Speaking recently in a Google webcast, U.S. CIO Tony Scott declared major cloud providers like Google, Amazon or Microsoft just as secure as the world’s largest financial institutions. He even implied that there’s no safer place to store data than in the cloud.
It’s wonderful to see federal agencies revitalizing their cybersecurity efforts by prioritizing a move to the cloud. But a slew of recent breaches at federal agencies like the Office of Personnel Management, the Department of Defense and the White House indicates that the answers to cybersecurity woes aren’t so cut-and-dried. A key component is being overlooked here: the ownership of cybersecurity in the cloud.
The problem is, Scott is assuming that all cloud service providers (CSPs) have the incentive and ability to provide end-to-end security services. However, most CSPs operate under a shared responsibility model. That means that while these CSPs ensure the security of the cloud infrastructure itself, it’s the cloud customers’ responsibility to secure their own data.
The FBI’s Chief Information Security Officer, Arlette Hart, agrees that there’s an accountability issue here. In an interview last week, she described how CSPs often operate under a “trust me” model of cloud computing. And that’s simply unacceptable for organizations like the federal government that need to protect data that can literally be a matter of national security.
Hart’s recent statements raise an important question: why is there a lack of transparency from CSPs to begin with? The harsh reality may be that CSPs just don’t have an adequate answer to the question of whether they can truly meet certain security standards. There’s a clear lack of understanding of security “of” the cloud versus security “in” the cloud, and CSPs are doing little to address this. Under the current policies of most CSPs, security in the cloud is the responsibility of the organization. And while some CSPs have been working to offer their cloud customers more security options, it remains necessary to implement third-party security solutions.
Yes, Scott’s enthusiasm for the cloud is commendable, but there’s more work to be done. Organizations, including the federal government, need deep visibility in order to identify insider threats and intrusions in their cloud technology. They need to be able to prevent data loss and meet ever-evolving compliance regulations. The good news is, third-party security vendors can help by guaranteeing transparency and providing an “inside-out” approach to cybersecurity.