Security continues to be a major source of concern as organizations move more workloads and applications into the cloud. This situation was exacerbated by COVID-19 and the expansion of remote work, as well as adoption of multicloud strategies by a large percentage of organizations.
Digging deeper into possible causes for this concern, lack of confidence in the security postures and capabilities of the leading public cloud providers is not necessarily the biggest factor. Rather, it is lack of clarity about who is responsible for what in the shared responsibility model and the potential that gray areas could lead to undetected security gaps and misconfigurations.
In the shared responsibility model, the cloud service provider is responsible for protecting the hardware, software, networking and facilities that run its services. The customer is responsible for areas such as information and data, devices, accounts, identities and access, as well as platform and resource configurations.
However, that leaves potential gaps in the middle—operating systems, network controls, applications and directory infrastructure, to name just a few. Responsibilities also vary based on the types of services the customer uses, whether software as a service, platform as a service, infrastructure as a service or some combination of these.
If you feel like your organization may not have a clear understanding of the shared responsibility model and how to manage it in multicloud environments, you are not alone. According to a study by Hewlett Packard Enterprise, 43% of respondents said public cloud increases risk because the company is primarily responsible for securing data in the cloud. Even the Cloud Security Alliance recognizes the potential for—and reality of—confusion when it comes to cloud security. As noted by the CSA:
“The key to a successful security implementation in a cloud environment is understanding where your provider’s responsibility ends and where yours begins. The answer isn’t always clear-cut, and definitions of the shared responsibility security model can vary between service providers. … In a multi-cloud environment, these variations introduce complexity and risk. … Your overall security posture is defined by your weakest link. If you have a gap in coverage in any one system, you increase vulnerability across the entire stack and out to any connected systems.”
Closing the cloud security gap
These concerns are leading many organizations to turn to end-to-end security services solutions to help them manage security and compliance across operating models—with the goal of embedding security as an organization-wide imperative to ensure that security automation, intelligence, protections and policies are built into IT rather than bolted on.
The potential for confusion about the shared responsibility model is also a reason why many organizations are embracing hybrid cloud as a way to maintain control and visibility from the data center to the edge to multiple public clouds. According to the HPE study, about 20% of companies are creating a hybrid cloud experience with on-premises as the lead estate.
What are the benefits of working with a security services provider, and what should you look for in choosing the right partner? Here are key factors to consider:
- A full suite of advisory and professional services that lets you simplify, unify and integrate security and compliance with adaptive, next-generation security architectures such as zero trust.
- Ability to innovate with automation and intelligence, particularly during a time in which cybersecurity professionals are in short supply and adversaries are increasing their use of machine learning and automation to launch more aggressive and sophisticated attacks.
- Securing the digital enterprise with security controls and compliance, vulnerability analysis and remediation, as well as business continuity and other services that provide consistency and visibility from edge to core to cloud.
- Secure and resilient hybrid IT to enable security and continuity on premises and in the public cloud, with features including security containerization, data protection and recovery, and IT automation service for platform lockdown and compliance.
- Secure intelligent edge to control and protect users, devices and interactions at the edge, including identity and access management, digital workplace security and compliance, and vulnerability analysis for Internet of Things devices.
Taking the next step
When it comes to cloud security, what you don’t know can hurt you. Working with a security services provider that truly understands the hybrid cloud experience will not only reduce risk and close security and compliance gaps—it will also give you the peace of mind to know that security is embedded as part of your overall IT and business strategy, and not just an add-on.