Insight by Raytheon

How to ensure security in the cloud is a shared responsibility

The Shared Model for Security in the Cloud

The bad actors are outside and inside your network even if you still put your security policies in place and you still purchased cloud security platforms or encryption or different types of trusted applications for your devices. You need to make sure those can be tied together on a transaction-by-transaction basis from a data view in order to be successful.

Options for Securing Data in the Cloud

You want to be able to deploy applications fast and efficient. You want to be able to innovate quicker and get them to the production line at a much increased speed. But once you roll these applications out, they're vulnerable and that's a problem. That is why the security piece must be part of that development production line. It is critical that you are confident that what you produce has got the right security controls.

Securing data and applications in the cloud is not a turn-it-on-and-leave-it-alone proposition.

In fact, according to Gartner, over the next three years, “at least 95% of cloud security failures will be the customer’s fault.”

The model requires both agencies and commercial cloud providers to understand and clearly identify their responsibilities—both individually and where they overlap.

At the center of this approach are people and the trust relationship. Experts say trust erodes when customers misunderstand the role and responsibilities of the cloud provider.

The challenge for many public and private organizations is making sure they know what’s expected of them around the varying security requirements between infrastructure, platform and software cloud environments.

Agencies need to acknowledge the risks they are accepting and what steps they and their partners are taking to mitigate them.

John DeSimone, the vice president for cybersecurity, training and services at Raytheon Intelligence and Space, said when it comes to security in the cloud, agencies and their vendor partners have to acknowledge that shared responsibility upfront.

“There’s the infrastructure piece, which the providers are responsible for securing your data. When it goes into the cloud, it is the agency’s responsibility to make sure it’s secure and available, and you understand where it is, who’s accessing it,” DeSimone said on the discussion Shaping the Future of Secure Cloud sponsored by Raytheon. “That’s not well known to a lot of businesses, especially if you are a young business that is just going into the cloud. When you get into larger enterprises, it becomes more complex because of the systems that ride in the cloud and out of the cloud. You have to make sure that you, as the customer and consumer of the cloud, are ultimately responsible for your data. You need to make sure you understand what the cloud providers are providing for you, and what you need to provide to make sure your data is secure.”

While the cloud providers try to be clear about their security roles and responsibilities with the infrastructure, the confusion usually is around the data.

DeSimone said cloud providers have an incentive to provide, or really sell, more tools to help agencies protect their data.

“I think the issue is they purchased a cloud security platform, which is very good. But it doesn’t solve the entire problem. They think they are protecting their data, and they are to a certain degree, but the more complicated their enterprise becomes, the more vulnerable they are, and the more vectors of attack that open up for them,” he said. “If they don’t really understand that, then they’re vulnerable and bad things happen. I think it’s really along the lines of educating consumers that, ‘hey, you really do own your data, and you absolutely can move things into the cloud, but you’re responsible for your enterprise data protection, which may include on-premise, cloud, mobile devices, laptops or whatever the case may be. Your enterprise users need a holistic approach for securing that information.’”

This is why applying concepts like zero trust architecture and identity and access management are so important for agencies to protect their data.

“The bad actors are outside and inside your network even if you still put your security policies in place and you still purchased cloud security platforms or encryption or different types of trusted applications for your devices. You need to make sure those can be tied together on a transaction-by-transaction basis from a data view in order to be successful,” DeSimone said. “I think the key is a shared model in the cloud. You have to be the integrator across all your devices, all your data, all your platforms, and you need to make sure you have the appropriate approach to insurance and security.”


Featured speakers

  • John DeSimone

    Vice President, Cybersecurity, Training & Services, Raytheon Intelligence & Space

  • Jason Miller

    Executive Editor, Federal News Network
