You are Responsible for Data Security in the Cloud

cloud security shared responsibility

Cloud computing is the fuel powering modern digital transformation. Across the globe, organizations invested heavily during the pandemic to adapt to new market conditions, drive more efficient business processes and support mass home working. It’s estimated that 60% of corporate data globally is now stored in the cloud, and much of this will be in public cloud data centres.

Yet while many IT leaders cite security concerns as a top roadblock to public cloud projects, the truth is that those who do invest, often unwittingly expose their organization by misunderstanding where security responsibilities lie. The best way to mitigate these risks is to adopt a data-centric security approach which will keep sensitive data safe no matter how complex the environment.

Concerns in the cloud

So much positive is written about migrating data and workloads to the cloud. It can drive enhanced IT agility, scalability, redundancy, and cost savings, to name but a few benefits. But this positivity often masks another reality: cloud computing often equals complexity, and complexity is the enemy of security. This is especially true when organizations invest in multiple cloud service providers (CSPs) and blend public and private clouds with on-premises deployments in a hybrid approach. Research shows that 92% of enterprises have a multi-cloud strategy, while 80% favour a hybrid cloud approach.

This can lead to potentially critical mistakes, including misconfigurations and unpatched vulnerabilities. Last year, a cybersecurity study found that 96% of organizations are moderately to extremely concerned about cloud security. Data loss or leakage (64%), data privacy (62%) and accidental credential exposure (46%) were their top three concerns.

Complicating matters further is that many organizations believe their CSP will take care of all their security needs. One study found that two-fifths of IT professionals thought the cloud provider would protect their applications and data. In fact, the truth is far more nuanced. Both provider and customer have a shared responsibility for security. Failing to recognize this could leave organizations exposed. In 2019, Gartner predicted that “at least 95% of cloud security failures will be the customer’s fault” over the next three years. In that case, “shared” responsibility is a bit of a misnomer.

 

What CSPs say about cloud security

To add further complexity, not all CSPs define shared responsibility in the same way. The Cloud Security Alliance has a handy guide explaining the grey areas. For example:

Microsoft Azure: In IaaS environments, the CSP takes care of only three areas: securing physical hosts, the physical network, and the physical data centre. For SaaS, PaaS, and IaaS, the customer is responsible for securing all data, devices, accounts, and identities.

Amazon Web Services: The CSP is responsible for all infrastructure (hardware, software, networking, and facilities) that runs its cloud services. However, customers will be responsible for all their data, applications, operating systems, network and firewall configurations, and more. This includes client-server and network-level encryption.

Salesforce has an additional data protection product called Shield Encryption Platform, which also has its limitations.

How to secure data in the cloud

This complexity can make consistent security policy enforcement a challenge across multiple CSPs and types of cloud environments (SaaS, PaaS, and IaaS). Adding to the challenge is the fact that many organizations are struggling with cybersecurity skills shortages, meaning they often have crucial gaps in technical expertise relating to specific platforms. Frequently, the business leads cloud adoption, leaving IT teams playing catch-up. It’s also true that CSPs are constantly innovating, which increases the complexity and opportunity to make configuration mistakes.

The answer is to adopt a data-centric security approach to ensure the organization’s most critical assets remain protected no matter where they reside—on-premises, in private clouds, or across multiple public CSPs environments. The right provider should deliver:

  • Detailed and automated data discovery and classification capabilities
  • Highly scalable and fault-tolerant protection of that data via data tokenization, encryption, data masking, and hashing
  • Data protection across any hybrid, multi- and cloud-native environment

With data-centric security, organizations can simplify risk and compliance management in the cloud and focus more of their efforts on growing the business.

Does this apply to HPE NonStop?

High Availability generally aims to prevent problems from occurring in the first place, and NonStop Availability does that too but assumes that anything can fail at any time and allows for that eventuality. We can pay for the best security possible to protect our data. However, if we assume that someone will eventually gain access to our data, the HPE NonStop philosophy tells us to render the data useless before they do.

HPE’s NonStop SQL Cloud Edition users enjoy the near-instantaneous failover benefits of high availability (IDC Availability Level 4) with the uncomplicated inherent HPE NonStop data integrity. However, customers still need to be cautious about managing their data in the cloud. As mentioned above, security is a shared responsibility of the provider and customer. The responsibility for the data and applications is with the customer. Therefore, a data-centric security approach applies to all Enterprise platforms, including HPE NonStop.

Secure all your sensitive data intended for AWS, Azure, Salesforce, and many more.

Read our cloud security fact sheet to learn more:

Download Fact Sheet

Author

  • Thomas Gloerfeld

    Thomas Gloerfeld is Director of Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he closely monitors topics such as data security, risk and compliance.

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.