As more organisations move their workloads to the cloud, security remains both a priority and concern for them. While cloud providers do offer some safeguarding, businesses are still spoilt for choices on picking the right cloud provider for their data and workloads. Some organisations prefer using a private cloud due to the sensitivity of their data and regulations while others opt for a multi-cloud or hybrid cloud approach.
The public cloud offers services such as SaaS, PaaS and IaaS to multiple customers. The nature of the public cloud is that their services run on remote servers that a provider manages – just like any cloud. However, as the public cloud is available to multiple customers, some businesses tend to be sceptical of the security of their data on the public cloud.
At the RSA Conference 2020, three public cloud providers explained how the public cloud ensures the safeguarding of data and services on their cloud. Representing AWS was Myles Hosford, Head of Security Architecture ASEAN, while Google Cloud was represented by Mark Johnston, APAC Head of Security and Microsoft’s Abbas Kudrati, Chief Security Officer, APJ was the final representative.
All three speakers agreed that the public cloud is indeed a cheaper option when it comes to cloud services and provides about the same amount of security via data encryption. At the same time, they also feel that while public cloud providers offer cloud security, customers are still mainly responsible for their data.
According to Myles, when it comes to encryption in the cloud, public cloud providers ensure data is encrypted as it moves and is stored. Customers, however, have the option to add their own encryption capabilities on top of that.
Myles added that customers using the public cloud also have a higher level of visibility and can determine who makes any changes to their data or workloads on the cloud. As the cloud is a collection of APIs, he said that automation in security will allow a more reactive approach towards any incidents. This means CISOs will be able to remediate any security incidents as they happen, unlike the traditional methods on-premises.
Mark concurred with Myles saying automation is key and should be built in from the beginning. For example, he said when developers are testing new programs in production, automation comes in handy as its able to detect and inform any anomalies during the testing phase.
For Microsoft, Abbas said that businesses need to understand the importance of shared responsibility when using cloud services. He explained that although cloud service providers are responsible for the security of your data, they are not accountable for it. Meaning, organisations need to know how they classify their data and what they want to use it for. They determine the value of their data and all the cloud does is store it, implementing any actions requested by the owner.
With that said, all three presenters agreed that CISOs need to be fully sure of how they classify their data and who has access to them. Visibility is key in cloud security. The public cloud provides the services but at the end of the day, organisations themselves have to be accountable for the security of their data as well.