cover, we still need to protect our organizations from the risks.