Cloud security is a shared responsibility

The good news is that increasing numbers of customers are moving to the cloud to take advantage of all the benefits it provides, including around security. The not-so-good news is that against a backdrop of highly complex software supply chains, enterprises that don’t understand that security is a shared responsibility risk leaving aspects of their cloud services open to unauthorised access.

It’s helpful here to understand the different pieces of the software supply chain to pin down who’s responsible for which elements.

A strong, secure foundation

Microsoft Azure or AWS provides the cloud infrastructure that a specific application vendor leverages and builds on top of to deliver a cloud application to the market. Customers will want to ensure that any application provider they’re engaging with has a strong partnership with a well-established cloud service provider, since the latter provides the foundational layer of any cloud offering.

Things to look for in a cloud service provider include global datacenters (to comply with any geo-specific data protection requirements) and compliance with the latest security and quality ISO standards, as well as the requisite level of performance, reliability, and scalability.

The application itself

The application provider, meanwhile, needs to ensure that the application itself is designed and architected in a way that ensures the highest levels of security and governance. This includes incorporating frameworks like zero trust architecture, which – by default – assumes that no user, device, or system should be implicitly trusted, but instead should be continuously verified and validated.

It is also up to the application provider to patch and update the application on an ongoing basis, making sure customers always run the latest version of the service.

Customers are the final piece of the puzzle

The cloud service provider and the application provider create a secure foundation – but customers add one more piece to the puzzle. And even the most securely architected application can be vulnerable to breaches if it isn’t properly configured and administered.

Start with user accounts. The application provider isn’t in a position to know who within the organisation should have access to the application and what level of access they should have. For example: who should be a power user or an administrator, with broad access? Who should be a read-only user, with limited access? It’s a customer’s responsibility to determine who needs to have what level of access.

There’s also responsibility around managing those user accounts over time. For example, if someone leaves the company, that account needs to be deactivated. This requires ensuring that user information is synchronised with the organisation’s directory management tools, such as Active Directory. Oftentimes, companies assume that these different applications and services “automatically” work together. The reality is that things can change after the initial configuration, so regular monitoring is required to ensure all systems are working with the most accurate and up-to-date information.
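One way to make that regular monitoring concrete is a reconciliation check that compares the application’s user export against the directory and flags active application accounts the directory has disabled or never knew about. This is an added example, not code from the article or from any vendor; the user and directory records, field names and role names are constructed for illustration.

```python
# Added example, not from the article: reconcile an application's user export
# against the organisation's directory to find accounts the directory no longer
# vouches for. Data is constructed; field names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class AppUser:
    username: str
    role: str      # e.g. "admin", "power", "readonly"
    active: bool

@dataclass(frozen=True)
class DirectoryUser:
    username: str
    enabled: bool  # False once the person has left the company

# Constructed exports: "jsmith" left (disabled in the directory) but is still an
# active admin in the app; "contractor1" exists only in the app, so no directory
# lifecycle ever covers it; "carol" is already deactivated and is left alone.
APP_USERS = [
    AppUser("alice", "admin", True),
    AppUser("bob", "readonly", True),
    AppUser("jsmith", "admin", True),
    AppUser("contractor1", "power", True),
    AppUser("carol", "power", False),
]
DIRECTORY = [
    DirectoryUser("alice", True),
    DirectoryUser("bob", True),
    DirectoryUser("jsmith", False),
    DirectoryUser("carol", True),
]

def reconcile(app_users, directory):
    """Active app accounts that are disabled or absent in the directory."""
    status = {d.username: d.enabled for d in directory}
    findings = {"disabled_in_directory": [], "missing_from_directory": []}
    for u in app_users:
        if not u.active:
            continue  # already deactivated, nothing to do
        if u.username not in status:
            findings["missing_from_directory"].append(u.username)
        elif not status[u.username]:
            findings["disabled_in_directory"].append(u.username)
    return findings

def privileged_orphans(app_users, directory, privileged=("admin",)):
    """The findings that hold a privileged role, to be reviewed first."""
    flagged = set(sum(reconcile(app_users, directory).values(), []))
    return sorted(u.username for u in app_users
                  if u.username in flagged and u.role in privileged)
```

Run on a scheduled basis, the two lists become the work queue for deactivation, with the privileged subset reviewed first.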

Careful with that configuration

Aside from user accounts and access levels, there are other areas that customers need to pay careful attention to, particularly when it comes to configuring the application.

Most cloud services come with a set of security features that need to be toggled on and adjusted to properly protect the data within the application. Imagine a scenario, however, where a cloud application has been purchased by a non-technical member of the organisation, i.e. a business user.

For that individual – who’s probably just looking to get up and running with the application as quickly as possible so that they can roll it out to a few other members of their team or department – the tendency is to accept whatever the default security settings are and leave them as is rather than tinkering around with them. As a result, the organisation might be totally unaware that certain ports were left open by default, or that an important data backup setting wasn’t turned on.

Involving the IT team early on in the process of introducing a new cloud application into an organisation is a way to prevent these accidental missteps and ensure the application is properly configured according to internal policies. The application vendor should also provide plenty of guidance, documentation, and technical support as needed to customers who have configuration questions, as a way of heading off any problems before they arise.

It’s a team effort

None of these responsibilities should be seen as insurmountable, nor should they overshadow the value of moving to the cloud. On the contrary, it’s a way for organisations to ensure that they attain full business value from their cloud investments by eliminating security vulnerabilities.

By demystifying the responsibilities between cloud service provider, application provider, and customer – and then making sure that these are well documented and well understood by internal stakeholders – the phrase “Isn’t security just the vendor’s responsibility?” will be consigned to the dustbin of history, replaced by an understanding that it is a shared responsibility.

Manuel Sanchez

As an Information Security & Compliance Specialist at iManage, Manuel works with customers, internal stakeholders, and industry experts, to help security professionals understand the risks of an evolving threat landscape.

With over 20 years of experience working on B2B enterprise software solutions and services across many industries, Manuel has dedicated the past seven years to building broad expertise in information security, data privacy, and information governance in the legal sector.

Manuel is a regular speaker and commentator on current trends and how security professionals can leverage technology to defend against new threats.
