Story image

Implementing shared security models in the cloud

08 Jan 2019

Article by Barracuda Networks A/NZ and Pacific Islands regional director Andrew Huntley

When it comes to cloud security, the issue isn’t the platforms, but rather a lack of processes for implementing and maintaining the best cloud security processes.

Whenever there’s a security breach involving a public cloud, the issue almost invariably winds up being caused by a developer who forgot to implement one control or another.

Developers are understandably excited about public clouds because they allow them to build and deploy applications without having to wait for internal IT organisations to provision IT infrastructure.

The trouble is that developers aren’t usually aware of every control that should be implemented to ensure security.

Before anyone realises that, cybercriminals are exfiltrating massive amounts of data regardless because the developer didn’t fully appreciate the inherent shared responsibility model for security when employing public clouds.

Who’s responsible for what?

Cloud service providers must ensure the security of the underlying infrastructure, but organisations are responsible for the security surrounding the assets they put into the cloud.

This is backed up by the Shared Security (or Responsibility) Model, which is standard across all cloud platforms.

A 2017 Vanson Bourne survey Barracuda Networks sponsored revealed some interesting data related to the Shared Security Model.

More than three-quarters of Australian respondents reported that they fully understand the public cloud security responsibilities of both their organisation and public cloud provider.

However, when asked what cloud vendors are responsible for securing, the responses clearly indicate that the Shared Security Model isn’t fully understood.

The majority believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject.

The vast majority are leaving major security responsibilities to their provider, which could leave gaps in public cloud security.

When asked more directly about security, around three quarters state that security concerns restrict their organisation’s migration to the cloud.

In addition, the vast majority believe there are threats to their organisation’s public cloud infrastructure.

Despite these threats being in mind, the use of public cloud is still set to increase, suggesting that organisations are willing to see past these concerns.

It would be beneficial for any organisation running workloads in the cloud to have a conversation about security.

The one thing that cloud service providers can do is make it simpler for IT organisations to enforce the controls they do have in place for cloud applications.

Greater accountability

In the cloud era, developers are being held more accountable than ever before for implementing security controls.

Known as DevSecOps, the basic idea is to make implementing security controls part of the gates that developers need to pass as they build applications using a continuous integration/continuous development (CI/CD) framework.

The rise of DevSecOps should make applications more secure, but developers are humans and there will always be mistakes.

Cybersecurity teams need to embrace frameworks that enable them to verify cybersecurity policies have been implemented at the same rate of speed developers are now deploying applications. That’s especially critical in cloud computing environments where the rate of application deployment is typically several orders of magnitude greater than an on-premises IT environment.

Many cybersecurity teams will need to find a way to achieve the capabilities required to manage security and compliance across multiple cloud environments.

That will require some ability to programmatically consume services via an application programming interface (API).

The good news is that public cloud providers like AWS have these shared responsibility issues in mind and are coming up with ways to simplify the management of cybersecurity and compliance on the public cloud.

Regardless of the path chosen, however, the one thing that’s clear is that implementing a shared security model in the cloud is about to finally become simpler than it is today. 

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Ensign and IronNet partner to create cyber analytics capabilities
The Singapore-based joint venture will form a Cyber Analytics Center for Excellence focused on securing regional enterprises from sophisticated cyber threats.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.