We’ve heard it all before.
Moving to the cloud can bring businesses untold benefits, from reduced costs to greater flexibility, yet many organisations are still reluctant to use the cloud due to security concerns. The perception persists that moving to the cloud carries, in many cases, more risk than an organisation is prepared to take on. This can in turn lead to a decrease in cloud adoption as businesses and public sector organisations are put off from using the cloud.
Why do these concerns and questions around the security of the cloud exist, and what can we do to help build trust in the security of the cloud?
Cloud Security Principles
The key is transparency. Companies can alleviate their customers’ concerns by being transparent about the security credentials of their products and services. To help achieve this transparency, the National Cyber Security Centre (NCSC) published a framework of 14 Cloud Security Principles, which include important considerations such as data in transit protection, supply chain security, identity and authentication, and secure use of the service.
The aim of the Principles is to enable cloud companies to showcase how solutions built on their platforms adhere to them. Some providers self-assess against the Principles, showcasing how they abide by a number of them, if not all, whilst others have used them to publish whitepapers and thought leadership reports highlighting the security credentials of their products and services.
One of the main issues around the Principles, however, is that of awareness and understanding amongst customers. Providers can be as transparent as possible by using the Principles; however, if the end-user is not aware of them or finds them opaque and difficult to understand, then their usefulness is limited.
That is why education and awareness must go hand in hand with transparency. The simple fact is that the majority of cyber security breaches affecting the cloud are due to user error and misconfiguration, from poor authentication practices like weak passwords to not implementing two-factor authentication. Vendors can do more to educate end-users about the security protocols behind the tools that they are using but, ultimately, we need to move to a world where the onus is not on the user.
Secure by Default
That is why the NCSC are so keen for the Principles to be used in conjunction with secure-by-default, enterprise-ready cloud services that include configurations that are easy for people to understand. For example, end-users should not have to explicitly turn on audit and monitoring services when buying products. The problem, however, is that whilst vendors can provide a secure-by-default service, they cannot control what their customers do. That is why the work of the NCSC, and the Principles, are so important.
By adopting this secure-by-default posture, companies can help contribute to a future where the demand for secure “serverless” products increases, more organisations begin using cloud services securely and data breaches become less common.
To read more from techUK's Cloud Week, visit our landing page