Hammering home public cloud shared security obligations: The importance of education
Public cloud customers need to become clearer on what their responsibility is for securing their data and applications hosted by public cloud providers. I believe there is a misunderstanding on how much responsibility the likes of AWS, Azure, and Google Cloud Platform have for securing their customers. Their platforms are definitely secure and migrating workloads into the cloud can be much more secure than on premise data centers, however organisations do have a responsibility in securing their workloads applications, and operating systems.
Even though every customer’s journey to the cloud is unique, and there are different levels of understanding this model, I hear some very common questions repeatedly. “Why do I need to put my own security in the cloud? I thought it was already secure?” “Why can’t I just move my virtual security appliances in the cloud?” “What does this mean for my network firewall? How do I ensure connectivity and access for my employees?” “How do I secure a cloud application? Aren’t Office 365 and Salesforce already secure?”
If you find yourself asking questions like this, you may want to talk with an experienced partner to help with your migration. Until then, here are some considerations that can help clear things up.
The public cloud operates on a shared responsibility model. This means that the cloud providers give you the responsibility and flexibility to secure what you bring to the cloud. Therefore, without question, as a customer your responsibility is to configure, patch and layer security on applications, workloads and operating systems you spin up. Configuration includes identity management, access levels, and security groups. Customers are also responsible for data protection and availability of workloads.
Public cloud providers are only responsible for the physical security, global and regional connectivity, and power and cooling of the data centers that they own.
This model maintains the highest possible efficiencies for the cloud provider, and relieves the customer of the burden of providing the infrastructure such as a data centre or the server hardware that provides scalability on demand.
The model also enables customers to customise their cloud security to meet the needs of their unique workloads. Application and data security are in the hands of the people who know them best, rather than being left to a public cloud provider to provide a cookie cutter protocol.
Public cloud providers work with vendors to ensure that the solutions available will operate properly on their platforms. AWS, Azure, and GCP partnership programs ensure that vendors have access to tools and specifications needed to design their products for optimum performance on each platform. Once the vendor’s products have met the standards set by the provider, a certification or competency is awarded. This shows customers that the solution is part of the fabric of the public cloud.
The public cloud fabric
When we talk about the public cloud fabric, we are talking about native integration into the platform. Consider this: the model for shared security means that the cloud provider owns the infrastructure for security. All aspects to visibility, monitoring, remediation, and protection, are all substantiated in the public cloud through APIs and tools like CloudWatch and Insights. These are the things that constitute the fabric of the public cloud.
Native integration into a cloud platform requires that a solution be built on a cloud-centric architecture and engineered specifically for that public cloud. While it may be tempting to use a virtualised version of your on-premises security in the cloud, these VMs simply aren’t designed to take advantage of what you’re buying.
They may seem to work, but they lack certain functionality. Some common questions I hear are: can the VM auto-scale for performance and capacity? Can it be provisioned and deployed within minutes, on either AWS or Azure? Does it offer pay as you go, metered billing, and other flexible consumption models? Is it built on a cloud-centric architecture?
These are the features that will distinguish an on-premises solution from a ‘cloud ready’ solution. To take full advantage of what the cloud has to offer, you will need to have a solution that is part of the cloud fabric.
The numbers don’t lie
My belief that many organisations misunderstand this shared responsibility model is supported by recent research of the public cloud customer market. In a recent study conducted by research firm Vanson Bourne, Public Cloud – Benefits, Strategies, Challenges, and Solutions, 77 percent of organisations reported the belief that public cloud providers are responsible for securing customer data in the cloud. 68 percent of decision makers are under the impression that cloud providers are responsible for securing customer applications as well. More concerning in this study is that a nearly a third (30 percent) of organisations have not added additional security layers to their public cloud deployments.
More secure than on premise
Many organisations realise that their cloud deployments can be inherently more secure than on premise deployments because cloud providers are collectively investing more into security controls than they could on their own. However, the organisations benefiting the most from public cloud are those that understand that their public cloud provider is not responsible for securing data or applications and are augmenting security with support from third party vendors.