NEW YORK -- When enterprises move data to the cloud, they surrender at least some control to their cloud service...
provider. But when they brush their hands of all responsibility -- especially when it comes to data security in the cloud -- it's a risky move.
To fully secure their data in the cloud, enterprise IT teams should never solely rely on their cloud provider. Instead, that responsibility should always be shared, said Vinay Patel, director and global head of information security at Citi Technology Infrastructure, the technology arm of New York-based banking and financial services firm Citigroup, Inc.
"Relinquishing control does not equate to relinquishing accountability or responsibility," Patel said at the Cloud Security Alliance (CSA) Summit 2015 here this week. "If you think about some of the expectations of your business' management [team], your regulators and your auditors … they expect you to be accountable."
To ensure a shared responsibility model for cloud -- or an approach by which both the cloud provider and its customers are accountable for certain aspects of security -- enterprises must clearly define their own responsibilities, along with those of the cloud provider. A distinct line should be drawn that indicates which party is accountable not only for certain aspects of data security, but the security of applications, virtual machines, interfaces, service configurations and more in the cloud.
Most major cloud providers, such as Amazon Web Services (AWS), detail their shared responsibility models on their websites. AWS, for its part, says its customers are responsible for "security 'in' the cloud," which includes the security of data, applications, operating systems, and network and firewall configurations.
On the other hand, AWS assumes responsibility for the "security 'of' the cloud," meaning compute and storage resources, as well as databases, networking and other components of the AWS global infrastructure.
Still, the lines can easily become blurred -- especially with a provider who has a cloud services footprint the size of AWS' -- which means enterprises must clearly define security roles with their provider upfront, ideally before signing a contract.
"You have to be able to articulate [your expectations] when you are negotiating that agreement with them," Patel said.
Because the dividing line between a cloud provider's security responsibilities and those of an enterprise isn't always clear, it's crucial to have that conversation before signing on with a provider, said Peter Keenan, chief information security officer at Lazard, a financial advisory and asset management firm in New York.
"[It's] going to be contract-dependent, but it's on us, as the enterprise, to make sure that it's very clearly spelled out in the contract where that line is," Keenan said. "I think it's going to be a case-by-case, service-by-service basis."
Know what makes your cloud provider's security strategy tick
To create a successful shared responsibility model, enterprises need visibility into their cloud provider's security controls, Patel said. And IT organizations can gain that visibility in a number of ways. For example, they can review independent assessments of their cloud provider's security model, such as attestations from the CSA's Security, Trust and Assurance Registry (STAR). They may also want to check that their provider holds certain cloud security certifications, such as ISO 27001.
But because they only reflect the state of a provider's security environment during a given period of time, certifications shouldn't be the only way an enterprise assesses a potential provider, according to Patel.
"[A provider], generally speaking, brought in an independent body that said, 'We are going to follow a certain script, look for certain things, ask certain questions and make sure you meet certain requirements,'" Patel said. "But then they walk away, and the next day, you don't necessarily have the assurance that everything is fine."
Dustin VanWinklemanager of converged security architecture at ADP
To gain full and ongoing visibility into your provider's security controls, it's crucial to ask your provider for that capability, while explaining your unique security requirements, during the negotiation phase. For some organizations, and particularly those in highly regulated industries like financial services, it might also be necessary to ensure you have continuous monitoring of your provider's environment.
"There is a lot of information out there now, but there's nothing more important than meeting with the vendor that you plan on using and having those in-depth discussions to figure that out, because things change on a daily basis," said Dustin VanWinkle, manager of converged security architecture at ADP, a payroll and HR management services provider based in Roseland, N.J.
In addition to having a face-to-face conversation with your provider, call on another powerful resource to gain insight into your provider's security controls: other customers.
"Some of it is just kind of sitting across the table from [a provider], looking him in the eye, and asking him these questions and seeing if he blinks," Lazard's Keenan said. "But look around you -- [there are] folks in the room here that you can call and say, 'Are you using this guy? How's it been?' That's probably more valuable than anything else I've seen."
Kristin Knapp is site editor for SearchCloudComputing. Contact her at firstname.lastname@example.org or follow @kknapp86 on Twitter.
Seven cloud security risks to avoid at all costs
A solid cloud security strategy can come at a cost
Overcome these five hybrid cloud security issues