“When you put all your data in one spot there’s this aggregation going on. There’s a potential that one issue could lead to lots of problems for organizations. We’ll call that a systemic risk,” said Jake Kouns (@jkouns), CISO for Risk Based Security, in our conversation at the 2016 Black Hat conference in Las Vegas. “Companies are a little concerned that now a problem with your neighbor in the cloud could lead to problems with your data.”
A traditional data breach would have to happen 1,000 times to infect 1,000 companies, said Kouns. But now there’s a possibility that one authorized access could infect 1,000 companies.
Kouns, like many others, advises asking lots of questions of one’s cloud provider when making the move to the cloud. Given the potential for systemic cloud risk, ask what the cloud provider is doing to prevent cross-contamination from one client to another. What’s being shared? Ultimately, you want to know your potential exposure.
Much of cloud security isn’t necessarily about what hardening techniques one has in place, but rather about what legal agreements a company has with its cloud provider, outlining who’s responsible for which security measures.
This is important because so often Kouns’ clients don’t realize their responsibilities. They just assume it’s all being handled in the cloud.