Why identity has become the path to cloud security

COMMENTARY: There’s a common myth in the business world that moving data into the cloud is like checking luggage into a hotel.

A customer hands their heavy bags (data and infrastructure) to a smiling concierge (AWS, Microsoft, or Google) and assumes they will handle the rest.

Meanwhile, the customer can now go and relax by the pool. It’s a nice thought, in theory, but it’s a far cry from being true.

It's better to think of cloud security as less of a concierge service and more of a self-storage unit. Yes, the storage facility will handle security on its end, ensuring the place doesn’t burn down, the front gate gets locked, and the cameras work. But if we leave our specific unit unlocked or hand a copy of the key to a stranger, we're responsible for the resulting disaster.

Most data breaches happen because of the disconnect between how people think cloud network security works and how it actually works. It’s rarely a sophisticated hacking attempt, and it’s almost always because someone leaves the digital front door propped open with a brick.

The relationship between the organization and a cloud provider usually gets referred to as the shared responsibility model. Cloud providers look after all the specialized hardware, the virtualization layer, and even physically guard the data centers to ensure they stay out of harm’s way. These providers are constantly audited, and they know how good cybersecurity helps them maintain their reputations.

On the other side of the relationship, the companies that rely on these services are responsible for security inside the cloud. This includes the operating system, applications, data encryption, and, most importantly, access controls.

Too many companies think that it’s the provider’s job to oversee the customer’s configuration. It’s not. They are the electricity provider, but they aren’t going to check whether someone’s sticking a fork into the outlet.

The trap of default settings

Modern cloud tools are compelling, but they can quickly become complicated. There are thousands of different switches and dials, and the default setting won’t keep most organizations secure.

It’s more likely that these settings are configured to get companies off the ground quickly by prioritizing convenience over safety. This can lead to a misconfiguration that leaves the environment exposed.

An employee might accidentally leave a storage folder set as public instead of private, or a critical database can get set up without a password. Often, a server gets left open so a developer can test it from home, unknowingly creating a gaping hole in the company’s security.

Humans are still the weakest link

Security teams have been looked at as the “department of no” for several years.

Devs want to build fast, but security wants to slow down to check things are in order. Marketing wants a shiny new AI tool, but security says no, as it doesn’t align with policy. While intentions are good, humans will eventually just try to find a way around. They use personal email accounts and their own laptops, and download apps without obtaining permission first, so they can get their work done.

The companies that get cloud security right know that they can’t constantly nag people into being safe. Humans get tired, bored, and click the wrong files.

The solution to this? Automate via identity and access management (IAM) tools.

Instead of asking people to remember to lock the door, install a door that locks itself. Set up the system so that if someone tries to create an insecure server, the system automatically stops them. Build guardrails that keep everyone on the road, rather than just yelling at them when they crash.
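
The self-locking door described above can be written as a check that runs before a resource is created. The following added example (not part of the original column) denies requests containing the misconfigurations named earlier: public storage, a database without a password, and a server open to any address. The request schema, field names and function names are hypothetical, not any cloud provider's API.

```python
import ipaddress

# Hypothetical request schema (an assumption for this example, not a provider API):
#   {"type": "storage"|"database"|"server", "name": str, ...type-specific fields}

def _open_to_world(cidr):
    """True when a CIDR admits every address (prefix length 0, IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def check_storage(res):
    # Default-deny: anything not explicitly private is treated as public.
    if res.get("access", "public") != "private":
        yield "storage is not private"

def check_database(res):
    # A missing setting counts as "no password required".
    if not res.get("auth_required", False):
        yield "database accepts connections without a password"

def check_server(res):
    for rule in res.get("ingress", []):
        if _open_to_world(rule["cidr"]):
            yield f"port {rule['port']} is open to {rule['cidr']}"

CHECKS = {"storage": check_storage, "database": check_database, "server": check_server}

def evaluate(request):
    """Return (allowed, violations) for one resource-creation request."""
    check = CHECKS.get(request.get("type"))
    if check is None:
        # Unknown resource types are blocked rather than waved through.
        return False, [f"no guardrail defined for type {request.get('type')!r}"]
    violations = list(check(request))
    return not violations, violations

# Constructed sample requests, for illustration only.
SAMPLE_REQUESTS = [
    {"type": "storage", "name": "marketing-assets", "access": "public"},
    {"type": "storage", "name": "hr-records", "access": "private"},
    {"type": "database", "name": "orders"},
    {"type": "server", "name": "dev-box",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]},
    {"type": "server", "name": "api", "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, why = evaluate(req)
        print(f"{req['name']:18} {'ALLOW' if allowed else 'DENY'}  {'; '.join(why)}")
```

Each check treats a missing setting as the unsafe value, so a request that relies on a convenient default is denied instead of silently accepted.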

Security pros need to view cloud security as a collection of tools, policies, and behaviors that the organization adopts to fend off threats. It’s by no means a hands-off exercise.

Cloud security done well means accepting that the old “castle and moat” strategy no longer stands up as it once did. Instead, the company has to check its own locks and manage access with care, because identity has become the front door to the entire operation.

It also means knowing that misconfigurations, rushed setups, and “we’ll fix it later” thinking are the real threats. Get the basics right first, because they matter.

David Balaban, owner, Privacy-PC

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
