Managing security for cloud-based software-as-a-service (SaaS) applications or for your own applications in the cloud is placing different, more complex demands on cybersecurity teams. While cybersecurity skills remain in short supply, the availability of people with both cloud and on-premises security skills is even more constrained, particularly for small to midsize organizations.
With the rise of popular SaaS applications like Microsoft 365, Google Workspace, Salesforce, Slack, Box, and Zoom, your IT team needs to understand what security components you are responsible for with each SaaS provider you use. The same holds true for enterprise resource planning, HR, and other applications when you move them to cloud infrastructure provided by Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Why is this important? Because any cloud environment, SaaS or otherwise, becomes part of your total attack surface, and misconfiguration of cloud resources remains a leading cause of data leakage.
Introducing Shared Responsibility
Cloud providers, both SaaS and infrastructure providers, have made very clear what they are responsible for in the way of security. According to the Center for Internet Security, a SaaS provider is solely responsible for physical security, host infrastructure security, and network controls. However, for application-level controls, identity and access management, and endpoint protection, the provider and the customer share security responsibility. That's where the confusion — and the need for cloud security expertise — comes into play.
Consider, for example, securing Microsoft 365 SaaS applications, which are mission critical. Microsoft has published where its responsibilities lie. It falls to you, the customer, to configure user and device access; monitor user, application, and data behavior; and respond to incidents. This includes the actions of partners that access your data or apps in the public cloud.
Plus, whether in the cloud or on-premises, your email users remain a leading source of risk from human error. From their PCs, laptops, and mobile devices, they can still click on a malicious link or open an attachment and introduce malware to that endpoint.
This is where we are seeing a shift in what happens next. Once hackers penetrate the endpoint, they are no longer content to pivot sideways on the network to penetrate on-premises resources. Instead, they move through the endpoint to the cloud to access your data, which is often lower-hanging fruit.
Securing Workloads in the Cloud
COVID-19 has accelerated the migration of traditionally on-premises applications and workloads to cloud infrastructure-as-a-service (IaaS), where the configuration of cloud resources such as storage and databases can be even more complex.
One of our healthcare customers, for example, was primarily operating on-premises at its own HIPAA-compliant data center. Due to COVID-19, the company had to quickly migrate its practitioner workplace environment from PCs and laptops to tablets that could be used for at-home patient care. This also meant moving data to the cloud to make it accessible from anywhere. It quickly found that configuring cloud infrastructure and storage required skills it did not have in-house, creating a potential cybersecurity and compliance gap.
What's different in the shared responsibility model in this example? For companies using IaaS to run applications on cloud servers and place data into cloud storage, the cloud provider is wholly responsible only for physical host, network, and data center security. Everything else is your responsibility. That includes application-level controls, identity and access management, client and endpoint protection, and data classification and accountability. Responsibilities for platform-as-a-service (PaaS) offerings such as Windows Azure fall in between IaaS and SaaS.
Options for Acquiring Cloud Security Skills
The primary takeaway is that whether you are using Microsoft 365, running your Windows applications on Windows Azure, replicating enterprise data to a cloud data lake, or running custom enterprise applications on bare metal servers, you are responsible for the security of your data. What's more, any security breaches in the cloud can put your remaining on-premises resources at risk.
While cloud offerings are not new, expertise on cloud computing — and specifically cloud security — is hard to come by. Industry reports indicate that demand for cloud security skills is second only to demand for application security expertise. Businesses of all sizes, including small and midsize organizations, cannot afford to neglect cloud security when moving workloads and data away from on-premises resources.
Even though cloud security skills are in short supply, companies can grow their own skills through training existing in-house staff. Alternately, they face hiring cloud experts in today's highly competitive salary and recruitment environment. By offering remote work arrangements, companies can extend their reach and hire from anywhere, making it easier to acquire the skilled workers they need.
Whatever your approach, evaluate your cloud security posture and cloud cybersecurity skills gap. Your data security depends on it.