In 2023, many businesses will be migrating their data and applications to the cloud, with Gartner predicting that global cloud spend will approach $600 billion in the coming year. If you’ve read our previous blog post about managed hosting services, you’ll know we consider this a good thing: among other things, cloud is easy to deploy, flexible and low cost compared to alternatives.

But we also said that cloud was more secure – and this is a point some companies might get caught up on. It’s reasonable to worry about where your data is stored: in 2022, the average cost of a data breach in the United States approached $10 million – and cloud platforms have seen their fair share of data breaches. According to one report, almost half of organizations reported a cloud-based breach within the past 12 months.

So how can we say that cloud is more secure than on-premise or managed hosting? Why move business to the cloud? The short answer is this: the vast majority of cloud-based data breaches are really the fault of the customer – not the service provider. In this article, we’ll explain why this is the case, and what organizations can do to keep their cloud deployments safer.

Understanding shared responsibility

When organizations adopt an Infrastructure-as-a-Service (IaaS) solution, they are paying for the right to host virtual machines and applications on physical infrastructure operated by a cloud service provider (CSP). The CSP controls the physical infrastructure and the virtualization layer beneath the virtual machines; the customer controls everything inside them: the guest operating system and its patches, the applications, the identities that can reach them, the network rules around them and the data they hold. That is the whole point of IaaS.

Today, all major CSPs – including Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP) – have adopted some form of “shared responsibility” model for cybersecurity. While the details vary between providers, the underlying principle is consistent: the CSP is responsible for security of the cloud (data centers, hardware, hypervisors and the managed services themselves), and the customer is responsible for security in the cloud (what they deploy, how they configure it and who they grant access to). The line moves as you go from IaaS to PaaS to SaaS, with the provider taking on more, but it never moves all the way: your data, your identities and your configuration choices remain yours.

When we understand the shared responsibility model, it becomes easier to see how cloud environments can be relatively secure despite an increased number of cloud-based data breaches: today, vanishingly few breaches in cloud environments can be traced to a compromise of the CSP’s own infrastructure, and almost all are caused by customers misconfiguring the resources on their side of the line, such as storage left publicly readable, firewall rules open to the whole internet, leaked access keys and over-privileged identities.

According to a recent IBM study, two-thirds of cloud breaches involve application programming interfaces (APIs) that developers left misconfigured or exposed. And according to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault. If that sounds incredible, just consider the security controls provided by major CSPs.

How cloud providers protect your data

All major CSPs follow rigorous security controls to protect their customers’ data in storage and in transit. For instance, the following controls are offered by AWS, Azure and GCP alike:

1. Physical Security – the server racks that store your data reside in protected facilities with badge-controlled, logged access limited to vetted personnel and technicians; customers never get physical access, and the provider is responsible for decommissioning and destroying storage media.

2. Data Encryption (in Transit and At Rest) – customer traffic to the provider’s APIs and storage endpoints is protected with Transport Layer Security (TLS) (encryption in transit), and data is encrypted while it remains in storage (at rest). On all three platforms, encryption at rest with provider-managed keys is now the default for the core storage services; customers who need to control key lifecycle and access can bring their own keys through the provider’s key management service (AWS KMS, Azure Key Vault, Google Cloud KMS).

3. Firewalls – network firewall rules (security groups on AWS, network security groups on Azure, VPC firewall rules on GCP) filter traffic entering and leaving your virtual network, and inbound traffic is denied by default: only sources you explicitly allow get through. The rules themselves, however, are the customer’s to write. Firewall misconfigurations that open database ports to the whole internet (0.0.0.0/0 or ::/0) are a major factor in cloud breaches.

4. Distributed Denial of Service (DDoS) Protection – CSPs monitor their network edge and automatically absorb or scrub volumetric DDoS attacks before the malicious traffic reaches your data or applications. Note the scope: the built-in tiers (such as AWS Shield Standard and its Azure and GCP equivalents) cover the provider’s network; application-layer protection, for example a web application firewall in front of your app, is an additional service the customer has to enable and configure.

5. Consistent Security Updates – CSPs continuously scan their infrastructure for vulnerabilities and patch backend software, hypervisors and hardware firmware without customer involvement. Most CSPs also commission third-party penetration tests and run internal red teams to ensure that nothing is missed. The caveat for IaaS customers: this covers the provider’s layer only. The guest operating system and the software inside your virtual machines are patched by you, not by the CSP.
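The firewall item above is where the customer’s share of the responsibility most often goes wrong: a database port opened to 0.0.0.0/0 “just for testing” and never closed. The script below is an added example, not code from the original post or from any CSP; it audits AWS security-group ingress rules in the same shape the `ec2 describe-security-groups` API returns (`IpPermissions` with `FromPort`, `ToPort`, `IpRanges` and `Ipv6Ranges`) and flags sensitive ports reachable from the whole internet. The list of sensitive ports and the two sample groups are assumptions constructed for the example; a rule that only references other security groups is ignored, since it is not world-open.

```python
"""Flag security-group ingress rules that expose sensitive ports to the internet.

Rule shape mirrors the IpPermissions entries returned by the AWS
`ec2 describe-security-groups` API. The port list and both sample groups are
constructed for this example; tune the list to your own estate.
"""

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (assumed list).
SENSITIVE_PORTS = {
    22: "SSH",
    3389: "RDP",
    1433: "MSSQL",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(rule):
    """Collect every IPv4 and IPv6 CIDR a single ingress rule grants."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def _ports(rule):
    """Return the sensitive ports the rule covers.

    IpProtocol "-1" means all traffic on all ports (FromPort/ToPort are absent);
    for tcp/udp the FromPort..ToPort pair is an inclusive range.
    """
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_world_open_ingress(security_group):
    """Return (group_id, port, service, cidr) for each world-open sensitive port."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        world = [c for c in _cidrs(rule) if c in WORLD_CIDRS]
        if not world:
            continue
        for port in sorted(_ports(rule)):
            for cidr in world:
                findings.append((security_group["GroupId"], port,
                                 SENSITIVE_PORTS[port], cidr))
    return findings


# Constructed samples. The weak group opens MySQL to the internet and allows
# all traffic from any IPv6 source; HTTPS on 443 is intentionally public and
# is not flagged. The fixed group only admits the application subnet.
WEAK_GROUP = {
    "GroupId": "sg-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

FIXED_GROUP = {
    "GroupId": "sg-fixed",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for group in (WEAK_GROUP, FIXED_GROUP):
        for gid, port, svc, cidr in find_world_open_ingress(group):
            print(f"{gid}: {svc} (port {port}) open to {cidr}")
```

Run against real output, the same function takes each entry of `SecurityGroups` from `aws ec2 describe-security-groups --output json`. The `-1` handling matters in practice: an “all traffic from ::/0” rule looks harmless in a console that filters on port numbers, but it exposes every one of the listed services at once.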

Meanwhile, for businesses that need an even more rigorous, independently verified level of cybersecurity to meet federal requirements, options are available thanks to the Federal Risk and Authorization Management Program (FedRAMP).

How FedRAMP enhances cloud security

Government contractors who handle controlled unclassified information (CUI) are required, under DFARS clause 252.204-7012, to implement the security requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

FedRAMP authorizes CSPs against security baselines drawn from NIST SP 800-53, the catalog that NIST SP 800-171 itself is derived from, and DFARS accepts a FedRAMP Moderate (or equivalent) authorization for cloud services that store or process CUI. A FedRAMP-authorized CSP therefore provides, out of the box, controls that map onto NIST 800-171 requirements across many families, including:

  • Access Control
  • Incident Response
  • Media Protection
  • Risk Assessment
  • Personnel Security

And much more. Ultimately, a FedRAMP Moderate authorization covers 325 controls that are assessed by an accredited Third Party Assessment Organization (3PAO), providing high confidence that they are actually implemented. By transferring all or most of their infrastructure to a CSP authorized at this level, government contractors can inherit many of their NIST 800-171 requirements at once. Shared responsibility still applies: the provider’s customer responsibility matrix lists the controls (account management, configuration of your own systems, incident handling on your side) that the contractor must implement and document itself.

Why cloud breaches happen

Meta, Cognyte and Accenture: these are three companies that suffered from large cloud-based data exposures in the past few years. One of them (Cognyte) involved a database left reachable from the internet without authentication; the other two (Meta and Accenture) were caused by misconfigured Amazon S3 buckets that allowed public access. In neither case was the cloud provider compromised: the storage did exactly what its configuration told it to do.
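A publicly readable bucket is usually one statement in a bucket policy: an unconditional `Allow` to the wildcard principal. The script below is an added example, not code from the original post or from AWS; it reads a bucket policy in the JSON shape returned by `s3api get-bucket-policy` and a Public Access Block configuration in the shape returned by `s3api get-public-access-block`, reports which statements grant anonymous read, and shows how `RestrictPublicBuckets` neutralizes such a statement. The bucket name, account ID and both policies are constructed for the example; statements that carry a `Condition` block are deliberately left for manual review rather than judged automatically.

```python
"""Decide whether an S3 bucket policy lets anyone on the internet read objects.

Policy shape follows `s3api get-bucket-policy`; the Public Access Block dict
follows the PublicAccessBlockConfiguration from `s3api get-public-access-block`.
Bucket name, account ID and both policies below are constructed samples.
"""
import json

# Actions that expose object or listing data (lower-cased for comparison).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_grants_read(actions):
    return any(a.lower() in READ_ACTIONS or a.lower().startswith("s3:get")
               for a in _as_list(actions))


def public_read_statements(policy):
    """Return the Sid (or index label) of each statement that lets anyone read.

    Only an unconditional Allow to a wildcard principal counts. Statements
    with a Condition (for example on aws:SourceVpce) are skipped: they may or
    may not be public and should be reviewed by hand.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        if _action_grants_read(stmt.get("Action")):
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def bucket_is_public(policy, public_access_block=None):
    """Combine the policy verdict with the Public Access Block settings.

    RestrictPublicBuckets=True makes S3 ignore public grants in the bucket
    policy for anonymous callers, so it neutralizes the statements above.
    BlockPublicPolicy only stops a *new* public policy being attached.
    """
    pab = public_access_block or {}
    if pab.get("RestrictPublicBuckets"):
        return False
    return bool(public_read_statements(policy))


# Constructed samples: the classic "anyone can read every object" grant,
# and a corrected policy that limits reads to one IAM role.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
}

BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("weak policy:", public_read_statements(WEAK_POLICY),
          "public =", bucket_is_public(WEAK_POLICY))
    print("weak policy + block all:", bucket_is_public(WEAK_POLICY, BLOCK_ALL))
    print("fixed policy:", bucket_is_public(FIXED_POLICY))
```

The practical lesson is the last check: turning on all four Public Access Block settings at the account level is the single change that would have made the bucket policies in these incidents harmless, regardless of what any individual developer later wrote into a policy.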

While API and storage misconfiguration is the single largest cause of cloud-based data breaches, there are others: organizations can install vulnerable third-party software in their cloud environment, and they can deploy virtual machine images (VMIs) from untrusted sources that already contain malware or hard-coded credentials.

The complexity of multi-cloud configurations can also contribute to data breaches: each platform has its own identity model, firewall semantics and default settings, so combining them leaves gaps unless each environment is evaluated on its own terms by IT experts. According to one report, 57% of organizations have difficulty securing data in multi-cloud environments because of vendor inconsistencies.

Bring IT experts to your cloud migration

By now it should be clear that CSPs can be trusted to protect your data – at least at the level of physical infrastructure and backend software. But configuring your own cloud environment (identities, network rules, storage permissions, patching of your virtual machines) is a complex task that can lead to data breaches without attention to detail and IT expertise.

In today’s rapidly changing landscape, IT talent can be hard to find – 73% of IT leaders stated that filling open tech positions was a major difficulty in 2022. With the help of a world-class managed service provider (MSP) and outsourced IT expertise, you can fill that gap with a partner that puts your success first and knows how to execute your cloud migration safely.

MainSpring is your go-to for IT strategy and support. Our award-winning managed services are handled by a diverse team of experts on the cutting edge of business technology, with decades of combined experience serving small-to-medium sized businesses. We adopt a proactive mindset to every customer, taking ownership of your results and working diligently to exceed your business needs. To learn more, contact us today.
