SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Implementing shared security models in the cloud
Tue, 8th Jan 2019

When it comes to cloud security, the issue isn't the platforms, but rather the lack of a process for implementing and maintaining the best cloud security practices.

Whenever there's a security breach involving a public cloud, the cause almost invariably turns out to be a developer who forgot to implement one control or another.

Developers are understandably excited about public clouds because they allow them to build and deploy applications without having to wait for internal IT organisations to provision IT infrastructure.

The trouble is that developers aren't usually aware of every control that should be implemented to ensure security.

Before anyone realises it, cybercriminals are exfiltrating massive amounts of data because the developer didn't fully appreciate the shared responsibility model for security that is inherent in using public clouds.

Who's responsible for what?

Cloud service providers must ensure the security of the underlying infrastructure, but organisations are responsible for the security surrounding the assets they put into the cloud.

This is backed up by the Shared Security (or Responsibility) Model, which is standard across all cloud platforms.

A 2017 Vanson Bourne survey sponsored by Barracuda Networks revealed some interesting data related to the Shared Security Model.

More than three-quarters of Australian respondents reported that they fully understand the public cloud security responsibilities of both their organisation and public cloud provider.

However, when asked what cloud vendors are responsible for securing, the responses clearly indicate that the Shared Security Model isn't fully understood.

The majority believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there's still a lack of clarity around the subject.

The vast majority are leaving major security responsibilities to their provider, which could leave gaps in public cloud security.

When asked more directly about security, around three-quarters state that security concerns restrict their organisation's migration to the cloud.

In addition, the vast majority believe there are threats to their organisation's public cloud infrastructure.

Despite having these threats in mind, respondents still expect their use of public cloud to increase, suggesting that organisations are willing to see past these concerns.

It would be beneficial for any organisation running workloads in the cloud to have a conversation about security.

The one thing that cloud service providers can do is make it simpler for IT organisations to enforce the controls they do have in place for cloud applications.

Greater accountability

In the cloud era, developers are being held more accountable than ever before for implementing security controls.

The basic idea, known as DevSecOps, is to make implementing security controls part of the gates that developers need to pass as they build applications using a continuous integration/continuous delivery (CI/CD) framework.

The rise of DevSecOps should make applications more secure, but developers are humans and there will always be mistakes.

Cybersecurity teams need to embrace frameworks that enable them to verify that cybersecurity policies have been implemented at the same speed at which developers are now deploying applications. That's especially critical in cloud computing environments, where the rate of application deployment is typically several orders of magnitude greater than in an on-premises IT environment.

Many cybersecurity teams will need to find a way to achieve the capabilities required to manage security and compliance across multiple cloud environments.

That will require some ability to programmatically consume services via an application programming interface (API).

The good news is that public cloud providers like AWS have these shared responsibility issues in mind and are coming up with ways to simplify the management of cybersecurity and compliance on the public cloud.

Regardless of the path chosen, however, the one thing that's clear is that implementing a shared security model in the cloud is about to finally become simpler than it is today.