ICAEW.com works better with JavaScript enabled.

Clearing the fog of cyber security

George Quigley takes a look at the murky topic of cloud security, including what you need to understand about cloud service providers and your responsibilities when using one.

There are many benefits that moving to the cloud brings to a business. These include Cloud securityoperational rather than capital spend, paying for what you consume, flexibility and scalability. It also gives you the ability to work from anywhere and collaborate with colleagues wherever they are located.

Operating in a cloud environment doesn’t mean that you can forget about security, though. Security is often highlighted as a benefit when using cloud products. The argument is that Microsoft and Amazon have plenty of experts and spend a lot of money on security, therefore, by using their cloud services, we are secure.

Moving to or operating within the cloud, however, doesn’t mean you are protected. All cloud service providers (CSP) operate on the basis of a shared security model. You need to understand their model and your responsibilities in order to make sure that you have put the right level of security in place for your business and your specific risks.

Shared security model

The shared security models operated by CSPs are similar in manner. In essence, CSPs are responsible for providing you with a secure infrastructure and you are responsible for securing your data. The diagrams on the opposite page highlight the shared security models operated by Microsoft and AWS.

In summary, CSPs provide you with an infrastructure that has been secured in compliance with various industry standards, such as ISO 27001 and NIST. In addition, they provide you with a defined service level generally starting at 99.9%, with availability being provided via geographically dispersed data centres. Physical security of those assets, network monitoring and operations are all the responsibility of the CSP.

CSPs take responsibility for the datacentres and the networks that connect them and provide you with access to those data centres. They don’t take responsibility for data, devices, accounts and identities and they only take part responsibility for identity infrastructure.

CSPs provide a range of additional solutions to assist you securing your data, however the responsibility for architecting and implementing the appropriate level of policies and controls remains the responsibility of the end user.

There are a number of CSP solutions that should be considered, including:

Identity and access management

User or identity management is one of the core services used to provide access to services in a seamless fashion. Identity and access management solutions provide end users with the ability to access and use resources in their environment. CSPs provide a number of identity and access management capabilities such as multi-factor authentication, identity protection and robust role-based access control.  

End-point protection

As the range of devices used to connect continues to grow, clear boundaries need to be defined and responsibilities identified for those devices. CSPs provide a range of capabilities for managing those devices. Microsoft, for instance, offers Microsoft Intune, which provides secure device management, mobile application management and PC management options.

Data loss prevention

Protecting sensitive data relies on identifying that data and putting policies and controls in place designed to make sure that only authorised users can access it. CSPs offer a range of tools that allow you to assign security permissions to files and folders to control access. They also provide a range of data loss prevention solutions designed to allow you to identify, monitor and protect your sensitive data.

Other security controls

CSPs provide a wide range of other security solutions that you can use including threat intelligence and threat protection, automated incident response and cloud access security brokers. Whether you need to implement any or all of the more sophisticated controls will depend on your specific security risk assessment. 

Plan of action 

 Based on our experience we would recommend you follow a structured action plan that:

  • identifies your specific security risks;
  • understands the controls you require to mitigate those risks;
  • completes a controls gap analysis; and
  • remediates any control gaps.


Operating in a cloud environment can significantly improve your overall security. Being cloud based, however, does not remove the need for good security practices. You need to understand the shared security model and your responsibilities. You then need to design an appropriate security model based on your risks, utilising the appropriate tools that are available through your CSP and other suppliers.

About the author

George Quigley, cyber risk consultant with foulkon.com, KPMG ex-partner, and former chair of the faculty, provides insights into cyber resilience