Security cannot be just the responsibility of technology vendors if organisations want to stay ahead of advanced persistent threats to cloud computing, according to endpoint and firewalling specialist Stormshield.
Matthieu Bonenfant, chief marketing officer at Stormshield, has warned that users also have a role to play as cloud services continue to advance, implying that a balance of roles may be required for best results.
“Outsourcing in the cloud does not work on any sort of ‘click and forget’ basis: customers need to remain alert and take on several safety responsibilities, or else serious incidents may occur,” Bonenfant says.
He notes that an increased need for online services during the pandemic has cemented the public cloud as a key tool when transforming business operations. However, as organisations move data and applications to the cloud, they also create a larger attack surface.
“Like it or not, the cloud does not offer the option of completely outsourcing the security of migrated IT assets,” Bonenfant says.
And when it comes to who secures what in the cloud, there is no single answer, he warns — not least because cybersecurity providers themselves can be attacked.
“It all depends on the model offered by the cloud provider. This is why the company needs to understand what its supplier is responsible for in terms of security, and what it is required to secure itself,” Bonenfant says.
With IaaS, the cloud provider is responsible only for the physical infrastructure underlying the cloud and its security — leaving the customer in charge of security at all other levels, he says.
PaaS adds virtual infrastructure security to the responsibilities of the provider, with the customer taking care of identities and data.
“Finally, in a SaaS model, the bulk of the responsibility for security rests with the supplier; however, the customer must always keep control over identities and their own data,” Bonenfant explains.
Customers should talk to every supplier about which other security responsibilities they have, in line with contract terms — especially when it comes to hybrid or multi-cloud strategies, he says.
According to the UK’s Department for Digital, Culture, Media and Sport, cybersecurity breaches remain a serious threat to all types of businesses and charities.
“Among those identifying breaches or attacks, their frequency is undiminished, and phishing remains the most common threat vector,” it said in its 2021 cybersecurity breaches survey.
“Four in ten businesses (39%) and a quarter of charities (26%) report having cybersecurity breaches or attacks in the last 12 months.”