Thousands of years ago, our cave-dwelling ancestors depended on a simple set of shared responsibilities. “I hunt the meat. You pick the berries.” With specialized roles and shared responsibility, everyone ate fresh food and more of it.
Unfortunately, today’s cloud security leaders rarely follow the same approach. Too often, organizations have limited IT resources, resulting in one IT manager holding accountability for many specialized areas of the data center. This causes major risks in setting up, maintaining and optimizing cloud and hybrid environments.
“A cloud provider delivers services to replace some of your IT, but not all of it. Where their responsibilities stop, yours begin,” says Michael Lucas, the Amazon Web Services (AWS) Practice Leader for Softchoice.
Lucas, who is a SaaS and DevOps expert, stresses the dangers of not understanding this relationship. Overlook one small aspect of your security duties, and major damages follow. These include regulatory fines, loss of customer trust, even ransomware assaults.
WHO IS RESPONSIBLE FOR WHAT?
When it comes to security, who owns which responsibility depends on the cloud service model you use: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). With IaaS, the cloud service provider is responsible for the core infrastructure security, which includes storage, networking and compute. As you move from IaaS to PaaS and then to SaaS, you’ll find that you’re responsible for less and the cloud service provider is responsible for more.
But you are almost always on the hook for extremely crucial aspects of your defenses, such as access management, endpoint protection, and data classification. Knowing what is yours to handle is a confusing and often overwhelming process. But it gets even harder due to what is often seen as the cloud’s biggest asset: its ease of use.
ULTIMATE SECURITY GUIDE SPRING 2017
USERS BELIEVE THEY CAN HANDLE ALL CLOUD DEMANDS ON THEIR OWN.
And to a certain degree, that is true. Anyone with minor tech knowledge can take the company credit card, spin up a server and be running a new workload in less than a day’s work. Lucas points to Amazon’s cloud service as an example.
“AWS empowers customers to get in there and ‘do it yourself.’ DIY at Amazon is big,” Lucas explains. “When companies feel empowered, having no managed service provider is actually quite appealing.”
But just because you can do something on your own doesn’t mean it’s a good idea. Lucas points out that many businesses aren’t qualified for all the work and configurations that best practices demand.
“You should be thinking of the cloud like a pile of building blocks. You can do amazing things with it, you can build whatever you want. But if you don’t have the right mason, the right architect, your wall is going to fall apart,” he says.
SECURITY PROS MIGHT UNDERSTAND THEY NEED HELP, BUT BRINGING IN YET ANOTHER PARTY IS HARD TO SWALLOW.
Remember, when the cloud was still emerging, it didn’t just demand new technological approaches. It demanded new cultural attitudes, too. That same concern lingers to this day, especially when it comes to adding a third partner into the mix.
Similarly, companies look at a managed service provider, offering to help with their cloud needs, and all they see is more complexity.
“It’s like adding a service onto another service,” he says, “and that just seems counter-intuitive.”
WHEN YOU FIND THE RIGHT MIX OF SHARED SERVICES, EVERYTHING GETS BETTER.
Teaming up with a managed service provider gives you direct access to a very select group of individuals whose only job is to understand the cloud and help organizations configure their environments according to best practices and avoid mistakes. Hiring resources with the same level of expertise is a challenge, due to a limited supply of expensive and hard-to-retain IT security talent.
Not to mention, the sheer volume of work entailed is more than the average company can afford. Take security updates and patches, for example. “AWS released more than one update a day last year,” says Lucas. “With each change came an opportunity for an exploit.” Staying on top of these patches is a full-time job.
ONE OF THE ESSENTIAL VALUES OF THE CLOUD IS THAT IT GIVES IT A FIGHTING CHANCE AT GETTING CLOSER TO THE BUSINESS by working on strategic goals instead of ‘keeping the lights on’. The same is true for the security team.
Remember, shared responsibility means you still have some work on your plate. When you work with another provider, they help prioritize your actions by identifying gaps and showing you what you can do to close them. Businesses need to see what is lacking before they can act. Plus, no partner will ever understand your user base or have the same access as you do. Freed to focus, you’re more likely to build a security strategy that reflects the unique needs of your business.
“Unfortunately, there is a perception that cloud takes care of all your security problems,” sums up Lucas.
THE FIRST STEP ON THE PATH TO SHARED RESPONSIBILITY IS BOTH THE SIMPLEST AND MOST IMPORTANT.
It’s about facing reality and realizing that, no matter how much value your cloud provider offers, you still have a job to do.
“If I had to offer one piece of advice to any company adopting cloud services, whether it’s Azure or AWS or Google, it’s this. You, the organization, are primarily responsible for securing your data. Passing liability is not the answer.”