Ensuring Data Security When Moving Workloads to the Cloud

14 Jun 2018 by Jason Rader

The cloud continues to change everything in corporate IT, including cybersecurity.

Any organization moving workloads to the public cloud or planning to do so needs to understand the roles and responsibilities regarding the protection of those workloads and the associated data. They also need to know that these roles and responsibilities differ depending on the type of cloud service the organization is using.

The fact is, there’s still lots of confusion about who is responsible for which aspects of cybersecurity when a company adopts cloud services. Companies often rush to deploy these services for competitive reasons, without giving enough thought to the security and privacy implications.

In many cases, business executives or departments are the drivers for moving workloads to the cloud, and security sometimes gets lost in the shuffle. Much of this stems from the shadow IT movement of recent years, in which business users deploy cloud services without central IT even knowing about it.

Industry research confirms there are a number of misconceptions about security and data management when it comes to the cloud.

Who’s responsible for cybersecurity?

Meanwhile, even many IT executives assume cloud service providers are responsible for ensuring the continuous security of all data and applications in the cloud. The thinking is that the comprehensive security offered by cloud providers, combined with the existing provisions of the company using a cloud provider, is more than enough to stop data breaches from happening. This creates a false sense of security when leveraging the public cloud.

Furthermore, the assumption that an organization’s current governance model and security controls will suffice for all cloud-based workloads is shortsighted. Governance models need to be updated to include cloud considerations. Current methods of authentication, access control, encryption and monitoring all must be reviewed to ensure compatibility and compliance with cloud initiatives.

The differences in security responsibilities by cloud service type can also be a source of confusion. Understanding these differences is key to ensuring proper security provisions are in place.

In general, with Infrastructure as a Service (IaaS) offerings, internal IT is responsible for administration, applications, data, runtime and middleware, while the service provider is responsible for operating systems, virtualization, servers, storage and networking.

With Platform as a Service (PaaS), internal IT is responsible for administration, applications and data, and the service provider handles runtime, middleware, operating systems, virtualization, servers, storage and networking. And for applications as a service, internal IT is responsible for administration and the service provider handles all other functions.

Taking ownership

Moving to the cloud certainly removes some of the burdens of IT management from companies. But it doesn’t mean abdicating all responsibilities to service providers. That’s especially true of security, and internal IT must take ownership to ensure the protection of data and workloads.

The stakes are high when it comes to cybersecurity. Data breaches and other incidents can end up costing millions of dollars in lost or stolen data, lawsuits from customers and business partners that have been impacted, lost business, damaged brand and reputation, etc.

It’s not a question of cloud providers being lax in protecting their own infrastructure. The leading cloud providers have built some of the most secure environments possible, because much of their business model depends on having strong security and reliability in their IT infrastructure.

It’s more a question of cloud customers doing their part to protect the privacy and security of their own data — whether it resides on premises or in the cloud.

To learn more about security considerations when moving to the cloud, check out our whitepaper.

About Jason Rader
Director, Network and Cloud Security

As part of Insight’s Cloud + Data Center Transformation team, Jason leads the charge to help organizations develop solutions that encompass the latest skills, tools and methodologies to mitigate the risk of cyberthreats.
