Cloud security is not just the cloud vendor’s responsibility

Jan 16, 2018 (6 mins)
Cloud Security, Technology Industry

Somehow, many organizations seem to forget their own security practices and responsibilities once they start moving to the cloud.


A lot has been said about the security risks of moving your data or systems to the cloud. Choosing trustworthy cloud vendors, preferably with the right security certifications or independent assurance reports, has become indispensable. However, somehow many organizations seem to forget their own security practices and responsibilities once they start moving to the cloud.

The rise of cloud services

The average organization today has multiple and very diverse cloud services in play. According to the Fortinet Threat Landscape Report for Q3 2017, organizations now use a median of 58 different cloud solutions.

This number will only increase in the future:

  • According to research by Computerworld, organizations that transition to Software as a Service (SaaS) subscriptions from capital-heavy, on-premise infrastructure installation, maintenance and upgrades enjoy an IT spending reduction of more than 15%.
  • Application landscapes in many business areas are moving gradually to 80% or more cloud based. Per Gartner, the acceleration in SaaS adoption can be explained by providers delivering nearly all application functional extensions and add-ons as a service.
  • Many organizations have, or plan to implement, some cloud-based infrastructure to make use of the scalability and elasticity of Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), or do things like consolidating datacenters.

Most organizations now have sensitive or otherwise critical data stored in the cloud. And of course, the ease of cloud adoption has also resulted in shadow IT: cloud applications and services that IT does not even know about, which is a growing security concern.

Cloud security is not only the vendor’s responsibility

A lot has been said about the security risks of moving your data or systems to the cloud. Choosing trustworthy cloud vendors, preferably with the right security certifications or independent assurance reports, has become indispensable.

However, somehow cloud service customers seem to forget their own security practices and responsibilities once they start moving to the cloud, probably out of a misconception that all security-related aspects will be handled by the vendor.

As a result, I have encountered quite a few examples where a cloud service – whether PaaS, IaaS or SaaS – is insecure because of insecure use or setup by its customer. That is, while the cloud vendor offers all the means to securely set up or use its cloud service, the customer has not used or activated these security measures, or has misconfigured the service, which makes it vulnerable.

Examples of what I have personally seen include:

  • Not activating data encryption for sensitive data even though the option existed and would not have hindered operations.
  • Working with end-user-managed access control lists (ACLs) even though a simple interface to the company’s Active Directory or IAM solution was possible.
  • End-users creating and using public share directories open to anyone on the Internet even though that option could have been disabled.

I am not the only one noticing this: recent security news is full of reported cloud vulnerabilities or, worse, actual security breaches due to wrong and insecure customer configuration.

What can you do about this?

Define your cloud security architecture

Define a security architecture baseline for different cloud scenarios. Predefining a minimum baseline security architecture for the main cloud scenarios in your organization will help address some of the key security concerns from the start. It will ensure a minimum level of control, taking into account aspects such as identity and access management, integrating security alarms into an existing Security Operations Center (SOC), secure connections between the cloud service and the internal network, backup and recovery, etc.

The security architecture will also help identify where security tools are needed to protect against cloud risks: tools that can secure dynamic and evolving cloud-based applications, platforms and infrastructure. Existing, traditional solutions may be unable to secure the distributed, diverse and dynamic cloud environment. That being said, you also don’t want separate security solutions for each cloud environment, or specialized security tools that operate in isolation. Defining your security architecture with that in mind will be key.

Identify your (new, dynamic) perimeter

Understand where the responsibilities of the cloud vendor end, and where your own security responsibilities begin. Organizations not only need to understand how data and workflows will move between their own network and the cloud services, but also how these move across and between different cloud services. They need to clearly articulate where risks exist and who is securing what, where and how.

Follow vendor security guidance

Reputable and mature cloud vendors offer security standards, baselines or similar guidance on how to securely set up and use their cloud service. Following their guidance during the design of your cloud solutions seems like a no-brainer, but unfortunately it is still often ignored.

Just like on-premise applications and infrastructure, cloud service threats and vulnerabilities evolve. Therefore, as part of your standing threat and vulnerability management practices, you should also follow up on any updates and amendments to the security guidance of cloud vendors.

Include a security expert in the setup

Even though you’re not designing or building a system yourself, but buying an external cloud solution, you still need some level of security design. Including a security expert will help you identify how the cloud solution should integrate with your existing (security) architecture. He or she can also identify the security risks that are specific to the cloud service at hand and the business processes it supports, as well as the countermeasures needed to manage such risks.

Find that shadow IT

Cloud solutions have made it easy for lines of business to circumvent their IT department and directly buy their own cloud-based IT solutions. This is often referred to as rogue or shadow IT. Circumventing IT more often than not implies circumventing security and other requirements (e.g. privacy, compliance, etc.). As such, shadow IT is a root cause of insecure (cloud) computing. Finding it and correcting it will be key. Analyzing your proxy logs or using a dedicated cloud security tool helps you find which cloud solutions are being used on your network. A comparison with the authorized ones should provide plenty of insight.
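The proxy-log comparison described above, as an added example that is not part of the original article: it parses constructed Squid-style access.log lines (the format, the hostnames and the cloud-service catalogue are all assumptions for illustration), maps each destination host to a known cloud service, and reports every catalogued service that is not on the authorized list, together with who used it and how often.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid native access.log layout (assumed):
# time elapsed client code/status bytes method URL user hier/peer type
PROXY_LOG = """\
1516100001.123 245 10.1.2.15 TCP_MISS/200 5120 GET https://app.example-crm.com/api/leads alice HIER_DIRECT/203.0.113.10 application/json
1516100002.456 120 10.1.2.16 TCP_MISS/200 2048 GET https://files.example-share.net/public/q3-report.xlsx bob HIER_DIRECT/203.0.113.20 application/octet-stream
1516100003.789 310 10.1.2.15 TCP_MISS/200 9216 POST https://app.example-crm.com/api/upload alice HIER_DIRECT/203.0.113.10 application/json
1516100004.012 80 10.1.2.17 TCP_MISS/200 1024 GET https://intranet.corp.example/home carol HIER_DIRECT/192.0.2.5 text/html
1516100005.345 200 10.1.2.16 TCP_TUNNEL/200 4096 CONNECT drop.example-notes.io:443 bob HIER_DIRECT/203.0.113.30 -
"""

# Constructed catalogue of known cloud services keyed by domain suffix
# (a real CASB or threat-intel feed would supply thousands of entries)
CLOUD_CATALOGUE = {
    "example-crm.com": "ExampleCRM (SaaS)",
    "example-share.net": "ExampleShare (file sharing)",
    "example-notes.io": "ExampleNotes (note sync)",
}

# Services IT has authorized; any other catalogued service in the logs is shadow IT
AUTHORIZED = {"ExampleCRM (SaaS)"}

# Extracts client, method, host and user; the scheme is optional so that
# CONNECT lines (host:port instead of a URL) are parsed as well
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?:[a-z]+://)?(?P<host>[^/\s:]+)\S*\s+(?P<user>\S+)"
)

def classify(host):
    """Map a hostname to a catalogued cloud service by domain-suffix match, else None."""
    host = host.lower()
    for suffix, service in CLOUD_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None

def find_shadow_it(log_text):
    """Return {service: {"users": set, "requests": int}} for unauthorized cloud services."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        service = classify(m["host"])
        if service is None or service in AUTHORIZED:
            continue
        usage[service]["users"].add(m["user"])
        usage[service]["requests"] += 1
    return dict(usage)
```

Calling `find_shadow_it(PROXY_LOG)` on the sample reports the two file-sharing and note-sync services used by bob and nothing for the authorized CRM or the internal intranet host.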


Tim Wulgaert is a consultant, advisor, presenter and author in the field of information security and privacy. He has over 15 years of experience in developing, reviewing and improving information security strategies, policies, awareness campaigns, organizational design and other related security management topics. He has helped companies from 15 to 150,000+ employees across the globe and in many different industries, including heavily regulated ones such as banking, telecommunications, healthcare and pharmaceuticals.

Currently, Tim is working on an initiative to build a security management content platform that aims to provide security and privacy professionals with hands-on security policy, process, awareness and other related security management content. In addition, Tim is supporting and advising CIOs, Chief Security Officers and Data Privacy Officers on selected projects and initiatives (via FJAM consulting).

Tim has worked for and with different Big 4 audit firms, strategic management consultants as well as niche security consultants and integrators. Between 2012 and 2017 he was also the Operations Manager, Transition Lead and overall “right hand” of the CISO of one of the largest pharmaceutical companies, managing a team of 300+ security and risk people across the globe.

He has extensive experience in discussing and presenting strategic IT and information security topics with C-level management of both SMEs and multinationals.

Tim is the author of “Security Awareness: Best Practices to Secure Your Enterprise”, ISACA, 2005, and co-author of the Belgian Cyber Security Guide (Dec 2013, ICC Belgium and FEB/VBO). He also co-authored EY Mobile Money 2011 and helped develop and write EY’s 2008 Revenue Assurance Survey.

Tim is a regular guest speaker on topics such as security, privacy and social media. In the past, he also held presentations and wrote articles on mobile money, revenue assurance and fraud management, as well as on IT audit and business process modelling. Between 2006 and 2013, he was a guest professor at the Master in Computer Audit of the University of Antwerp Management School and the Executive Master in ICT audit & Security of the Solvay Business School.

The opinions expressed in this blog are those of Tim Wulgaert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.