Cloud Providers, Users Share Security Responsibilities

By Miriam Bello | Wed, 06/01/2022 - 18:14
While cloud computing services have been celebrated for enabling the digital transformation, their rapid assimilation has inadvertently created unique opportunities for cybercriminals to exploit. Protecting against these threats is a responsibility equally shared by the cloud provider and the customer, agreed industry experts.
“There are responsibilities of providers and of clients. Although the cloud is software-as-a-service (SaaS), about 85 percent of the settings to control it belong to customers and depend on them to be configured,” said Arnulfo Espinosa Domínguez, President of Tech and Cybersecurity, CT IMEF, and President, ARES Alliance.
Cloud security involves a broad set of technologies, policies, controls and services that protect cloud data, applications and infrastructure from threats. The security responsibilities that always belong to the cloud provider pertain to safeguarding the infrastructure itself. They also include the measures needed to provide access to, patch and configure the physical hosts and networks on which the compute instances run, according to Check Point. The customer's security responsibilities include managing users and their access privileges (identity and access management), safeguarding cloud accounts from unauthorized access, encrypting and protecting cloud-based data assets and managing their security posture.
Under this model, each player is responsible for what is under their control. “If you can configure various privacy and security settings, you have to do it and also back up the data that is in the cloud because it can also be lost. Thus, it is important for companies to generate cyber resilience,” said Oscar Salgado, CIO, Grupo Mexicano de Seguros, and President, Tech Committee, AMIS.
Companies must also be aware that in the cloud there is no perimeter to protect as there is on premises. “On-site systems allow companies to know the amount of computer equipment present on premises, its configuration and the physical space it uses, but in the cloud there is no perimeter; the infrastructure is shared with other users unless it is private,” said Salgado.
The new hybrid cloud model is causing further challenges. For that reason, a homogeneous strategy and a coherent infrastructure are fundamental and can be achieved by documenting each cloud a company has and developing a personalized treatment and approach for each, said Espinosa.
To have a clear sense of shared responsibility, companies must ensure they have clear control objectives, explained Francisco Carlos Martínez, Head of Security Architecture, Santander. “The cloud is an extension of the data center and it is also an infrastructure of different actors and services. Thus, assuming responsibility for safety is implied. Nonetheless, regulations still have to be clear on the responsibility between cloud provider and customer in case of breaches,” said Martínez. Furthermore, contracts should include a clause with security requirements and compliance with standards, he added.
While a fast response is key, security should be implemented from the ground up. “We must not forget that there is a fundamental step that can set the ground for a much safer cloud and this is its configuration from the very beginning,” said Lorena Bravo, CTO, Oracle. Bravo said that 65 percent of cloud breaches were caused by poor configuration, and 43 percent of those by the use of unencrypted databases. “Companies do not identify the catalog of sensitive data, so they cannot create the perimeter to protect it nor create a security strategy to prevent [attacks],” said Bravo.
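As an added illustration of the customer side of the shared-responsibility model described above (the settings a customer must configure: encryption of data at rest, public exposure, least-privilege IAM and backups), the following Python script is not code from the article, from any of the speakers or from any cloud vendor. It audits a constructed inventory of resources against those controls and shows the weak configuration beside a corrected one. The resource schema (`type`, `encrypted_at_rest`, `public_access`, `backup_enabled`, `data_classification`, `actions`, `resources`) and the `remediate` function are hypothetical; real providers expose equivalent settings through their own APIs and field names.

```python
"""Minimal cloud-posture checker (added illustration, not any vendor's tool).

Evaluates a constructed inventory of customer-controlled settings against
the controls the article assigns to the customer: encryption at rest,
public exposure of sensitive data, IAM privilege scope and backups.
The field names below are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    severity: str
    message: str


# Constructed sample inventory (hypothetical schema and identifiers).
SAMPLE_INVENTORY = [
    {"id": "storage/customer-records", "type": "storage",
     "encrypted_at_rest": False, "public_access": True,
     "backup_enabled": False, "data_classification": "sensitive"},
    {"id": "storage/static-site", "type": "storage",
     "encrypted_at_rest": True, "public_access": True,
     "backup_enabled": True, "data_classification": "public"},
    {"id": "iam/role/etl-job", "type": "iam_role",
     "actions": ["storage:Read", "storage:Write"], "resources": ["*"]},
    {"id": "iam/role/report-reader", "type": "iam_role",
     "actions": ["storage:Read"], "resources": ["storage/static-site"]},
]


def check_storage(res):
    """Flag unencrypted, publicly exposed or unbacked-up storage."""
    findings = []
    sensitive = res.get("data_classification") == "sensitive"
    if not res.get("encrypted_at_rest", False):
        findings.append(Finding(res["id"], "high" if sensitive else "medium",
                                "data at rest is not encrypted"))
    if res.get("public_access", False) and sensitive:
        findings.append(Finding(res["id"], "critical",
                                "sensitive data is publicly accessible"))
    if not res.get("backup_enabled", False):
        findings.append(Finding(res["id"], "medium", "no backup configured"))
    return findings


def check_iam_role(res):
    """Flag write permissions granted on every resource (no least privilege)."""
    findings = []
    writes = [a for a in res.get("actions", []) if not a.endswith(":Read")]
    if "*" in res.get("resources", []) and writes:
        findings.append(Finding(res["id"], "high",
                                f"write actions {writes} allowed on all resources"))
    return findings


CHECKS = {"storage": check_storage, "iam_role": check_iam_role}


def assess(inventory):
    """Run every applicable check and return the list of findings."""
    findings = []
    for res in inventory:
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def remediate(res):
    """Return a corrected copy of one resource (hypothetical remediation)."""
    fixed = dict(res)
    if fixed.get("type") == "storage":
        fixed["encrypted_at_rest"] = True
        fixed["backup_enabled"] = True
        if fixed.get("data_classification") == "sensitive":
            fixed["public_access"] = False
    elif fixed.get("type") == "iam_role" and "*" in fixed.get("resources", []):
        # Placeholder scope; real remediation needs the actual resource list.
        fixed["resources"] = ["<scope-to-specific-resources>"]
    return fixed


if __name__ == "__main__":
    before = assess(SAMPLE_INVENTORY)
    for f in before:
        print(f"[{f.severity:8}] {f.resource}: {f.message}")
    print("before:", summarize(before))
    print("after: ", summarize(assess([remediate(r) for r in SAMPLE_INVENTORY])))
```

Running the script lists four findings for the weak inventory (one critical, two high, one medium) and none for the remediated copy. The point of separating `assess` from `remediate` is that posture management is a continuous check on customer-owned settings, not a one-time setup step; the same checks can be re-run whenever the inventory changes.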
The Privacy by Design (PbD) concept holistically aims to embed privacy into the earliest phase of the development lifecycle. “Data protection through technology design will protect data processing procedures and will help these processes to best integrate with the technology,” said Juan Carlos Carrillo, Director of Cybersecurity, Privacy & Forensic Services, PwC. However, in the worst-case scenario in which a company suffers a data breach, transparency with its clients is the best policy, according to Carrillo.
Transparency with those affected will damage the final user’s confidence less than keeping the data breach secret, said Salgado. Preparedness is also key. “Companies will need to explain and recommend what to do with the leaked information. These companies should also have a crisis group ready to mitigate the impacts of the leak. Doing nothing greatly affects their image,” said Salgado. Also essential is reporting data breaches to other cybersecurity companies to avoid similar attacks, said Carrillo.
Many companies are unprepared and slow to react to cybersecurity attacks. “When a cyberattack is successful, it takes 2.5 weeks for the affected company to notice the breach and it takes it three more weeks to mitigate it,” said Bravo. This slow response calls for a more proactive approach to cybersecurity. “We can no longer have reactive cybersecurity models. Instead, we need continuity plans,” said Bravo.
For companies to have a safe cloud, “shared responsibility, transparency, best practices and sticking to regulatory processes are to be the fundamental steps to follow after a company has integrated PbD on its cloud,” said Martínez.