Maksim Kabakou - Fotolia

Security Think Tank: In the cloud, the buck stops with you

Misconfigured cloud environments are increasingly identified as the source of damaging data breaches and leaks, raising serious questions for enterprises. Where does responsibility for data security in the cloud lie, and how can security professionals best work with their teams and cloud providers to resolve the problem?

The cloud conversation has been going on for a very long time, as has the legion of misunderstandings and assumptions about it.

Having at one time achieved almost mythical status as a cost-saver and problem-solver, the current vast range of offerings and of varying quality that now fall within this area means we are never really talking about the same thing unless we have clearly defined and agreed it.

So, take the word “cloud” out of this for a moment and instead let us talk about misconfigured IT environments, whether self-hosted, third party hosted or within the mythical cloud. 

Misconfigured environments have long been identified as a source of data breaches. But the failure to effectively manage, patch and secure infrastructure comes second only to user error.

The root cause of both is a lack of due diligence, oversight, education and effective audit, often compounded by a lack of effective audit of supply chain overall – which we will discuss later.

These deficiencies are compounded in the technical world by the preposterous continuing approach of performing annual testing, instead of testing that is intrinsically embedded within the change and configuration control process. This, in turn, continues to allow vulnerabilities to go unidentified, sometimes for months on end.

When we talk about cloud, security has always been a shady area. Understanding of the concept of cloud remains low, and much of the resulting confusion and breaches are therefore not a huge surprise.

Consider cloud within the context of supply chain assurance – did you buy from a broker or go direct? What exactly have you bought and what assurance have you bought along with it? What does your service-level agreement (SLA) say? Do you know what onward subcontracting is going to take place, thereby extending your supply chain?

Research out of the Ponemon Institute would indicate that only 35% of businesses keep any kind of list of who they share sensitive data assets with, and only 18% of that group are aware of who those businesses share those assets with – whether that’s ongoing or extended supply chain. How often does anyone ask their cloud provider for the results of their assurance testing?

Far from acting like a grateful supplier, some cloud service providers expect the customer to be grateful to them. This is not a new attitude; we have seen it for years in datacentres (just try asking one if you can audit their security).

This history of looking the wrong way down the telescope has caused the continuation of some risky assumptions and business practice. It has left much of this area with a lack of governance, and from this the security issues fall.

We know from the National Cyber Security Centre (NCSC) that most successful incursions into networks exploit vulnerabilities that have been known about for more than a year.

Why are we so focused on zero-day exploits when our digital front door is wide open? This applies to cloud as it does to every other environment, but our lack of oversight and the lack of desire to take control of auditing for assurance of this environment is what has allowed the proliferation of breaches through it.

If your own IT professionals are not able to manage and maintain a secure environment, why do you blindly believe that someone else’s can?

Ultimately, while we can make service providers responsible for keeping our data safe, we have to acknowledge that the accountability remains ours and ours alone.

Read more on Cloud security

Data Center
Data Management