Move me to the cloud, so I don't have to take care of security!

I love the cloud, and I guess you do as well if you heard that security in the cloud is automated! That is a very bold claim and might be a bit misleading. In the past couple of years, cloud adoption has been a strong trend, and it is very economical for businesses looking to save money when it comes to running IT infrastructure (maybe we should do another post on the reality of cost saving in the cloud versus on-premises). While cost saving is one of the main drivers, it should be noted that there are other drivers, such as a faster route to market, testing new ideas, being able to expand or reduce resources at will (elasticity), and security, which is the other big factor.

One thing to be clear about here: cloud security is a shared model, which is embraced by all the big Cloud Service Providers (CSP) such as Amazon, Microsoft and Google, just to name a few. What this means is that the CSP provides security for the cloud's physical infrastructure, e.g. data centres, hypervisors and networking equipment, and the customer is responsible for the data. This is the simplest view; however, it is more complicated than this and depends on the deployment model, such as IaaS, PaaS, SaaS or another X-as-a-Service offering (see diagrams below). Hence the famous phrase: "the CSP provides security of the cloud and the customer provides security in the cloud".

Organisations should understand these differences in terms of their core responsibilities when it comes to managing security in the cloud. The model below from AWS illustrates this more clearly, and the logical next step is for an organisation to map each of these responsibilities to the right roles and people within the organisation.

[Figure: AWS shared responsibility model]
Source: AWS – https://aws.amazon.com/compliance/shared-responsibility-model/

[Figure: Shared responsibility model across IaaS, PaaS and SaaS]
Source: https://www.synopsys.com/blogs/software-security/shared-responsibility-model-cloud-security/

So the next time you hear "let's move to the cloud, security is automated and taken care of for us", remember that it is a shared responsibility and you have a large part to play as well. At the end of the day the data is yours: YOU ARE RESPONSIBLE!

Author: kinyoka

A certified Information Security professional with demonstrated experience spanning more than 10 years in the financial, banking, consulting and payment card industries, managing Information Security Management Systems (ISMS). A postgraduate degree holder in Information Security Management (M.Sc.); Certified Information Security Manager (CISM), Payment Card Industry Qualified Security Assessor (PCI QSA), SABSA Chartered Security Architect (SCF), ISO 27001 Lead Auditor, CREST Registered Technical Security Architect (TSA), CREST Registered Penetration Tester (CRT), and a member of ISACA. A reliable, trustworthy and meticulous person who has worked in controls-focused, multinational and multicultural organisations over the years and gained a good understanding of what is required of an Information Security professional. Specialties: ISMS based on ISO/IEC 27001/2; Payment Card Industry (PCI) DSS QSA-led services (PCI scoping, gap analysis and formal assessment (RoC)); IT Governance, Risk and Compliance (GRC) management; cyber security; penetration testing; enterprise security architecture; technical security architecture.
