Security IN the Cloud vs Security OF the Cloud

I like to correct persons who say that Cloud Services is tomorrow’s reality, I think it’s already yesterday’s or at least today’s’ reality. Actually, by the year 2019 90% of companies were on the cloud (Source: 451research.com) whether one-foot there and all-in.

Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, and other public cloud platforms provide many benefits to organisations, allowing them to be more responsive, available, cost-efficient, and to have much quicker time-to-market. Cloud also provides many new security capabilities (strong identity and access management, policy enforcement, layered security, threat protection), but that doesn’t mean organisations shouldn’t worry about security in their AWS, Azure, GCP, or other platform’s environment.

Gartner estimates that through 2025, 99% of cloud security failures will be the customer’s fault. This is a kind of shocking fact. AWS even invented the now-famous shared responsibility model to educate customers on these risks and their role in protecting their workloads, but it looks like most organisations still don’t get it and still don’t get the difference between “Security OF the Cloud” and “Security IN the Cloud”. The latter one is the one we should understand better and master to show by the year 2025 that Gartner was wrong 😎

What’s the Difference and Why Should You Care?

“Security IN the Cloud” and “Security OF the Cloud” sound like both could be just different ways of saying the same thing, but they are two separate forms of security. They also represent the undergoing shift in the mindset of modern IT security practitioners.

Security OF the Cloud:

• refers to the safety of the cloud itself for running applications, storing data and processing transactions,
• involves the procedures and technology that secure cloud computing environments against both external and insider cybersecurity threats,
• when using a public cloud, data and applications are hosted with a third party, while in traditional IT most data was held within a self-controlled network.

Security IN the cloud:

• refers to the safety and awareness of the users that use cloud computing to store, process, and exchange data,
• like when using Gmail, Microsoft Office 365, and other applications operating in the cloud, no vendor can secure your account if you give your password to a stranger,
• organisation as the application/ product owner is responsible for securing applications, web-services, storage access, OS, supporting infrastructure, and other assets running IN the cloud,
• organisations that rely solely on a cloud vendor’s built-in security are exposing their organisation to unnecessary risk.

Shift from traditional perimeter-based security to data-based security

The main reason organisations still face security breaches and, especially, the ones caused by simply cloud misconfiguration, is that IT security practitioners lag behind the shift from traditional IT to cloud & mobility driven IT.

What is driving the change?

In most organisations life before cloud, BYOD and mobility looked like this:

Organisations’ IT had a well-defined perimeter, which could be properly guarded

• organisation resources were accessed via managed devices and networks only,
• only sanctioned apps were installed by IT,
• IT had layers of defences protecting internal infrastructure, resources, and business applications,
• IT had a known security perimeter and full visibility.

These days, a typical organisation with cloud and mobility-empowered users look like this:

Organisations’ IT perimeter is blurry and its data is scattered in many different locations

• user now can (and needs to) access data from anywhere,
• user now can (and wants to) chooses apps, which sometimes brings to unsanctioned/ shadow IT,
• data is heavily shared by users and cloud apps (users decide how to share data),
• IT has pretty limited visibility and protection of organisation’s data.

Focus shifts from the perimeter to the data that needs to be protected

Above mentioned extinction of organisation’s clear IT perimeter forces the shift of focus from perimeter-based security to data-focused security.

Shared responsibility model

Ok, now we know that we need to take care of our data in the cloud, but the next important thing to understand is the level of responsibility organisation shares with its cloud vendor.

It’s not a secret, but most organisations don’t understand the level security responsibility they keep on their own while in the cloud

I already mentioned the shared responsibility model, which is pretty well defined by AWS and now all public cloud providers. To make it even easier to understand, I always like the famous comparison with “Pizza as a Service”, you can find in many forms over the internet.

Cloud’s shared responsibility model simplified

Strongly recommend having a look at shared responsibility models provided by the most popular public cloud providers:

• AWS: https://aws.amazon.com/compliance/shared-responsibility-model/
• Microsoft: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
• Google: https://services.google.com/fh/files/misc/gcp_pci_srm__apr_2019.pdf

Few upcoming related articles

If you found this article interesting, you might want to come back here later, because I am going to post few related articles on:

1. Key security risks IN the Cloud — In a nutshell, just to better understand what security risks organisation can expect to face in the cloud, the following article will cover a few of the key security risks IN the Cloud.
2. Top 5 competencies IT security specialist needs to have in a modern organisation — there will also be an article which will cover most important new competencies of modern IT security specialist.