Who is responsible for cloud security? 

March 15, 2023

The widespread adoption of the cloud, which skyrocketed during the pandemic, widened the attack surface considerably and put businesses in every industry at risk. This is particularly true for smaller entities, which lack the massive security budgets needed to secure every potential weakness in their environments.

This year, most companies, including small to medium-sized enterprises (SMEs), have migrated at least a portion of their workloads to the cloud and are running hybrid environments. Unsurprisingly, as the uptake of cloud technologies increases, these environments become a more attractive target for attackers – after all, cybercriminals are like pickpockets: they go where the crowds are.

But it’s not just the cloud’s popularity that is seeing cloud attacks soar; many businesses are making it too easy for attackers. Misconfigurations and unpatched vulnerabilities are the top culprits when it comes to opening the gates for ransomware actors and other criminals to gain a foothold in a company’s network.

Without the security teams needed to manage every potential entry point, SMEs are especially vulnerable. They simply lack the resources to trace and pinpoint resource misconfigurations in their infrastructure-as-a-service (IaaS) and other cloud investments, and often do not routinely scan these systems to root out any software vulnerabilities. 

Another challenge that organisations face, and again, smaller businesses in particular, is a lack of visibility into their cloud environment configurations and resources. This is a major problem, because visibility is key to being able to detect compromises before they become a problem and mitigate them to prevent further damage. 

Again, while most entities realise the need for total visibility, a lack of resources is hampering their efforts. Only a handful of smaller businesses have the budgets and skills needed to continuously detect, investigate, and eliminate threats in their cloud environments. Sadly, even fewer are able to respond to security incidents on a 24/7 basis.

This is where having a managed service provider can help, as they have the know-how to implement strong cloud security practices and understand the attack surface well enough to know what technologies are needed to close some of the gaps in cloud security. 

Either way, businesses of all sizes and in every vertical have to start addressing cloud risks by taking several steps. Firstly, never assume the cloud provider is taking care of security. While they might have certain tools and measures in place, the buck ultimately stops with the business.

This assumption arises because not enough businesses understand the concept of shared responsibility and think that moving everything to the cloud means it will all be secured by default. It doesn’t work like that. This is as dangerous a misconception as believing that the cloud is inherently risky and that on-premise environments are much safer.

It is crucial to always read any cloud provider’s contract, as this will establish which elements of security are the purview of the customer, and which the cloud provider is responsible for. Never just assume security is handled by the provider.

Moreover, don’t assume the cloud is more secure than on-prem. Always approach principles of cloud security in the same manner as you would for in-house systems’ security. At the same time, understand that the risks and threats will differ in each environment, and allocate resources accordingly. 

Finally, address any gaps in visibility – you cannot secure what you cannot see, so this must become a priority. Once you know where your vulnerabilities lie, you can start to plug those holes.
