Cloud vendors and users share a lot of things: control of cloud services, privacy and the pathological desire to reduce downtime. There’s also a shared responsibility for security when using cloud vendors.
“Cloud vendors specifically say that you have a shared responsibility for security, and either many companies ignore it or simply don’t understand what that means,” said Tina Gravel, senior vice president of Global Channels and Alliances for Cyxtera Technologies. “We saw some of the risk of that with Capital One. They have things like security groups that assist you in setting up rules for roles within your firm and external, but that's not enough either. You have to take it a step further.”
It’s everyone’s responsibility to keep machines from being compromised. On the cybersecurity side, the teams implementing operating systems need to do hardening and other due diligence.
Cloud vendors are responsible for defending the physical server racks – some up to the OS, some not that far, just up to the hypervisor. Everyone in the cloud and technology ecosystem needs to work together.
“It's very important that we put aside our competitive differences and try to help each other because this is bigger than any one of us,” Gravel said. Here are some things you can do to protect yourself when working with the hyperscale cloud vendors.
3 Security Tips for Working with Cloud Vendors
1. Zero Trust
Zero trust, a term originally coined by John Kindervag, means what it says: trust no one. That means no users have access to anything until the cybersecurity team sets up entitlements that allow them to do so.
“Zero trust on the user side looks like this: If you’re traveling outside of a zone you normally are located in and the system is set up to check where you are, you may be restricted until things check out or you may have a tad more latency until the system truly sees you are you,” Gravel said. “If you’re not approved to access certain files, you can’t, or if you’re on public Wi-Fi instead of the company VPN, you might be restricted from certain areas of the network. Doing that means you’re putting an extra security layer on the mobile workforce who’s accessing the cloud.”
Gravel’s company, Cyxtera, has more than 60 data centers around the world combined with four types of innovative security augmentation software. They use solutions like zero trust to identify each user who wants access, what they’re trying to access and if their role or entitlement provides them access to certain files, devices and processes.
There are also aspects of artificial intelligence (AI) in some of the systems that will mimic human decision making and cut down the noise that those monitoring the networks might experience.
Zero trust is the type of practice included in CompTIA Security+, which validates the baseline skills needed to perform core security functions and pursue a cybersecurity career.
“Limiting risk is everyone’s responsibility,” Gravel said.
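The behavior described in this section can be sketched as a deny-by-default access decision. This is an added example, not code from the article or from Cyxtera; the roles, resources, users and countries are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy data (assumptions, not from the article).
ENTITLEMENTS = {"finance": {"ledger", "wiki"}, "engineer": {"source-repo", "wiki"}}
RESTRICTED_AREAS = {"ledger", "source-repo"}  # reachable only over the company VPN
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    country: str
    on_vpn: bool
    verified: bool = False  # True once an extra identity check has passed


def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # 1. Default deny: access exists only where an entitlement was set up.
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return "deny", "no entitlement for this role"
    # 2. Network context: public Wi-Fi cannot reach restricted areas.
    if req.resource in RESTRICTED_AREAS and not req.on_vpn:
        return "deny", "restricted area requires the company VPN"
    # 3. Location context: outside the usual zone, hold until identity checks out.
    if req.country not in USUAL_COUNTRIES.get(req.user, set()) and not req.verified:
        return "step_up", "unusual location, extra verification required"
    return "allow", "entitled and context checks passed"


if __name__ == "__main__":
    samples = [
        Request("alice", "finance", "ledger", "US", on_vpn=True),
        Request("alice", "finance", "ledger", "US", on_vpn=False),
        Request("alice", "finance", "ledger", "FR", on_vpn=True),
        Request("alice", "finance", "source-repo", "US", on_vpn=True),
    ]
    for s in samples:
        print(s.user, s.resource, s.country, "vpn" if s.on_vpn else "public", decide(s))
```

The order of the checks matters: entitlement is evaluated first, so a request with no entitlement is denied no matter how trustworthy its network or location looks.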
2. Shared Knowledge
Cybersecurity is so multifaceted that no one can solve it alone. Sharing information is important in security, and since the odds are high that companies are going to get hacked, it’s important to share security responsibility all around. The knowledge someone gains after going through a hack is valuable to the IT security ecosystem. Working together means everyone sharing the knowledge of their mistakes.
“When the Equifax breach happened, we all wondered if the chief information security officer (CISO) would be able to get a job,” Gravel said. “Now, when you've been hacked, you’re more attractive to employers.”
Bug bounties are also becoming more collaborative, as pen testers relax their grip on solo discoveries.
“In order to keep getting better and stay ahead of the bad guys, we need to share information with each other,” she said.
3. Open Platforms
Part of the shared responsibility involves creating an environment where everyone working in the business of technology is invested in good security practices and understands why they need to follow certain protocols.
“We use a training called KnowBe4 that keeps all our employees up to speed on the latest hacks and methods,” Gravel said.
Put people on a journey to get better, and get everyone involved in the security conversation.
“Your CISO should be on your board or meeting with your board,” Gravel said. “Cybersecurity and the risks involved with being hacked should be at the top of everyone’s concern at your company.”
Get people to understand the story around security and get emotionally invested in the process through regular conversations. The more we talk about it, the more it becomes the norm.
Sharing knowledge goes beyond other companies. We teach kids not to talk to strangers, and we should teach them to be safe online, too. Same goes for adults.
“Educate your grandmothers, your parents. Help them get there because they will be taken advantage of,” Gravel said. “Cybersecurity goes beyond the tech industry. We need to make security mainstream like learning the alphabet.”
—Michelle Lange is a writer and designer living in Chicago.