Home Cloud Cloud Computing Models Why is cloud security a shared responsibility among CXOs?

Why is cloud security a shared responsibility among CXOs?

-

In recent years, “The cloud” as a term has gained much significant prominence. It’s a popular buzzword, but its real meaning and value may not be understood despite being spoken of and written about every day. The cloud is more than a contemporary fad; and a fundamental element that has to influence the forward IT strategy of any company.

As per the latest reports of PWC; Only 56% of companies have an overall strategy for information security, while 53% of CXOs agreed that their employees need training for privacy policy and practices.

Companies are turning to cloud services providers like Amazon Web Services, Azure, and Google’s cloud. To unload their IT infrastructure and computer needs; as they seek to achieve more efficiency and competitive advantage. Benefits gained by disposing of the data centers to favor the move to AWS are too many and too compelling to ignore. Despite losing the partial control over the data and the accompanying security risks. In the meanwhile, cloud service providers like AWS or Azure continue to make significant investments in the security of their services. It allows CXOs to argue that the public cloud is safer than what they can achieve on-premises.

Responsibilities that need to be taken care of

Cloud Service Providers are software and infrastructures experts with dedicated teams responsible for the security of their product within assigned budgets. Microsoft, for instance, spends $1billion a year on the safety of its products. Even the most prominent companies cannot match this level of investment in cybersecurity. It is unfair to compare the security of AWS with that of an on-premises IT infrastructure.

Shared responsibility 2

On the contrary, cloud adopters (specifical decision-makers) of the organization like CFOs, CTOs, and CIOs must understand their interfaces and applications. To determine how they can provide functionality, resilience, and security for the applications that they have deployed over the cloud. Due diligence must be carried out throughout the lifecycle of cloud-based applications and systems; that includes planning, development and deployment, operations, and decommissioning.

Once the customer onboard the AWS cloud, Amazon shares the burden of securing data with its customers. This concept, known as the shared responsibility model of cloud security, was created to accommodate and proliferate cloud services for the IT security teams.

In practice, it means Amazon takes the responsibility to secure the underlying infrastructure from vulnerabilities, intrusions, frauds, and abuses. Moreover, it accommodates its customers with the necessary security capabilities that they can configure as per their needs. For instance, Amazon has developed one of the most advanced Identity and Access Management (IAM) service. It provides control over the granular level of functionality and authenticated access to its infrastructure. Amazon urges its customers to follow all the security best practices made by AWS around IAM. Now, it’s incumbent on the user to make the most of AWS services like IAM.

Gartner emphasized the importance of the shared responsibility when they stated, “Through 2022, 95% of cloud security failures will be the customer’s fault.” Gartner’s prediction means that the vast majority of organizations using cloud services might be unsuccessful to uphold their responsibilities for the security of their data in the cloud.

Through 2022, 95% of cloud security failures will be the customer’s fault.

Division of Responsibility

Shared responsibility is built to relieve the customer from the operational burden. Since AWS operates, manages, and controls the components from the host operating system and brings virtualization down to the physical security level of the service. The customers are unacquainted with their responsibility towards their cloud infrastructure. In general, they assume that,
The management of the guest operating system (including updates and security patches),
Other associated application software and
The configuration of AWS as well as their only responsibility.

Customers should consider the services carefully while selecting since responsibilities depend on the service you used; the integration of the chosen service into your IT environment and the applicable laws and regulations. The nature of this shared responsibility also offers flexibility and customer control to promote deployment — security “of” the Cloud and security “in” the Cloud are two part of the responsibility.

“Security of the cloud” – AWS is responsible for securing the infrastructure that runs all of its services. This infrastructure comprised of hardware, software, networking, and facilities that run AWS cloud services.

“Security in the cloud” – This responsibility comes down to the shoulders of the customer. However, it is determined based on AWS cloud Service that the customer selects since liability depends on the type of service and the configuration that is required by the customer.

shared responsibility model

To illustrate:

A service like Amazon Elastic Compute Cloud (Amazon EC2) is pigeonholed as infrastructure as a Service (IaaS). It requires the customer to perform all the inevitable security configuration and management tasks. The Amazon EC2 instance that you deploy will make you liable for the management of the guest operating system (including updates and security patches). Any application software or utilities installed by you on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

AWS operates the infrastructure layer, operating system, platforms, and customers access endpoints to store and retrieve data for abstracted services; such as the Amazon S3 and the Amazon DynamoDB. You are accountable for managing your data (including encryption options); classifying your assets and applying for appropriate permissions using IAM tools.

How the CXOs’ role defines the shared responsibility model?

In this already complex cloud ecosystem, the relationship of CXOs has to be closely aligned; which ought to go beyond just an agreement on the budget.

If we divide the responsibility based on role functions; then CIOs and CFOs have to work together as two strong pillars. They need to ensure that the organization meets every demand that is placed by the regulators, shareholders, customers, partners, and employees.

Traditionally CTOs select the applications and deploy them. Their team has to accept whatever CTO offers them since the cloud offers consumerization and mobile technology that works together.
If the IT department of a company is not able to work efficiently, then the C-level technical executives and their team need to figure out;
How to manage all the new demand and,
Devices to monitor and maintain the infrastructure.

When other C-level executives are determining how they can operate their infrastructure of the organization on the cloud; to make it more responsive to corporate needs. On the other hand, CEOs care less about the cloud. They want to live in a world where IT won’t stop the way of making great ideas to happen.

shared-responsibility-3

In many aspects, CTOs solve most of the problems that occur. Whether it be managing data, applications, and the IT ecosystem in the cloud that helps their teams to take advantage of the technologies that drive innovation and better serves the business. CTO’s team can also work closely with the business stakeholders on strategy instead of tinkering with servers and old technologies. It is called digital transformation, and it is a benefit at both the business and technology level.

It is essential for business leaders to understand that cloud options don’t replace internal infrastructure completely. As a result, business needs more significant development expertise across a broader range of skill sets.

Conclusion

CEOs always want to know about the spending. The cost of buying equipment and licenses is substantial, with on-site and private cloud set-ups. The public cloud is dramatically downsizing the expenditure on internal hardware and the associated costs of management and maintenance; that’s music to the CEO’s ears.

The CIO needs to be able to articulate risk in terms of finance; whether it be data or cybersecurity threats to the CFO. It is important because any of the problems that cause risk should have a technical and operational impact and solution. If the company opts to delay investment in infrastructure, business continuity can affect. That directly impacts the customer experience. The CIO must understand the organization’s financial system exceptionally well and should be able to calculate risks accurately so that CFO can find a way through it. Together, they should be able to take the assessments for the audit, or peril, committee, and on the board.

However, CTO’s leadership is responsible for maintaining awareness of the technological climate in general for business and in particular outside their industry. It will determine the type of technology and information access is needed and what is strategically available. It will enhance the efficiency and competitiveness of every part of the company.

 

Cloud Evangelist
Cloud Evangelist
Cloud Evangelists are CMI's in house ambassadors for the entire Cloud ecosystem. They are responsible for propagating the doctrine of cloud computing and help community members make informed decisions.

Cloud

Cloud Management