Flevy Blog is an online business magazine covering Business Strategies, Business Theories, & Business Stories.

The Value of Cloud-Focused Security

Cloud computing is growing rapidly, with almost every business either currently using some form of cloud resources or actively planning to do so in the near future. However, many organizations are struggling to secure their cloud deployments, as demonstrated by the large number of cloud data breaches in recent years. The cloud presents multiple security challenges, but many of them can be overcome by deploying focused, cloud-based cybersecurity protections, such as a cloud-based web application firewall (WAF).

Challenges of Cloud Security

Organizations move to the cloud for a variety of different reasons, including the cost and scalability benefits that it offers. However, an increasing number of organizations are “unclouding” based upon their inability to achieve the benefits that they desired.

One of the biggest reasons that organizations cite for their move from the cloud to on-premises deployments is security. In fact, almost a quarter of businesses (24%) say that they were not able to adequately protect their applications and data in the cloud. Theoretically, the cloud is just as secure as an on-premises deployment, if not more so. Any infrastructure not under the direct control of the customer is managed and secured by their cloud service provider (CSP), which likely has a larger and more experienced security team.

However, securing the cloud can be challenging. Common issues include the location of the organization’s cloud deployment (outside the network perimeter), a lack of understanding of the cloud shared responsibility model, and the unfamiliarity of the cloud ecosystem.

Outside the Perimeter

Many organizations operate on a perimeter-based security model. This model assumes that everything within the organization’s network is legitimate and benign, and the goal of cybersecurity is to keep all potential threats from breaching the network perimeter. Since the enterprise network typically only has a single point of contact to the public Internet, this goal can be accomplished by deploying monitoring and defensive solutions at this point to block threats before they can enter.

While this model has a number of issues, one of the main ones when it comes to cloud computing is that the organization’s cloud deployment (which is “trusted”) is outside the network perimeter. Additionally, these cloud-based resources are accessible directly via the public Internet, meaning that traffic to and from them is not forced to pass through an organization’s existing cybersecurity infrastructure.

Protecting cloud-based resources requires a new security model, which is not reliant on a strong, impenetrable perimeter. Since many organizations are not prepared to operate using such a model, their cloud deployments are left insecure.

Shared Responsibility Model

The cloud shared responsibility model is a core component of securing cloud-based systems. This model is designed to inform cloud customers of their responsibilities in securing their cloud-based resources.

The need for this shared responsibility model arises from the fact that cloud customers do not own the infrastructure that their cloud deployment runs on. Instead, their CSP owns the infrastructure and invisibly provides services below a certain level (which varies based upon the type of deployment). Since neither the CSP nor the cloud customer has full control of the cloud infrastructure, they need to share responsibilities for securing and maintaining it.

The shared responsibility model is designed to tell a cloud customer where their CSP’s responsibilities for security stop and theirs begin. However, only 27% of security professionals claim that the shared responsibility model is “very clear”. The other 73% of security professionals are likely leaving security gaps that open up their organization’s cloud deployment to attack.

Unfamiliar Ecosystem

Many organizations try to “lift” their existing applications to the cloud with little or no modification. However, cloud deployments are very different from on-premises ones and require different approaches to management and security. One of the major differences between on-premises and cloud-based deployments is that the organization does not own its infrastructure in the cloud. In fact, many CSPs will not even allow an organization to audit their infrastructure and low-level security practices.

To secure their cloud-based deployments, security teams must rely upon a collection of configuration controls and application programming interfaces (APIs) provided by their CSP. While these tools are often well-documented, they are also unfamiliar and vary from CSP to CSP. Since many organizations have adopted multi-cloud infrastructures to meet their specific business needs, the learning curve for cloud security can be extremely steep, and a single mistake can leave an organization open to attack.

Security Built for the Cloud

For most organizations, attempting to secure their deployment infrastructure using CSP-provided tools is a losing proposition. Most organizations have adopted a multi-cloud deployment for business purposes, and the CSP-provided security controls for each individual deployment are siloed and non-integrated. As a result, security teams must manually configure and monitor a number of completely distinct security controls and environments, making it difficult to maintain visibility and enforce consistent security policies across the organization’s infrastructure. Consequently, the organization is more likely to be vulnerable to attack and will respond more slowly to incidents, increasing the damage and cost to the organization.

In order to scale to secure multi-cloud environments, organizations must select security solutions that are built for the cloud and solve specific security problems. For example, a common use of cloud computing is to host an organization’s web applications. Deploying a WAF capable of operating on any major CSP’s platform and securing an organization’s web presence on that platform enables the organization to deploy consistent security regardless of the underlying infrastructure.

About Shane Avron

Shane Avron is a freelance writer, specializing in business, general management, enterprise software, and digital technologies. In addition to Flevy, Shane's articles have appeared in Huffington Post and Forbes Magazine, among other business journals.
