Shared responsibility: What it means for your cloud data and apps

Andrew Potgieter, director, Security Solutions at Westcon.

Most cloud providers work on a shared responsibility model when it comes to security.

Most security officers understand this, as well as where their responsibility starts and where their cloud service provider's ends. But not everyone understands this and therein lies the problem, warns Andrew Potgieter, director of Security Solutions at Westcon.

"A shared responsibility model is a 'cloud security framework' that defines where the security obligations of a cloud computing provider as well as a user's begin and end, and has been designed to ensure accountability," says Potgieter.

A disconnect, he adds, occurs because users often believe that the security component is carried by their cloud provider. "In the case of public cloud hosting, with the likes of Amazon, Azure and even Google, these providers protect their infrastructure, but the security of the data and applications is the responsibility of the client."

In a nutshell, he says cloud security is not an easier option where you can simply outsource responsibility; it comes with the same complexity as securing a local data centre's data and applications.

Facing the reality

This is where using a managed service provider (MSP) as part of a strategy that integrates cyber security best practices with cloud-based systems could be beneficial, he says.

An Accenture report revealed that last year, organisations around the world spent nearly 23% more on cyber crime measures than in 2016, averaging $11.7 million. In addition, this year's Black Hat conference showed that the cloud has become the main driver for accelerating the adoption of cyber security practices as organisations become reliant on hosted environments for everything from emails to documents and other mission-critical data.

"Given how there is a shortage of skilled IT security experts globally, decision-makers must understand that they cannot hope to appoint a graduate and think that their security processes are taken care of," says Potgieter.

He advises businesses to focus their resources on a comprehensive end-point cyber security approach that incorporates mobile devices, connected SIM cards, data warehouses, cloud providers, and suchlike.

"These resources point to raising awareness of addressing all spheres of cloud security, whether it is on the business side or on that of the provider."

Education is key

Key to raising awareness, he says, is educating staff about the importance of a security-centric approach to their work. Using consumer solutions for sharing sensitive corporate data is a massive risk, one that businesses cannot afford to take.

"Fortunately, some organisations are realising they have to accept responsibility in order to address cloud security requirements. They are not leaving it up to only the cloud service provider. Instead, they are working with MSPs to approach ICT security more comprehensively."
