Businesses Must Remember Shared Cloud Security Requires Shared Responsibility
By Russ Spitler
Migrating services to the cloud streamlines processes and gives companies a greater degree of flexibility to focus on their core business. Many companies have seen their growth potential unleashed as they discover that large parts of their technology can be effectively outsourced.
As beneficial as this is from a business point of view, many organizations struggle with the security risks associated with placing valuable assets in the cloud. They also grapple with how to answer the simple question of who is responsible for security?
The uncertainty around how to share the responsibility of security along with the confidence to give up control to a third party has slowed the adoption of cloud services and has even caused major security issues.
The shared security model is core to any cloud offering. When using cloud services, businesses are required to relinquish control of part of their technology stack. They also must trust cloud providers to harden, monitor and perform incident response for that portion. However, this is a partnership and the business, as a customer, is still responsible for the portions of technology that remain under its control.
For different forms of cloud services, the line between a provider’s responsibility and a customer’s is drawn in different places.
Software as a Service (SaaS) – The provider is responsible for the majority of the security hardening, monitoring and incident response. They are expected to take responsibility for the security of the physical assets, hypervisor, network, operating system, application and even portions of the user activity. The customer is still responsible for managing user permissions and monitoring privileged user actions.
Platform as a Service (PaaS) – The provider is responsible for the security of the physical assets, hypervisor, network, operating system and portions of the application. The customer is responsible for the logic running on the platform (i.e., the application, or other business logic as it applies to the platform provided), as well as user permissions and privileged user actions.
Infrastructure as a Service (IaaS) – The provider is responsible for the security of the physical assets, hypervisor and portions of the network. The customer retains a large portion of the security responsibility, from managing portions of the network controls all the way up to users of the applications hosted in the environment.
This shared responsibility has major implications on security monitoring. It is not reasonable to expect providers to give insight into the activity for the portions of the infrastructure they are responsible for. It is reasonable to expect them to prove they are doing their job.
When selecting a cloud provider, it is important to discuss the shared security model so that all parties are clear on responsibility. Potential providers should be able to describe:
- The shared security model, and how it relates to their offering
- How they are managing abuse cases (e.g. application vulnerabilities, malware, privilege abuse)
- The periodic security assessments that their offering undergoes
- The monitoring programs they have in place for their service
- The response and disclosure procedure if an incident occurs
Beyond the ability to demonstrate that they are, in fact, taking responsibility for their portion of shared security, cloud providers also should be able to explain how they will support your security efforts.
Higher level of protection
Most major cloud providers have well-established security teams with highly qualified incident response personnel and focus on security throughout the development life cycle. While many businesses still might have concerns about the security of cloud offerings, a cloud provider’s level of security maturity is typically much higher than that of the average organization.
As a result, moving services to the cloud actually can enable companies to vastly improve their security. Just remember: Regardless of the nature of the cloud offering, you will always be responsible for some security measures. Understanding the type of cloud offerings available and where responsibility lies will help you maximize the security of these services.
Russ Spitler, vice president of product strategy at AlienVault, is a guest essayist for ThirdCertainty.com, where this article originally appeared.