What Are The Cybersecurity Challenges Associated With Cloud Computing?

Several times recently, people have asked for suggestions or warnings I might have about cloud security. What cybersecurity threats should they worry about in the cloud? I'll share with you what I told them:

Compliance and complacency

No, those aren't high-tech attack techniques used by elite super-hackers. However, they will cause trouble for you.

Let me explain what I mean.

Cloud Security Is Not New Or Exotic


Cybersecurity technology is exactly the same, whether in-house or in the cloud. Cloud servers and in-house servers run the same operating systems. Therefore, they have the same configuration issues. Additionally, they speak the same network protocols. Finally, cryptography is the same math and logic wherever it runs. What's very different is control and visibility. Cloud compliance is tough.

Compliance Is The Big Problem


Cloud cybersecurity has a distinctive slogan:

You can transfer responsibility but you can't transfer accountability.

Yes, that's trite. That plays games with semantics. I think it's bad writing, because it relies on the reader interpreting near-synonyms in one precise way. But if you want to pass the ISC2 CCSP or Certified Cloud Security Professional exam, know that slogan! Furthermore, see Learning Tree's Certified Cloud Security Professional (CCSP) Training and Certification for more insights on passing that tough exam.

Let's break it down.

Transferring Responsibility


That's the whole point of cloud computing! At the very least, I don't want to run a data center. Make the building, power, cooling, and network connection be someone else's problem.

Maybe I don't want to maintain an operating system. Or, a software platform. Perhaps, not even the application.

Therefore, I pay a cloud provider to run the data center. Maybe they also maintain the OS and programming platform. Possibly, they're in control all the way up through the application.

It's their job, their responsibility, to do that.

We have a contract. But ...

I'm Still Accountable


The information is vitally important and sensitive to someone. Depending on the field, we might call them "customers" or "patients" or "citizens." There are expectations ...

No. Stop.

There are requirements. I must protect this information. In particular, I must protect its confidentiality (or privacy), integrity (or accuracy), and availability (or reliability).

I can contract out the work. However, I have to make sure it happens. If it doesn't, I'm the one in trouble. Ultimately, I am accountable.

Let's Make This Real


My parents own a small office building. They rent it to the state highway department. Four engineers work there, supervising nearby construction projects.

The lease promises that the owners will cut the grass, clear the snow, and maintain the building.

However, they pay a guy to do all that. He mows in the summer. In winter, he plows snow and spreads ice melter. Also, he fixes sticky door locks. He's responsible for that work.

My parents don't drive mowers or snow plows. But if the highway department couldn't get into their office because of snow in the parking lot or a sticking door, they wouldn't complain to the handyman. The owners are accountable.

It's The Same In The Cloud

The data owner is accountable. Owners may transfer responsibility for routine work to cloud providers, such as AWS, Google, Microsoft, etc.

In contrast, accountability doesn't transfer.

The Cloud Makes This Hard


When you transfer responsibility, you lose control and visibility. However, compliance may require you to know exactly how things are done. This can become impossible in the cloud. It depends on your service model.

With IaaS (or Infrastructure as a Service), it's much like a remote data center or a co-location facility. You control and see the patching and configuration.

With PaaS (or Platform as a Service), you have some visibility of the OS and software environment.

Then, with SaaS (or Software as a Service), well... Frankly, you have no idea what's really going on! You only have the cloud provider's description of what they're doing.

Compliance becomes harder as you move up the SPI stack. That is, from IaaS through PaaS to SaaS.

The Cloud Isn't Magic


Complacency is the other hurdle.

People fall into magical thinking. The cloud is enormous. And, it's enormously powerful. So, what could possibly go wrong?

Lots! To err is human. But to lose data at industrial scale, you need large computers out on the Internet.

Some people seem to expect a cloud dashboard to include a "Secure Mode on" button. However, there won't be one. Ultimately, it's what I said in the beginning. Cloud computers and networks use the same technology we have in-house.

Therefore, they need the same careful attention. Unless it's SaaS (e.g., Gmail, Salesforce), you have to do some of this. Later, it's easy to overlook cloud systems during routine patching and testing because they're "out there" in the cloud.

And So, We Can Do This


We know how to harden servers. What's more, we know how to control and protect network traffic. Therefore, we have the tools we need.

First, we must plan to use the same defensive technology. Next, decide whose job it is. Ours, or perhaps the cloud provider's?

Finally, we must remember that we are accountable. If compliance requires us to be in full control, then it may not be a job for the cloud.