Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/20/2017
11:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Cloud Security & the Power of Shared Responsibility

When you and your CSP jointly embrace the shared security responsibility model you can achieve greater success than you or your provider can achieve alone.

When you're a toddler, you think the world revolves around you, and your personal constitution has one word in it: "mine!" As you grow and develop some wisdom, you recognize that the world is complex, there are systems governing everything, and without the ability to share, you're likely destined to a lonely, off-the-grid existence in a van down by the river.

The cloud, itself, is a great example of the power of what sharing can provide. You have data, and you want to transact with that data. But a cloud provider owns the means by which you can do those things, so there has to be an agreement about responsibility – that is how, when, and where it can happen. It’s all dependent upon the two parties agreeing to specific responsibilities. Because it's shared responsibility, there also has to be a security model that ensures that the security of your data, transactions, and operations is being handled adequately within this framework.

For enterprises using public cloud infrastructures like Amazon Web Services (AWS) or Microsoft Azure, that shared responsibility is critical to getting any benefit from these incredibly innovative and lucrative compute platforms. Each Cloud Service Provider (CSP) makes very clear what it is they will secure, and what the expectations are for customers. This codified model helps customers prepare to provide the resources and acquire the necessary tools to monitor and fix security issues as they come into their purview.

For public cloud customers, there's something very easy about adhering to the shared model, because the rules of assigning and managing governance is quite apparent from the onset. In fact, Amazon makes it very clear, as evidenced by this statement from the AWS security page: "AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure." 

Breaking it down, this means that the CSP will maintain the strong security and compliance controls across their entire infrastructure platform for things like datacenter, core network/hardware, operational security practices like data disposal and change control, and others. Your job is to manage anything you manipulate on their platform.

Let's say you want to launch some scalable compute services like EC2 or Azure Virtual Machines. According to the shared responsibility model, you’re on the hook for the security groups, patching of the servers, application-level security, and anything else related to how you use/manage the virtualized servers you created.

Perhaps you're creating objects in a storage service like Amazon S3 or Azure Storage. You, as the customer, will need to manage the encryption status of those files, access policies, geographic containment, and all other aspects of data security and integrity.

With each and every service you can engage in the public cloud, there is a strong suite of security controls that are available to you. The CSPs give you hundreds of ways to configure and misconfigure your infrastructure. You have to ensure you are using them effectively and consistently.

What's compelling about this approach is that when you and your CSP jointly embrace the shared security responsibility model you can achieve greater security success than you or your provider can achieve alone. When a single party tries to deliver comprehensive security throughout an environment, the workload often overwhelms the engaged teams, especially at a time when the surface area your infrastructure touches is growing larger. This stems from the limitation of security resources that any single entity can experience; few organizations have enough security staff and resources to achieve all key project goals PLUS continuous deep security engagement of every environment.

This means any single entity cannot achieve total security nirvana because technical inertia or some impediment prevents it. However, if you partition the responsibility for security, the workload is divided between you and your CSP, not to mention their entire customer base.

This puts market forces to work. If you have a million customers each with one security professional, you now have a million security professionals working to secure a subset of your platform’s resources. This force multiplier is powerful, and is part of the reason cloud platforms like AWS and Azure are some of the most secure compute platforms created to date.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.
CVE-2020-5132
PUBLISHED: 2020-09-30
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN au...
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.