Businesses must remember shared cloud security requires shared responsibility

Ceding some control and partnering with a cloud provider can boost an organization's data protection, as long as both sides know where their responsibilities lie


Migrating services to the cloud streamlines processes and gives companies greater flexibility to focus on their core business. Many companies have seen their growth potential unleashed as they discover that large parts of their technology can be effectively outsourced.

As beneficial as this is from a business point of view, many organizations struggle with the security risks of placing valuable assets in the cloud. They also grapple with a simple question: who is responsible for security?

Uncertainty about how the responsibility for security is shared, together with reluctance to hand control to a third party, has slowed the adoption of cloud services and has even caused major security issues.


The shared security model is core to any cloud offering. When using cloud services, businesses must relinquish control of part of their technology stack, and they must trust the cloud provider to harden, monitor and perform incident response for that portion. This is a partnership, however: the business, as the customer, remains responsible for the portions of the stack that stay under its control.

For different forms of cloud services, the line between the provider's responsibility and the customer's is drawn in different places.

Software as a Service (SaaS) – The provider is responsible for most of the security hardening, monitoring and incident response. It is expected to secure the physical assets, hypervisor, network, operating system and application, and even to watch portions of user activity. The customer is still responsible for managing user accounts and their permissions and for monitoring what privileged users do.

Platform as a Service (PaaS) – The provider is responsible for the security of the physical assets, hypervisor, network, operating system and the portions of the application stack it supplies (for example the runtime and middleware). The customer is responsible for the logic running on the platform (the application, or other business logic built on the platform provided), as well as user permissions and privileged user actions.

Infrastructure as a Service (IaaS) – The provider is responsible for the security of the physical assets, hypervisor and portions of the network. The customer retains most of the security responsibility, from managing its share of the network controls and the operating systems it installs, all the way up to the users of the applications hosted in the environment.

This shared responsibility has major implications for security monitoring. It is not reasonable to expect providers to give you visibility into activity within the portions of the infrastructure they are responsible for. It is reasonable to expect them to prove they are doing their job. Everything on your side of the line, such as user permissions and privileged user actions, remains yours to monitor, whichever service model you use.
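One concrete piece of the customer's side of that monitoring is watching privileged actions in the audit trail the provider does expose. The following is an added example, not code from the original article or from any vendor: it parses constructed, newline-delimited JSON audit events (the field names `time`, `actor`, `actor_type`, `action` and `source_ip`, and the list of privileged action names, are assumptions for the example rather than any provider's real schema) and raises a finding for each privileged action, escalating severity when the call was made as root or from outside a trusted network range.

```python
import ipaddress
import json
from dataclasses import dataclass

# Actions the customer must watch regardless of the service model.
# Assumption for this example: these names are illustrative, not a vendor's taxonomy.
PRIVILEGED_ACTIONS = {
    "AttachRolePolicy": "policy attached to a role",
    "CreateAccessKey": "long-lived credential created",
    "DeactivateMFADevice": "MFA removed from a user",
    "UpdateAssumeRolePolicy": "role trust policy changed",
    "PutBucketPolicy": "storage bucket policy changed",
}

# Constructed sample audit trail: one JSON event per line, plus one malformed line.
SAMPLE_LOG = """
{"time": "2016-03-01T09:12:04Z", "actor": "alice", "actor_type": "user", "action": "ListBuckets", "source_ip": "10.1.2.3"}
{"time": "2016-03-01T09:14:31Z", "actor": "alice", "actor_type": "user", "action": "AttachRolePolicy", "source_ip": "10.1.2.3"}
{"time": "2016-03-01T11:02:17Z", "actor": "root", "actor_type": "root", "action": "CreateAccessKey", "source_ip": "203.0.113.45"}
{"time": "2016-03-01T11:05:00Z", "actor": "bob", "actor_type": "user", "action": "DeactivateMFADevice", "source_ip": "198.51.100.7"}
this line is not JSON and must be skipped
"""


@dataclass
class Finding:
    timestamp: str
    actor: str
    action: str
    reason: str
    severity: str


def parse_events(lines):
    """Parse one JSON audit event per line; blank and malformed lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # never let one bad record stop the rest of the trail
    return events


def find_privileged_actions(events, trusted_cidrs=("10.0.0.0/8",)):
    """Return a Finding for every privileged action in the events.

    Severity starts at medium and rises to high when the actor is root or the
    request came from outside the trusted network ranges (an assumed policy).
    """
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for ev in events:
        action = ev.get("action")
        if action not in PRIVILEGED_ACTIONS:
            continue
        source = ipaddress.ip_address(ev.get("source_ip", "0.0.0.0"))
        from_trusted = any(source in net for net in networks)
        severity = "medium"
        reasons = [PRIVILEGED_ACTIONS[action]]
        if ev.get("actor_type") == "root":
            severity = "high"
            reasons.append("performed as root")
        if not from_trusted:
            severity = "high"
            reasons.append(f"from untrusted address {source}")
        findings.append(Finding(ev.get("time", ""), ev.get("actor", "unknown"),
                                action, "; ".join(reasons), severity))
    return findings


def review_sample_log():
    """Run the detector over the constructed sample and return its findings."""
    return find_privileged_actions(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for f in review_sample_log():
        print(f"{f.severity.upper():6} {f.timestamp} {f.actor} {f.action}: {f.reason}")
```

On the sample trail this yields three findings: a medium one for the in-network policy attachment, and high ones for the root credential creation and the MFA removal, both performed from outside the trusted range. In practice the event format and the trusted ranges come from the provider's audit log and your own network inventory, which is exactly the part of the monitoring no provider can do for you.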

Clarify roles

When selecting a cloud provider, it is important to discuss the shared security model so that all parties are clear on responsibility. Potential providers should be able to describe:

  • The shared security model, and how it relates to their offering
  • How they manage abuse cases (e.g. application vulnerabilities, malware, privilege abuse)
  • The periodic security assessments that their offering undergoes
  • The monitoring programs they have in place for their service
  • The response and disclosure procedure if an incident occurs

Beyond demonstrating that they are, in fact, taking responsibility for their portion of shared security, cloud providers should also be able to explain how they will support your own security efforts.

Higher level of protection

Most major cloud providers have well-established security teams with highly qualified incident response personnel, and they focus on security throughout the development life cycle. While many businesses still have concerns about the security of cloud offerings, a cloud provider's level of security maturity is typically much higher than that of the average organization.

As a result, moving services to the cloud can actually enable companies to improve their security substantially. Just remember: regardless of the nature of the cloud offering, you will always be responsible for some security measures. Understanding the types of cloud offerings available and where responsibility lies will help you maximize the security of these services.
