Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/20/2017
11:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Cloud Security & the Power of Shared Responsibility

When you and your CSP jointly embrace the shared security responsibility model you can achieve greater success than you or your provider can achieve alone.

When you're a toddler, you think the world revolves around you, and your personal constitution has one word in it: "mine!" As you grow and develop some wisdom, you recognize that the world is complex, there are systems governing everything, and without the ability to share, you're likely destined to a lonely, off-the-grid existence in a van down by the river.

The cloud, itself, is a great example of the power of what sharing can provide. You have data, and you want to transact with that data. But a cloud provider owns the means by which you can do those things, so there has to be an agreement about responsibility – that is how, when, and where it can happen. It’s all dependent upon the two parties agreeing to specific responsibilities. Because it's shared responsibility, there also has to be a security model that ensures that the security of your data, transactions, and operations is being handled adequately within this framework.

For enterprises using public cloud infrastructures like Amazon Web Services (AWS) or Microsoft Azure, that shared responsibility is critical to getting any benefit from these incredibly innovative and lucrative compute platforms. Each Cloud Service Provider (CSP) makes very clear what it is they will secure, and what the expectations are for customers. This codified model helps customers prepare to provide the resources and acquire the necessary tools to monitor and fix security issues as they come into their purview.

For public cloud customers, there's something very easy about adhering to the shared model, because the rules of assigning and managing governance is quite apparent from the onset. In fact, Amazon makes it very clear, as evidenced by this statement from the AWS security page: "AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure." 

Breaking it down, this means that the CSP will maintain the strong security and compliance controls across their entire infrastructure platform for things like datacenter, core network/hardware, operational security practices like data disposal and change control, and others. Your job is to manage anything you manipulate on their platform.

Let's say you want to launch some scalable compute services like EC2 or Azure Virtual Machines. According to the shared responsibility model, you’re on the hook for the security groups, patching of the servers, application-level security, and anything else related to how you use/manage the virtualized servers you created.

Perhaps you're creating objects in a storage service like Amazon S3 or Azure Storage. You, as the customer, will need to manage the encryption status of those files, access policies, geographic containment, and all other aspects of data security and integrity.

With each and every service you can engage in the public cloud, there is a strong suite of security controls that are available to you. The CSPs give you hundreds of ways to configure and misconfigure your infrastructure. You have to ensure you are using them effectively and consistently.

What's compelling about this approach is that when you and your CSP jointly embrace the shared security responsibility model you can achieve greater security success than you or your provider can achieve alone. When a single party tries to deliver comprehensive security throughout an environment, the workload often overwhelms the engaged teams, especially at a time when the surface area your infrastructure touches is growing larger. This stems from the limitation of security resources that any single entity can experience; few organizations have enough security staff and resources to achieve all key project goals PLUS continuous deep security engagement of every environment.

This means any single entity cannot achieve total security nirvana because technical inertia or some impediment prevents it. However, if you partition the responsibility for security, the workload is divided between you and your CSP, not to mention their entire customer base.

This puts market forces to work. If you have a million customers each with one security professional, you now have a million security professionals working to secure a subset of your platform’s resources. This force multiplier is powerful, and is part of the reason cloud platforms like AWS and Azure are some of the most secure compute platforms created to date.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
CVE-2020-7222
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...