Who Is Responsible for Cloud Security and Compliance?

Encora | November 02, 2021

Mitigating the Risks of Unauthorized Access and Data Breaches

Cloud computing has become a global, indispensable asset for 97% of businesses and governments to open up collaboration, lower costs, and accelerate innovation.

Despite the advantages of cloud adoption, one McAfee study found that a quarter of organizations using public cloud services have undergone data theft by malicious actors and 20% have been breached by advanced attackers. Yet 83% of organizations continue storing sensitive data in the cloud.

As the complexity and frequency of attacks increase, public and private organizations must assess their cloud security effort. It’s necessary to develop a strong data protection strategy to prevent unauthorized access and secure cloud computing environments against external and internal cybersecurity threats. This effort begins with organizations understanding their own role and responsibility in their cloud security.

This post covers who is responsible for cloud security and regulatory compliance, the common cybersecurity issues in cloud computing, and how to mitigate them—especially when working with a third party.

The Shared Responsibility of Cloud Security and Compliance

Although most cloud service providers (CSPs) do their best to create a secure cloud environment for their customers, CSPs cannot control how an organization uses its service.

Many organizations assume that security falls solely on the CSP and therefore accept weak access controls, lax policies, and poor configurations while also storing sensitive data in the cloud—unknowingly creating their own cybersecurity vulnerabilities.

The level of cloud security an organization is responsible for varies depending on the category of cloud computing they use: private, public, or hybrid. Based on the type of cloud service, the organization may be responsible for securing its applications, virtual network traffic, and operating systems. No matter the cloud service, the organization and its users are always responsible for securing their own data and access.

In other words, every organization must understand what data they have put in the cloud, who has access to it, what level of protection they have applied, and what level of protection their CSP provides.

Similarly, organizations using the cloud often mistakenly believe the CSP carries sole responsibility for the compliance of the data stored there.

Although cloud providers strive to provide compliant services and platforms, organizations are ultimately responsible for the compliance of the data they store, their applications, the infrastructure their applications require, and the services provided by third parties.

Additionally, many compliance regulations require continuous monitoring, periodic auditing, and regular testing of operations.

An enterprise, therefore, must understand its role in regulatory cloud compliance and know exactly how its data and processes in the cloud (data storage, retention policies, user access, password policies, etc.) are affected by government and industry regulations.


Common Cloud Security Concerns

The most common cloud security concerns centered on data and access are the following:

  1. Poor visibility into the data stored in cloud applications
  2. Malicious actors (internal or external) stealing data from a cloud application
  3. Inadequate control over access to sensitive data
  4. No ability to monitor data in motion to and from cloud applications
  5. Shortage of expert staff able to properly manage cloud application security and security tools
  6. Inability to prevent the unintentional misuse of data by insiders
  7. Failure to maintain regulatory compliance

Mitigating Cloud Security Issues

Whether cloud services are a primary part of the business strategy or not, if a business is using cloud services, action must be taken to mitigate vulnerabilities.

To protect an organization and its data, the organization can:

  1. Scrutinize the CSP’s security initiatives.
  2. Conduct third-party auditing with shared reports.
  3. Integrate security into the development life cycle instead of relying on a separate security team by using DevSecOps processes. DevSecOps improves code quality and reduces vulnerabilities.
  4. Help security professionals keep pace with the increasing volume and complexity of security threats. Free up their time where possible. Make use of management tools and automate mundane tasks.
  5. Unify security with a centralized management system across all services and providers. Using several management tools makes it easy for details to fall through the cracks. A centralized management system will curb complexity.
  6. Consider security an everyone issue and prioritize security education programs for every member of the organization.
  7. Prioritize robust security systems and training for personnel when selecting a third-party service provider.

For more information about the technologies and frameworks that prevent security breaches and data loss, download Encora’s eBook, Cybersecurity: Challenges and Solutions for Fast-Growing Companies.

Avoiding the Risks of Cloud Noncompliance

Although it’s the organization’s responsibility to comply with laws and standards, it isn’t necessary to navigate the complexities of compliance alone. Compliance software and third-party service providers can help businesses meet full compliance.

A few things to keep in mind, even when working with a third party, are:

  1. Remember that certified compliant cloud service providers do not make a business compliant by default. An IT team must use the service in a compliant manner and ensure the provider maintains its initial compliance.
  2. Ensure proper data access control is in place. This includes properly configured endpoint controls. During an audit, businesses must know who has access to what data in the system and will need to prove the level of each user’s access as well as how they maintain this system. If an enterprise has unintentionally allowed unauthorized access to information on a private cloud, a security compliance audit can uncover this non-compliance issue, putting the organization at risk of heavy fines, penalties, and lawsuits.
  3. Read the fine print. Never assume a cloud service provider’s terms and conditions meet an organization’s specific requirements. The SLA should include clearly defined roles and responsibilities around data breach remediation and incident response execution.
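The audit question in item 2, "who has access to what data", is answerable only if the organization's own grants are reviewed; a certified provider says nothing about them. The following is an added example, not code from the post or from Encora: it expands a constructed, hypothetical grant format (not any real provider's policy language) into an access matrix and flags the findings an access review would raise, such as anonymous access to sensitive stores or wildcard resource grants.

```python
from fnmatch import fnmatch

# Constructed sample inventory: data stores tagged by sensitivity (hypothetical names).
DATA_STORES = {
    "s3://customer-pii": "sensitive",
    "s3://marketing-assets": "public",
    "db://billing": "sensitive",
}

# Constructed sample grants. Principal "*" means any/anonymous principal;
# "*" in resources is a wildcard. Hypothetical format, not a real provider's.
GRANTS = [
    {"principal": "alice", "actions": ["read"], "resources": ["s3://marketing-assets"]},
    {"principal": "bob", "actions": ["read", "write"], "resources": ["*"]},
    {"principal": "*", "actions": ["read"], "resources": ["s3://customer-pii"]},
    {"principal": "svc-billing", "actions": ["read"], "resources": ["db://billing"]},
]


def access_matrix(grants, data_stores):
    """Expand wildcards into {principal: {resource: set(actions)}}: the audit's evidence."""
    matrix = {}
    for grant in grants:
        for resource in data_stores:
            if any(fnmatch(resource, pattern) for pattern in grant["resources"]):
                matrix.setdefault(grant["principal"], {}).setdefault(resource, set()).update(grant["actions"])
    return matrix


def who_can(matrix, resource, action):
    """Sorted principals holding `action` on `resource`: the per-store question an auditor asks."""
    return sorted(p for p, res in matrix.items() if action in res.get(resource, set()))


def review_findings(grants, data_stores):
    """Flag what an access review should question: anonymous access to sensitive data, wildcard grants."""
    findings = []
    matrix = access_matrix(grants, data_stores)
    sensitive = sorted(r for r, level in data_stores.items() if level == "sensitive")
    for resource in sensitive:
        for action in ("read", "write"):
            if "*" in who_can(matrix, resource, action):
                findings.append(f"{resource}: {action} allowed for any principal")
    for grant in grants:
        if "*" in grant["resources"] and grant["principal"] != "*":
            findings.append(f"{grant['principal']}: wildcard resource grant also reaches {sensitive}")
    return findings


if __name__ == "__main__":
    for line in review_findings(GRANTS, DATA_STORES):
        print(line)
```

The same matrix doubles as audit evidence: `who_can(matrix, "db://billing", "read")` lists every principal that can read the billing store, which is exactly what an auditor asks to see.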


Filtering for Security-Minded Vendors

Many organizations collaborate with external teams for cloud services: cloud application development, migration of on-premises cloud applications, on-demand SaaS product engineering, cloud architecture, implementation, management, and support.

Even though these cloud services are not directly security services, it’s important to scrutinize the vendor’s security and compliance practices during the selection process, before collaborating.

When selecting a secure vendor for cloud enablement, filter for:

  1. The steps they take to prevent data loss, unauthorized access, and IP-related risks
  2. How they handle data privacy and regulatory compliance
  3. The data security and compliance training their specialists receive
  4. The secure software development frameworks they use
  5. Their experience in secure product development
  6. Their internal security policies and how often those are revisited


Key Takeaways

  • The level of cloud security an organization is responsible for varies depending on the category of cloud computing they use: private, public, or hybrid. The organization may be responsible for securing its applications, virtual network traffic, and operating systems, but no matter the cloud service, the organization and its users are always responsible for securing their own data and access
  • There are many tools and frameworks available to control access and prevent data loss, including DevSecOps. You can read about them in Cybersecurity: Challenges and Solutions for Fast-Growing Companies. One of the critical recommended pieces is a centralized management system across all services and providers
  • The organization, and not the CSP, is ultimately responsible for the regulatory compliance of the data they store, their applications, the infrastructure their applications require, and the services provided by third parties
  • When selecting a third-party vendor for cloud enablement services, it’s important to scrutinize their security and compliance practices


About Encora

Fast-growing companies trust Encora as a cloud enablement partner because Encora strives to prevent data loss and unauthorized access while also adhering to data privacy laws and regulatory compliance policies.

Encora’s approach to identity & access management (IAM) and cybersecurity is holistic. That means we incorporate the people, processes, and technology—expert specialists, agile frameworks, and leading-edge tools. Encora offers custom, comprehensive cloud solutions that drive transformational outcomes for our clients. Whether developing in the cloud, implementing cloud architectures, or providing cloud management, Encora can help.