Managing and protecting a traditional, on-premises network infrastructure is often more straightforward. With all network hardware, servers, applications, and data housed in one place, there’s no ambiguity about who is responsible for maintaining and securing it. However, when businesses move to the cloud, things become less clear. Many companies inadvertently expose themselves to risk because they don’t fully understand that cloud security operates under a shared responsibility model.
This confusion is understandable. For years, many organizations viewed the cloud as inherently risky. Cloud security concerns hindered adoption, prompting providers like AWS and Azure to emphasize the security of their platforms.
Avoid Making Assumptions About Cloud Security
That narrative leads some to assume that AWS and Azure are ensuring cloud security and that they don’t need to do anything other than put their apps and data in the cloud and trust that the cloud provider will protect it all.
Understand Your Role in the Shared Responsibility Model
In the cloud, the cloud provider is the “apartment owner” and you are the “tenant”. AWS, Azure, GCP, and other cloud providers are responsible for the security OF the cloud. You are responsible for security IN the cloud, though. It is your job to maintain and protect the servers, applications, and data that you run from the cloud platform — and, frankly, that is the stuff attackers are most likely to go after.
Consider this from an attacker’s perspective. The cloud provider is focused on securing physical access to network infrastructure and the hardware powering the cloud. They’ve likely fortified the network perimeter and implemented defenses to prevent unauthorized access to the hypervisor. But why would an attacker bother with any of that? There’s no real payoff in targeting those areas anyway.
Attackers are focused on two questions: what is the easiest thing to attack, and what is the most profitable thing to attack? The web applications that run in the cloud are much more vulnerable and easier to attack than the underlying infrastructure, and those web apps can be leveraged to gain access to servers and data — and that’s where attackers hit the jackpot.
Don’t take my word for it. Recent data and trends in cloud security prove it. In the first half of 2023, the number of malicious web application transactions increased by 500% as compared to the same timeframe in 2022. In addition, the Verizon 2023 Data Breach Investigations Report reveals that basic web application attacks made up nearly 25% of all breaches.
Since web applications are a prime target for attackers, and your cloud provider won’t safeguard them for you, it’s your responsibility to secure your assets in the cloud. You must minimize your attack surface, reduce your exposure to risk, and stay vigilant in detecting and responding to security incidents as they occur.
A managed approach to web application protection can be both effective and cost efficient. Learn more about Fortra Managed WAF, a competitively priced, highly versatile, enterprise-level, cloud-ready WAF that comes with a team of experts to eliminate the complexity of managing the WAF for you.