Sharing the responsibility for security in the cloud? James Brown, Senior Director of Global Solutions Architecture at Alert Logic, says that once an organisation better understands their role and the role of their cloud provider, they will be able to make better-informed decisions concerning their cloud infrastructure.
Despite the rapid growth of cloud services, security is still the number one concern for business owners migrating their workloads to the cloud. Much has been documented about the financial, technical and efficiency advantages of moving business-critical applications onto the cloud, and the impact it has on how products and services are developed, purchased and consumed, but there is still a lot of debate about whether cloud infrastructure is more or less secure than managing applications in on-premise data centres.
The simple fact is that most cloud platforms are more secure than on-premise environments. Most cloud providers have security-in-depth strategies for their global infrastructure that cover processes, people and technology that protect the physical and foundational layers of their offering. They deploy market-leading security technologies to continuously monitor and protect their hardware, software and networking environments to ensure that vulnerabilities are identified and remediated to strict SLAs as quickly as possible – often weeks or even months before the average on-premise deployment.
But, given the volume and sophistication of cyber threats, there is still a lot of confusion about who is responsible for the security and compliance of applications and workloads hosted in the cloud, and keeping them secure. Cloud services providers have made big strides in declaring the areas of security that they are responsible for, but each cloud provider is different, and the subtleties can cause confusion. The simple way to look at it is your cloud provider is responsible FOR the cloud, and you are responsible for what you put IN the cloud … and this is what we call sharing the responsibility for security in the cloud.
In a nutshell, your cloud provider is responsible for securing the foundational services, such as compute power, storage, database and networking services, but you will be responsible for the configuration of those services. At the network layer, your service provider is responsible for network segmentation, perimeter services, and external DDoS, spoofing and scanning prevention. But you are responsible for network threat detection, security monitoring and any incident reporting. This means that your cloud provider will secure against attacks on switches and the network within the cloud infrastructure, but they will not look for, or stop, network-based attacks against your instances and applications. At the host layer, you are responsible for access management, patch management, configuration hardening, security monitoring and log analysis. The application security components are 100% the company’s responsibility.
Alert Logic says that in order to best protect against the next vulnerability and/or wide-scale attack, there are seven key best practices for cloud security that all organisations should implement. Here are the top three – you can see the full list online.
1. Understand Your Cloud Service Provider Security Model
Every company should get to know their provider, understand where the lines are drawn and then plan accordingly. Cyber-attacks are going to happen; vulnerabilities and exploits are going to be identified. Having a solid security-in-depth strategy, coupled with the right tools and people who understand how to respond, will put your company in a better position to minimise both exposure and risk.
Understanding the shared security responsibility is an important aspect of cloud security and one that all companies need to be aware of. With cloud service providers being responsible for only part of security within the cloud, organisations must be aware of where their own responsibilities lie, and by following the best practice guide they can ensure their company is as secure in the cloud as it is on premise.
2. Secure Your Code
Securing code is 100% your responsibility, and hackers are continually looking for ways to compromise your applications. If your company is developing code, even just for basic-level websites, questions should be asked about which security development lifecycle you are using. By putting this in place, your organisation will have a methodology to use internally. Code that has not been thoroughly tested and secured makes it all the easier for potential threats to cause harm. Using encryption wherever possible will also help to secure your application, as will testing libraries, scanning plugins for security bugs that may not have been picked up previously, and limiting privileges to only those who need access.
3. Stay Informed
It is always important to stay informed of the latest vulnerabilities that may affect your organisation and for this the internet is a wealth of information. Use the internet to your advantage by searching for the trends, breaches and exploits that are happening in your industry and using that to educate your staff.