
Not long ago, security concerns were the number one reason IT executives were hesitant to move workloads to the cloud. A lot has changed since then. Security is now considered one of the great strengths of both cloud infrastructure and software-as-a-service (SaaS) platforms. But that does not mean that total security is assured. The world’s most rugged platforms are only as effective as the people who use them.
All cloud services operate under a shared responsibility model. Platform, software, and service providers commit to maintaining security at the network and physical infrastructure level, but none will shoulder the burden of protecting customer workloads and data.
“The shared responsibility model is critical to understanding how cloud security works,” says Thyaga Vasudevan, vice president of product management at Skyhigh Security.
In the case of cloud infrastructure, users are responsible for application security, identity and access management, client and endpoint protection, data classification, and user behavior. The same is true in a SaaS environment, although software and service providers take a somewhat larger role in application and access controls.
However, these distinctions seem to be poorly understood, especially in light of Gartner's prediction that “by 2025, 99% of cloud security failures will be the fault of the customer.” In fact, some of the most publicized data exposure incidents in recent years have been the result of customer-side misconfigurations that exposed sensitive data.
Overview with Security Service Edge
To gain control over an increasingly diverse environment, customers must take a holistic, data-aware approach that discards traditional device and perimeter protections in favor of policies, access controls, and data protection. That requires a disciplined approach to classifying and labeling data, after which protections such as encryption, multi-factor authentication, and identity and access management controls can be applied that are appropriate to the sensitivity levels of the data.
Device-level controls are ineffective in an environment where applications and data are distributed across multiple internal and external services. COVID-19-related lockdowns made the situation even more challenging, as security teams lost the protection of the corporate firewall for users working from home.
But those obstacles have also given rise to new innovations such as security service edge (SSE), which redefines controls at the user level instead of at the device level. This allows IT organizations to “extend the same set of policies across endpoints all the way to the cloud, so they work consistently for all data, whether it’s in AWS S3 storage or in a Microsoft 365 folder,” Vasudevan says.
An SSE portfolio encompassing Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Cloud Data Loss Prevention (DLP), remote browser isolation technology, Cloud Firewall, and Cloud Native Application Protection Platform (CNAPP) simplifies the security landscape by enabling security administrators to set policies that apply across the full range of on-premises and cloud services. Not only is this more efficient than traditional edge controls, it also offers a better user experience: administrators can go beyond controlling data access and focus on data usage, so users can collaborate from any device and any location without sacrificing security.
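The classification-first approach described above (label the data, then require controls matched to its sensitivity, applied the same way whether the store is an S3 bucket or a Microsoft 365 folder) can be expressed as a small policy check. The following is an added illustration, not code from the article or from Skyhigh Security; the label names, control names, platform names and inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy: which controls each sensitivity label demands.
# Labels and control names are constructed for this example.
REQUIRED_CONTROLS = {
    "public":       set(),
    "internal":     {"encryption_at_rest"},
    "confidential": {"encryption_at_rest", "mfa_required", "no_public_access"},
    "restricted":   {"encryption_at_rest", "mfa_required", "no_public_access", "dlp_policy"},
}

@dataclass(frozen=True)
class DataStore:
    name: str
    platform: str         # e.g. "aws_s3" or "m365_sharepoint" (constructed values)
    label: str            # classification label assigned to the data
    controls: frozenset   # controls currently observed on the store

def missing_controls(store: DataStore) -> list:
    """Return the controls the label requires but the store lacks, sorted."""
    try:
        required = REQUIRED_CONTROLS[store.label]
    except KeyError:
        # Unlabelled or unknown label: fail closed and treat it as the most
        # sensitive class, so unclassified data is flagged rather than ignored.
        required = REQUIRED_CONTROLS["restricted"]
    return sorted(required - store.controls)

def evaluate(inventory: list) -> dict:
    """Map each store name to its list of gaps; the rule ignores the platform,
    so the same policy is enforced across S3, M365 and anything else."""
    return {store.name: missing_controls(store) for store in inventory}

# Constructed inventory standing in for a discovery scan of cloud data stores.
INVENTORY = [
    DataStore("marketing-site-assets", "aws_s3", "public", frozenset()),
    DataStore("hr-records", "aws_s3", "restricted",
              frozenset({"encryption_at_rest", "mfa_required", "dlp_policy"})),
    DataStore("finance-share", "m365_sharepoint", "confidential",
              frozenset({"encryption_at_rest", "mfa_required", "no_public_access"})),
    DataStore("legacy-exports", "aws_s3", "unknown",
              frozenset({"encryption_at_rest"})),
]

if __name__ == "__main__":
    for name, gaps in evaluate(INVENTORY).items():
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```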
Gaining access to company resources used to require remote users to tolerate the performance penalties of logging into a virtual private network. “Now that is not necessary,” says Vasudevan. “I can use single sign-on to access my application portal and access whatever I need under a zero-trust policy.”
Comprehensive cloud security is a shared responsibility. A holistic approach to data protection ensures that customers keep their end of the bargain.