Episode #14 — November 2023

Be aware that cloud security is a shared responsibility and know the most important aspects to protect your cloud infrastructure!

"Be aware that cloud security is a shared responsibility and know the most important aspects to protect your cloud infrastructure!"

-- Kennedy Torkura

About my honored guest

Kennedy Torkura is co-founder and CTO of Mitigant, a cloud security startup based in Germany. Kennedy has more than twelve years of experience in cybersecurity, mainly in cloud security. His expertise spans academic and industry research, including technical positions at several startups. He has published over 20 academic papers on various areas of cloud security and co-authored the first O'Reilly book on Security Chaos Engineering. Kennedy is passionate about exploring the intersection of security chaos engineering, incident response and risk analysis for cloud infrastructures. Kennedy is a member of the AWS Community Builders and has spoken at several international conferences including KubeCon (Cloud Native Security Conference), Conf42 Chaos Engineering, ChaosCarnival and BSides Berlin.

Find Kennedy on:

LinkedIn - https://www.linkedin.com/in/aondona/

Twitter - https://twitter.com/run2obtain

Blog Post - https://mitigant.io/blog

I recently asked Kennedy to share some key insights from his own experience of cloud security and how to deal with it successfully. Kennedy provided the digital business nugget above with the following background and details.

Cloud Security is a Shared Responsibility

Public cloud infrastructures are extremely attractive to entrepreneurs due to several advantages, such as lower initial costs, scalability and elasticity. These benefits allow entrepreneurs to set up different businesses and scale quickly and seamlessly. However, cybercriminals are also quick to attack cloud infrastructures due to the associated attack opportunities. These opportunities are mainly due to a major misconception among cloud users: that cloud infrastructure is secure by default. Therefore, it is imperative to understand the shared responsibility model that most cloud service providers operate under to prevent business owners from becoming easy targets.

The shared responsibility model in cloud computing is a crucial concept for digital business owners to understand, as it outlines the division of responsibilities for security and maintenance between the cloud service provider and the customer. Here are the five key aspects of this model that digital business owners should be aware of:

1) Navigating Cloud Security: "Of" the Cloud vs. "In" the Cloud

In cloud security, distinguishing between "Security of the Cloud" and "Security in the Cloud" is crucial. These terms outline the specific responsibilities of cloud service providers and customers in safeguarding digital assets.

"Security Of the Cloud": Providers are responsible for securing the underlying infrastructure supporting all cloud services. This includes safeguarding servers, networks, and essential elements for seamless platform operation, focusing on the overall architecture.

"Security In the Cloud": Customers are responsible for securing their data and applications within the cloud service. This involves implementing access controls, encryption, and other measures to protect specific resources in the cloud environment. The emphasis is on safeguarding entrusted content and operations.

Understanding this distinction is vital for entrepreneurs shaping security strategies. It's not one-size-fits-all; collaboration is needed. Entrepreneurs must be aware of their cloud provider's security measures ("Of" the Cloud) and address the remaining aspects themselves ("In" the Cloud).

For a comprehensive understanding, entrepreneurs should explore educational resources from their chosen cloud providers. These resources, including documentation and support channels, provide insights into best practices for both "Of" and "In" the Cloud security. Staying informed enhances the overall security of cloud-based operations.

2) Ensuring Compliance and Governance in Cloud Usage

In cloud computing, compliance and governance involve both providers and users. Providers ensure that the infrastructure meets regulations, but users bear the responsibility for using the cloud lawfully. Entrepreneurs must grasp industry-specific legal requirements when entering the cloud. Navigating data protection, privacy, and security rules is vital. This knowledge is crucial for compliant cloud service utilization.

Strategically managing cloud compliance requires automation. Many providers offer automated services for regulation adherence. Yet, these services, often technical, can be challenging for non-cybersecurity entrepreneurs. A solution is exploring third-party vendors for user-friendly compliance management, even without cybersecurity expertise.

To sum up, cloud compliance requires understanding industry regulations and available tools. While providers aid infrastructure compliance, entrepreneurs are pivotal in lawful cloud use. User-friendly third-party services provide additional support.

3) Effective Data Management and Encryption

Entrepreneurs must adeptly manage cloud data, ensuring robust encryption and proper backups. While cloud providers offer tools for data management and encryption, entrepreneurs must grasp and effectively use these resources.

Cloud services provide baseline coverage, but clients bear the responsibility of correct tool utilization. Entrepreneurs should invest time in understanding and configuring services to align with their business needs.

Proper configuration tailors encryption to data sensitivity and prevents data loss by means of backup procedures. This proactive approach enhances information security and overall business resilience in the digital landscape.

In summary, entrepreneurs should see data management and encryption as ongoing responsibilities. Comprehending and configuring cloud tools ensures secure, accessible, and resilient data in the dynamic realm of cloud computing.

4) Access Control and Identity Management

Effectively managing access control and identity is crucial for securing cloud resources. Prioritize robust access control mechanisms by defining and enforcing policies for resource access. Utilize authentication and authorization practices such as usernames, passwords, or advanced methods to verify user identity and ensure proper access based on roles.

Cloud security challenges can be addressed by allocating adequate time and resources. Consider leveraging built-in tools from cloud providers, like identity and access management (IAM), for fine-grained control. Alternatively, explore third-party solutions offering advanced features and customization based on business needs, infrastructure complexity, and regulatory compliance.

In conclusion, a proactive approach to access control and identity management is essential for a secure cloud environment. Whether using cloud provider services or third-party solutions, dedicating resources to implement and enhance these mechanisms is key.

5) Incident Response and Reporting

Entrepreneurs must establish concise incident response plans for security issues. While cloud providers offer monitoring and support, clients bear the primary responsibility for incident response. Entrepreneurs need robust protocols outlining steps for security incidents, identifying stakeholders, setting communication channels, and defining actions to mitigate impact.

Cloud providers offer monitoring, but entrepreneurs should supplement it with their own mechanisms. The incident response plan requires regular review and updates to adapt to changes. Training and drills for key personnel ensure effective responses in real-world scenarios.

A proactive approach safeguards business operations, customer data, and digital assets. This ensures entrepreneurs are well-prepared for security incidents, minimizing damage and maintaining stakeholder trust.

Summary

Entrepreneurs exploring the benefits of cloud computing must navigate the shared responsibility model, understanding the division of security responsibilities between providers and users. From distinguishing 'Of' and 'In' the Cloud security to ensuring compliance, effective data management, access control, and proactive incident response, these key aspects empower entrepreneurs to harness the advantages of the cloud while mitigating cybersecurity risks. By adopting a comprehensive and collaborative approach to security, businesses can confidently leverage cloud resources, safeguarding their digital assets and maintaining stakeholder trust in an ever-evolving digital landscape.

Best regards,

Arndt

Dr. Arndt Schwaiger
Serial Entrepreneur · Business Angel · AI PhD

Advised 600+ startups, SMBs, and corporations internationally. Creator of the Business Model DNA (BMDNA) framework.