Cloud Compliance and Security: The Truth Behind 5 Cloud Computing Myths
Cloud computing myths have occupied the IT world since the cloud became a viable infrastructure hosting option a decade and a half ago. Those of us who worked in IT at the time remember the many misconceptions about what the cloud was and whether it was possible to host business-critical services in the cloud while maintaining security and regulatory compliance.
The IT industry and the cloud have evolved beyond all recognition since those early days, and few people today doubt the value and power of the cloud computing model. In 2022, 67% of enterprise infrastructure and 83% of business workloads are hosted on a cloud platform.
Yet cloud myths persist, particularly cloud security myths, although their nature has evolved along with the cloud. In the past, cloud security myths were unduly pessimistic. Today, they are just as likely to be unduly optimistic about cloud security and compliance.
Myth 1: Cloud Platforms Are Insecure
This is the original cloud security myth, founded on the belief that businesses can’t trust infrastructure they don’t control. However, if we look at the pattern of security incidents involving cloud platforms, it becomes clear that they are rarely caused by vulnerabilities in the platform itself. They are almost always the result of cloud users’ misconfigurations and mistakes; 70% of cloud security challenges arise from configuration errors.
Myth 2: Vendors Take Care of Cloud Security
The opposite of our first cloud security myth is the mistaken belief that the cloud is inherently secure. Believers operate under the misconception that hosting software and data in the cloud is a shortcut to improved security. In reality, all cloud providers use a shared responsibility model for security.
The provider takes responsibility for some security aspects—the physical infrastructure at a minimum, but often other aspects depending on the service. The user is then responsible for using those services securely. For example, connecting an unencrypted AWS elastic block storage device to an EC2 instance creates a potential data leak vulnerability. Amazon provides secure encrypted block storage, but it won’t stop the user from deploying an insecure configuration.
Cloud users must understand which security aspects they are responsible for and how to configure their cloud environment to meet security and compliance requirements. If you’re worried that your business has cloud misconfigurations, consider a cloud security configuration assessment.
Myth 3: Compliant Services Guarantee Regulatory Compliance
Many cloud providers advertise that their services are compliant with information security regulations. For example, Amazon’s S3 storage service is certified compliant with SOC, PCI DSS, HIPAA, and other regulatory standards. But what does that mean? Most importantly, it doesn’t mean that an S3-based data storage system automatically complies with those standards.
This is something cloud vendors go to some lengths to communicate. For example, Amazon’s PCI DSS compliance documentation states that “AWS establishes itself as a PCI DSS Service Provider to enable, upon further configuration, the compliance of our customers.” The “upon further configuration” part is critical. S3’s PCI compliance means it can be used as part of a PCI-compliant system, but it needs to be configured correctly to do so. A simple configuration error may render any system non-compliant that is built on S3, and it’s the user’s responsibility to make sure that doesn’t happen.
Myth 4: Bad Actors Don’t Target the Cloud
It might be tempting to think that moving to a cloud platform will solve your business’s security problems. You’re at the end of your tether with the constant bombardment of malware, ransomware, phishing attacks, and bad bots. You want a secure infrastructure solution that is immune to the attention of cybercriminals. But the cloud can’t give you what you are looking for. Many of the biggest security breaches and data leaks of the last few years happened on the cloud.
Criminals go where the data is, and they have become skilled at exploiting cloud vulnerabilities. As we established earlier in this article, most of those vulnerabilities are caused by cloud user mistakes. Does that mean cloud platforms can’t help you solve your security and compliance issues? In fact, they can, but you may need the help of an experienced cloud expert.
Myth 5: You Don’t Need A Cloud Security Audit
A cloud security audit based on the Center for Information Security Benchmarks will help your business avoid the security and compliance risks we’ve highlighted in this article. Experienced information security experts will examine your AWS, Microsoft Azure, or Google Cloud Platform environment for configuration mistakes, security vulnerabilities, and data breach risks. An audit ensures you have the information to operate a secure and compliant cloud environment. To learn more, contact a cloud security specialist at KirkpatrickPrice today.