A seemingly endless number of service providers offer a multitude of great hosting products in every shape and size. It's good to have options, but can too many alternatives muddy the waters and complicate an already difficult exercise? Particularly when you are trying to assign risks to the various layers and platforms and match those factors against application data sensitivity, it can come down to how comfortable you are kicking the trust framework down the road to the next org.
Excerpt from ISC2 blog…
In 2012, a Fortune 500 oil and gas company joined the early adopters migrating assets and business processes to “the cloud.” Corporate executives’ biggest security concern then was the potential for a rogue administrator from a chosen cloud service provider to pilfer all of its data. “That was the big fear at the time,” explained Jon-Michael C. Brook, CISSP, CCSK, a principal at Guide Holdings who consulted with the company during its initial cloud migration. “They weren’t as worried about errors that they might make; they were more worried about the trusted insider within the cloud service provider.” Those concerns haven’t gone away, but eight years later a different insider threat is forcing companies to step up their cloud security posture. Today, a cloud-based breach is much more likely to come from an honest mistake rather than malicious attack.
This commonplace lapse in configurations, combined with a growing global reliance on cloud services and increasing complexity of cloud infrastructures, is expanding risks and challenging vendor relationships. It’s also requiring cloud consumers to “own” their security, rather than rely on providers to carry a greater load.
Anna Saita via ISC2