Where does the responsibility for cloud breaches lie?

The Cloud Security Alliance (CSA) has released a survey which discusses who should be taking responsibility for breaches in the cloud. It’s a good question. The advent of Hybrid IT, among other things, has done much to destroy our traditional notions of the perimeter, with its siloed networks and fortress-like mentality. By Scott Gordon (CSSP), CMO, Pulse Secure.


The CSA’s findings do not leave an entirely clear picture of where the buck stops. 60 percent of survey respondents said that responsibility for breaches should lie with the cloud provider, while 77 percent said that enterprises should take the blame for breaches in the cloud. Third parties, respondents believed, should largely be let off the hook, with only a small number believing that they should bear responsibility.

Furthermore, concerns about the security of cloud providers are still holding enterprises back from cloud adoption. According to a recent survey from The Cloud Computing review, 86 percent of organisations hesitate to adopt the cloud for fear of data breaches and other security problems. It is understandable how moving much of an enterprise’s data outside of their immediate environment and entrusting it to an often opaque service provider might not sit well.


It's a complex situation. The outdated vision of the computer network as a castle - freestanding and isolated - is no longer applicable. Developments like Hybrid IT make it so. A modern business network is a myriad of connections and data-streams constantly flowing in and out of that “castle”. An enterprise might own all of that data, but it's being handled by a whole variety of parties and infrastructures.


Of course, when a breach happens through the cloud we can tell who the real victim is: The customer. But where does the buck really stop for those breaches?


The business involved might be entrusted with that data, so from one point of view (including that of many regulators) that business is responsible for the breach and should have taken the steps to prevent it, whether the breach happened inside or outside its own environment. But if the breach comes through the cloud, the picture changes significantly.

What if the insecurity that allowed the breach to happen was not about the security of the breached business itself, but about the provider’s? After all, it was the provider’s insufficient protections which allowed the breach to happen. The US-based Surgical Dermatology Group experienced just that in 2017, when a breach at its cloud provider, TekLinks, exposed the medical records of its customers.

And then, you have third party services interacting with those businesses over that cloud provider’s infrastructure. It may just as well have been their insecurity which put that customer’s data at risk.


Verizon’s recent breach serves as an example of just that. When NICE Systems, a third party of Verizon’s, created a cloud-based file repository for caller data, they misconfigured an AWS S3 bucket. That misconfiguration, an oversight by one of NICE’s engineers, exposed the personal information of millions of Verizon’s US customers.

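The kind of misconfiguration described above is detectable before any data leaks: an S3 bucket is exposed to the world when its bucket policy grants access to an anonymous principal and the Public Access Block settings do not mask that grant. The following audit script is an added example written for this article; it is not code from Verizon, NICE, AWS or the author. The two bucket policies and the Public Access Block settings are constructed samples in the real S3 JSON format, and the functions take plain dictionaries so the output of boto3's `get_bucket_policy` and `get_public_access_block` calls (assumed here, not exercised) could be fed in unchanged. The treatment of the four Public Access Block flags as a single on/off switch is a deliberate simplification.

```python
"""Audit an S3 bucket policy plus Public Access Block for public exposure.
Added example, not from the article or any vendor; all inputs are constructed."""
import json

# Constructed sample: anonymous read on every object, no condition at all.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-caller-data/*",
    }],
})

# Constructed sample: access scoped to one IAM role, plus a wildcard principal
# that is narrowed by a VPC-endpoint condition (reachable only from inside the VPC).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ingest"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-caller-data/*"},
        {"Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-caller-data/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Public Access Block flags (real S3 setting names). Simplification used here:
# only when all four are True is a public grant in the policy masked.
PAB_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
PAB_OFF = {k: False for k in PAB_ON}


def _as_list(v):
    """IAM JSON allows a scalar or a list in most positions; normalise to list."""
    return v if isinstance(v, list) else [v]


def _principal_is_public(principal):
    """True when the Principal element matches anyone, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return the Sid (or index) of each Allow statement that grants access to
    everyone and carries no Condition that narrows who 'everyone' is."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if st.get("Condition"):
            # A condition (source VPC endpoint, source IP ...) narrows the grant,
            # so it is not counted as unconditionally public here.
            continue
        findings.append(st.get("Sid", f"statement-{i}"))
    return findings


def audit_bucket(name, policy_json, public_access_block):
    """Combine both signals: a public policy is a live exposure only when the
    Public Access Block does not mask it."""
    pab_ok = all(public_access_block.get(k) for k in PAB_ON)
    public = public_statements(policy_json)
    if public and not pab_ok:
        return {"bucket": name, "severity": "HIGH", "statements": public,
                "reason": "policy grants public access and Public Access Block is off"}
    if public:
        return {"bucket": name, "severity": "MEDIUM", "statements": public,
                "reason": "public grant in policy is masked only by Public Access Block"}
    if not pab_ok:
        return {"bucket": name, "severity": "LOW", "statements": [],
                "reason": "no public grant, but Public Access Block is not fully enabled"}
    return {"bucket": name, "severity": "OK", "statements": [], "reason": "no public exposure"}


if __name__ == "__main__":
    for bucket, pol, pab in [("leaky", LEAKY_POLICY, PAB_OFF),
                             ("masked", LEAKY_POLICY, PAB_ON),
                             ("scoped", SCOPED_POLICY, PAB_ON)]:
        print(audit_bucket(bucket, pol, pab))
```

The MEDIUM finding is the one worth keeping an eye on: a public grant that is currently masked becomes a live exposure the moment someone relaxes the Public Access Block, which is exactly the kind of "oversight by one engineer" the article describes. Running a check like this from a scheduled job, over every bucket the enterprise and its third parties operate, is a cheap way of taking the "effective responsibility" the article argues for.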

As it currently stands, enterprises take most of the effective responsibility. The public backlash for the breach will most easily fall at their feet, as will the attendant reputational damage and perhaps, the market’s faith in that company. 


The regulator will want its pound of flesh too. Under the General Data Protection Regulation, which came into effect last year, organisations will be held to account for the vulnerabilities of their third parties and providers. Infringement could warrant fines as high as four percent of global turnover.

There will always be some level of shared responsibility when it comes to Hybrid IT. Wherever legal responsibility ultimately lies, businesses should not be taking chances with their data. If organisations want to avoid doing so, they need to take effective responsibility for the data they hold in the cloud.

In business terms, that means performing thorough audits of cloud providers and third parties, so that only those that can be trusted to take your data as seriously as you do are allowed to handle it. On a technical level, the cloud presents a seeming conflict between access and security, but there are plenty of technical measures that can enable both.

If cyber-criminals look for the path of least resistance, then an environment is only as secure as its weakest element. So, first and foremost, every control, process and policy that an enterprise demands in its own environment must be mirrored in the cloud.

Being able to centrally manage these aspects is key, so enterprises should choose a Network Access Control solution that allows them to tailor policies and manage their environment according to their requirements. It should let an enterprise manage the access and policies of devices, users and third parties effectively, so that they can get to the things they need without endangering the things they don’t.


Similarly, that solution should also enable continuous, consistent, and constant visibility that extends right from the edge of the cloud to the tip of your endpoints, so you can stay on top of suspicious activities and attack behavior. 

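The two paragraphs above describe what a network access control policy has to do: decide per user, device and party which resources are reachable, deny everything the policy does not name, and leave a trail that a security team can watch. The following is an added example written for this article, not code from any NAC product or from the author; the rule set, device postures, users and resource names are all constructed, and the posture attributes stand in for whatever an endpoint agent actually reports. It shows the general shape of such an engine: ordered rules, first match wins, default deny, third parties scoped to the resources their contract names, BYOD confined to low-sensitivity services, and every decision logged with its reason so repeated denials stand out.

```python
"""Policy-based access decisions with default deny, device posture and per-party
scoping, plus a decision log for visibility. Added example; everything is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    party: str       # "employee" or "third-party"
    role: str
    device_id: str
    resource: str


@dataclass(frozen=True)
class Posture:
    managed: bool         # enrolled in enterprise device management
    disk_encrypted: bool
    agent_current: bool   # endpoint agent installed and up to date


# Constructed device inventory, as an endpoint/NAC agent might report it.
DEVICES = {
    "lap-001": Posture(managed=True, disk_encrypted=True, agent_current=True),
    "byod-07": Posture(managed=False, disk_encrypted=True, agent_current=True),
    "byod-09": Posture(managed=False, disk_encrypted=False, agent_current=False),
}

# Constructed rules, evaluated in order; first rule whose scope and posture
# requirements are met wins; no match means deny.
RULES = [
    # third parties reach only the resources their engagement names
    {"party": "third-party", "role": "vendor-support", "resources": {"ticketing"},
     "require": {"disk_encrypted": True, "agent_current": True}},
    # employees on managed, compliant devices reach internal systems
    {"party": "employee", "role": "*",
     "resources": {"mail", "wiki", "ticketing", "hr-records"},
     "require": {"managed": True, "disk_encrypted": True, "agent_current": True}},
    # employees on personal (BYOD) devices reach only low-sensitivity services
    {"party": "employee", "role": "*", "resources": {"mail", "wiki"},
     "require": {"disk_encrypted": True, "agent_current": True}},
]

DECISION_LOG = []   # every decision, allowed or not, with the reason


def _posture_ok(posture, require):
    return all(getattr(posture, attr) == want for attr, want in require.items())


def decide(req):
    """Return True if the request is allowed; always record the decision."""
    posture = DEVICES.get(req.device_id)
    allowed, reason = False, "unknown device"
    if posture is not None:
        reason = "no matching rule"
        for idx, rule in enumerate(RULES):
            in_scope = (rule["party"] == req.party
                        and rule["role"] in ("*", req.role)
                        and req.resource in rule["resources"])
            if not in_scope:
                continue
            if _posture_ok(posture, rule["require"]):
                allowed, reason = True, f"rule {idx}"
                break
            reason = f"posture fails rule {idx}"   # keep looking for a weaker rule
    DECISION_LOG.append({"user": req.user, "device": req.device_id,
                         "resource": req.resource, "allowed": allowed, "reason": reason})
    return allowed


def repeated_denials(threshold=2):
    """Users denied at least `threshold` times: a simple visibility signal for
    probing, mis-scoped third parties or devices that fell out of compliance."""
    counts = Counter(e["user"] for e in DECISION_LOG if not e["allowed"])
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    decide(Request("alice", "employee", "analyst", "lap-001", "hr-records"))
    decide(Request("alice", "employee", "analyst", "byod-07", "hr-records"))
    decide(Request("vend", "third-party", "vendor-support", "byod-07", "ticketing"))
    decide(Request("vend", "third-party", "vendor-support", "byod-07", "hr-records"))
    for entry in DECISION_LOG:
        print(entry)
```

The point of keeping the reason string is the visibility the article asks for: an employee's personal laptop failing the managed-device rule and then being admitted by the BYOD rule is expected, while a third-party account collecting denials for resources outside its scope is the kind of behaviour worth alerting on.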

Security, both in and out of the cloud, is all about giving access to the right people. Any stance that restricts too much will merely hamper business operation, not enable it. From that point of view, enterprises can consider solutions like Single Sign-On which, when combined with strong authentication, can provide security and a frictionless user experience.

Furthermore, just as the Cloud is redefining the way we work, so is the rise of Bring Your Own Device schemes. While many once declared them a security hazard, an organisation is all the more secure with a BYOD scheme. Without one, enterprises merely ignore the rise of illicit shadow IT devices in their environment without any means to accommodate the risks they may pose. SSL VPNs can allow users to securely access the enterprise and data centre from their own devices directly through the cloud and to the data, application and services they need.


Many of the kinks of Hybrid IT have yet to be worked out. Enterprises have often been hesitant to fully embrace the cloud for fear of further endangering their own environments. Some of that fear is justified, but more often than not enterprise data is safer within the cloud. ISC2’s 2018 Cloud Security report showed that misconfiguration was the biggest threat to cloud security, with 62 percent of respondents labelling it as such. Most supposed cloud breaches happen because of misconfiguration mistakes on the part of the customer or one of their third parties, not the cloud provider.


Wherever responsibility lies, it will always be up to an enterprise to take account of their potential vulnerabilities and, ultimately, protect themselves. The cloud has brought us a level of flexibility, which is now often expected of an enterprise. A layered approach to security will provide enterprises with the strong secure access they require and permit the interconnectivity that a modern workplace demands.

