Data Security and the Cloud

what the heck is the cloud

It is a mystery! How does it work? Is it secure? Can I trust it?! 

So many questions are arising about the cloud, and we are here to try to help you get an answer, or at least a clear idea about it. Then again, if you are still not using it... I mean... IT’S 2020!! It’s about TIME. The cloud is everywhere. Cloud computing is an ever-evolving technology that brings with it a number of opportunities and challenges.

As shown in this very explicit graph and mentioned in our last blog post about the cloud, it is growing very, very fast and shows no signs of slowing down. Cloud computing offers tremendous potential benefits. It is here to stay. Migrating to a cloud computing platform means your responsibility for data security goes up considerably. Data with various levels of sensitivity is moving out of the confines of your firewall, but that does not mean that you lose control completely. It also does not mean that the security of your data is the responsibility of the cloud provider only. Cloud service providers treat cloud security risks as a shared responsibility.

cloud responsibility

Think of it this way: Cloud computing is a shared technology model where different organizations are frequently responsible for implementing and managing different parts of the stack. As a result, security responsibilities are also distributed across the stack, and thus across the organizations involved. This is commonly referred to as the shared responsibility model. And YOU are a part of this model! 

But before tackling all these shared responsibilities, let’s take a look at the problems the cloud faces. Most security risks are related to data security. Whether it is a lack of visibility into data, an inability to control data, or theft of data in the cloud, most issues come back to the data customers put in the cloud.

Data security issues experienced with software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and private clouds come down to the same thing:

  1. Lack of visibility into what data is within cloud applications
  2. Theft of data from a cloud application by a malicious actor
  3. Incomplete control over who can access sensitive data
  4. Inability to monitor data in transit to and from cloud applications
  5. Lack of staff with the skills to manage security for cloud applications
  6. Inability to prevent malicious insider theft or misuse of data
  7. Inability to maintain regulatory compliance
  8. Lack of consistent security controls over multi-cloud and on-premises environments
  9. Advanced threats and attacks against cloud infrastructure

 

Responsibility model for security in the cloud, according to McAfee

 

  • Software as a Service: The cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application, and cannot alter how the application works. For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.
  • Platform as a Service: The cloud provider is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features. The responsibilities are thus more evenly split. For example, when using a Database as a Service, the provider manages fundamental security, patching, and core configuration, while the cloud user is responsible for everything else, including which security features of the database to use, managing accounts, or even authentication methods.
  • Infrastructure as a Service: Just like PaaS, the provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client. For example, the IaaS provider will likely monitor their perimeter for attacks, but the consumer is fully responsible for how they define and implement their virtual network security, based on the tools available on the service.

Issues experienced with SaaS applications, for example, are naturally centered around data and access because most shared security responsibility models leave those two as the sole responsibility of SaaS customers. Just because the providers offer compliance does not give customers the right to abdicate their responsibilities. They have some measure of responsibility as well, which creates a significant cloud computing challenge. The most important security consideration is knowing exactly who is responsible for what in any given cloud project. And that is what we try to do here at VR-on with our Stage cloud. We are very proud of what we have already achieved and we are striving to get even better. The Munich Prestige award 2020 for data security company of the year for our Stage cloud just got us more motivated to keep going down this road.