One of the biggest advantages of cloud adoption for businesses large and small is that it helps to reduce the time, labor, and capital spent on managing IT infrastructure. Responsibility for managing and maintaining hardware is offloaded from the business and picked up by the cloud service provider.
Some SMBs might assume that their cloud provider is responsible for every aspect of their cloud, including all aspects of security. However, this assumption is not typically true. Even a secure cloud provider has limits on which aspects of cloud security that they can assume responsibility for.
This is because there are some aspects of security that are beyond the cloud provider’s control, such as who you give user account credentials to and how much access you allow specific user accounts.
With this in mind, just what aspects of security is a cloud service provider responsible for, and what would your own organization be responsible for?
The answer may vary from one service provider to the next.
Security Measures Your Cloud Service Provider Should Be Responsible for
While cloud service providers cannot be responsible for everything, examples of security aspects they may shoulder the responsibility for include:
- Physical Security for Hardware. The cloud provider will typically assume full responsibility for providing security for the physical hardware that runs their cloud environments. In the case of WHOA.com, we partner with high-security Tier IV data centers that use biometric access controls, armed security patrols, and 24/7 CCTV monitoring to protect cloud environment hardware from being illicitly accessed.
- Providing Perimeter Firewall. A true secure cloud provider should have a strong firewall solution for preventing outside traffic from getting in. WHOA uses firewalls from Palo Alto Networks, the industry leader, to provide top-notch security at the edge.
- Providing Per Tenant Firewalls. Some malicious users might try to launch an attack against other tenants on the same cloud. Per-tenant firewalls help to thwart these attacks the same way that perimeter firewalls thwart external attacks.
In short, a cloud provider will typically be able to assume responsibility for providing a secure framework from which to run your cloud. This also means that the cloud provider you use should run regular security updates to patch known issues with the programs and APIs that they use.
What Are You Responsible for?
There are many aspects of cloud security that SMBs will be responsible for, even when they use a secure cloud.
Examples of cloud cyber security elements that SMBs are responsible for may include:
- Enforcing Strong User Account Security Measures. From enforcing the use of strong passwords, to preventing the sharing of user account credentials, to ensuring that employees are cognizant of how to avoid phishing attempts, individual businesses are almost always responsible for user account security.
- Revoking Access for Ex-Employees. When an employee becomes an ex-employee, it’s typically the responsibility of the business to revoke that employee’s access privileges.
- Controlling Which Business Partners Have Access to Your Cloud. Companies that allow vendors and other business partners access to their cloud have to do so carefully, as the cloud service provider cannot assume responsibility for the actions of a third party with access credentials.
Basically, SMBs will almost always assume responsibility for controlling user account security.
What About Everything Else?
What about things like data encryption, host firewalls, antivirus, activity monitoring/logging, and the countless other aspects of cyber security that contribute to keeping your data safe on the cloud?
This is where you need to evaluate your cloud service provider. Many security measures may use a shared responsibility model, where both your business and the cloud provider assume responsibility for deployment/management.
Some cloud providers offer specific protection measures as an add-on service for an extra charge, while others may include them out of the box. Other cloud providers might not offer specific security measures at all, pushing the responsibility for deploying and managing these solutions onto individual SMBs.
So, the question is: “Do you KNOW who’s responsible for security in your cloud environment?”