Secure in the cloud: 5 myths about cloud data security

The best way to build secure cloud solutions is to understand what the cloud can and can’t do for organizations. But even knowledgeable business professionals and cloud leaders can struggle to sort fact from fiction when it comes to cloud data security.

Faye Ellis, Principal Training Architect at Pluralsight, sat down with Larry Whiteside, Jr., CISO at RegScale, to talk through the five biggest cloud security myths and how to build more secure cloud solutions. Watch their video on-demand.

• Myth 1: Cloud environments are more secure than on-premises data centers
• Myth 2: Cloud solutions are more cost-effective
• Myth 3: Cloud security is the responsibility of the cloud provider
• Myth 4: We’ll ask the vendor about securing cloud data
• Myth 5: Staying secure in the cloud requires the same controls as on-premises
• How to prevent cloud security threats
• Navigating cloud security with expert insights

While data centers offer control over on-premises infrastructure (including hardware, software, and maintenance), they’re also prone to cyberattacks and other security vulnerabilities.

For this reason, many organizations have transitioned to enterprise cloud solutions or hybrid cloud architectures. (In fact, the Pluralsight 2023 State of Cloud report found that 94% of organizations already operate in the cloud to some degree, and 30% have fully adopted the cloud.)

But this doesn’t guarantee your organization will be secure in the cloud. Larry points out that cloud service providers are just that: service providers, not security providers. Companies must remain vigilant, understand their configurations, and adopt appropriate cloud data security practices. 

“[Vendors are] going to take some of the burden off of you,” explained Larry. “But as it relates to real, basic security, [like] identity and asset management [and] perimeter security, you still have that level of responsibility.”

Earn your Certificate of Cloud Security Knowledge with Pluralsight cloud security courses.

Because cloud service providers are responsible for maintenance and hardware failures, they absorb certain costs for organizations. But the cloud doesn’t always save organizations money, especially if they lack a cloud strategy. Sometimes, it can be even more expensive than an on-premises data center.

Creating something in an on-premises data center requires memory, hard drive, power, and cooling. In contrast, cloud scalability allows organizations to spin things up quickly. But if organizations don’t spin those systems back down, costs can spiral out of control. 

For example, when IT professionals need to build out a test environment in an on-premises data center, they consult with teams throughout the organization to get the right resources. This process inevitably loops in the individuals monitoring finances.

This governance is harder to implement in the cloud because financial monitoring falls to the cloud service provider. The people putting those systems together aren’t necessarily seeing the cost ticking upward.

“You can quickly get to a situation where your footprint has grown exponentially, and you really don’t understand it,” Faye pointed out. Cloud financial management is key to ensuring a financially viable cloud infrastructure.

One of the most pervasive myths about cloud? Data security in the cloud falls to the cloud provider and not to individual organizations.

Cloud service providers are secure. If they weren’t, nobody would use cloud solutions. But they work with many different types of organizations with vastly different needs. Assuming your cloud service provider’s security offering encompasses everything your organization needs is the fastest way to leave your data unsecured.

Whiteside offered this analogy: “Would any of us expect that a home builder is going to automatically build in when your doors lock, when your lights turn on, when your shades go up and down? They’re not.”

Working with a cloud provider is a shared responsibility. The cloud vendor is responsible for the maintenance and updates to tech infrastructure under their control. The organization is responsible for understanding the services of their chosen cloud model, how those services work together, and how security and access is structured across the complete cloud solution. This is particularly important in multicloud environments.

Some organizations think they can ask their cloud vendor to “sign their paper” and address their unique cloud data security concerns. But that hope is simply unrealistic. 

“If you think about the scale at which GCP, Azure, and AWS operate, it would be so problematic for them to sign everybody else’s paper and then try and carve out operating models in all of these different little ways for everybody they’re doing business with,” Larry said. “It’s just not scalable.”

The best approach? Review the cloud service provider’s paper in detail, identify where it falls short of your organization’s needs, and decide what your team needs to build to address those cloud security risks.

Securing cloud environments can be extremely different from securing on-premises environments. “You don’t stand up a server like you used to where you load an operating system. It’s now code,” explained Larry. “How do you look at things transitioning as code? How do you look at data through systems that are running as code? [There are] different models, different controls.”

Because data centers have evolved so much in the past several years, he urged IT professionals to seek out resources to better understand how to secure these new environments. Learning how to manage cloud security and mitigate cloud risks ensures your organization gains value from the cloud while avoiding security issues.

Getting the most out of the cloud while mitigating security threats requires teams to be proactive, not reactive. They need to understand how the cloud works and gain real-world experience in these environments.

“As a CISO, I need to know what I’m doing,” said Larry. “I’m not going to trust a third-party organization to do these things unless I have some sort of contractual understanding and visibility into them actually doing it, but [even] more so, my ability to test it.”

Even though practically every business has security concerns, 69% of organizations fail to create a comprehensive cloud strategy. Having a working knowledge of the five pillars of cloud security is a good starting point for developing a strategy that addresses all of your infrastructure—whether it’s on-premises or in the cloud.

One of the best things organizations can do for stronger cloud data security is to develop protocols and remain consistent with established practices. Our courses can help you learn the main components of cloud security, how to select a cloud service provider, and other strategies for addressing cloud security risks. 

Ready to boost your team’s cloud security skills? Check out the Pluralsight cloud transformation strategy guide for insights from cloud experts at AWS, Microsoft, and more.