Users of cloud-based services often assume that the provider is responsible for managing the security of their services.
While Amazon Web Services (AWS), Microsoft Office 365 (O365) and Azure are compliant with security best practices, their compliance only covers the components they are responsible for. Using a shared security model, their customers are still primarily responsible for the security of many other components.
For example, Amazon is responsible for managing their infrastructure and foundation services such as compute, storage, databases and networking. In many cases, customers still may be responsible for managing (and ensuring security for) operating systems, network configuration, platform and application management, customer data, firewall configurations, encryption, credential management and more.
In addition, while cloud services can be configured to support a high level of security, many times clients use default configuration options that provide attackers with vulnerabilities they can exploit. Attacks on poorly configured O365 environments made up a significant number of our incident response calls this past year.
It is very important that users of cloud services understand their security responsibilities versus the responsibilities of their service provider. Users also need to ensure that the configurations and settings for their cloud services establish the appropriate level of security.
Here are five best practices that can help your organization reduce the risk of a data breach or unauthorized access to your cloud services. Read more