What is cloud security?
Cloud security is the technology and processes put in place to protect your cloud infrastructure, data, and applications. Where physical security measures (like secure door locks, security guards, and building check-in processes) keep your office building safe, cloud security measures (like zero trust security or single sign-on) keep you safe from digital breaches.
Whether you choose public cloud (hosted on a shared server), private cloud (hosted on a private server), or hybrid cloud (a combination of both), security is a top priority for most companies—and with good reason. In the first half of 2019 alone, over 3,800 breaches exposed 4.1 billion records. And the average cost of a data breach is $3.92 million.
Cloud security vs. on-premise security
For many companies, the big question is this: Is cloud as secure as on-premise (on-prem)? In the early years of cloud, the answer was “not quite.” But we’ve come a long way since then and today’s answer might surprise you:
According to the data, cloud is now likely more secure than on-prem. In fact, overall, 94% of businesses that made the move to cloud say security got better after the move. And here at Atlassian, 92% of customers say cloud security is better than or equal to on-prem security according to a TechValidate survey of 300 Atlassian customers who migrated to the cloud.
As Jarrett Prosser, Lead Engineer at Rollercoaster Digital, says of his company’s migration to Atlassian cloud: “The stability and security is substantially better than we achieved on premise. Being able to scale with individual user licenses is very cost-effective.”
Key differences between on-prem and cloud security
So, what exactly makes cloud security so much better? The answer lies with rigorous security testing, disaster recovery plans, and encryption in transit and at rest, among other best practices. Not to mention that cloud has embraced zero trust security, which means multiple security checks where on-prem typically favors only one.
On-prem: moated security
When we say that on-prem favors a single security check, what we mean is that most on-prem systems operate like a castle moat. The system is the castle, and the moat is your security check (typically a company-wide VPN and firewall). This system works well, as long as the moat isn’t breached. But as soon as there is a breach, Houston, you have a problem. Because not only has the bad actor breached your system—they now have access to everything. The whole castle.
Cloud: zero trust security
Zero trust security is security that favors ongoing verification over one-time security checks. Its principles include:
- Frequent authentication based on credentials, device, etc.
- Limiting access to only what’s needed
- Encrypting sessions end to end
This means instead of assuming anything behind your firewall is automatically safe, zero trust authenticates, authorizes, and encrypts every single request for access.
In other words, with zero trust security, cloud operates like a series of islands. Unlike on-prem’s single-moat approach, each island has its own moat, and breaching one does not grant access to the others. This means a vulnerability in one system or an issue with one login doesn’t endanger the whole island ecosystem.
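The moat-versus-islands contrast above, as an added example that is not part of the original article: a toy access decision for each model, run over constructed requests. The request fields, user names, resources and grants are hypothetical; the point is that the perimeter model decides on network location alone, while the zero-trust model checks credentials, device, encryption and a least-privilege grant on every request.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Request:
    """One access request. All fields are constructed for this example."""
    user: str
    token_valid: bool     # credential still valid (e.g. SSO session not expired/revoked)
    device_managed: bool  # device passes the company's posture check
    encrypted: bool       # request arrives over an encrypted (TLS) session
    resource: str
    action: str
    inside_network: bool  # connected via the company VPN / LAN

# Least-privilege grants: each user may perform only listed actions on listed resources.
GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("hr-db", "read")},
    "bob": {("wiki", "read"), ("wiki", "write")},
}

def moat_decision(req: Request) -> bool:
    """Castle-moat model: one check at the perimeter. Anyone inside gets everything."""
    return req.inside_network

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero trust: verify the request itself; network location is not a factor."""
    if not req.token_valid:
        return False, "authentication failed"
    if not req.device_managed:
        return False, "device not compliant"
    if not req.encrypted:
        return False, "session not encrypted"
    if (req.resource, req.action) not in GRANTS.get(req.user, set()):
        return False, "not authorized for this action"
    return True, "allowed"

# Constructed scenarios: an intruder who got past the VPN, a legitimate user
# reaching beyond their role, and a legitimate user working remotely.
INTRUDER = Request("bob", False, False, True, "hr-db", "read", inside_network=True)
OVERREACH = Request("bob", True, True, True, "hr-db", "read", inside_network=True)
REMOTE = Request("alice", True, True, True, "hr-db", "read", inside_network=False)

if __name__ == "__main__":
    for name, req in [("intruder", INTRUDER), ("overreach", OVERREACH), ("remote", REMOTE)]:
        print(f"{name:10} moat={moat_decision(req)!s:5} zero_trust={zero_trust_decision(req)}")
```

The moat model lets both the intruder and the over-reaching insider read the HR database merely because they are on the network, while zero trust denies each for a specific reason and still admits the remote user whose request checks out.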
Cloud: identity management
Identity management in the cloud is the act of defining and managing the roles and access of individual users in and across your cloud systems. A good identity management program should assign a single identity to each user and grant them access to tools and systems based on the permissions you’ve assigned specifically to them.
Core cloud identity manager functionality should include:
- SAML single sign-on, which allows users to navigate multiple products and systems with a single, secure log-in
- Two-step verification to authenticate your users
- Password policies based on password best practices
- Priority support to help resolve any security issues ASAP
The keys to cloud security
If you’re planning for a move to the cloud, here are three tips for making sure your security is the best it can be:
1. Choose the right vendors
Here at Atlassian, 92% of customers say security is better or equal on the cloud according to a TechValidate survey of 300 Atlassian customers who migrated to cloud. But that may not be true with all cloud vendors. Which is why, when it comes to security, vendor choice matters.
The good news is there are many compliant cloud vendors to choose from. Cloud vendors often devote more resources to security, privacy, and compliance than the average IT organization can afford. Not to mention that many have teams with specialized skills that keep them on the cutting edge of security best practices. After all, vendor reputations—and their entire platforms—are built on customer trust.
So, how can you tell if a cloud vendor will meet your security and privacy requirements? As you evaluate cloud vendors:
- Ask which compliance certifications they’ve received
- Consider the type of data your teams will enter into the application and the actual business risk of it being exposed (since not all data requires the same level of risk management)
- Find out how your vendor will manage permissions and each individual’s access to data on the system
2. Share responsibility
Your cloud vendor should be taking on a lot of security tasks for your team, but that doesn’t mean you’re off the hook. The most secure companies collaborate to keep their systems and data safe.
A good cloud vendor should be responsible for the security of the applications, the systems they run on, and the environments where they’re hosted. They will typically provide automatic updates and bug fixes—with no work required from your team.
On your side of the equation, your team should be responsible for managing the information within your accounts, the users and permissions you need, and which Marketplace apps you install and trust.
3. Plan for ongoing governance
Security requires ongoing governance—both from your cloud vendor and from your team. Your team should not only keep up with security updates and policies from your cloud provider and any apps, but also do regular audits, looking for things like shadow IT or improper data storage outside your systems that needs to be brought into the security fold.
Cloud security risks (and how to reduce them)
Shadow IT
Shadow IT is the use of any system or tool without IT approval or oversight. With the fast growth of available, cheap, and sometimes even free tools, shadow IT is growing at a fast clip. In fact, when companies dig into their own shadow IT, they typically find that it’s 10 times what they originally suspected, according to McAfee.
So, what does this mean for cloud security? In the words of Gartner: “CIOs must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’”
Because the data tells us that every company—even those who think they’re on-prem—is actually using cloud tools. IT just doesn’t always know it.
To reduce the risks that shadow IT poses, the first step is an audit of the tools actually being used across your company. What does your shadow IT ecosystem actually look like? From there, next steps include:
- Evaluating the security of those tools
- Adding security and bringing those tools into your IT fold
- Ditching insecure tools and providing employees with viable alternatives
It’s also valuable to have documented shadow IT policies in place and make sure employees are in the loop about what’s required of them and why.
Bring Your Own Device (BYOD) policy
One of the big benefits of cloud is that it allows employees to work from anywhere and across multiple devices. But this also means making sure all devices comply with your security standards. To mitigate the risk of employees operating on insecure devices, many companies have BYOD policies that outline:
- What employees can and cannot do on non-company devices (is there certain data they shouldn’t access or shouldn’t download? Are there apps only available on secure company devices?)
- Any restricted (or insecure) websites, applications or uses
- What happens if an employee device with company data on it is stolen and needs to be wiped
- Security requirements for devices accessing company data (password requirements, for example)
- Payment policies (if an employee is using a device for work, will your company pay part or all of the bill?)
Data visibility and security
With GDPR, the California Privacy Act, and more regulations cropping up each year, data privacy is more important than ever. Not to mention that your employees and customers have high expectations for how you treat their sensitive information.
Reducing risk of data breach or GDPR noncompliance means looking for vendors that encrypt data in transit and at rest, require high data privacy standards from any third-party apps, and have cloud products that are privacy law-compliant by default.
Any vendor worth their salt should also have security requirements for their third-party apps. Look for vendors with strong security requirements, GDPR compliance, and bug bounty programs. And if you choose to use outside apps or integrations that haven’t been vetted by your vendor, it’s wise to bring on an expert to assess any security risks.
Security at Atlassian
There’s a reason 92% of Atlassian customers say security is as good or better in the cloud. It’s built into the fabric of our cloud products, infrastructure, and processes—and it’s something we’re committed to improving every day.
Transparency is the key to our security philosophy, which is why we partner with the Cloud Security Alliance (CSA) to make all of our practices, policies, and more publicly available for review.
For more on how Atlassian protects your systems and data, visit our trust center or explore additional security resources below:
* From a TechValidate survey of 320+ Atlassian customers.