In the era before cloud computing, enterprises could expect to be responsible for securing everything—the systems in the data centre, their applications, networks, everything. Today, cloud service providers are ready, willing, and able to take some of that burden off their customers. Just how much, however, depends on the service.
Venturing into the cloud without an understanding of what needs to be secured increases risk and potentially opens the door to attackers through unpatched systems, poor access controls, and other vulnerabilities. Delineating where security obligations start and end for cloud service providers and their customers is the goal of the shared responsibility model.
Knowing your role in the cloud
Unfortunately, research has shown that businesses generally lack an understanding of their role in securing the cloud.
In a 2020 report by Oracle and KPMG, only 8 per cent of the IT executives and cyber security professionals surveyed said they fully understand the shared responsibility security model across all types of cloud services. Some two-thirds said software-as-a-service deployments were the most confusing models.
Despite these numbers, many of those in the survey reported widespread use of software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) in their organisations.
Taking a look at each service model, we can see the differences. Starting with IaaS, the service provider is responsible for protecting everything from the hypervisor down to the physical network.
The guest operating system is the province of the customer, as is their data and the software stack needed to run their applications.
For SaaS users, the responsibility is on the cloud service provider to manage the infrastructure and application, with customers only responsible for securing their users and data. PaaS is the middle ground between the two.
In this scenario, customers focus on their users, applications, and data while the cloud service provider secures the underlying infrastructure.
Adding another wrinkle to the conversation is the growing adoption of Functions-as-a-Service (FaaS) and Containers-as-a-Service (CaaS).
FaaS is a form of serverless computing where the cloud service provider runs the server, removing the need for the customer to maintain the infrastructure associated with developing and deploying an application. CaaS, meanwhile, allows users to manage and deploy containerised applications and clusters.
No matter what approach companies take in regards to the cloud, maintaining the same security and regulatory compliance levels they have in their on-premises environment is a must.
Whichever model is chosen, the provider secures its share of the stack; from there, however, it is up to the customer to configure and secure users and access. Likewise, any data that is uploaded to the cloud should have the appropriate levels of encryption and protection.
Misconfigurations are one of the most common consequences of misunderstanding where a cloud provider's duties start and stop.
Recent history is filled with tales of misconfigured AWS S3 buckets and other stories where organisations migrated workloads to the cloud and assumed they were safe without taking proper precautions.
Even in situations where the security configuration and access policies are well thought out at the time the service is purchased, as the needs of the business change, configurations may change along with them.
If these changes are not closely monitored, enterprises can leave themselves open to attacks and data leaks.
Meeting the challenge
The answer to this problem is to combine comprehensive visibility and automated security. Catching misconfigurations in the cloud is critical but is complicated by the sheer number of cloud instances in corporate environments and the ease with which misconfigurations can be introduced via infrastructure-as-code (IaC) templates.
To support DevOps, organisations need the ability to identify and correct any mistakes as quickly as possible. Enter cloud security posture management solutions, which provide visibility across multiple environments and reduce alert fatigue for Security Operations Centres.
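The misconfigured S3 buckets mentioned above and the IaC templates that introduce them can be caught before deployment with a simple posture check. The following is an added example, not code from the article or from any CrowdStrike product; the template is a constructed CloudFormation-style sample and the check names are hypothetical.

```python
# Constructed sample template (not a real account): one bucket left public by
# a canned ACL, a wildcard bucket policy and a disabled public-access block,
# and one bucket locked down correctly.
TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "PublicRead",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": False}}},
    "LogsBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "LogsBucket"},
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::logs/*"}]}}},
    "PrivateBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
}}

# Canned ACLs that grant read access beyond the bucket owner's account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_public(principal):
    """True when an IAM policy Principal grants access to everyone."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def find_public_buckets(template):
    """Map each exposed bucket's logical ID to the reasons it is exposed."""
    findings = {}
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::S3::Bucket":
            if props.get("AccessControl") in PUBLIC_ACLS:
                findings.setdefault(name, []).append("public canned ACL")
            pab = props.get("PublicAccessBlockConfiguration", {})
            # All four flags must be explicitly true; a missing flag is a gap.
            if not all(pab.get(flag) is True for flag in PAB_FLAGS):
                findings.setdefault(name, []).append("public access block incomplete")
        elif res["Type"] == "AWS::S3::BucketPolicy":
            bucket = props["Bucket"]
            bucket = bucket.get("Ref", bucket) if isinstance(bucket, dict) else bucket
            for stmt in props["PolicyDocument"].get("Statement", []):
                if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
                    findings.setdefault(bucket, []).append("policy allows Principal *")
    return findings
```

Run as a pre-deployment gate in the pipeline, a non-empty result from `find_public_buckets` is the signal to fail the build rather than ship the template.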
These solutions can also offer visibility into cloud workload events and instance metadata to provide detection, response, and proactive threat hunting and investigation when integrated into cloud workload protection solutions.
This includes the delivery of real-time information about workloads, such as metadata about system size and configuration, networking, and security group information for AWS, Google Cloud Platform, and Microsoft Azure.
It extends to containers as well, providing protection without compromising performance.
With a cloud-native security platform, organisations can unify the security capabilities they need in a single platform, as opposed to relying on point solutions and adding more complexity to the job of protecting cloud environments.
With cloud driving digital transformation, securing cloud environments is securing the potential for business growth.
However, leveraging a cloud service without first understanding the security and compliance implications for your organisation is a recipe for failure.
Starting with the planning process, enterprises that collaborate with their chosen vendor to understand what they are responsible for and the extent of the service provider’s capabilities will be better able to use the cloud securely.
Brett Raphael is the managing director of CrowdStrike Australia and New Zealand