Who is Responsible for Cloud Security Under The Shared Responsibility Model? (For AWS, Azure & GCP)
Businesses that need cost-effective and scalable cloud environments often turn to one of the three most prominent Cloud Service Providers (CSPs): Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). When managed correctly, the affordability and flexibility of outsourcing infrastructure to the cloud win almost every time over building and maintaining an in-house server. According to RightScale’s 2018 assessment, nearly 96% of enterprises use the cloud in their day-to-day business operations. When using the cloud, companies enter into a transparent agreement with the Cloud Service Provider about shared responsibility for their own security. Still, many of these companies do not fully recognize the depth to which they are responsible. It is only after encountering breaches and targeted attacks through a company’s own oversight that many begin to realize just how much onus they have in their cloud security.
In this article, VerSprite’s Cloud Security Posture Management experts will share how VerSprite pairs with businesses to recognize and incorporate their responsibilities in a Shared Responsibility Model as defined by CSPs.
Advantages of Cloud Infrastructure for Businesses
The cloud offers businesses a ready-made solution to store and execute their computing strategies in easily accessible, virtual platforms. Storing data and providing services across multiple clouds can help companies control IT costs, streamline procedures, and improve application releases and infrastructures. Additionally, interfacing with internal and external users becomes less burdensome, with access capabilities available from almost any device, anywhere in the world.
Cloud Security Risks with an Easily Accessible Configuration
CSPs offer frameworks that companies can use to build their enterprise cloud environments, giving businesses flexibility in constructing their workflows and services. But keeping a business’s infrastructure in the cloud does not mean that the content will be inherently protected. Cloud security is a necessary ongoing process that safeguards the virtualized assets and resources enterprises store and use in the cloud. The cloud frameworks themselves are built securely, but how a company configures its assets and resources on the cloud introduces security risks. In fact, according to Gartner’s projections, until 2025, at least 99% of successful attacks against cloud services will be a result of the cloud tenant’s (or customer’s) misconfiguration or mismanagement.
Cloud teams must take careful consideration when designing their cloud environments and make configuration adjustments to ensure their environments are protected. As the tech industry continues to introduce advancements, including new technologies, security tools, and procedures, businesses that leverage that progress will likewise need to adapt their security.
These new technologies are not always perfect—the security implications of any improved capability can lead to exposure. Managing security across multiple endpoints to provide employees and customers with appropriate access while simultaneously denying other individuals access requires vigilance to adjust security around a litany of moving pieces. Most companies are not equipped with the personnel, experience, or bandwidth to monitor and assess their ever-fluid cloud environment.
Cloud assets can be accessible by people on devices from around the world. The challenges businesses face are identifying gaps and vulnerabilities in their configuration and obtaining cloud support specifically tailored to their unique business environment and security needs.
Businesses Can Choose to Strengthen Their Cloud Security Gaps with Third-Party Resources
Many businesses choose to outsource their cloud security to third parties for a variety of reasons. Some may have experienced the pains of managing their part in the Cloud Shared Responsibility Model or have come to recognize that their CSP-provided security tools do not wholly offer the levels of support they need to maintain a secure environment. Digital security needs to be customized to meet the regulations that a business is responsible for and built to defend against its own unique and continually shifting risks. Security products offer some protection but rarely provide the deep dive that security-conscious companies need to ensure their offense is tight.
What Security Standards Is the Business Responsible for in the Cloud Shared Responsibility Model?
When considering who holds what responsibilities in a cloud shared responsibility model, it is easier to think of a CSP as a software provider. Just as a business that purchases software is ultimately accountable for its responsible use, a business that uses the cloud is responsible for the particular ways in which it configures and uses its assets on the cloud platform.
That is where the cloud tenant’s onus in the shared responsibility model comes in. The cloud provider structures a secure environment or sandbox upon which enterprises can configure and house their assets. Tailoring cloud security to a business’s unique environment requires dedicated, professional expertise that CSPs generally do not offer to the degree it is needed. Companies are often blindsided by attacks because there is a lack of understanding and shared ownership in their cloud security.
What is the Biggest Cloud Security Gap?
Cloud-based attacks often occur because it is difficult for businesses to obtain and monitor a panoramic view of their resources, particularly when business units are decentralized in the name of tracking and billing. Not only are their data centers dispersed, but Cloud Service Providers also fragment the view of their total security stance across an array of products whose underlying security infrastructure may not be transparent. Cloud security experts can help enterprises find critical gaps, assess their vulnerabilities, and deploy solutions to strengthen their security posture across their entire cloud environment. A more comprehensive approach can also help piece together seemingly innocuous or disconnected events across the cloud landscape that could mean potential threats are priming the business for a larger attack.
Cloud Service Providers Satisfy Standards and Provide Tools
Along with cloud security measures, many businesses must also consider and adhere to regulatory compliance measures such as those decreed by the Payment Card Industry (PCI), National Institute of Standards and Technology (NIST) 800 series, the International Organization for Standardization 27001 (ISO-27001), and the Health Insurance Portability and Accountability Act (HIPAA). CSPs satisfy the standards that fall under their purview and supply robust features to help their customers meet industry-specific regulations. However, CSPs are not responsible for monitoring and controlling how businesses choose to set up their assets on the cloud. This is where shared responsibility comes back into play: the cloud is a safely built infrastructure, but businesses can still misconfigure the assets they place on the cloud, leaving them exposed. Utilizing CSPs’ built-in security tools and adhering to compliance regulations is the start of securing an enterprise’s digital presence. Still, it often does not cover everything, which is where a third-party vendor can help uncover and remediate security gaps.
Organizations can manage their part in cloud security more effectively and ferret out hidden risks with tools such as VerSprite’s Cloud Security Assessment Platform, AltorCloud. AltorCloud brings advanced security intel and leverages CSPM services and tools already at a business’s disposal. This helps tighten security gaps and identify misconfigurations in one place instead of hunting through multiple built-in tools such as AWS’s CloudWatch, which monitors health and performance on automated dashboards, and CloudTrail, which logs a business’s event history.
Engaging a third party to assess and monitor a business’s collective infrastructure and its many enclaves in the cloud is a pre-strike in the offense against lost or stolen information, reputational damage, and regulatory violation accusations, and it helps safeguard assets and financials. Using a tool like AltorCloud coupled with expert oversight provides comprehensive protection to the enterprise’s total cloud environment rather than “virtually wiring resources together,” which can increase expenditures and weaken security measures.
Hackers will take advantage of a company’s complacency in knowing it has met its regulatory requirements and the industry’s standards, which the IT industry does not rapidly update amid the lightning-paced progression of technology. While businesses can be in full compliance with the regulations that govern them, that is no guarantee that their security posture is strong. Additional considerations in each organization’s unique risk profile should be examined and remediated to make their environment’s security posture as robust as possible. Applications that are then left exposed on the cloud make for much easier targets than more involved hacks, such as infiltrating a software program, and can reward hackers with more frequent payoffs.
This article revealed why enterprises need to stake ownership in their cloud security, enlist help in identifying and remediating vulnerabilities, and frequently revisit their security strategies to adjust them to the cloud environment’s fluidity. VerSprite’s Cloud Security experts also illustrated how working with a security partner can help businesses recognize and incorporate their responsibilities in a Shared Responsibility Model as defined by CSPs.