We’ve all read the horror stories and seen that information can be leaked from the cloud. The media reports of reputational damage that accompany those leaks foster mistrust of the cloud, although it is often unwarranted. Virtually no mention of cloud service provider failures appears in prominent studies, such as the annual Verizon Data Breach Investigations Report.

By contrast, Gartner¹ findings indicate that it’s almost always the user, not the cloud provider, who fails to manage the controls necessary to protect data. In fact, Gartner predicts that a staggering 95% of cloud security failures in 2020 will be the result of customer failure.

Let’s look at Software as a Service (SaaS) as a case in point. Many businesses mistakenly believe the cloud provider carries full responsibility for security. While the provider maintains responsibility for the operating environment and application, what transpires within the application, particularly identity and access management and data security, is the responsibility of the customer.

With many SaaS applications, it’s relatively simple for individuals to inappropriately share data internally. Many applications also allow individuals to share large amounts of data externally, with little or no authentication required for access. Unfortunately, several of the most popular SaaS applications default to allowing all users to share all data with anyone in the world.

The disproportionate attention placed on cloud service providers and their security posture has diverted attention away from the area of greatest risk – that is, establishing cloud control, visibility and auditing processes.

Those businesses that haven’t adopted a carefully governed approach to cloud computing can all too easily use it in a manner that exposes them to unfortunate compliance issues and data leaks.

Compounding the issue, many organisations unwittingly have a large amount of unsanctioned public cloud usage. Where sensitive or regulated data is involved, unapproved cloud environments can represent significant risk exposure.

Developing an enterprise cloud strategy

Developing an enterprise cloud strategy with clearly articulated guidelines on what data can be stored in the cloud, and under what circumstances, goes a long way to mitigating these risks.

Gartner reports that “the most significant step an organization can take to ensure appropriate levels of cloud security is for the corporate leadership to agree that cloud computing has become indispensable, and that it should be governed through planning and policy.”

Structures to support the safe ongoing use of public cloud services, particularly given the requirements of the General Data Protection Regulation (GDPR) and other regulations, are vital. Those businesses leading the charge are taking it one step further and exploring cloud contingency planning as part of their broader organisational risk mitigation strategies.

As part of this, implementing and enforcing policies on cloud ownership, responsibility and risk acceptance is vital. So is following a life cycle approach to cloud governance that emphasises the operational control of your cloud environment, whether SaaS, PaaS, IaaS, or a combination.

Suffice it to say, there’s a lot you can do to strengthen your cloud security posture, and businesses like Gartner offer a stack of useful resources and white papers to assist businesses in that journey. Where more localised expertise is required, whether it’s refining your cloud strategy or assisting in its execution, Ordyss is here to help.


¹ Gartner is a world-leading research and advisory company.