There appears to be misconception and contradiction around who is responsible for cybersecurity within the public cloud. In a newly published cloud security study commissioned by the global cybersecurity leader, Palo Alto Networks, nearly a third of respondents incorrectly believe that the cloud service provider has primary responsibility for securing their organisation’s data within a public cloud infrastructure. However, while the shared responsibility model makes service providers responsible for their cloud infrastructure, organisations are wholly responsible for securing their own data and applications.
Key findings include:
- A high majority (83%) of cybersecurity professionals expressed complete confidence in their cloud service provider securing the infrastructure
- However, only 51% of respondents claim full awareness of the shared responsibility model
- One in 10 respondents incorrectly believe that the shared responsibility model refers to multiple cloud providers sharing security responsibilities
While there is misunderstanding about the responsibilities for data and infrastructure security in the cloud, organisations show little hesitance about operating multiple cloud service provider environments simultaneously. On average, most reported that their organisation used two cloud providers, and almost 44% used three or more.
Separate findings reveal that cybersecurity professionals do want more scrutiny of cloud service providers' security capabilities. However, more than half (52%) say their organisation hasn’t carried out enough due diligence around cybersecurity requirements when picking a cloud provider, suggesting that security may not be scrutinised appropriately as projects are scoped.
Greg Day, VP and CSO, EMEA, Palo Alto Networks, said: “Our survey shines a light on a telling anomaly: cybersecurity professionals have high confidence in cloud service providers, but are still not crystal clear about their own responsibilities for their data and application security. Cybersecurity teams cannot assume that the security offered by public cloud vendors provides consistent and holistic enough protection. Today we see only just over one in 10 cybersecurity professionals saying they have the capability to maintain consistent security policies across their entire IT space including typically multiple clouds; a situation that must significantly improve.”