It’s been 15 years since Amazon Web Services launched the first cloud infrastructure platform. At the flip of a switch, you could fire up a data center without having to buy any hardware or bury capital. But initially many companies eyed the cloud with suspicion. Leery of losing control, they held tight to running their own data centers. They thought the cloud was risky. And it was.
In this blog post — the first of two — we’ll explore false assumptions about cloud security that make the cloud riskier than it needs to be.
The cloud: just too compelling to ignore
Despite the risks, over time, the value of the cloud proved too compelling to ignore. Today, nearly every business uses the cloud to one degree or another. And many organizations rely on the cloud to host critical operations — unthinkable a decade ago.
While the cloud has provided far-reaching benefits, its risks and challenges remain. Enforcing comprehensive, Zero Trust security in the cloud is just as important as it is for any other part of your digital infrastructure.
The biggest problem? Organizations often do not fully understand the ways their cloud infrastructure exposes them to cyberattacks and ransomware.
Assumption #1: Your cloud provider is responsible for the security of your applications.
If not your cloud provider, then who is responsible for cloud security?
The truth is, security is a shared responsibility.
Whether you’re working with Amazon, Microsoft, Google or any other cloud vendor, if you look at the fine print, you’ll see their security responsibility is limited to protecting just the network fabric — that’s everything that makes up their hosting environment.
Application security is still your responsibility. As soon as you deploy an application instance with an operating system on top of the cloud network, protecting it is your job, not theirs.
Further, cloud security support from vendors uses a “best effort” model, not service-level agreements (SLAs). This means they need only promise to do their best to protect you from network-born threats like distributed denial of service (DDoS) attacks. But if one gets through, well, they tried their best. As for protecting your workloads, that’s always on you.
Also, while cloud providers will patch systems such as Linux servers that host applications, that doesn’t address your potential application vulnerabilities. Without visibility at the application layer, you can’t know whether an application has been deployed or configured properly.
Assumption #2: Cloud security is easy to manage.
The cloud’s benefits — speed, agility and elasticity — actually make cloud security more difficult. That’s because the cloud lets virtually anyone in your organization spin up a new application or resource with just a few clicks of their mouse.
Making things even more difficult, few organizations centrally manage cloud services within their IT and security teams. Instead, various business units and groups can independently set up new cloud accounts.
In other words, any user or developer with access rights can create applications that have open ports to the Internet, where anything can communicate with anything. And this all can happen without IT or security even knowing these applications exist, let alone securing them.
Moreover, large companies often have hundreds of cloud accounts on AWS, Microsoft Azure, Google Cloud and other cloud platforms. Each of these accounts may have many virtual private clouds with their own security groups.
All this makes managing those groups and understanding their security exposure increasingly difficult. It would help to have tools for visualizing the application traffic to and from cloud environments, but typically, cloud providers don’t offer them.
The cloud is here to stay and so are its security risks
As organizations large and small consider moving workloads to the cloud, they too often leave security out of the discussion. Why? Because some teams may view security as an inhibitor that slows the business down, not as an enabler that can accelerate the business.
This creates a tough dilemma for CIOs, security executives and other technology leaders. If you can’t support initiatives and applications that drive the business, you’re not helping the business grow. But if you aren’t managing the potential security risks the cloud presents, you’re exposing the business to serious threats.
Stay tuned for the next blog post in which I'll unpack additional cloud security assumptions that may be putting your business at risk.
In the meantime, learn how Illumio can help you build stronger digital security for your multi-cloud and hybrid cloud environments. Or have one of our experts explain how Illumio can strengthen your digital defenses against ransomware and cyberattacks.