Some organizations have bought into the idea that workloads in the cloud are inherently more secure than those on premises. This idea is reinforced by the notion that the cloud service provider (CSP) assumes responsibility for security. However, while a secure cloud workload is possible, it should not be assumed automatically: there are important steps to take to ensure its security.
Cloud security is a shared responsibility
Migrating to the cloud does not alleviate an organization’s cyber risk, nor does it transfer the risk to the CSP. Instead, it requires a shared security model where roles and responsibilities are clearly defined. While the shared security model does make some aspects of cloud security easier, managing the risk of exploitation by sophisticated cyber threat actors is not one of them.
For most security operations teams, monitoring on-premises workloads was easier. They could see what entered and left the environment, they owned the data, they had visibility into anomalies, and they could triage those anomalies with a deeper investigation without involving a third party.
Doing this across a hybrid and multi-cloud environment is more complex. It requires a new approach beyond what a CSP typically offers, which is usually not robust or ideally suited for a security-first organization. Further complicating the task of securing data in the cloud is the emergence of zero-trust architectures (ZTA), as defined by NIST SP 800-171 Zero Trust Architectures.