Three Naïve Cloud Consumer Security Expectations

Talking to industrial client executives about their security expectations for cloud services can be enlightening. There are three areas where the assumptions and expectations are often wrong:

  1. They think security will be delivered by the cloud provider and there is nothing for the cloud consumer to do.
  2. They believe security is a technical topic only.
  3. They think the service, including security, will be delivered to them with no additional costs.

We should have a look at each of these false expectations and set the record straight:

Know your sensitive data

First, the cloud consumer should be aware of what data it owns. In particular, the definition of what sensitive personal information is to be protected according to existing regulations is crucial. The sensitive information will be put into the cloud later.

The cloud consumer should think about sensitive data at rest and processing workflow encryption. The consumer should also host the encryption server and the encryption keys on premises. The sensitive data and the virtual machines in that case can be anywhere in the world, but the encryption keys will be known only to the industrial cloud service consumer. This way, if a data leakage happens, nobody can do anything valuable with the data.

– Jim Webster, Lead Developer for iDevAffiliate affiliate management software.

There’s more to security than technical tools

Second, it is wrong to assume that security can be addressed by technical tools only. From an end-to-end perspective, the security tools implemented in the cloud can detect activity such as attempts to access protected data or to change file permissions, and will be logging all user activity.

Will this be sufficient to comply with regulations on protecting sensitive data such as credit card, health and insurance information? It will not: an authorized person working with sensitive data may still leak this information to the public.

Technical tools can help to address some kinds of attacks, both internal and external, but they will not prevent authorized persons, such as employees who have enough criminal energy to benefit from the sensitive data.

Security is not free

Third and finally, it is an incorrect cloud consumer expectation to think that security is always “built in.” It is definitely not! A cloud service provider will protect its own service and environment as much as possible in order to protect its own brand and reputation. Nevertheless, security is not free. The cloud service consumer should analyze its needed security level by determining, for example, what sensitive data it hosts or its core business information. This data will need a high level of protection. Other things, such as publicly available information about the cloud consumer, can be protected at a lower level. Here, the cloud consumer will consider taking a risk-based approach to avoid exponential cost explosion by trying to secure everything it owns.

False expectations of industrial cloud consumers can lead them to ask inappropriate questions of the cloud service provider. If the framework for cloud security is not set correctly, sometimes the conversation starts off poorly. A customer expectation in a sentence that begins with “Can you guarantee me that…” implies an expectation that the cloud service provider will do everything and the customer sensitive data will be safe. This is not realistic. Both the cloud service consumer and the provider have to work to ensure the protection of sensitive data and information end-to-end. The cloud service consumer, for example, is responsible for employee education, awareness creation and compliance testing activities.

Have you had C-level management conversations in which you had to correct unrealistic expectations about cloud security? Is your business ready for the security challenges 2021 brings in?