Using major cloud providers does not guarantee a company is secure from attacks.
At the start of the cloud era, there was anxiety about whether the cloud was more secure. Today, there is this extreme confidence in cloud security. Companies think being in the cloud means their security risks are mitigated. However, the reality is more nuanced.
Cloud technologies determine how digital systems function and how users can access those systems. Whether it’s through email and SharePoint, running server infrastructure, or using AI models, it’s all cloud. So are the many software management services, backup providers, and data intelligence platforms that companies rely on.
Is the cloud better for security?
Cloud services fall into three categories: software, platform, and infrastructure services.
Software is the most popular – companies pay to access something like Microsoft 365 or Salesforce online. Platform services are more robust, equipping companies with resources to develop services and applications. Infrastructure services are the most foundational, providing access to server, networking, and storage infrastructure. Companies also mix different cloud services, often alongside systems they host on their premises or third-party datacentres. These combinations create ‘hybrid cloud’ systems.
All this variety makes cloud security a complicated topic, says Gerhard Swart, Chief Technology Officer at cyber security company, Performanta.
“If you’re a one-person organisation with a single laptop, all you use is Microsoft 365, you have multi-factor authentication, and you know better than to click on links in strange emails, the cloud helps you be very secure. But if your company has a hundred employees and devices, you use dozens of cloud services, and you have integrations between those and other systems, you have a lot more to consider,” says Swart.
Sharing Responsibility
Cloud service providers tend to invest handsomely in security. Microsoft spends at least $1 billion annually on improving security and scans billions of files and emails for threats, vastly enriching its security intelligence. Amazon, Google, and other top cloud vendors have similar strategies, because they know that dropping the security ball will be devastating to their reputations and market shares.
However, there is also a clause they all have in common called shared responsibility.
“Shared responsibility means the cloud provider takes every effort to make their systems secure. But they do not take responsibility for making client systems secure. If someone hacks your cloud systems because you fell for a phishing attack and exposed your passwords, that’s your fault,” says Swart.
Using cloud systems can also introduce complexities. For example, companies use the cloud to integrate different services and data sources for in-depth, seamless, and even automated processes. But unless they are properly managed, integrations can create security gaps. System configurations are another example of such complexities. Administrative privileges can become lost in the many layers of a robust cloud environment. Cybercriminals often go looking for those oversights.
How to make the cloud more secure
The cloud is as secure as you make it, which is why leading security providers use business risk to simplify complexity.
“You reduce digital security complexity when you focus on the most crucial business risks,” says Swart. “A risk-guided approach motivates which tools and services provide the best visibility and makes security operations cost-effective. You strategically target your efforts on the biggest risks, then scale from there. It also encourages more cohesion between security and the business. We run a Risk Operations Centre that leads the strategy and blueprints for our customers’ security, which delivers much better security in the cloud and among their owned systems.”
Pre-cloud security was like a castle: raise the walls, dig the moat, and check everyone at the gates. Though effective, it also made IT services limited, expensive, and inflexible. The cloud era promises business agility and flexible costs, and enhances security if you can tame the inherent complexity it creates.
Is the cloud secure or not? If companies think they can offload security to cloud providers, they make their security much worse. But if they share in the responsibility with a risk-based approach supported by a skilled security service provider, they can enjoy the strongest and most cost-effective security they’ve ever experienced.
