Why aren’t the cloud solution providers the ones responsible for security failures?
The reason cloud solution providers aren’t held responsible for security failures comes down to some unique things.
1. Shared responsibility model
If you are on Microsoft 365, you’ve agreed to their shared responsibility model whether you realize it or not. If you look at all the fine print, shared responsibility is one of the sections. Microsoft explains to you, right up front, the areas they are responsible for and anything else is your responsibility. So, where do those lines get drawn?
2. Cloud Provider only responsible for facilities, utilities, cables, hardware, etc.
At the very base level a cloud provider, in our example, Microsoft is responsible for the facilities where they have all the servers, pieces of actual hardware – nuts, bolts, etc., the utilities that feed those, the internet connection, heating and cooling, power, the people who take care of the facilities. All that responsibility is on them as you have no way of taking care of it. That is why you are paying them.
3. Customers are often responsible for everything other than facilities, utilities, cables, hardware, etc.
Cloud solution customers are generally responsible for everything on top of facilities, utilities, cables, hardware, etc., although that comes down to differences between the solution levels. There are three really common types of solutions: IaaS – Infrastructure as a Service, PaaS – Platform as a Service and SaaS – Software as a Service.
IaaS – Infrastructure as a service. This is the base level any cloud provider is responsible for and includes the things that there would be no way for you to be able to do. They are only responsible for things like facilities, utilities, cables, hardware, etc. They are providing those resources, but as soon as you do anything on top of that, it is your responsibility. So as soon as you install a server or workstation operating system, everything from that point on is on you.
PaaS – Platform as a service. At this level, they are responsible for the operating system. They will make sure to complete patches, security updates, and other related activities. Keep in mind this example is specific to Microsoft, some PaaS solutions are a little different from Microsoft’s, but they have a lot of commonalities.
SaaS, Software as a service. QuickBooks online is an example of a SaaS solution which is very popular among QuickBooks users. They keep everything up to date for you. They are responsible for the QuickBooks install, the version and any updates that come out, patches, and security.
4. Customer is responsible for identity and access management, application configurations and data
We as consumers are responsible for identity and access management – which is the biggest one, application configurations, and data. If you look at each of these it makes sense. Just as we cannot be responsible for the hardware, cables, nuts, and bolts, they cannot be responsible for identity and access management.
They cannot make you create specific users with a specific password, and we wouldn’t want them to. If you create a user with a super easy-to-guess password and cut them loose that is your responsibility if there is a breach. The same with application configurations, they can lock them down to an extent, but this is one of the first things people complain about when they move from an on-site application to a cloud application. You’ll hear complaints that the cloud application is so locked down that they cannot do everything they want to do. A lot of times it is because of this, if they totally open it up there can be some misconfigurations which would create security holes.
Then the last thing of course is data, they cannot control what you put on those servers. Personal information, client stuff, and things that would be at risk are your responsibility to protect.
Cloud Solution Security Threats
Below we’ve listed a few of the actual IT security threats themselves. Keep in mind these are broad topics.
- Insufficient identity management, credentials, and access management – If any of these are not secure it is a security problem.
- Insecure interfaces and APIs – One of the first things people want to do when they move to a cloud application is to get it to talk to another application. Whether it is another cloud application, something on-site, or a piece of equipment, if the app is opened up it can create security issues if it is not done properly.
- Unsecured third-party resources – Many companies use third party resources to conduct business. For example, DWD uses Datto for backup and remote monitoring and management. It is extremely important to verify the security of any third parties you are working with. They should be able to provide you with detailed documentation of their security practices.
How do you Protect Yourself?
Require Secure Passwords whenever you are setting up users – It’s important to require users to set up secure passwords. In the past, this meant 8 characters in length with 2-4 different requirements such as uppercase, numbers, or special characters. Password security changed considerably over the last year or so, with a lot of companies, Microsoft included, suggesting that users make passwords really strong and not change them often. To do this, it can be helpful to use tools like LastPass or other password management tools to create super strong passwords.
This approach goes against what we were taught in the past – change your passwords often. The reason for this change is they are finding when employees change passwords often, they try to get creative by adding 1, 2, 3, or ! to the end of the same password they were using. This happens because people are tired of changing their passwords every month.
Deploy MFA – MFA or Multifactor Authentication has gotten more user friendly. Not as many MFA products are asking you to receive and enter a special code which can be painful. They are now just asking if the login attempt is you – click “yes” or “no”. With Multifactor Authentication, even if your password is compromised, they would not be able to get in.
Create Least Privilege Roles – This is one security option often overlooked. Let’s say you have 20 users in your network only 3 of which need access to financials to do their job. The other 17 users should not have access to financials. You only want to give users rights to things they need to do their jobs.
Disable Inactive Accounts – Every 3-6 months you should go through your users and make sure accounts have been disabled for anyone that is no longer with your company. Many usernames are now just email addresses, so they can be easy to guess. If a former employee is using the same password in multiple places, it can get compromised and pose a security risk for your company. You want to be vigilant about closing inactive accounts.
Provide Anti-Phishing Training for Employees on a Regular Basis – KnowBe4 is probably the biggest Cybersecurity Awareness training tool in the field and is what DWD uses to help educate its employees. Anti-Phishing providers offer training that actually sends out test phishing emails. The tools randomly send emails to your employees to try to get them to click or open something they should not.
Depending on the provider, it will let the employee know they clicked on something they should not have and tells the employee why it was a potential security threat. The employee may also be required to watch a short training video or a read through a warning to help educate them more.
Backups – Backups for cloud products are really important because of the shared responsibility model discussed above. Cloud solution providers do not complete backups for you. They have a robust system that rarely goes down; when it does, it is not down for very long. However, they do not keep long-term data and information for you. They generally state that they will keep a 30-day backup of your information.
There are cloud to cloud backup solutions available, including Datto which has been mentioned above and is a very affordable option. Cloud providers are getting very good at blocking encryption. Instead of traditional ransomware approaches, the bad guys are now copying data that is not encrypted. They will slowly and quietly gain access and copy part or all of your data, then threaten to publish it. Unlike the traditional data encryption ransomware approach where they send you a key to decrypt, they can keep copying your data and threatening to publish it.
Strong Antimalware/Antivirus/EDR – When you have multiple applications in the cloud, access or the gateway to your data and applications is now through endpoints. Because of this, you have to create really strong, tough-to-get-through, endpoint security. Antimalware/Antivirus solutions like Trend Micro and Bitdefender are excellent options.
An even higher level of protection is available called Endpoint Detect and Response (EDR). EDR is more robust and provides some failback features such as SentinelOne. If SentinelOnce detects a breach it has the ability to shut that computer off from the network, while others continue to have access. This option is a little bit more expensive than standard antimalware/antivirus but contains a higher level of security features.
If you have questions or would like to discuss IT security for your business, please reach out to our Network team. We have a team of experts that offer a variety of IT security solutions including Managed Security Solutions.
Register for our IT/Network newsletter today!