The idea of using a third-party provider for IT infrastructure services -- a cloud provider -- is attractive to many enterprises. But who's responsible for monitoring and maintaining the security of an enterprise's data while it resides in the cloud? The answer sometimes comes as a surprise to many cloud services customers.
The CISO and other security professionals may be the last to know they’re now responsible for sensitive data living in the cloud. Unfortunately, they’re also the ones left holding the bag when there’s a security incident. Why didn’t they prevent the exposure? Why didn’t the firewall they implemented protect against the attack? Why weren’t the systems being monitored?
The problem is that enterprises are flying blind unless they adapt their security monitoring, incident response, and digital forensic policies and procedures to the cloud.
Concerns about security are a major reason why many companies still have not embraced cloud technology. Half of the respondents to the InformationWeek GRC survey cited security of their data, security of their customers’ data, and concern over security defects in the technology as reasons they do not use cloud services.
The root issue is not the security of the data, but who is responsible for protecting it. It’s similar to a business’ relationship with an Internet service provider: Security beyond the connection provided is up to you.
The cloud provider is typically responsible for the security of the underlying infrastructure, so subscribers need to ask if that security meets their requirements: Does the cloud provider have a well-staffed security operations center? Does it monitor the logs and intrusion detection systems 24x7x365? What incident response procedures does it have in place?
Even if companies are satisfied that a provider is meeting its security obligations, it usually comes as a surprise when they realize they’re responsible for securing their own data in the cloud.
Depending on the type of cloud services they consume, companies are responsible for the security of the data they put in, the applications they build, and the operating systems they set up.
Consequently, enterprises used to dealing with security monitoring and incident response in a physical environment now have to rethink their approaches in order to adapt to cloud computing because their data is no longer under their physical control and may, in fact, be distributed among their provider’s data centers in multitenant environments around the world. And the level of control and visibility into those systems depends largely on the type of services they use -- software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS).
It’s critical that companies understand how each of these different cloud service models impacts visibility into systems and operations involving sensitive data, and affects their ability to perform standard security monitoring and respond to security incidents for these environments.
To find out more about the different types of cloud services and get detailed recommendations on how to do security monitoring in each cloud environment, download the free report.
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.