With an increasing demand for flexible, mobile, and location-independent work environments, organisations have to adjust and take advantage of cloud computing. More and more confidential data is moving outside traditional network configurations. As a result, the risk of data breaches, and consequently the need for cloud data protection, is increasing rapidly.
The most critical interface where breaches occur is the access point for data stored in the cloud. Many enterprises using cloud service models, such as IaaS, PaaS, and SaaS, are exposed to data loss because of misconfigured cloud environments.
What do Optus, the AFL, and Service NSW have in common?
Among many others, they appear on the 2020 Data Breach List of Webber Insurance Services. According to the 2018/19 BDO and AUSCERT Cyber Security Report, the average cost for a data breach climbed to almost $AU2 million in the past couple of years, and healthcare and education were two of the most attacked sectors.
Cloud security is a shared responsibility
For CIOs and IT departments, these facts raise many questions:
- How can we protect our team and organisation from cyber-attacks?
- How can we optimise the partnership with our cloud services provider?
- Who is responsible for what in the cloud environment?
Choosing an IT service provider and moving data, storage, and infrastructure to the cloud for reasons of flexibility, efficiency, and cost reduction does not relieve an organisation of its responsibility for data security.
The continuous challenge is to find a balance between being agile and flexible and being able to protect the organisation’s sensitive data, as cloud security is a shared responsibility between teams in the organisation and the cloud services provider.
Depending on the cloud vendor and the type of service a client is using, there can be different models in place. Here are some general guidelines:
1. IaaS (Infrastructure as a Service)
The cloud provider is typically responsible for the physical infrastructure, network interfaces, processing and hypervisors. The client manages the virtual network, virtual machines, operating systems, middleware, applications, interfaces and data.
2. PaaS (Platform as a Service)
In a PaaS model, all software and hardware are operated in the cloud, and the provider delivers applications via the public Internet, VPN, or other networks. The client is responsible for the use of applications, interfaces and data.
3. SaaS (Software as a Service)
The provider is responsible for the security of the platform, including physical, infrastructure, and application security. The client who accesses the applications via the public Internet is responsible for the protection of interfaces and data.
Control of data access is still your duty
No matter which model you choose, as the client you will always be responsible for controlling access to the data, the critical interface for malicious attacks, and for putting the appropriate cloud security measures in place to protect your organisation from data breaches.
To do this, it is fundamental to understand your specific business needs, such as your technical service, security, data governance, and service management requirements. This is particularly important for larger organisations, which are operating several cloud computing models at once. The more complex your requirements, the more security management you need.
When choosing your cloud provider, it is essential to consider the following security measures: security policies and infrastructure, data backup and retention, visibility, certifications and standards, and governance and policies.