Who Bears the Responsibility for Security in Public Clouds?

read -
Published 11-Jan-2018 11:52:47

We all know public cloud adoption is on the rise, with many organisations reaping the undeniable benefits of greater IT efficiency, business agility, scalability and cost savings.

Yet for many, security remains the key barrier to adoption and a substantial concern. This might not seem too surprising given the range of threats that face firms today – from data stealing malware to ransomware and spear phishing attacks.

In fact, new Barracuda Networks research reveals 60% of EMEA organisations have already been targeted by a cyber attack, and a quarter (26%) expect it will happen in the future – so the stakes couldn’t be higher.

However, as the survey also reveals, the core problem for all stakeholders is the sheer depth of confusion over whose responsibility cloud security is, with plenty of unfounded assumptions made on the part of IT buyers. These security misconceptions may not only be the reason so many organisations are holding back on public cloud adoption, but in a worst case scenario could leave organisations dangerously exposed to attacks.

Security concerns restrict growth, especially in the UK

The poll of 550 EMEA IT decision makers projected an increase in the amount of their infrastructure in the cloud, with a rise from 35% currently to 63% in the next five years, although the UK is notably in last place with current adoption (29%). Most run a mix of mainly external facing (60%) and some internal facing (38%) apps, covering everything from data storage and recovery to analytics, CRM systems and testing.

However, less than half (43%) feel totally confident that their organisation’s move to the public cloud was secure, with the figure dropping to less than a third (31%) in the UK. As a result, two thirds (64%) of EMEA respondents claimed that security concerns are restricting their migration to the public cloud, a figure rising to 70% in the ultra-cautious UK.

The impact of cyber attacks isn’t the only consideration here. Organisations are also concerned about regulatory compliance – especially ahead of the GDPR deadline next May – and the lack of an expert security partner.

So where do the responsibilities lie?

The root cause of many public cloud concerns is lack of clarity over the shared responsibility model. Many IT buyers assume that because they’re effectively outsourcing the running of their infrastructure to a trusted third party, the provider takes care of everything. This was backed up by the Barracuda survey results, as the vast majority of IT leaders claimed their public IaaS provider is responsible for securing customer data in the public cloud (64%), securing applications (61%) and operating systems (60%).

This simply isn’t the case. Amazon Web Services is very clear, stating that it will address security “of” the cloud – compute, storage, database, networking, and global infrastructure including edge location and availability zones. But the customer is 100% responsible for security “in” the cloud – data, apps, identity management, OS, network and firewall configuration, network traffic, server-side encryption, and client-side data.

The fact that 61% across EMEA claim to fully understand their cloud obligations further underlines the dangerous disconnect between perception and reality when it comes to public cloud security, exposing countless organisations to unnecessary risk.

Responsibility starts here

Despite this misunderstanding about roles and responsibilities, over half of respondents (57%) already invest in additional cloud security. But the truth is that IT decision makers need to think about the whole gamut of security controls.

Overall, you need ensure you have a 360 protection: detect, protect and recover, which should be the three pillars to ensure your most important assets are protected. A combination of solutions, encompassing web application firewalls, next generation firewalls, DDoS mitigation, strong data encryption, identity and access controls, SIEM, IDS/IPS, endpoint protection and data protection and archiving should put you in good stead to protect against the bad guys.

Vohkus partner with Barracuda to offer security products and services, that are engineered to protect all your users, appications and data – regardless of what your infrastructure looks like. Have a chat with us today to discuss how together we can make sure you aren’t exposed to uneccessary risk.

Run Free Email Threat Scan


security public cloud gdpr barracuda