April 2, 2020
Cloud Security is Everyone’s Business

The global cloud security market is expected to grow to 13 billion US dollars by 2022, at an estimated CAGR of 17%, according to a recent report by MarketWatch.1 Many business leaders feel that once they have offloaded their on-premise workloads to the cloud, they do not need to focus on—or worry about—security. In fact, this is a primary topic of discussion among cybersecurity circles. Essentially, there is the perception that once you shift anything to the cloud, you have also shifted your risk. Unfortunately, this is almost never the case. There may be less risk, or fewer checks and balances for your IT department. However, getting to that point can be a challenge. As a savvy IT professional, you will want to author specific cybersecurity policies with your cloud platform developers and your IT staff, so you have clear boundaries around what responsibilities are handled on-prem or in the cloud. When making these decisions, you need to consider many factors, including how much of your workload do you want to move off-prem; do you need software-as-a-service, platform-as-a-service, infrastructure-as-a-service or a combination thereof?

Software as-a-service (SaaS) gives you the ability to leverage applications that run in the cloud.

When selecting SaaS vendors, you will want to inquire about their disaster plans and recovery methods, as well as their risk analyses and protocols. Find out if they have prior security breaches, and be sure to read terms and conditions carefully.

Platform as-a-service (PaaS) delivers a framework that your developers can use to build customized applications that are scalable and highly available. However, when your data resides in a third-party, vendor-controlled cloud server environment, that can pose specific security risks and data loss concerns.

Infrastructure as-a-service (IaaS) provides access to virtualized resources, such as CPUs, block storage and SQL databases, and offers total flexibility to run your own software on top of these resources. With this option, you remain in control of your applications, data, middleware, and your OS platform. However, security threats can still be sourced from the host or other virtual machines.

Looking at your options, you will also want to determine if it makes sense for your business to move to the cloud completely, or to establish a hybrid environment. When it comes to cybersecurity, you will need to ensure you clarify with your cloud provider upfront who will provide first-level or extended response.

Hybrid environments have their own unique complexities, because you will need to blend “what was” (legacy) with “what will be” (cloud). The idea that cloud allows you to “set it and forget it,” is misleading. Providers and software developers are constantly rolling out new feature sets. As the data owner, it is your responsibility to monitor the environment and software for any feature changes.

Important considerations for choosing a secure cloud provider

Whether your business is already in the cloud and you are successfully navigating the challenges of security there, or you are just beginning to move your workloads to cloud, these considerations are helpful ways to ensure a successful and robust cloud security platform.

Before moving to cloud, you will want to conduct an assessment to help identify which workloads are most appropriate for the cloud, and to determine how migration will impact your existing processes. Ideally, if your workloads are going to be in the cloud, they should be built for the cloud, meaning, you will want to architect your app(s) and workload(s) so they can handle the inherent risks within your cloud environment. When moving workload(s) to an off-premise location, think about how your identity and access management (IAM) will change. Make sure that the cloud provider you select is prepared to deliver an IAM system that includes authentication, authorization and verification. Essentially, you should be sure you can effectively manage access rights while in the cloud, so the right people with the right privileges are reaching your data.

AWS, Azure, GCP—What’s the Difference?

When evaluating third-party cloud providers such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP), understanding your third-party risk is critical. Quite often you hear about businesses that need to use a certain vendor to serve a specific set of business requirements. If this is the case for your business, you will not only want to understand what you have to protect, but also become familiar with the security benefits of each platform.

On AWS, most core security features are provided—from robust API activity monitoring to basic threat intel, DLP, vulnerability assessment, and security event triggers for automations. Two exceptional AWS security features are its implementation firewalls and IAM.

Microsoft Azure offers certain security advantages, such as the Azure Active Directory, which is known as the single source of truth for authorization and permissions management. However, this platform can be frustrating for users because of its lack of consistency, poor documentation capabilities and the fact that many services default to less secure configurations.

Overall, GCP is not as mature as AWS, but certain services are thought to be high-performing. GCP provides organization-wide logging, but is limited in terms of coverage. It has more granular IAM, but some aspects of custom policies are still in beta. One downside is the small number of security experts who have deep GCP experience, which translates to a less knowledge and tooling.  

You may find it helpful to work with a company that specializes in cybersecurity. Cybersecurity consultants are familiar with the security nuances between platforms, and can help you select the highest-performing, most secure platform to meet your business needs.    

Third-party cloud security

Today’s businesses are focusing more than ever on third-party risk in the supply chain. Third-party risk is a global issue across every domain, every type of organization, and every

business. As a cybersmart IT professional, you will want to check your supplier’s security protocols to identify if there are specific threats built into the hardware or software they provide—before they ever become components within your larger system.

For instance, if you are custom-building hardware, you need to look at your supply chain security and ensure that the lifecycle of your company’s data is covered. If a third-party supplier is breached, that could potentially cause disruption in your operations. These days, many factors can cause disruption in your supply chain, including geopolitical events, weather, natural disasters, ever-changing regulatory demands, etc.

Regardless, it can be helpful to engage a third-party risk management vendor to work with your IT, legal, and financial departments, and your businesses as a whole, to address, identify and mitigate any risks that can be introduced by third-party partnerships. Essentially, you want to establish a trust and verify relationship with your partners.

When it comes to cloud security—on any platform, with all of your data, and throughout your entire supply change—if you are vulnerable enough to admit where your vulnerabilities are, you can successfully partner to fix them.



  1. https://www.marketwatch.com/press-release/cloud-security-market-2019-statistics-growth-factors-opportunities-challenges-historical-analysis-emerging-technologies-competitive-analysis-and-regional-forecast-to-2023-2019-05-09
About the Author
CBI, A Converge Company
CBI Cybersecurity
CBI, A Converge Company, is a leading cybersecurity advisor to many of the world’s top tier organizations. Founded in 1991, CBI provides innovate, flexible and customizable solutions that help ensure data is secure, compliant and available. We engage in an advisory-led approach to safeguard our clients against the ever-changing threat landscape—giving them comprehensive visibility into their entire security program and helping them avoid cyber challenges before they can impact their data, business and brand. We are dedicated to the relentless pursuit of mitigating risks and elevating corporate security for a multitude of industries and companies of all sizes.
I Need To...