Cloud Security Isn’t Just on Your Provider; It’s Your Job, Too

Cloud-enabled computing has emerged as an appealing alternative to organizations looking to move away from the considerable expense of internal infrastructure and hardware that would be otherwise necessary to store data or run mission-critical applications. It’s also abundantly clear that cybersecurity is an integral component of keeping those solutions safe and viable.

But what may be slightly more difficult to describe in any certain terms is where the lion’s share of the responsibility lies for upholding that cybersecurity: Is it with the cloud solution provider? The corporation’s IT department? Individual users? 

The short answer is probably all of the above. The longer answer is it’s a nuanced combination of technical design and institutional practices that can never be fully separated without jeopardizing an organization’s cyber health.

Cybersecurity

Sobering Reality: Drizly Order Indicates Officers May Face Personal Liability for Data Breaches

by Baker Donelson

February 1, 2023

The FTC says Drizly’s CEO James Cory Rellas was alerted to a potential security loophole two years before a data breach exposed the personal information of 2.5 million customers of the alcohol delivery service.

Read more

Here are five tips for ensuring that your organization is upholding its cybersecurity obligations.

Talk to your provider, but work internally, too

It’s true that all cybersecurity — or at least good cybersecurity — is a collaboration between you and your provider. While your cloud service provider absolutely holds a large share of the responsibility for protecting your data, you’ll need to carry some of that weight, too. All of that will be much easier if you know where their domain ends and yours begins.

A healthy business is an evolving organism, and your cybersecurity posture will need to account for each new growth spurt. And since a vendor can’t be expected to account for each personnel change a company undergoes over the course of its lifetime, it will largely fall to your organization’s IT team to stay on top of tasks like removing the user credentials of a departing employee or regulating access to sensitive data based on changing job roles.

It’s also not a bad idea to put other regular precautions in place to help eliminate human and technological weaknesses that pose a challenge to information security. Your cloud service vendor will have ideally addressed any internal software application vulnerabilities as part of their regular software development lifecycle, which should feature robust secure-by-design principles aimed at mitigating risk.

Regular stress tests can help an organization’s cybersecurity team detect or even predict potential threats before they manifest. Growing a culture of continuous employee learning around cybersecurity best practices and habits can also help well-intentioned employees avoid making costly mistakes.

Remember that compliance and cybersecurity walk hand-in-hand

Yes, a cloud service provider should be building the appropriate cybersecurity precautions into their products from the ground up. But the users of those solutions are under greater pressure than ever before to ensure that they are putting measures in place to maintain data safety, while also abiding with the mandates of an ever-expanding regulatory landscape. Accordingly, it’s a concern that has pushed its way into the upper echelons of senior executives and corporate boards.

The global patchwork of privacy and information security regulations is extensive, varied and potentially very expensive if organizations fail to take the proper steps to safeguard any sensitive or personal information in their care. While the particulars of may vary from jurisdiction to jurisdiction, privacy-centric regulations generally place a great deal of emphasis on the ways that organizations process any personal data they collect, as well as the implementation of adequate security measures.

More often than not, the cost of a data breach or other failure to meet those requirements extends beyond dollars and sense. Consumers have become increasingly vigilant about the way that business or other organizations collect and use their data — and a breach of that trust can damage relationships with clients and partners alike.

Make security invincible, yet invisible

It’s a catch-22. An organization’s cybersecurity posture must be as robust and impenetrable as possible — without inhibiting employee productivity or operations in general. One of the simplest and most effective ways for business to walk that tightrope is by streamlining access to sensitive data — or applications containing sensitive data — by job role. In other words, only the people who absolutely need access to those systems are provided with the credentials.

Meanwhile, companies that are debating the creation of their own cloud-based services or applications should consider embracing a “shift left” approach. In practice, this simply means integrating cybersecurity testing procedures into the earliest stages of the technology development process in order to detect any potential vulnerabilities as swiftly as possible — the very definition of secure-by-design products.

Make room for CISOs and CIOs at the executive table

If responsibility for cloud cybersecurity can’t be limited to one vendor, then it definitely shouldn’t be restricted to an organization’s IT department, either. Maintaining cybersecurity requires companies to make ongoing investments in infrastructure, training and employee engagement. Facilitating those resources necessitates buy-in at the highest levels from executive teams and board members.

Placing chief information officers (CIOs) and chief information security officers (CISOs) regularly within arm’s length of those most prominent of stakeholders helps to ensure that there are informed voices at the table who can eloquently — and authoritatively — speak to some of the cybersecurity demands facing the organization. This will become increasingly essential as businesses continue to try to reap the cost savings and efficiencies that come with digitizing their operations and workflows. Opportunities for improvement abound, but the larger a company’s digital footprint becomes, the greater the demand on cybersecurity.

Lead by example

It’s a company’s executives who set the culture of the organization, not its cloud provider. And culture is the most fundamental component toward ensuring strong cloud security.

The fastest way to secure employee buy-in around cybersecurity best practices is for corporate leadership to communicate — not only in words but in action — that superior data hygiene is a priority. That means walking-the-talk, whether it’s prioritizing multifactor authentication and devising increasingly strong passwords or proactive measures like drafting regular communications reiterating to employees how essential cybersecurity remains to the overall health of the business.

Cloud-based solutions can be an invaluable addition to an organization’s technology stack, fostering new efficiencies, reducing the expenses — and real estate — consumed by servers or other hardware, and providing critical protection for sensitive data. However, optimum cybersecurity will never be achieved by technology alone, no matter how sophisticated the product may be. Organizations must encourage leadership and employees from all walks of the corporate ecosystem to take responsibility for ensuring that the organization’s data remains secure.

Greg Tatham is senior vice president and CTO of platform technology at Wolters Kluwer, where he focuses on the development and operations of innovative and extensible platforms to enable global business units to deliver a wide breadth of customer products.

Anthony Oliveri is vice president of product software engineering at Wolters Kluwer and has extensive experience in guiding the development of complex software systems using leading edge technology.