SMB, are you relying solely on your cloud provider's security controls to tick your security box?

You have chosen to use one of the top cloud service providers to host your web application or simply to provide you with a cloud based document management solution to provide your services to your customers. This means that your security checkbox is ticked, right? Your cloud service provider has security certifications and is renowned for their great security, so this means that your obligation to implement technical and organisational measures is taken care of right?

Mmm, not exactly.

Many SMBs have misperceptions about the role that their cloud service provider plays in securing their application or services.

If you as a business owner are relying solely on your cloud provider’s security controls to meet your obligations of implementing technical and organisational measures (remember those data processing agreements that you signed with your customers), then not only may you be failing to fully meet your obligations, but you are potentially also exposing your business to a number of risks that you may not have considered.

Let’s explore two of these misperceptions that I frequently come across when performing risk assessments for SMBs.

Misperception 1: I host my application/service with AWS / Microsoft Azure / Google Cloud, they have SOC 2 / ISO 27001 security certification, therefore my application or service is also SOC 2 / ISO 27001 certified.

Using a cloud service provider that has security certification(s) and third-party attestation is important, but it does not automatically certify your application or service simply as a consequence of you hosting your application/service with this provider. Sure, you are using a provider who is providing elements of your infrastructure that are certified according to a specific security standard, such as the physical data centre, network and hardware on which your solution is hosted, but that only addresses a portion of the security controls that you are required to implement in order to secure the information that is processed by your application or to provide your services in a secure manner to your customers.

For your application to be considered certified to a security standard, your business would need to embark on its own journey of implementing an information security management system and undergo an external audit to certify your compliance with your chosen security standard. The controls managed by your cloud service provider would certainly be identified as their responsibility in your audit scope, but you remain responsible for implementing all the other relevant security controls, such as secure software development, human resource security, access and account management, securing employees' devices, identifying and complying with regulatory requirements, implementing data protection processes and other key controls.

Misperception 2: I host my application/service with AWS / Microsoft Azure / Google Cloud, therefore my application is secure, and I have met my obligations for implementing technical and organisational measures.

When selecting your cloud service provider to host your application, the services that you procure are highly configurable. You may choose to procure additional tools or even managed services, such as malware protection and detection tools, vulnerability management tools, intrusion detection and prevention systems, security incident and event management systems (SIEM), as well as managed incident detection and response or managed vulnerability management services, to name a few. These additional services are normally optional for you to purchase at an additional cost, and are not built into the service by default. It is up to you to determine your security and privacy requirements, so that you can select the specific services offered by your cloud service provider that meet those requirements, within the constraints of your available budget, and finally configure the purchased services in a manner that meets your security objectives.

It’s a bit like going to Build-A-Bear. First you choose the type of soft toy that you would like to purchase and customise. You then spend time browsing all the clothing and accessories available to customise your soft toy, and selecting items that meet your desired aesthetic and budget. Build-A-Bear provides a large variety of clothing and accessory options for you to choose from, but ultimately the product that you walk out the door with is completely up to you. That’s what it’s like procuring services from cloud service providers. They provide you with the opportunity to purchase optional tools and managed services to secure your application, but the final configuration of your cloud service and the appropriateness of your cloud security controls depends on both your budget and how you have defined your requirements for security and privacy.

How do you decide what security tools and services you require? Ideally you need an experienced information security resource to help you to define your requirements based on the outcome of a formal risk assessment. Simply procuring cloud hosting services from a cloud service provider who is well-known for their great security posture will not automatically make your product or service secure by extension.

What if your business simply uses a cloud based document management system or cloud application to store or access confidential or personal information belonging to your customers? The same principle applies. Using a cloud service provider well-known for their security does not automatically address your obligations to implement appropriate technical and organisational measures.

Now I know that many of you are going to say, “but Yolande, we use Google Workspace or Microsoft Office 365 for document creation and storage, so Google or Microsoft is responsible for the security of the data stored within their services”. Sure, they are responsible for securing the actual application or platform that they provide, but providers of cloud services and applications work on the basis of a shared responsibility model, whereby each party has responsibility for implementing and maintaining security and privacy controls, as relevant to each of them.

Your business remains responsible for implementing a number of your own controls, including human resource security, device security, account and password security, remote working controls, privacy controls and more. Examples of some of these controls may include:

  • Screening and vetting candidates to ensure that they are who they say they are, can do what they say they can, and that they will not pose unnecessary risk to your business.
  • Ensuring that your employment contracts include clauses to protect confidential information and intellectual property belonging to you and your customers.
  • Training your employees on choosing and using strong passwords, how to recognise and avoid social engineering attempts, how to protect their devices, how to handle and protect confidential and personal data etc.
  • Ensuring that appropriate controls are implemented to protect employees’ devices, such as ensuring that they regularly receive security updates, that full disk encryption is enabled to protect data on their computers, that a good antivirus product is installed etc.
  • Ensuring that employees’ devices are securely wiped when end of life is reached or the device is to be reallocated.
  • Implementing personal data protection processes that are in compliance with the relevant data protection laws with which your business is required to comply, such as documenting and maintaining a register of personal data processing, defining a data retention schedule, implementing processes for responding to data subject requests, defining processes for performing privacy impact assessments and legitimate interest assessments etc.
  • Implementing a process for responding to incidents and training your employees accordingly.
  • Implementing a process to review the security of your suppliers/vendors.
  • Identifying regulatory requirements that you are required to comply with and implementing controls to ensure compliance.
  • Identifying your critical business processes and defining continuity plans.

These are just some of your basic security and privacy responsibilities that will not be addressed as a result of your use of certified cloud applications and services.

Let’s say that you have developed a cloak that allows you to be invisible. You know that this cloak is breakthrough technology that is worth billions of dollars, so it needs state of the art protection. You rent a facility with a secure vault from one of the best service providers in the business to protect your valuable cloak. The facility has advanced access control features, is surrounded by high walls with electric fencing and is monitored by cameras. You have employed your own security guards who will be responsible for controlling access to the facility and patrolling the perimeter. You have rented the most secure facility to protect your cloak, so no one is getting in, right?

Well, let’s find out. Someone arrives at the entrance to your premises and manages to produce very legitimate looking paperwork, stating that they are here to test all the cameras in the facility to make sure that they are functioning optimally. Jerry, the security guard on duty, is a new employee. He has not received training to help him identify the possibility of a thief posing as a camera technician. Jerry really wants to do a good job, and he believes that helping the security camera technician gain access to all the necessary areas is very important. After all, part of his job is helping to secure the premises and if the cameras aren’t functioning optimally, then he won’t be able to tell if any part of the facility or perimeter has been compromised. He facilitates the technician gaining access to all of the relevant areas. When the technician is ready to leave, Jerry even helps him load his heavy bags of equipment into his van. He is supposed to check the back of the van anyway, so it makes sense to help the guy out. The technician leaves and 5 minutes later... chaos erupts!

Your invisibility cloak is gone! Jerry doesn’t know what to do, and so he panics and flees. No one ever defined an emergency response plan for this situation, so Jerry was never trained on how he should respond to and report an incident. To steal your cloak, the thief did not have to compromise the electric fencing or scale the high wall, and he didn’t have to compromise the sophisticated authentication system. The thief only needed to compromise the human being controlling entry to the facility.

Of course it is critical to choose a secure cloud service provider; however, no matter how amazing your cloud service provider’s security is, if you are not assessing the risks posed by your own employees’ behaviour, their processes and the devices that they use, then you are overlooking a number of risks that may lead to the compromise of the confidentiality and privacy of the data belonging to you and your customers.

Ok, so we have cleared up these two misperceptions, but how do you go about figuring out what you as a business owner need to do to identify security and privacy risks and address them? Ideally you need the help of an experienced professional to perform an assessment of your information security and privacy risks.

It is often not feasible for small businesses to employ full time security and privacy professionals, and for medium sized businesses that do have resources available to implement controls, they may not know where to begin with assessing the risks that are relevant to their business.

This is where an independent consultant may be of value to you. A consultant can perform a risk assessment to identify your security and privacy risks and to help you define a plan to address them. You may not have the budget to embark on implementing a full information security management system at this stage, but even just identifying and prioritising your risks will provide you with an opportunity to start taking small, manageable steps to reduce the risk exposure of your business, and to make progress in addressing some of the security and privacy gaps that your business may have.

If you do not currently have the budget to procure consulting services, then perhaps a short course aimed at SMBs which provides guidance for implementing basic security and privacy controls for your business may be of benefit to you. I am designing a short course to help small business owners to implement basic security and privacy controls, so if you are interested in being notified when the course is available, please send a message to me via LinkedIn to opt into being notified.
