This post is part of a three-part blog series on cloud security basics and fundamentals. This installment covers cloud security and the shared responsibility model.
Cloud security should be a key focus area for any organization moving its workloads into the cloud. Frequently, cloud security is also the source of a customer's reluctance to take this step. It shouldn't be, because moving to the cloud transfers some security responsibilities to the cloud provider and relieves a heavy burden from the organization's shoulders. The organization can then focus on its applications and its business rather than on securing the underlying infrastructure.
Security is a process, one that keeps evolving with time. Moving to the cloud helps companies keep up with these ongoing changes: new threat patterns can be addressed and course corrections made quickly, because the provider's infrastructure and services are updated centrally rather than rack by rack.
Fundamentally, cloud security is no different from traditional data center security operations. The concepts remain the same, although the ownership and the implementation requirements are different. Ownership for cloud security is split between the cloud provider and the organization. This arrangement is referred to as “the shared responsibility model.”
The Shared Responsibility Model - What Does it Really Mean?
In data center operations, the customer is responsible for the end-to-end security of the infrastructure. In the cloud, security and compliance responsibilities are shared between the customer and the cloud provider.
According to the shared responsibility model, the cloud provider is responsible for security "of" the cloud, while the organization is responsible for security "in" the cloud. In other words, the security of the cloud data centers, hardware, and the provider's own software falls to the cloud provider, while tasks like securely storing customer data, access management, encrypting network traffic, operating system configuration, and anything else above the hypervisor are the responsibility of the customer.
Image Source: AWS Shared Responsibility Model
The shared responsibility model shifts further toward the provider when organizations start using managed services. For example, if the customer uses the cloud provider's managed relational database service, they no longer have to worry about the operating system layer: the cloud provider manages the security of the operating system and the base configuration of the database engine.
In this case, the customer is only responsible for its databases, who can access them, and how the data is encrypted. Many cloud providers also offer encryption as a service, further simplifying database management. Similarly, the cloud provider is responsible for the security of the other services it offers, such as load balancers, container services, and object storage, reducing the customer's responsibility even more. What never moves to the provider, however, is the customer's own configuration of those services: an access policy that grants anonymous access, a database endpoint left publicly reachable, or encryption that was never switched on remains the customer's problem regardless of how managed the service is.
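To make "security in the cloud" concrete, the following is an added example (it is not from the original post and is not a tool from any cloud provider) that audits a constructed, simplified inventory for the kinds of lapses that stay on the customer's side of the line even when managed services are used: a virtual-firewall rule that exposes an administrative port to the whole internet, an object-storage policy that grants anonymous access or does not enforce TLS, and a managed database left unencrypted or publicly reachable. The field names mirror the shape of AWS security groups, S3 bucket policies and RDS instance attributes, but all of the data is invented for illustration.

```python
"""Customer-side ("security in the cloud") configuration checks.

Added example: the inventory below is constructed for illustration and is not
output from any real account or provider tool.
"""
from ipaddress import ip_network

# Ports an attacker scans for first; exposing them to 0.0.0.0/0 or ::/0 is a
# customer-side lapse no matter how secure the provider's network is.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}


def firewall_findings(sg):
    """Virtual-firewall (security group) ingress rules open to the whole internet."""
    findings = []
    for rule in sg.get("ingress", []):
        net = ip_network(rule["cidr"], strict=False)
        if net.prefixlen != 0:              # only 0.0.0.0/0 and ::/0 have a /0 prefix
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        if lo == -1:                        # provider convention: -1 means every port
            findings.append(f"{sg['id']}: all ports open to {net}")
            continue
        for port, name in ADMIN_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{sg['id']}: {name}/{port} open to {net}")
    return findings


def _is_wildcard(principal):
    """True for the two ways a policy can say 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def bucket_findings(name, policy):
    """Object-storage policy: anonymous access and missing TLS enforcement."""
    findings = []
    enforces_tls = False
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {})
        # An unconditional Allow to a wildcard principal is anonymous access.
        if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal")) and not cond:
            findings.append(f"{name}: statement {st.get('Sid', '?')} grants anonymous access")
        # The idiomatic way to force TLS is a Deny when aws:SecureTransport is false.
        if (st.get("Effect") == "Deny"
                and cond.get("Bool", {}).get("aws:SecureTransport") == "false"):
            enforces_tls = True
    if not enforces_tls:
        findings.append(f"{name}: no Deny on aws:SecureTransport=false (plaintext allowed)")
    return findings


def database_findings(db):
    """Managed database: the provider patches the host; encryption and exposure stay with you."""
    findings = []
    if not db.get("storage_encrypted", False):
        findings.append(f"{db['id']}: storage not encrypted at rest")
    if db.get("publicly_accessible", False):
        findings.append(f"{db['id']}: publicly accessible endpoint")
    return findings


def audit(inventory):
    """Run every customer-side check over an inventory and return the findings."""
    findings = []
    for sg in inventory["security_groups"]:
        findings += firewall_findings(sg)
    for bucket in inventory["buckets"]:
        findings += bucket_findings(bucket["name"], bucket["policy"])
    for db in inventory["databases"]:
        findings += database_findings(db)
    return findings


# Constructed sample inventory (not real resources). Each group mixes a sound
# configuration with a lapse so the checks have something to find.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},     # fine: public HTTPS
            {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},       # ssh to the world
        ]},
        {"id": "sg-db", "ingress": [
            {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},  # fine: private only
            {"cidr": "::/0", "from_port": -1, "to_port": -1},            # every port over IPv6
        ]},
    ],
    "buckets": [
        {"name": "public-reports", "policy": {"Statement": [
            {"Sid": "AnyoneRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-reports/*"},
        ]}},
        {"name": "customer-data", "policy": {"Statement": [
            {"Sid": "AppRole", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-data/*"},
            {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::customer-data/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ]}},
    ],
    "databases": [
        {"id": "orders-db", "storage_encrypted": True, "publicly_accessible": False},
        {"id": "legacy-db", "storage_encrypted": False, "publicly_accessible": True},
    ],
}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

Run against the sample inventory it reports six findings: the SSH rule on sg-web, the all-ports IPv6 rule on sg-db, anonymous read plus missing TLS enforcement on public-reports, and the unencrypted, public legacy-db. Everything it flags is configuration the customer owns under the shared responsibility model; nothing here would be caught by the provider hardening its data centers or hypervisors. In practice the inventory would come from the provider's API or configuration export rather than a literal, but the checks themselves do not change.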
Customers with compliance obligations will find cloud adoption particularly advantageous, because much of their compliance burden for the underlying infrastructure is carried by the cloud provider. All of the primary cloud providers have already gone through rigorous audits for regulated workloads like those found in the health care, financial, and educational sectors, and hold the corresponding attestations and authorizations (e.g., HIPAA eligibility, PCI DSS, FedRAMP, and FISMA). The customer inherits those controls for security of the cloud and only needs to demonstrate compliance for security in the cloud: its own data handling, access control, configuration, and applications.
“Get Humans Away From Your Data”
This was the key message of AWS’s CISO during his presentation at Gartner’s Security summit, and it is a message that bears repeating. With the relentless evolution of security threats, there is a constant need to upgrade security teams’ skill sets and add new security tools to the environment.
Studies suggest that year after year, companies report that their cyber security skills shortages are worsening. CISOs can tackle this situation effectively by consolidating and integrating security processes and technologies that leverage automation.
It is also wise to invest in key employees by providing them with the training necessary to keep their skill sets relevant.
In the world of the traditional data center, security management is a herculean task requiring specialized talent and tools, significant upfront investment, a 24x7 security operations team, and a huge amount of energy. From establishment of the data center and procurement of the infrastructure to hosting of the applications, organizations using traditional data center models have to be deeply involved in security at every layer.
In comparison to traditional data center operations, the security process in the cloud is simpler because the cloud provider already secures the lower layers, and the customer can use the security services offered by the provider to manage its own environment.
Every major cloud provider offers, at minimum, a virtual firewall service, encryption as a service, and identity and access management as a service. Along with these ready-to-use options, cloud providers also offer additional services that simplify management of resources, such as patching as a service, DDoS protection as a service, and a Web Application Firewall as a service. Offering a service is not the same as configuring it correctly, though: a firewall with an overly broad rule or an encryption service nobody enabled is still the customer's responsibility.
However, this "shared responsibility" model of security between cloud providers and the customer sometimes becomes blurry in containerized workloads, where the line between the provider's managed host and the customer's images, runtime configuration and orchestration is harder to draw. The Red Hat vulnerability found last month is an example of this. More on how Containers Break the Shared Responsibility Model Between Cloud Providers and Ops can be found here.
Cloud security is not as simple as it looks
The bottom line is that security, especially in the cloud, is an ongoing process. Many security lapses result from avoidable human errors, most often misconfiguration on the customer's side of the shared responsibility line. When moving to the cloud, companies should focus on the cloud architecture design and ensure that the right controls are in place to secure their environment from external and internal threats.