Who’s Responsible for a Cloud Breach? It Depends

The Cloud Security Alliance (CSA) released a survey earlier this year that focuses on who should take responsibility for breaches in the cloud. It’s a good question. The advent of hybrid IT, among other things, has done much to destroy our traditional notions of the perimeter, with its siloed networks and fortress-like mentality.

The CSA’s findings did not leave an entirely clear picture as to where the buck stops. Of the survey respondents, 60% said that responsibility for breaches should lie with the cloud provider and 77% said that enterprises should take the blame for breaches in the cloud. Third parties, respondents believed, should largely be let off the hook, with only a small number believing that they should bear responsibility.

Furthermore, concerns about the security of cloud providers are still holding enterprises back from cloud adoption. According to a recent survey from The Cloud Computing review, 86% of organizations hesitate to adopt the cloud for fear of data breaches and other security problems. It is understandable how moving much of an enterprise’s data outside of their immediate environment and entrusting it to an often opaque service provider might not sit well.

It’s a complex situation. The outdated vision of the computer network as a castle—freestanding and isolated—is no longer applicable. Hybrid IT and other developments make it so. A modern business network is myriad connections and data-streams constantly flowing in and out of that “castle.” An enterprise might own all of that data, but it’s being handled by a whole variety of parties and infrastructures.

Of course, when a breach happens through the cloud we can tell who the real victim is: the customer. But where does the buck really stop for those breaches?

The business involved might be entrusted with that data, so from one point of view (including that of many regulators) that business is responsible for the breach and should have taken the steps to prevent it—whether it happened in or outside of their environment. But if that breach comes through the cloud, the picture changes significantly.

What if the insecurity that allowed that breach to happen wasn’t necessarily about the security of the breached business itself, but the provider’s? After all, it was the provider’s insufficient protections that allowed the breach to happen. The U.S.-based Surgical Dermatology Group experienced just that when, in 2017, a breach at its cloud provider TekLinks exposed the medical records of its customers.

And then, you have third-party services interacting with those businesses over that cloud provider’s infrastructure. It may just as well have been their insecurity that put that customer’s data at risk.

Verizon’s recent breach serves as an example of just that. When NICE Systems, a third party of Verizon’s, created a cloud-based file repository for caller data, the company misconfigured an AWS S3 bucket. That misconfiguration—an oversight by one of NICE’s engineers—exposed the personal information of millions of Verizon’s U.S. customers.

As it currently stands, enterprises take most of the effective responsibility. The public backlash for the breach will most easily fall at their feet, as will the attendant reputational damage and perhaps the market’s faith in that company.

The regulator will want its pound of flesh, too. Under the General Data Protection Regulation, which came into effect last year, organizations will be held to account for the vulnerabilities of their third parties and providers. Infringement could warrant fines as high as 4% of global turnover.

There will always be some level of shared responsibility when it comes to hybrid IT. Wherever legal responsibility ultimately lies, businesses should not be taking chances with their data. To avoid doing so, organizations need to take effective responsibility for their data being held in the cloud.

In business terms, that means performing thorough audits of your cloud providers and third parties, so that they can be trusted to take your data as seriously as you do. On a technical level, the cloud presents a seeming conflict between access and security, but there are plenty of technical measures that can enable both.

If cybercriminals find the path of least resistance, then an environment is only as secure as its weakest element. So, every control, process and policy that an enterprise demands in its own environment must be mirrored in the cloud.

Being able to centrally manage these aspects is key, so enterprises should choose a network access control solution that will allow them to tailor policies and manage their environment according to their requirements. It should allow an enterprise to effectively manage the access and policies of devices, users and third parties, so they can get to the things they need without endangering the things they don’t.

Similarly, that solution should also enable continuous, consistent and constant visibility that extends right from the edge of the cloud to the tip of your endpoints, so you can stay on top of suspicious activities and attack behavior.

Security, both in and out of the cloud, is all about giving access to the right people. Any stance that restricts too much will merely hamper business operation, not enable it. From that point of view, enterprises can consider solutions such as single sign-on, which, when combined with strong authentication, can provide security and a frictionless user experience.

Furthermore, just as the cloud is redefining the way we work, so is the rise of bring your own device (BYOD) schemes. While many once declared them a security hazard, today an organization is all the more secure with a BYOD scheme. Without one, enterprises merely ignore the rise of illicit shadow IT devices in their environment without any means to accommodate the risks they may pose. SSL VPNs can allow users to securely access the enterprise and data center from their own devices directly through the cloud and to the data, application and services they need.

Many of the kinks of hybrid IT have yet to be worked out. Enterprises have often been hesitant to fully embrace the cloud for fear of further endangering their own environments. Some of that fear is justified, but more often than not enterprise data is safer within the cloud. ISC2’s “2018 Cloud Security Report” showed that misconfiguration was the biggest threat to cloud security, with 62% of respondents labelling it as such. Most supposed cloud breaches happen because of misconfiguration mistakes on the part of the customer or one of their third parties, not the cloud provider.

Wherever responsibility lies, it will always be up to an enterprise to take account of their potential vulnerabilities and, ultimately, protect themselves. The cloud has brought us a level of flexibility, which is now often expected of an enterprise. A layered approach to security will provide enterprises with the strong secure access they require and permit the interconnectivity that a modern workplace demands.

Security Boulevard
Scott Gordon

Scott Gordon is the chief marketing officer at Pulse Secure, responsible for global marketing strategy, communications, operations, channel and sales enablement. He possesses over 20 years’ experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations across SaaS, hardware and enterprise software platforms. Previously, Scott was CMO at RiskIQ and ForeScout (FSCT). He has also held executive and management roles at AccelOps (acq by Fortinet), Protego (acq by Cisco), Axent (acq by Symantec) and McAfee.
