With an increasing number of organisations moving their infrastructure and services to the cloud, many are adopting multi-cloud strategies, meaning that a host of different cloud computing and storage services are used in one heterogenous architecture. While there are many benefits of distributing cloud assets, software, and applications across several cloud-hosting environments – including agility, flexibility, competitive pricing, scalability, and reliance – this also creates several challenges that need to be addressed.
For instance, organisations often find it difficult to secure a range of different clouds, due to a lack of visibility across hosts and services, making it easier for bad actors to find vulnerabilities that can be exploited within the corporate infrastructure. Because the cloud doesn’t have defined perimeters, it makes securing it a fundamentally different prospect to an on-premises environment. As such, a popular myth is that an on-premises environment is more secure than the cloud, but the truth is that cloud security is not more or less effective than on-premises.
What makes most sense
There is a need to start changing users’ viewpoint around cloud security and the discussion should rather focus on the pros and cons of each, instead of it being good versus bad. Essentially, both offer equal levels of security, and it really comes down to what makes most sense for a customer in terms of meeting their security requirements.
Another commonly asked question is who is ultimately responsible for security in the cloud. Hyperscalers that provide cloud services and infrastructure are very vocal about the fact that it is a shared responsibility.
The platform provider is responsible for the network security and the hardening of the platform, but they are not responsible for the securitisation of the data. This remains the responsibility of the user or application owner, who must ensure that the relevant security protocols are in place and that they are following a zero-trust process to secure their data. So, while cloud service providers will do everything in their power to prevent bad actors from entering the environment, the onus rests on the client to protect their data.
Due to the nature of the cloud environment, it is necessary for organisations to control the access of a myriad of users on the platform, which starts with putting in place a zero-trust policy and applying the principle of least privilege across every access point. As such, companies must typically look at their access control strategies and how they associate permission levels.
They should then follow processes such as managing access control, introduce rule-based access controls, or even role-based access control, and find the right mix that provides them with the level of security that they need.
At the same time, companies also want to ensure the safety and privacy of critical enterprise data in the cloud without disrupting operations and for this there are many storage and enterprise options to choose from. It comes down to choosing solutions that can restrict access, monitor activity, and respond to threats as quickly as possible, ultimately safeguarding an enterprise’s reputation.
A commonly used practice that enterprises typically employ to ensure they are secure, and that the privacy of their data is protected, involves several steps. The first being data discovery, followed by the implementation of data loss prevention tools and firewalls. Some cloud users also deploy storage solutions with built-in data protection, followed by choosing the right backup vendor for their environment.
Securing your environment should never be a discussion about whether cloud or on-premises offers the best security, it is about finding the right solutions for your business and managing user access. Enterprises must have the right technology in place to detect intruders, while also ensuring that employees – most often the biggest threat to an organisation – have adequate knowledge and training to follow security protocols.
By Gerhard Fourie, Channel Lead at Commvault Africa