With COVID-19, many organizations rushed into cloud solutions in order to transition to work-from-home. Cloud certainly makes it easier for employees to access documents, applications, and corporate email, but who is responsible for security in the cloud? Is it up to the cloud services provider, or the owner of the data? The reality is most cloud providers use some type of shared responsibility when it comes to security. For instance, if you are using Amazon Web Services (AWS), all that Amazon is responsible for is: “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.” They make very clear that customers “are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.” Simply put, if a hacker can steal your password and access your data in the cloud, it is your problem, not the cloud provider’s. So, what can you do to protect your organization’s cloud data? The same cyber security policies you would have used for on-premises data also apply to cloud.
- Enforcement of password policies and multi-factor authentication
- Cyber awareness training for all staff
- Regular patching and updating of your OS and Applications
- Consider partnering with a MSSP to manage and deploy a cloud security solution