Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud Security

12/13/2017
10:05 AM
Scott Ferguson
News Analysis-Security Now

Cloud Security Is an Enterprise Responsibility: Report

When it comes to 'shared responsibility,' enterprises and their cloud providers have equally important roles to play. However, the ultimate responsibility for protecting data falls to the business and its IT and security departments, according to NSS Labs.

Enterprises of all sizes are getting more comfortable moving company data into the cloud. However, moving data from on-premises to off-premises requires a delicate balancing act of shared security responsibilities between enterprises and the cloud service providers they employ.

While enterprises and cloud service providers do share responsibility for cloud security, when it comes to a breach, it's the business and its IT and security departments that must shoulder the ultimate responsibility and answer to customers.

These and other observations concerning cloud security are part of a new report -- "The Shared Responsibility of Securing the Cloud" -- conducted by NSS Labs Inc., an independent information security research and testing organization.

The report, which is based on interviews with 205 US-based security professionals, examines the notion of shared responsibility between enterprises and cloud service providers, a division of duties that is typically spelled out in a service-level agreement (SLA).

In the era of cloud computing, the report finds that:

Moving enterprise data off premises requires that both the enterprise and the cloud service provider manage security controls to ensure the confidentiality, integrity, availability, and non-repudiation of the enterprise’s data. This approach, often referred to as shared responsibility, requires enterprises and cloud service providers to agree upon specific management roles for each component of the cloud computing infrastructure.

Digging into the numbers, about 71.5% of those surveyed were familiar with the concept of shared responsibility between an enterprise and a cloud service provider, while three out of four said they were "comfortable" with their role in that agreement.

However, 46% believe that the cloud service provider is responsible in the event of a breach.

The NSS report concludes that it's ultimately the responsibility of the enterprise to secure data.

"Enterprises that migrate workloads to the cloud cannot exempt themselves from being primarily responsible for securing their data," the report finds.

This is not to say enterprises are wholly on their own. In fact, businesses and their IT and security staff need the help of their cloud service provider counterparts, and much of this should be spelled out in the SLA.

For example, if a company is using software-as-a-service (SaaS) -- currently the most popular cloud model, according to the report -- the enterprise retains responsibility for its identity and access management policies, while the SaaS provider is responsible for patching the operating system and virtual machines that serve the application.

In the case of infrastructure-as-a-service (IaaS), the enterprise must bear most of the responsibility, although providers such as Amazon Web Services LLC are adding additional layers of security on their end. (See AWS Adds Security Management to Growing Portfolio.)

As part of its recommendations, NSS suggests that enterprises, especially those struggling to fill key security positions within the IT department, use a managed security services provider (MSSP) to help close the gap.

"In our study, 21.7% of respondents reported that skill shortage was an inhibitor for adopting cloud security products at their organization," according to the report.

Another way to close the security gap is to use a traditional hosting provider to shoulder some of the additional burden. Players in this space include Hosting.com, Rackspace Hosting (NYSE: RAX) and Armor (formerly FireHost).

These hosting providers can perform a range of duties, from managing security controls to helping manage database applications. In the study, about a third of all respondents reported having a relationship with a hosting provider.

Still, the most important part of cloud security is to get any agreement in writing, whether it is with an MSSP, a cloud service provider, a hosting firm or one of the big web-scale providers.

"SLAs should be meticulously reviewed both by an enterprise’s technical leadership and by its legal resources to ensure that the roles and responsibilities of the cloud service provider and the enterprise are clearly defined. Where necessary, the terms of these documents should be negotiated to suit enterprise requirements," according to the report.

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.