Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

// // //
12/13/2017
10:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

Cloud Security Is an Enterprise Responsibility Report

When it comes to the 'shared responsibility,' enterprises and their cloud providers have equally important roles to play. However, the ultimately responsibility for protecting data falls to the business and its IT and security departments, according to NSS Labs.

Enterprises of all sizes are getting more comfortable moving company data into the cloud. However, moving data from on-premises to off-premises requires a delicate balancing act of shared security responsibilities between enterprise and the cloud service providers they employ.

While enterprises and cloud service providers do share responsibility for cloud security, when it comes to a breach, it's the business and its IT and security departments that must shoulder the ultimately responsibility and answer to customers

These and other observations concerning cloud security are part of a new report -- "The Shared Responsibility of Securing the Cloud" -- conducted by NSS Labs Inc. , an independent, information security research and testing organization.

The report, which is based on interviews with 205 US-based security professionals, looks at the notion of shared responsibility between enterprises and cloud service providers, which are typically created through a service-level agreement (SLA).

In the era of cloud computing, the report finds that:

Moving enterprise data off premises requires that both the enterprise and the cloud service provider manage security controls to ensure the confidentiality, integrity, availability, and non-repudiation of the enterprise’s data. This approach, often referred to as shared responsibility, requires enterprises and cloud service providers to agree upon specific management roles for each component of the cloud computing infrastructure.

Digging into the numbers, about 71.5% of those surveyed were familiar with the concept of shared responsibility between an enterprise and a cloud service provider, while three out four noted that they were "comfortable" with their role in that agreement.

However, 46% believe that cloud service provider is responsible in case of a breach.

The NSS report concludes that it's ultimately the responsibility of the enterprise to secure data.

"Enterprises that migrate workloads to the cloud cannot exempt themselves from being primarily responsible for securing their data," the report finds.

This not to say enterprises are wholly on their own. In fact, businesses and their IT department and security staff need the help of their cloud service provider counterparts, and much of this should be spelled out in the SLA.

For example, if a company is using software-as-a-service (SaaS) -- right now the most popular cloud model, according to the report -- the enterprise should maintain responsibility for the for identity and access management policies. The SaaS provider, however, needs to patch the operating system and virtual machines that serve the application.

In the case of infrastructure-as-a-service (IaaS), enterprise must bare most of the responsibility, but providers such as Amazon Web Services LLC are adding additional layers of security on their end. (See AWS Adds Security Management to Growing Portfolio.)

As part of its recommendations, NSS suggests enterprises, especially those struggling to fill key security positions with in the IT department, use a managed security services provider (MSSP) to help close the gap.

"In our study, 21.7% of respondents reported that skill shortage was an inhibitor for adopting cloud security products at their organization," according to the report.

Another way to close the security gap is to use a traditional hosting provider to shoulder some of the additional burn. Players in this space include Hosting.com , Rackspace Hosting (NYSE: RAX) and Armor (formerly FireHost).

These hosting providers can perform a range of duties from managing security control to helping manage database applications. In the study, about a third of all respondents reported having a relationship with a hosting provider.

Still, the most important part of cloud security is to get any agreement in writing, whether it’s a an MPPS, a cloud service provider, a hosting firm or one of the big web-scale providers.

"SLAs should be meticulously reviewed both by an enterprise’s technical leadership and by its legal resources to ensure that the roles and responsibilities of the cloud service provider and the enterprise are clearly defined. Where necessary, the terms of these documents should be negotiated to suit enterprise requirements," according to the report.

Related posts:

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file