Availability coverage by cloud service providers: Who bears the true cost of a cyber event?

Security in the cloud is a shared responsibility, and migrating to the cloud disrupts the traditional cybersecurity models that companies have built up over years.

Most organizations rely on their cloud service providers’ guarantees of security, recovery and continuity, yet there is a remarkable lack of confidence that those providers can deliver on their promises in a cyber event.

In a recent Forbes Insights survey of global executives, “Perception Gaps in Cyber Resilience: Where Are Your Blind Spots?,” 65 percent say they rely on their cloud service providers’ guarantees of security, recovery and continuity, yet only 45 percent of those surveyed believe their providers can meet service-level agreements in a cyber event. The overwhelming majority — 84 percent — say their organization would bear some or most of the costs for recovery, downtime and any monetary or reputational loss. It is clear that there is not a lot of confidence that cloud service providers can provide the security that many organizations believe they should.

The facts, however, tell a different story. Security and resilience at the biggest cloud providers far outmatch what most organizations could provide for themselves, according to James Kaplan, partner and co-leader of IT infrastructure and cybersecurity at McKinsey. Major cloud providers have the scale to build multiple redundancies, and they can form a vanguard for detecting new threats.

In a recent study of cybersecurity executives, Kaplan and his colleagues looked for examples of breaches but couldn’t find any instances where the cloud provider had been compromised. “But we found lots of cases where a developer had misconfigured their environment and left it wide open,” he says. For example, one CIO was fond of giving developers unfettered access. “It was like giving a machete to a toddler,” explains Kaplan. “His developers did not understand enough about security to be given that kind of access.”

For Kaplan, it’s not a question of whether the cloud is secure but whether organizations can consume the cloud in a secure way. Power outages are a leading cause of cloud service outages. “No major cloud provider will guarantee the absence of downtime, but they will say that if you write your app the right way, it can fail over to multiple regions, and there has never been an outage in more than one region at one time,” he explains. Organizations must also ensure that they still meet data regulation requirements when they fail over to another region.

Perception gaps in cyber resilience: What are your blind spots?

Security in the cloud is a shared responsibility, and migrating to the cloud disrupts the traditional cybersecurity models that companies have built up over years. Even organizations that understand how to design and architect their system for a safe migration to the cloud face a backlog of decades’ worth of applications that don’t necessarily comply with that standard.

Access is another issue that requires rethinking for applications in the cloud. “If you make it too hard, people will forget their passwords and have to reset them,” says Larry Ponemon, founder of the Ponemon Institute, a technology research firm. That can add frustration for workers and partners as well as customers, who may simply take their business elsewhere. If convenience is improved, security could be diminished. “Balancing those concerns in the world of cloud computing has become very important,” he says.

Migrating to the cloud involves a certain level of trust when it comes to a cloud provider’s security controls. But organizations should not be dependent on vendors to provide all necessary controls, or some responsibilities could fall through the cracks. Taking a proactive approach to resilience in the cloud means including cloud service providers in threat assessment, regularly updating recovery plans with cloud providers and conducting regular backup and failover testing with those providers.

“Enterprises are still gaining an understanding of the shared responsibility model for cybersecurity,” says Kaplan. “Those that lack the technical understanding to identify necessary actions and determine the level of cloud service provider support can leave themselves more vulnerable to cyberattacks. Multiple parties — the cloud providers, tool vendors, managed-security service providers — jointly have a role in ensuring the security of data in the public cloud.”

Organizations must recognize the extent of their providers’ responsibilities by first understanding their providers’ security operating model and then enforcing a clear view of who is responsible for cloud security among users, developers and anyone who has access.

This article was originally published on Forbes.com; the content is unchanged.