How to protect your company’s cloud deployments

Robust security depends on companies understanding that their own security measures should complement the protections offered by cloud service providers

 


Key takeaways

  • Companies need to understand and map out the extent and limitations of security provided by their cloud services provider
  • Third-party access to cloud deployments requires additional management oversight and compliance with strong security standards
  • Familiarity with the cloud provider’s guidelines and settings can help organizations protect access to critical data and prevent breaches

Cloud capabilities have become essential to almost every type of business. They provide data storage, enable real-time communication and collaboration, link disparate teams and systems and connect new devices to company networks. Importantly, cloud deployments can scale up quickly, which has helped many companies rapidly establish new connections and working conditions with partners, customers, internal teams and remote employees.

 

But according to one study, 85% of business leaders named security as their top challenge in cloud computing [1]. One problem is that many companies simply have not assessed the risks associated with cloud deployments or have not determined what elements of security are their responsibility.

 

Since most organizations depend on cloud service providers — CSPs — to maintain these systems, it can be challenging to determine what elements of security are the responsibility of the CSP and which are not.

 

Understanding the limits of CSP security

 

CSPs usually offer built-in security features that exceed the technical capabilities and financial resources of most small and midsize businesses. Studies show that over 90% of organizations keep at least some of their digital assets in the cloud [2]. The cloud can be as secure as in-house systems, but only if managed with appropriate storage and access controls.

 

While CSPs often provide tools to help manage cloud configuration, there are still many elements of security infrastructure — such as firewalls, devices and account access — that remain the cloud user’s responsibility. In fact, CSPs are not the source of most security incidents. Lack of knowledge among cloud customers and misconfiguration of CSP accounts are responsible for most breaches, big and small.

“Misconfiguration of cloud deployments can lead to serious vulnerabilities related to account access and permissions.”

Misconfiguration, like many cloud security challenges, often stems from staff inexperience. Many security and IT specialists simply don’t understand the intricacies of secure cloud configuration and often lack in-depth knowledge of their company’s CSP security settings and capabilities.

 

Another potential pitfall is inadequate or incomplete security processes. When configurations and permissions are not thought through, employees — and bad actors — can gain access to a world of sensitive information that can be unintentionally leaked or very cleverly stolen through social engineering schemes.

 

This type of insider incident can have serious and costly impacts. Research shows that in the mature stage of cloud security the average cost of a data breach to organizations was $3.87 million [3]. It is important to know your third-party vendors and what privileges they have been granted, to reduce the risk of account takeovers by cyber criminals or disruptions to normal operations. In one study, 45% of companies' data breaches occurred in the cloud [4].

 

How to overcome the obstacles

 

In many ways, securing a cloud deployment is similar to securing traditional on-premises systems. Cloud security should follow a “cover the basics” approach that includes fundamentals, such as:

  • A thorough understanding of the data you gather
  • Powerful identity and authentication tools
  • Access controls based on the principle of least access
  • Correct configuration of the deployment
  • Encryption of data in motion, in use and at rest
  • Network activity monitoring
  • Limited privileged access to cloud settings
  • Proper training of IT, security and individual users

 

For more specific guidance in addressing cloud security challenges, a CSP can be one of the best sources of advice. Service providers offer a range of advanced security and privacy capabilities, as well as guidelines and security defaults for rigorous configuration of cloud settings. But many organizations don’t follow these guidelines, and some may even inadvertently disable essential security settings.

 

A CSP may offer continuous monitoring solutions to help detect suspicious user activity and assess an organization’s threat status in real time. Monitoring is also essential to tracking and prioritizing investigations of malicious incidents.

 

However, CSPs don’t provide much help in minimizing third-party risks. Business and security leaders will need to carefully assess a partner’s security capabilities to make sure they meet or exceed their own. This assessment can also help determine the right amount of access to grant third-party users.

 

[1] https://www.flexera.com/resources/infographic/clearing-up-cloud-chaos

[2] IDG and Google, New research: Enterprises more confident than ever in cloud security, July 1, 2021.

[3] IBM Data Breach Report 2022, https://www.ibm.com/reports/data-breach

[4] Ibid.
