If you think you do not have to worry about your business information because it is safe and secure in the cloud, think again! As more and more businesses transition their infrastructure to the cloud, the big concern is just who is responsible for security in the cloud. This presents opportunities for bad actors to slip in and cause all kinds of havoc.
Major cloud service providers (CSPs) obviously have a lot of motivation and the resources to secure the cloud environments they are selling. They have deep pockets, skilled personnel, and the threat of significant liability if they fail to provide adequate protections (see the Capital One/AWS Breach in 2019). But that same risk of liability is also a strong driver toward the CSPs’ desire to divest themselves of responsibility when it comes to the actual configuration of security of a customer’s environment in their cloud.
This means that ensuring the integrity and security of the cloud is a two-party responsibility. Typically, the CSP takes on the physical security of the cloud infrastructure while the customer’s internal security team owns the apps, data, containers, and workloads in the cloud. There are tools provided by the CSPs that can greatly increase security, but it is up to the customer to configure them appropriately for their environment.
Additionally, in practice, this separation of responsibility for security is not completely straightforward. There is not a uniform shared responsibility model across all the major CSPs.
Microsoft’s shared responsibility model puts responsibility for data, devices, accounts, and identities in software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), and on-premise solutions on the customer. However, responsibility is shared between Microsoft and the customer when identity and directory infrastructure, apps, network controls, and operating systems (OS) are involved. Microsoft only takes full responsibility for physical hosts, networks, and data centers for SaaS, PaaS, and IaaS.
AWS’ shared responsibility model makes a distinction between protecting the “Security of the Cloud” versus “Security in the Cloud.” AWS says it is responsible for “protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of hardware, software, networking, and facilities that run AWS Cloud services.” The customer is responsible for data, platform, apps, identity and access management, operating systems, network and firewall configuration, and encryption.
Google’s model is even less explicit. “Google secures the underlying cloud infrastructure and services, [and] the customer secures their applications, devices, and systems when building on top of Google’s Cloud infrastructure.” They specify that all on-premise services are the customer’s responsibility, gradually shifting responsibility toward Google as you move from IaaS, to PaaS and finally SaaS, where customers are only required to secure the content and access policies of their software.
As evidenced by these policy statements, the issue is further complicated because the CSP’s level of responsibility also depends on what services the customers select. The nuances of securing SaaS, IaaS, and PaaS can blur the expectations for security even further between customer and provider. Ultimately, the CSP is responsible for providing a secure cloud environment, but it is still the customer’s responsibility to secure the data and applications in that environment.
The good news is, the CSPs have a vested interest in helping their customers do this and generally have created guidelines and tools to help the customer configure their security settings.
Microsoft created the Azure Security Benchmark to help make security progress more measurable. Once customers have identified their security controls, they are able to measure progress against implementation of these controls and receive an Azure Secure Score.
AWS created the Well-Architected Framework for implementing the cloud environment and Well-Architected Tool for self-service to run workload reviews. The AWS Identity and Access Management are tools for customers to manage access to AWS services and resources securely.
However, even with all these tools, cloud migration and security are typically separate considerations, according to research from Deloitte. In 2019, less than 10% of organizations factored cloud migration and SaaS into their cybersecurity budget.
There was a sharp rise in the number of companies shifting portions of their infrastructure in 2020 to the cloud, due to COVID. Many of these organizations made this move without adequate attention to and configuration of proper security for their environments. Moving to the cloud definitely allows you to offload the security concerns of specific aspects of your environment to the CSPs. But the devil is in the details, and those details will always be your responsibility.
For questions about Windes Cybersecurity services, please call 844.4WINDES (844.494.6337) or email us at advisory@windes.com.