
Cloud Security

12/13/2017
10:05 AM
Scott Ferguson
News Analysis-Security Now

Cloud Security Is an Enterprise Responsibility Report

When it comes to 'shared responsibility,' enterprises and their cloud providers have equally important roles to play. However, the ultimate responsibility for protecting data falls to the business and its IT and security departments, according to NSS Labs.

Enterprises of all sizes are getting more comfortable moving company data into the cloud. However, moving data from on-premises to off-premises requires a delicate balancing act of shared security responsibilities between enterprises and the cloud service providers they employ.

While enterprises and cloud service providers do share responsibility for cloud security, when it comes to a breach, it's the business and its IT and security departments that must shoulder the ultimate responsibility and answer to customers.

These and other observations concerning cloud security are part of a new report -- "The Shared Responsibility of Securing the Cloud" -- conducted by NSS Labs Inc., an independent information security research and testing organization.

The report, which is based on interviews with 205 US-based security professionals, looks at the notion of shared responsibility between enterprises and cloud service providers, which is typically codified in a service-level agreement (SLA).

In the era of cloud computing, the report finds that:

Moving enterprise data off premises requires that both the enterprise and the cloud service provider manage security controls to ensure the confidentiality, integrity, availability, and non-repudiation of the enterprise’s data. This approach, often referred to as shared responsibility, requires enterprises and cloud service providers to agree upon specific management roles for each component of the cloud computing infrastructure.

Digging into the numbers, about 71.5% of those surveyed were familiar with the concept of shared responsibility between an enterprise and a cloud service provider, while three out of four noted that they were "comfortable" with their role in that agreement.

However, 46% believe that the cloud service provider is responsible in case of a breach.

The NSS report concludes that it's ultimately the responsibility of the enterprise to secure data.

"Enterprises that migrate workloads to the cloud cannot exempt themselves from being primarily responsible for securing their data," the report finds.

This is not to say enterprises are wholly on their own. In fact, businesses and their IT department and security staff need the help of their cloud service provider counterparts, and much of this should be spelled out in the SLA.

For example, if a company is using software-as-a-service (SaaS) -- right now the most popular cloud model, according to the report -- the enterprise should retain responsibility for identity and access management policies. The SaaS provider, however, needs to patch the operating system and virtual machines that serve the application.

In the case of infrastructure-as-a-service (IaaS), the enterprise must bear most of the responsibility, but providers such as Amazon Web Services LLC are adding additional layers of security on their end. (See AWS Adds Security Management to Growing Portfolio.)

As part of its recommendations, NSS suggests enterprises, especially those struggling to fill key security positions within the IT department, use a managed security services provider (MSSP) to help close the gap.

"In our study, 21.7% of respondents reported that skill shortage was an inhibitor for adopting cloud security products at their organization," according to the report.

Another way to close the security gap is to use a traditional hosting provider to shoulder some of the additional burden. Players in this space include Hosting.com, Rackspace Hosting (NYSE: RAX) and Armor (formerly FireHost).

These hosting providers can perform a range of duties, from managing security controls to helping manage database applications. In the study, about a third of all respondents reported having a relationship with a hosting provider.

Still, the most important part of cloud security is to get any agreement in writing, whether it's with an MSSP, a cloud service provider, a hosting firm or one of the big web-scale providers.

"SLAs should be meticulously reviewed both by an enterprise’s technical leadership and by its legal resources to ensure that the roles and responsibilities of the cloud service provider and the enterprise are clearly defined. Where necessary, the terms of these documents should be negotiated to suit enterprise requirements," according to the report.

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.
