Hands up if your organization uses cloud applications like Microsoft 365, Google Workspace, Slack or AWS? If you do, you’re in the majority. It’s estimated that 90% of companies use the cloud. It’s a huge part of the future of work.
But the cloud is complex—especially when it comes to security. This is because it works on a shared responsibility model, where security responsibilities are carefully divided out between the cloud provider and the customer (that’s you).
Typically, organizations are either unaware of their responsibilities in the cloud, or spend a lot of money trying to plug security gaps with a myriad of tools. This approach isn’t working. As a result, Gartner predicts that 99% of all cloud security failures will result from user error by 2025.
What’s the way forward? You need a smart approach to shared security.
The shared responsibility model in practice
First things first, let’s get the shared responsibility model cleared up. Essentially, in the old days, organizations used to run on-premises data centers. This means they owned the whole stack; security was their responsibility and their responsibility alone.
In the cloud, things are different. Responsibilities vary depending on whether you use SaaS apps like Slack, IaaS apps like Microsoft Azure or PaaS apps like SAP.
For all deployment types, you—as the customer—are responsible for securing:
- Data
- User identities and accounts
- Endpoints
- Access management
The cloud provider, meanwhile, is responsible for securing the underlying infrastructure of the cloud service. They’re very good at doing this. Players like Microsoft, Google and Amazon invest millions into securing cloud infrastructure, making it almost impenetrable to malicious actors.
And yet, data breaches and data leaks still happen in the cloud. In the last 18 months, 79% of companies have experienced at least one cloud data breach; even more alarmingly, 43% have reported 10 or more breaches in that time.
Shared responsibility: More than just technology
It’s clear that something’s going awry with the cloud’s shared responsibility model. Data breaches are still happening and, as the Gartner research shows, this is down to user failure.
User failure can mean a multitude of things, such as:
- Misconfigurations: These occur when administrators or users fail to correctly configure the cloud service, leaving data and applications exposed to the public. Almost half of companies have dealt with security incidents due to misconfigurations.
- Leaked credentials: Poor password practices and a lack of multi-factor authentication leaves user accounts more vulnerable to compromise. Hackers can break into user accounts and, from there, either steal sensitive information or launch a more complex attack.
- Inadequate data management: Cloud sprawl, remote working and shadow IT mean that IT administrators often don’t know where data is or how it’s being used. A lack of control leads to inadequate protection, meaning data is more easily compromised or exploited.
What do all of these issues have in common? User behavior. It’s users who wrongly configure cloud settings, who choose poor passwords, who use data in ways that go against security policies.
The good news, though, is that all these issues can be prevented by empowering users with a better understanding of their roles and responsibilities with regards to cloud security.
People: the secret to better cloud security
Securing the cloud with technology alone is impossible and overwhelming. Security teams have to manage data across multiple platforms and applications, with sometimes thousands of identities and networks.
Security tools can help to enhance security. But human error is still a real-risk. You could spend millions on detection technologies and other tools, only for these investments to be completely undermined by a user accidentally sharing data with the wrong person.
The answer, then, to reducing cloud security breaches is to focus on investing in your people. You need to build a cyber-aware organization, empowering your employees with the knowledge they need to keep data safe, remain vigilant and spot signs of compromise.
Ultimately, your people need to understand that they are responsible for security in the cloud.
What does good training look like?
User awareness and education are pivotal – but not all education is created equal. To enact real change, you need to deliver the right kind of education. Research shows that the best awareness programs are timely, relevant and consistent.
Content must be delivered frequently in short, digestible bursts to keep user interest. This kind of frequent, rapid training helps users to embed cybersecurity awareness into their daily habits, so that they learn to use the cloud securely like it’s second nature.
Polymer data loss prevention (DLP) provides in-app user training, delivering security education to users as they work in popular SaaS apps like Slack, Google Workspace and Teams. Our self-learning engine automatically discovers sensitive data (even in unstructured forms) across your cloud apps.
From there, it monitors user behavior, ensuring that users only interact with data in compliant, secure ways. Should someone accidentally break a security rule, Polymer DLP alerts them to the error, so that they can learn for the future. At the same time, the tool blocks the action from moving forward. This keeps your data secure while building a culture of cloud security.