Enterprises of all sizes are getting more comfortable moving company data into the cloud. However, moving data from on-premises to off-premises requires a delicate balancing act of shared security responsibilities between enterprise and the cloud service providers they employ.
While enterprises and cloud service providers do share responsibility for cloud security, when it comes to a breach, it's the business and its IT and security departments that must shoulder the ultimate responsibility and answer to customers.
These and other observations concerning cloud security are part of a new report -- "The Shared Responsibility of Securing the Cloud" -- conducted by NSS Labs Inc., an independent information security research and testing organization.
The report, which is based on interviews with 205 US-based security professionals, looks at the notion of shared responsibility between enterprises and cloud service providers, a division of duties that is typically set out in a service-level agreement (SLA).
In the era of cloud computing, the report finds that:
Moving enterprise data off premises requires that both the enterprise and the cloud service provider manage security controls to ensure the confidentiality, integrity, availability, and non-repudiation of the enterprise’s data. This approach, often referred to as shared responsibility, requires enterprises and cloud service providers to agree upon specific management roles for each component of the cloud computing infrastructure.
Digging into the numbers, about 71.5% of those surveyed were familiar with the concept of shared responsibility between an enterprise and a cloud service provider, while three out of four noted that they were "comfortable" with their role in that agreement.
However, 46% believe that the cloud service provider is responsible in case of a breach.
The NSS report concludes that it's ultimately the responsibility of the enterprise to secure data.
"Enterprises that migrate workloads to the cloud cannot exempt themselves from being primarily responsible for securing their data," the report finds.
This is not to say enterprises are wholly on their own. In fact, businesses and their IT departments and security staff need the help of their cloud service provider counterparts, and much of this should be spelled out in the SLA.
For example, if a company is using software-as-a-service (SaaS) -- right now the most popular cloud model, according to the report -- the enterprise should retain responsibility for identity and access management policies. The SaaS provider, however, needs to patch the operating system and virtual machines that serve the application.
In the case of infrastructure-as-a-service (IaaS), the enterprise must bear most of the responsibility, but providers such as Amazon Web Services Inc. are adding additional layers of security on their end. (See AWS Adds Security Management to Growing Portfolio.)
As part of its recommendations, NSS suggests that enterprises, especially those struggling to fill key security positions within the IT department, use a managed security services provider (MSSP) to help close the gap.
"In our study, 21.7% of respondents reported that skill shortage was an inhibitor for adopting cloud security products at their organization," according to the report.
Another way to close the security gap is to use a traditional hosting provider to shoulder some of the additional burden. Players in this space include Hosting.com, Rackspace and Armor (formerly FireHost).
These hosting providers can perform a range of duties, from managing security controls to helping manage database applications. In the study, about a third of all respondents reported having a relationship with a hosting provider.
Still, the most important part of cloud security is to get any agreement in writing, whether it's with an MSSP, a cloud service provider, a hosting firm or one of the big web-scale providers.
"SLAs should be meticulously reviewed both by an enterprise’s technical leadership and by its legal resources to ensure that the roles and responsibilities of the cloud service provider and the enterprise are clearly defined. Where necessary, the terms of these documents should be negotiated to suit enterprise requirements," according to the report.
— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.