Security Experts:

Why You Should Question These Most Common Cloud Assumptions

The Approach to Cloud Security Should be No Different From the Approach to Network or Endpoint Security

The dynamic and automated nature of the cloud brings many benefits to businesses, from easy setup and delivery of services to predictable maintenance costs. With users accessing data and collaborating from anywhere, whether they are in branch offices or working remotely, cloud-based services and applications have completely transformed how business is done. 

According to survey findings from 451 Research, 3 in 5 (60 percent) enterprise workloads will run in the cloud by mid-2018, up from 2 in 5 (41 percent) today. However, along with this new era of growth come certain assumptions about how the cloud operates, and how to secure it. Every security professional should question these assumptions and, perhaps more importantly, encourage others throughout their organizations to question them as well. In doing so, all parties involved will be doing their part to make sure their organizations – and the massive amounts of data and intellectual property (IP) the cloud stores for them – are secure. 

Common Cloud Assumptions 

1. The Cloud Is All About Quick Application and Service Deployments

The cloud has completely changed how new applications and services are developed and, in turn, delivered to their customers. Quick deployments and fast delivery are two assumptions that teams, in most cases, don’t question when choosing to deploy a cloud-based application or move data to the cloud. While cloud-based agility can deliver massive benefits, security must be considered and properly integrated into the cloud application development lifecycle from the very beginning to prevent data loss and business disruption. As more data, sensitive IP and business-critical applications migrate to the cloud, it is our responsibility as security professionals to instill a security-first mentality into the organization, such that any conversation about cloud includes security. 

2. The Cloud Is More Secure 

Public cloud providers typically offer some form of native security, which many individuals often assume is enough, but this couldn’t be further from the truth. In the past, organizations maintained complete responsibility for the security of their private cloud infrastructures, but that has entirely changed now with public cloud and SaaS-based applications. 

Now, the enterprise and the infrastructure provider share responsibility. The security of the data is the organization’s responsibility, and the security of the infrastructure is handled by the cloud provider. Within the public cloud, we continue to see data breaches, which are often the result of improper use, misconfigurations or advanced threats. Given this, it is important to remember that the cloud is not inherently more secure; it is equally as secure as anywhere data is stored. Organizations must approach the security of their data in a way this is consistent with their overall security approach – the cloud is no exception to this rule.   

3. Cloud Security Is Different From Network or Endpoint Security 

Although organizations are responsible for ensuring the security of their data, regardless of where that data resides, oftentimes cloud security is still thought of as a different type of security. This assumption results in deploying different solutions to secure the cloud, leaving security teams with complicated environments to manage and products that cannot speak to one another, especially for organizations with multiple cloud infrastructure providers.

The reality is that, even though the consumption of cloud security differs from the automation thereof, the approach to cloud security should be no different from the approach to network or endpoint security. It’s obviously not possible to put a physical firewall in the cloud, but security professionals must apply the same rigor to secure the cloud as they would the network or the endpoint. This rigor will ensure that organizations are protected against the same threats across all environments in the most efficient way possible. Put simply, consistency yields the best results.

view counter
Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.