As cloud breaches large and small become common occurrences, it's reasonable to wonder if the shared responsibility security model is broken.
It's not that cloud users aren't holding up their end of the bargain, rather it's that organizations that consume cloud services have failed their users. There's the ongoing cloud skills gap, tight budgets, understaffing and constant digital transformation challenges that undercut the shared responsibility model.
The shared responsibility model means the cloud service provider secures the cloud infrastructure, including hardware, software and facilities. Cloud customers, meanwhile, are responsible for security of things in the cloud as determined by the services they select from their chosen provider. For example, the customer would need to handle the IaaS security configuration and management. Customers are also responsible for data security.
Recognize the flaws in shared responsibility
With cloud computing's remarkable adoption across industries and governments, the flaws in the shared responsibility model were bound to show themselves eventually.
A common cause of failure with this approach is when customers do not take the time to understand their security responsibilities. They won't have an adequate comprehension of their provider's security, much less third-party offerings that they could implement to protect their own data and endpoints.
Complex multi-tier deployments that span departments further complicate shared responsibility because they make it easier for people within a company to blame other teams when something goes wrong. This happens, for example, when an organization has security teams that work in silos, as when one group protects the data and another safeguards the network. If those teams don't communicate in a cloud operations environment, the disconnect only worsens.
Shadow IT presents another case where shared responsibility fails. Governance, security and compliance are often sacrificed in a rush to launch cloud services. Just because somebody has the skills to quickly spin up some cloud storage or lift and shift an application to the cloud doesn't mean they have the cybersecurity skills required to properly secure it all.
Lingering issues with cloud economics and total cost of ownership (TCO) also contribute to problems with the shared responsibility model. A prime example is when a company shortchanges -- or just plain forgets -- the budget for documentation and employee training. It's critical to remember that an effective cloud security model requires that a company commit money to its security technology and staff.
Know how shared responsibility works
The Capital One breach showed that even a supposedly cloud-first company could stumble with the shared responsibility model. More than 100 million people were affected by the breach, in which a former AWS employee is accused of gaining access to systems via the improperly configured firewalls of cloud customers.
To get shared responsibility right, a customer must be certain about where its responsibilities begin and end. Security and compliance teams need to manage logins, authentication and access permissions. An organization should have the tools, processes and frameworks in place to configure systems properly so that a breach can be detected. A cloud customer will want to be sure it has the necessary tools in place to monitor access to cloud services, including well-maintained virus and port scanners.
A cloud customer's security team also must lock down and manage all device-side permissions and security. Policies need to be in place so that only approved devices are able to access the organization's cloud services.
Customer teams also need to control the data their organization's users upload to the cloud. This includes being sure that proper encryption is in place. Such policies and procedures should be documented in a central repository so that internal staff and outside auditors can review them.
Also, a cloud customer's ops team needs to have the tools and processes in place to update user-side software such as containers, VMs, third-party applications and OSes.
All teams on the customer side need to understand the cloud platform that's being used, be it Azure, AWS or another platform. This understanding will come from a mix of cloud-certified staff, internal training and documentation, such as runbooks. For many organizations, management oversight will be required to make all of this happen.
An effective cloud security model will also require participation from the service provider's technical account managers and customer success teams before, during and after the sales cycle. Yes, this raises open questions about who's going to pay for this extra effort, but cloud providers need to do their part to help close the loop of shared responsibility. Providers should have the customer relationships and technical chops to assess a client's current and future security requirements from a staffing, training and services perspective. Security responsibilities need to be part of the discussion right from the first sales call.
Also, the cloud service provider or a qualified consultant should mentor a customer in the dark arts of cloud economics and TCO. This will help a business capture the true costs for training and documentation.
A better cloud security model
The shared responsibility model is broken, and no amount of cloud education seems likely to fix it. So, what comes next?
It's easy to envision that service providers will acknowledge the problems with the current model and then seize the opportunity to offer their customers additional cloud security services. This will reshape the shared responsibility model -- for a price. Large system integrators with mature cloud practices can also provide services to fill gaps in the current cloud security model, such as more managed services.
For customers getting started in the cloud, the current self-service approach is not good enough. The future of the shared responsibility model hinges on providers being able to ensure success for all their customers -- whether they are sophisticated cloud users or novices. It might come down to deciding who pays for this extra level of service.