
Implementing shared security models in the cloud

08 Jan 2019

Article by Barracuda Networks A/NZ and Pacific Islands regional director Andrew Huntley

When it comes to cloud security, the issue isn’t the platforms, but rather a lack of processes for implementing and maintaining cloud security best practices.

Whenever there’s a security breach involving a public cloud, the issue almost invariably winds up being caused by a developer who forgot to implement one control or another.

Developers are understandably excited about public clouds because they allow them to build and deploy applications without having to wait for internal IT organisations to provision IT infrastructure.

The trouble is that developers aren’t usually aware of every control that should be implemented to ensure security.

Before anyone realises it, cybercriminals are exfiltrating massive amounts of data because the developer didn’t fully appreciate the shared responsibility model for security that is inherent in using public clouds.

Who’s responsible for what?

Cloud service providers must ensure the security of the underlying infrastructure, but organisations are responsible for the security surrounding the assets they put into the cloud.

This is backed up by the Shared Security (or Responsibility) Model, which is standard across all cloud platforms.

A 2017 Vanson Bourne survey Barracuda Networks sponsored revealed some interesting data related to the Shared Security Model.

More than three-quarters of Australian respondents reported that they fully understand the public cloud security responsibilities of both their organisation and public cloud provider.

However, when asked what cloud vendors are responsible for securing, the responses clearly indicate that the Shared Security Model isn’t fully understood.

The majority believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject.

The vast majority are leaving major security responsibilities to their provider, which could leave gaps in public cloud security.

When asked more directly about security, around three-quarters state that security concerns restrict their organisation’s migration to the cloud.

In addition, the vast majority believe there are threats to their organisation’s public cloud infrastructure.

Even with these threats in mind, the use of public cloud is still set to increase, suggesting that organisations are willing to see past these concerns.

It would be beneficial for any organisation running workloads in the cloud to have a conversation about security.

The one thing that cloud service providers can do is make it simpler for IT organisations to enforce the controls they do have in place for cloud applications.

Greater accountability

In the cloud era, developers are being held more accountable than ever before for implementing security controls.

Known as DevSecOps, the basic idea is to make implementing security controls part of the gates that developers need to pass as they build applications using a continuous integration/continuous delivery (CI/CD) framework.

The rise of DevSecOps should make applications more secure, but developers are humans and there will always be mistakes.

Cybersecurity teams need to embrace frameworks that enable them to verify that cybersecurity policies have been implemented at the same speed at which developers are now deploying applications. That’s especially critical in cloud computing environments where the rate of application deployment is typically several orders of magnitude greater than in an on-premises IT environment.

Many cybersecurity teams will need to find a way to achieve the capabilities required to manage security and compliance across multiple cloud environments.

That will require some ability to programmatically consume services via an application programming interface (API).

The good news is that public cloud providers like AWS have these shared responsibility issues in mind and are coming up with ways to simplify the management of cybersecurity and compliance on the public cloud.

Regardless of the path chosen, however, the one thing that’s clear is that implementing a shared security model in the cloud is about to finally become simpler than it is today. 
