The answer to cloud security is shared responsibility

Public cloud providers are serious about their security. Frankly, they have no choice. Initially there were countless concerns about the security of data in multi-tenant architectures and on infrastructures not directly under the enterprise’s thumb. Since then, cloud providers have worked hard to assure users that their infrastructures-for-rent are just as secure as on-premise data centres – perhaps even more so. In fact, as more and more highly-regulated sectors, such as healthcare, finance and defence, deepen and broaden their public cloud profiles, it’s clear that the industry’s largest cloud providers have appeared convincing.

With this in mind, it’s easy to overlook the fact that these companies are cloud vendors, not security vendors. This is largely why they’ve tried to make it obvious that their security and compliance goes only so far, and that responsibility for the rest of it falls on customers, as the shared security model outlines.  

This hasn’t stopped public cloud providers from pitching cloud-native security solutions as add-ons to their services. At first blush, purchasing cloud-native security seems like it has advantages. Let’s break them down.

  • User Experience: For users accustomed to a particular platform, this is perhaps the accidental selling point. The console is familiar, the functionality is straightforward, and the user experience is reasonably curated.
  • Speed: One of the drivers for cloud adoption is time-to-market, and native solutions offer very rapid time-to-functionality.
  • Turn-Key: When data is retained in one place, there’s no need to exit the platform to retrieve information being housed outside the platform.
  • Scale: Because it is built into the platform – or appears to be, anyway -, native tooling should operate at similar scale to other cloud services.

Those are definitely some out-of-the-box positives, but what’s under the hood? Cloud-native security products all do their machine learning based on log data. That means that for solutions that rely on logs, the insights are largely surface-level and not based on behavioural patterns. They are not going to detect everything–including unreported rogue instances. The result is a sea of data points that require human interpretation.

Additionally, with public cloud providers only securing the cloud infrastructure, the unpleasant results of any misconfigurations, encryption failures, or other vulnerabilities above the hypervisor level are the responsibility of the security team alone. The best way to reassure your organisation that data and workload will be safe is to invest in hybrid security solutions that deliver complete visibility across your cloud-first enterprise, detect suspicious traffic patterns across the application delivery chain, and provide one-click investigation for each threat detection on-prem and on the public cloud. Network detection and response tools give cloud security teams the power to easily monitor and immediately remediate incidents most likely to impact the business in the hybrid cloud.

Although Asia lagged behind the United States and Europe in cloud services adoption before, the region is catching up. IDC anticipates that spending on public cloud services and infrastructure in the Asia-Pacific region, excluding Japan, will grow at a CAGR of about 27 percent by 2021 – faster than any other region. In Singapore, the IMDA recently launched a series of initiatives including Services 4.0, which puts cloud native architecture at the centre of the evolving infocommunicatons and media ecosystem, and GoCloud, to help the country’s small-and medium-sized businesses move to the cloud. As more and more companies migrate business-critical applications to the cloud to take advantage of greater scale and efficiency, the pressure is on security teams to maintain the same level of protection. 

Gartner predicts that by 2022, at least 95 percent of cloud security failures will have occurred somewhere in the customer’s portion of the shared responsibility model. If anything, that figure is proof that cloud providers are doing their part. The rest is up to you.