Trusting the cloud: It's a two-way street (Pt.1)

Clarisse Ilustre Medallo
Conversation Designer @ Human Managed
October 7, 2020

You're probably wondering why a Conversation Designer is concerned about Cloud Security. Pre-HM, I would say I can't be bothered with these matters. But sitting in Security Awareness meetings and seeing how cyber attacks are executed these days made me confirm the fact that Security is not just IT's business: it's everybody's business.  

I had second thoughts writing about this knowing that it's a "basic" topic among security practitioners. However, as I observed during our Cyber Security Platform (CSP) demo to a board of directors, the resounding question was, "Is our data safe in the cloud?" As leaders of the organization, it's important for them to get such assurance if they're subscribing to a service that's hosted in the cloud. As for me, an employee of a platform company, I believed it was worth understanding why we're doing what we're doing in the cloud.

Many companies, especially those creating data at an astonishing rate, are predicted to move their operations to the cloud in the coming years (see Gartner, 2019). But there are still those who remain critical about the confidentiality and integrity of data once stored in the cloud. I guess it is natural to challenge the intentions of cloud providers when there's so much at stake and maturity is low. I remember asking myself how I can entrust something (i.e. my data) to a concept – one that I could not see or touch (I know you’re thinking it: yes, there was a time I did not know that the cloud is simply a remote server, sitting in the provider’s facility).

Buy-in is withheld due to the view that cloud security is the provider’s responsibility and that the customer loses control upon migration. Awareness then needs to be raised so that these organizations understand that control is not fully lost; rather, a portion of that control is assigned to the cloud provider, giving businesses the option to focus their resources on something more valuable like innovating and competing in a dynamic environment.

What then is delegated to the cloud provider? This is answered by the Shared Responsibility Model, an outline of what a cloud service provider provides to a consumer in terms of security, and what they expect the consumer to own. These models go down to the very detail of which security tasks are assumed by the provider and which by the customer. Figure 1 illustrates the responsibility split, and it can be gleaned from it that the cloud service provider provides a certain level of security:

Figure 1: The shared responsibility model

Major cloud providers have made their respective versions of the responsibility model publicly available (e.g. AWS, Azure, and GCP), but AWS simplified this by saying that:

the customer is responsible for security in the cloud

the provider is responsible for security of the cloud

What this basically means is that regardless of the service consumed from the cloud provider (i.e. SaaS, PaaS, or IaaS), these two facts remain:

(1)   the customer is always responsible for its data

(2)   the cloud provider is responsible for the availability of workloads

We read about successful companies who have harnessed the agility and scalability features of the cloud to address customer demand. A popular example is how Netflix has been able to provide seamless streaming of content daily to its users around the globe, accounting for 15% of the world’s bandwidth (Sandvine, 2018).

Success stories such as the aforementioned one give us the impression that risks inherent to moving applications and workloads to the cloud are being managed. Cloud security shouldn’t hinder organizations from moving skywards if it means teams are optimized, more value is created, and business goals are achieved. Fortunately, we are not left with two extreme options: to cloud or not to cloud. Going hybrid is another route if that is more aligned with the organization’s objectives and maturity level.

Thanks for reading. Stay tuned for Part 2!

References:

Gartner. (2019). Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in 2019. Retrieved from https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g

Microsoft Azure (2019, October 16). Shared responsibility in the cloud. Retrieved from https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

Sandvine (2018). The global internet phenomena report. Retrieved from https://www.sandvine.com/hubfs/downloads/phenomena/2018-phenomena-report.pdf