Is Your IaaS Provider Responsible for Data Breaches in the Cloud?

February 7, 2019 Eric Dosal Eric Dosal

To keep up with competitors and the pace of modern consumers, businesses need to continuously expand and upgrade their computing resources. Whether these resources are used to manage online transactions, deliver digital resources, control customer-facing apps, or simply provide employees with access to critical software, acquiring and maintaining the computing resources a business needs to to operate smoothly requires significant labor and capital.

Many small to midsize businesses (SMBs)—and even many larger organizations—have begun to heavily adopt cloud-based services to meet their infrastructure needs while saving time, effort, and money. Yet, just like their on-premises infrastructure, businesses need to be sure that their cloud-based “infrastructure-as-a-service” (IaaS) resources are well protected from cyberattacks.

Data breaches are a constant concern for businesses of all sizes and industries. When the network security a company uses is breached, the consequences can be extensive. In fact, according to data cited by Inc.com, “60 percent of small and midsized businesses that are hacked go out of business within six months.”

But, who is responsible for data breaches in the cloud—the IaaS provider, or the user?

Who is Responsible for Data Breaches in the Cloud?

While some business owners and managers might assume that their IaaS provider is responsible for cybersecurity in the “cloud,” the truth is that they are not. IaaS providers may provide physical security for the data centers holding their cloud computing infrastructure, but cybersecurity for the cloud environment is generally left to the user.

For example, according to Microsoft’s Security Best Practices for their Azure IaaS product, the following items are always the customer’s responsibility:

  1. Data governance & rights management;
  2. Client endpoints;
  3. Account and access management;
  4. Identity & directory infrastructure;
  5. Application;
  6. Network controls; and
  7. Operating system.

In general, an IaaS provider does not usually have enough control over how their customers assign user access credentials to guarantee endpoint security for their service infrastructure. They could have the best cybersecurity tools on the market, but if there’s an internal user who circumvents that security, the IaaS provider cannot prevent the cloud data breach that will occur.

So, when it comes to data breaches in the cloud, the responsibility is ultimately on the cloud service user, not the cloud service provider. Does this mean that businesses should avoid IaaS providers? Of course not. Cloud-based infrastructures are simply too valuable a resource for modern businesses to disregard.

The real question is: “How can companies of any size create strong cloud security with the budget they have available?”

How Can I Maximize Cloud Security to Prevent a Breach?

Tackling the challenge of creating strong security for an IaaS solution can be a bit different from creating strong internal network security for co-located computing resources. The fact that IaaS assets are accessed remotely adds a need to create secure connections and to enhance identity verification methods—in addition to establishing endpoint security on the cloud infrastructure itself.

Another challenge in cloud security is that not all endpoint security measures a company uses for internal computing resources will be compatible with an infrastructure-as-a-service solution. When integrating a cloud infrastructure, the company will have to check their endpoint security measures and see whether they are compatible with the new cloud solution. If current endpoint security tools are not compatible with the cloud solution, then new security tools should be acquired and implemented.

When using an IaaS solution for storing or processing information, it’s important to consider just what kinds of data will be handled on the cloud infrastructure. Like with any other network endpoint, the most sensitive data should only be stored on the most well-protected cloud environments or assets.

Furthermore, controlling who has permission to access the remote infrastructure is a must for preventing data breaches in the cloud. Like with an on-premises endpoint, enacting a policy of least privilege (POLP) for cloud-based resources can limit the damage that a compromised user account might do.

One way to make finding the ideal solution to maximize cloud security with a new IaaS solution is to leverage the support of a cybersecurity service provider such as Compuquip. Managed security service providers often have extensive experience dealing with different cyber threats, network environments, and network security solutions. Additionally, these security service providers are often more cost-effective than hiring internal IT security specialists to do the same work.

Compuquip is a Florida-based cybersecurity company that helps businesses of all sizes maximize their network security by identifying potential gaps and finding the best solutions for closing them. Speak with one of our cybersecurity experts today to help your company protect itself from cyber threats.

9-it-practices-putting-businesses-at-high-risk

Back to Cybersecurity Basics

Master the 8 basic elements of a strong cybersecurity posture.

Download Now