
Cloud security cannot be outsourced – it’s up to your organization

Securing your cloud is rarely something your organization does entirely on its own. What questions should you ask your vendors? We discussed this in a roundtable with experts from Conscia, PQR, Tesorion, Thales, and Upwind Security.

It is clear that IT players have their work cut out for them when it comes to cloud security. The cloud is a layered environment, often complex and dependent on third parties. Moving to it brings all kinds of advantages, especially for SMEs, so it pays to gather all the necessary information beforehand. Existing cloud users also need to think carefully, because the cloud, and certainly its security, requires critical scrutiny. Organizations are used to questioning their own IT teams about security measures; the same should apply to security within the cloud. In practice this does not always happen, as became clear in our conversation with the participants.


Making choices

In the security landscape, people are the weakest link in securing systems, observes Andre Honders, Strategic Architect at PQR. At the same time, those same people know better than anyone which systems keep their organization alive when things go wrong. According to Erik de Jong, Chief Research Officer at Tesorion, organizations must be able to explain which processes and systems are most important to their business operations. “Otherwise, organizations don’t know where to make choices,” he says, referring to the options of completely locking down IT environments or, conversely, increasing ease of use with more privileges and fewer login screens. “If your security isn’t workable, people will circumvent it,” adds Steven Maas, Sales Director Data & Application Security BeNeLux at Thales. The balance between convenience, the right level of security, and, of course, price, must be “spot on,” he says.

Andre Honders, Strategic Architect at PQR

It is striking that Wesley Swartelé, System Architect at Conscia Belgium, has never heard a customer ask how best to balance these factors. Instead, the emphasis is on the budget for purchasing a security package, and customers are not inclined to really understand the product from that perspective. Steven Duckaert, Solution Architect at Upwind Security, points out that an up-to-date understanding of the state of security tooling is not something you can expect from a customer. “With GenAI, you can’t expect a company to keep up with developments.”

Don’t outsource responsibility

De Jong of Tesorion notes that organizations gradually adopt all kinds of cloud solutions, but that security is not always included as a criterion in that adoption process. As a result, an organization may suddenly find itself using a large number of cloud services without having put appropriate detection or response measures in place for them. Involving employees in security-related developments also plays a role here.

Steven Maas, Sales Director Data & Application Security BeNeLux at Thales

Steven Maas acknowledges this: training your staff not to click on phishing links, for example, is no longer enough. “You need to have the tools to ward off attacks or protect your data.” He points out that access to certain databases must be accompanied by alerts. It soon becomes clear that there is no single solution that fully addresses cloud security.

Cloud security can be viewed from many angles. There are many aspects that play a role in decisions surrounding this topic. Yet we repeatedly end up discussing data. Honders of PQR believes that more attention should be paid to metadata in particular. “A data scientist or investigator can use [metadata] to sketch out an entire company.” How so? In addition to names and phone numbers, this data often includes job titles, license data, and contextual information. Organizations are not sufficiently aware of this, or at least, Honders wonders whether organizations simply consider giving away metadata to be safe.

This brings us to a task that customers must perform themselves: classifying data. Honders hears few questions about this. Swartelé of Conscia points out that regulating access to data is very simple, but again, organizations too often ignore this low-hanging fruit. “Sensitive data is far too easily accessible,” says Maas. There is never a silver bullet, and De Jong warns against getting too excited about the introduction of passkeys or MFA. “Crime is always a problem; infostealers and BEC (Business Email Compromise, ed.) are commonplace.” His advice is to think in terms of threats. “When you think in terms of threats, MFA is a no-brainer to implement. It is a step in the overall process of making it difficult for attackers. However, it is an illusion to assume that MFA solves all problems.”

Steven Duckaert, Solution Architect at Upwind Security

In summary, the experts agree that the end user of security services bears considerable responsibility. Although developments in cloud security are recognized to be moving fast (see the AI wave and the ever-changing hype terms surrounding it), the basics are often not in order. Solving this starts with asking the right questions: of your business owners, to identify the most important processes, and of your IT supplier, to arrive at appropriate measures.

A step-by-step plan is not made overnight

To answer some questions in advance, we take a look at some of the positive developments mentioned that customers can adopt. At the same time, one rule applies to this adoption process: you cannot do everything at once, so start with the points that matter most to your organization. The task can seem overwhelming, which argues for step-by-step adoption. Duckaert of Upwind says the following about this: “Organizations think too reactively, ‘just help us’. When an incident occurs, the person responsible can tell the board that it was covered by a software solution.” In this way, parties assign blame, even though infiltration can happen even with the best cloud security tooling.

Erik de Jong, Chief Research Officer at Tesorion

For example, data theft becomes a much greater disaster if the organization itself did not properly hide its backups, even though the package it had purchased offered that option. Attackers frequently encrypt both company data and these backups. Maas sees this situation occur frequently. In all these kinds of situations, it is important not only to ask questions, but also to verify in practice whether the measures have actually been taken.

Duckaert has become more hopeful about a relatively recent development. Browser-based attacks are on the rise, but on the other hand, he sees an increase in the adoption of enterprise browsers. Employees continue to use the familiar browser interface, but the functionality “provides more visibility” for security teams, according to Duckaert. Swartelé sees this as a step that organizations still need to take in onboarding and training employees. “Work laptops are also used at home. The focus [during onboarding] should be on the fact that this is a company device, but employees find that difficult.” The adoption of enterprise browsers requires the same awareness of the importance of security for the organization, says Swartelé. De Jong indicates that employees’ cyber awareness should actually develop naturally: with a number of basic measures and simple rules. In other words, keep it simple. De Jong compares it to teaching a child to cross the street. It’s a step-by-step process: stand still, look left and right to see if it’s safe, etc. Understanding such a safety measure is “easy for most people to grasp.”

Involving the entire organization

Finally, we mention one group of employees in particular: the developers. Despite all their knowledge of code and IT infrastructure, this group is difficult to secure. Organizations must therefore extend their security policy to everything from the production environment to the development environment. Duckaert: “Misconfigurations make the cloud more difficult to protect. A firewall is simpler. Hopefully, few developers in your organization have access to it.” Honders points out that the cloud is extremely configurable through Infrastructure-as-Code. In other words, setting things up properly is just as easy as unknowingly configuring your infrastructure in an insecure way.

Wesley Swartelé, System Architect at Conscia Belgium

Swartelé suggests that developers should not be able to perform a deployment just like that. “Reject it if it does not meet the requirements. If you allow a developer to do anything, strange things will happen.” At the same time, the real challenge here is also to identify the right security measures. The experts repeatedly acknowledge that striking a balance between friction and convenience is anything but easy.
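To make concrete what “reject it if it does not meet the requirements” can look like for Infrastructure-as-Code, here is an added example that is not from the roundtable or from any participant's product: a minimal policy gate that evaluates a constructed, deliberately simplified IaC manifest (the schema and attribute names are hypothetical, not any real provider's) against rules drawn from the points raised in this article, namely classified data exposed publicly, backups that are not protected, and privileged roles without MFA, and allows the deployment only when every rule passes.

```python
import copy
import json

# Constructed, simplified IaC manifest (hypothetical schema, not any real provider's).
MANIFEST = json.loads("""
{
  "resources": [
    {"name": "customer-db-backup", "type": "storage_bucket", "public_access": true,
     "data_classification": "confidential", "versioning": false, "immutable_retention_days": 0},
    {"name": "web-assets", "type": "storage_bucket", "public_access": true,
     "data_classification": "public", "versioning": false, "immutable_retention_days": 0},
    {"name": "platform-admin", "type": "iam_role", "privileged": true, "mfa_required": false}
  ]
}
""")

def check_bucket(r):
    """Findings for a storage bucket: classified data exposed, or a backup left unprotected."""
    findings = []
    cls = r.get("data_classification", "unclassified")
    if r.get("public_access") and cls != "public":
        findings.append(f"{r['name']}: {cls} data must not be publicly accessible")
    protected = r.get("versioning") and r.get("immutable_retention_days", 0) > 0
    if "backup" in r["name"] and not protected:
        findings.append(f"{r['name']}: backups must be versioned with an immutable retention period")
    return findings

def check_role(r):
    """Findings for an IAM role: privileged access that does not require MFA."""
    if r.get("privileged") and not r.get("mfa_required"):
        return [f"{r['name']}: privileged roles must require MFA"]
    return []

CHECKS = {"storage_bucket": check_bucket, "iam_role": check_role}

def evaluate(manifest):
    """Run every applicable check; the deployment is allowed only when no rule fails."""
    findings = []
    for r in manifest["resources"]:
        findings.extend(CHECKS.get(r["type"], lambda _: [])(r))
    return {"allowed": not findings, "findings": findings}

def harden(manifest):
    """The same resources with the corrected settings, to show the gate passing."""
    fixed = copy.deepcopy(manifest)
    for r in fixed["resources"]:
        if r["type"] == "storage_bucket":
            r["public_access"] = r.get("data_classification") == "public"  # only public data stays public
            if "backup" in r["name"]:
                r["versioning"], r["immutable_retention_days"] = True, 30
        elif r["type"] == "iam_role" and r["privileged"]:
            r["mfa_required"] = True
    return fixed
```

Running `evaluate(MANIFEST)` rejects the deployment with three findings, while `evaluate(harden(MANIFEST))` allows it with none; the public `web-assets` bucket passes because its classification says it may be public.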

Conclusion: organization-wide awareness

Security cannot be outsourced, and that does not change if you happen to use the cloud. That is the lesson of our roundtable discussion with the gentlemen from Conscia, PQR, Tesorion, Thales, and Upwind Security. Erik de Jong of Tesorion insists that when organizations start thinking in terms of threats, this automatically improves their security posture. Andre Honders from PQR notes that data classification needs to take a step forward, especially where it is wrongly claimed that metadata is not that important to protect. Steven Maas from Thales knows that even critical infrastructure sometimes does not have MFA in place, which keeps us stuck in a security situation where the basics are lacking. Wesley Swartelé from Conscia still hears too few of the questions that customers should actually be asking. Hopefully, this discussion has raised questions that vendors, partners, and suppliers can provide helpful answers to.