Companies benefit from cloud computing in many ways: It makes employees and business processes more productive, efficient, and flexible. However, this also means that security-related challenges find their way into the company network and must be mastered. Security is not a matter for loners. Ensuring safe environments shouldn’t be left to just one party. Instead, the entire responsibility should be shared among all actors involved.
For example, if you look at the context of a car rental company – from the factory to the tenant – it becomes clear how important it is that each instance knows and makes its contribution to the level of security: The car manufacturer must ensure that its car is drivable and safe – brakes and airbags must therefore meet the specified safety standards. The company that rents the car cannot influence this but bears its responsibility elsewhere. It must ensure that individual components of the trolley are regularly checked for wear and functionality.
In addition, the landlord must ensure that his customers meet the legal requirements to rent and drive a car. Although the manufacturer provides seat belts installed ex-works, it is up to the driver himself to put them on while driving and behave following the provisions of the StVO – neither the manufacturer nor the rental company has any influence on these two aspects. As in this example with security in the context of a car rental, it is with security in the Cloud. Also, weaknesses and security gaps arise as soon as a party fails to meet its responsibility.
Data leaks, compliance violations, related fines, and reputational damage are just a few of the dangerous consequences of such negligence. This problem is counteracted with the help of the 360 Shared Responsibility Model: It provides for the equal distribution of all areas of responsibility in the Cloud and includes all actors – from the provider to the purchasing company to each cloud user.
Stumbling Blocks That Put Cloud Security At Risk
The advantages described above represent some fundamental reasons why more and more companies are deciding to use cloud technologies. In addition, the openness to market expansion and shorter product launch times make the Cloud an excellent addition to traditional, local networks. A majority of the IT managers surveyed also associate it with an increased level of security, as they assume that providers ensure the protection of their customers from the outset. But appearances are deceptive because the offerings of the providers do not automatically cover all elements and services.
One of the most significant security risks, which only falls within the provider’s scope to a minimal extent, is the amount of sensitive and company-critical data stored on cloud servers and sent – primarily via unprotected cloud links. Around 21 percent of this type of data is on cloud servers. And the trend is increasing: 61 percent of the IT managers surveyed estimate that over half of the data consists of sensitive content that moves within their corporate cloud applications. Ninety-six percent even plan to store even more of this content in the Cloud in the future.
For cybercriminals, this is a hit: They know the loopholes that result from neglecting security in the form of so-called shadow IT or from careless employees who, for example, open infected email attachments. They give you access to corporate networks – both locally and in the Cloud. In such cases, it becomes evident that companies cannot rely solely on cloud providers but must recognize that they have to take on the part of the responsibility for protecting their IT landscape and their data using a shared responsibility approach.
360 ° Shared Responsibility: Once The Complete Program, Please
IT managers act as an interface between the IT landscape and the rest of the company and ensure compliance. Therefore, it is all the more critical that they know where possible gaps could arise and who has which type of security responsibility. The providers’ primary responsibility is primarily divided into two areas: on the one hand, protecting components – such as cabling, data storage, and servers – from physical damage and harmful interference, and, on the other, securing the network and hosting infrastructure.
The latter mainly includes data centers, server hardware, and network connectivity. Neglecting this aspect leads to the fact that communication between individual cloud services suffers weak points that cybercriminals can exploit in a targeted manner, for example, using DDoS attacks (Distributed Denial-of-Service). The provider’s customers – i.e Companies that integrate cloud technology into their IT landscape – are responsible for the functionality of individual applications, their protection against threats, and identity and access management .
By granting usage privileges, they regulate which employees enter which areas of the Cloud and which data they are allowed to download or upload. They need to provide tools that IT staff can use to check, assign, block and monitor access rights. The IT department also needs solutions to manage all devices that are authorized to connect to the network – whether from the office or the home office. Just as the rental car driver has to pay attention to the rules in road traffic and a safe driving style, including safety goods, every user in the company is responsible for a “safe driving style” in the Cloud.
Since the data in the Cloud is constantly in motion through downloading, uploading, and sending, all devices such as laptops and smartphones that have access to the network must be secured. In addition, the Shared Responsibility Model addresses the problem of careless employees directly. These are called upon to use data more carefully. Through training courses organized by the company, they should learn to develop a heightened awareness of safety.
When a security gap arises in the car rental business because nobody considers themselves responsible for their area, it can end tragically. In the case of the Cloud, there are IT landscapes, business-critical documents, and sensitive personal data, as well as business results and -reputation at stake. The 360 ° Shared Responsibility Model is intended to ensure that all actors are aware of their responsibility in the context of cloud security, that they are aware of it, and that all actors pull together. Because it is best to “drive” it.