Teenagers, Cloud Security, and Shared Responsibilities

cloud_securityAs my wife and I depart for an out-of-town wedding and leave our two college-bound teenagers alone at home with a set of shared responsibility instructions, we do so feeling both excited about our trip and apprehensive about the ambiguity of who will do what at home. Trust is earned, after all, and needs to be verified. Such is also the case for enterprises moving application workloads to the cloud. These teen – if not toddler – phases of cloud security can be awkward, but with real benefits, and ultimately survivable with a few cautionary tips.

  • Expectation Setting
Leading cloud service providers (CSPs) such as Amazon Web Services (AWS) are fairly prescriptive about how they share the responsibility of securing a customer’s cloud environment, using a stack diagram to depict this division of labor. AWS takes responsibility from the hypervisor down including the network layer all the way to securing access to their data centers. The customer, in turn, owns securing the workload (i.e., server operating system and resident application) and the data. This level of clarity on who handles what is essential to determine where to focus (hint: see the next bullet!), where to push your CSP for more visibility, and who is culpable should a breach and data loss occur. 
  • It’s Your Data and Responsibility

Be they “cloud-washed” applications hosted in a public cloud or a native application built in the cloud, make no mistake – customers should take responsibility for securing and protecting their data created and accessed in the cloud and should not abdicate this responsibility to their CSP. While data duplication across zones and regions provides some level of recoverability, customers are still responsible for keeping their data secure and their secrets, well, secret. So encrypt early and often – i.e., in flight and at rest - and consider providers and solutions that allow you to keep the encryption keys under your control. CSP-based and on-premises encryption gateways offer good options for native and hybrid cloud deployments. 

  • Best of Both Worlds: Public, But Private

Not all of us are especially good at sharing. In the case of security and the cloud it’s nothing personal – some of us just don’t want our data co-mingling with others’. And not all data is created equally with respect to its particular intrinsic value, so it may be entirely appropriate, perhaps even regulated and required, that especially-sensitive data be treated with the utmost care. For these data types and the associated application stacks, CSPs, including AWS and Google Compute Engine (GCE), offer virtual private cloud and networking services giving customers the agility of the cloud utility and, at the same time, segregation from others. 

  • Visibility: Mind the Gap

In a cloud service, the absence of a network egress point and thus network tap to plug in intrusion detection, next-gen firewall, and malware detection systems means a lack of visibility that many enterprises have become accustomed to having for both detection and response purposes. As a result, most, if not all, security professionals with an on-premises orientation are understandably concerned about a visibility gap when deploying in the cloud, some of which can be augmented with host-centric security controls such as host-based firewalls, file integrity monitoring (FIM), and system monitoring. And while network traffic can be re-routed, aggregated, and analyzed, it’s only a partial view so customers ought to push their cloud service providers for greater visibility into the lower levels of the stack for which the CSP is responsible. After all, what’s below the workload is like an iceberg – there’s a lot of activity underneath the hypervisor and many enterprises want greater visibility even if they can’t have control. Providing additional visibility closes the trust loop by offering customers that level of verification of the efficacy of the controls employed by their CSP.

These are just a few of the tenets of a shared responsibility security model in what is still very much early days in securing public cloud deployments. It may seem remedial, but cloud security is also in the teen years, needing constant reminders about responsibility and consequences. And, no, I can't tell you where the party is!


federal cybersecurity analysis

Topics: Cybersecurity