Securing applications and content in the cloud isn’t exactly difficult, but doing it correctly requires attention to detail. Granted, you can’t control what end users do, but you have a certain level of responsibility to protect your applications.
The security measures you’re responsible for depend on several factors. For example, cloud service providers are mostly responsible for securing PaaS and SaaS applications. IaaS security responsibilities are split down the middle. And customers are entirely responsible for securing applications hosted on-premises. If you’re not familiar with the shared responsibility model, Box has an in-depth guide to cloud security that includes a chart for determining responsibility.
What are your cloud security responsibilities?
Your security responsibilities depend on what service you’re providing. If you’re a developer providing a cloud-based application, you need to secure your application all the way to the user’s end. If you’re simply hired to develop applications and have nothing to do with hosting those applications, then you’re generally only responsible for securing the actual application.
Security responsibilities related to hosting an application in the cloud can get tricky. While your cloud vendor is technically responsible for securing the operating environment, you’re still responsible for ensuring you’re using a secure operating environment. If you fall victim to a security breach, and a court finds you were using an insecure cloud vendor, you could be held partially liable for the breach. More importantly, users are always responsible for access management.
Cloud technology is powerful, yet requires diligent security
No technology has connected mass numbers of people worldwide like the cloud. Cloud technology is the future of our world and the key to making remote teams successful. The cloud also enables software developers to keep applications secure with automatic updates rather than requiring users to download and update packages. However, like any technology, cloud security is vulnerable to human error, which makes cloud-based apps open to targeting by hackers.
In 2020, the Washington Post reported a data breach a smart home security product experienced that was tied to human error. Although the data of 2.4 million users was theoretically protected, the company says an employee in China accidentally removed the database protections, enabling the hack.
Database security isn’t the only security measure that can be easily stripped away by human error. Employees with access to security settings might click the wrong button, delete the wrong setting, or intentionally sabotage security.
Companies are almost always held responsible for employee actions when those actions are enabled by lax company security. Diligent security measures prevent accidents and malicious sabotage. Strong company security policies limit access to the network and include prompt enforcement of violations.
You can’t be held responsible for user error
When you meet your security responsibilities, being held accountable for a cyberattack is less likely. It’s still possible, however, because there’s no guarantee how courts will rule in a real case. However, if a security breach is obviously user error, you don’t need to worry. Distinguishing what constitutes “user error” is the tricky part.
The problem is that users rarely understand their security responsibilities. Developers aren’t responsible for making users understand their responsibilities, either. Many end users aren’t technically inclined and don’t have an IT security team to install and secure their cloud applications. Not surprisingly, these oversights have led to a massive increase in data breaches and cyberattacks where 80% of companies reported at least one cloud data breach within an 18-month period.
Hackers are always a threat, but user error is the number one threat to cloud security.
What does user error look like?
User error encompasses any oversight or mistake made by the user, with or without their awareness. For example, say you’re hosting a popular cloud-based CRM (customer relationship management) application, and multiple customer installations get hacked. Personal information is stored in an unencrypted way and is therefore exposed.
This breach may not be your fault. You aren’t responsible if the breach was caused by employees who used weak passwords, logged in over public Wi-Fi, or fell victim to a keystroke logger. You also can’t be held responsible if the breach was caused by a database misconfiguration during installation (unless you provided the installation as a service).
What is the solution to cloud security?
Securing apps in the cloud is easy when you know what steps to take. In addition to encrypting personal data, it’s imperative to focus on access management and require multi-factor authentication for logins. While not a complete solution, these security measures make cloud-based applications exponentially more secure.
