The cloud is a tremendous convenience for enterprises. Running a data center is expensive – doing so not only requires buying a lot of servers, cable and networking appliances but also electricity, labor costs, cooling and physical space.
Services like Amazon’s AWS, Microsoft’s Azure, Oracle’s Cloud and Google’s Cloud Platform give businesses the benefits of having a data center without the expensive overhead and related hassles. Imagine how much more expensive it would be to launch a Software as a Service (SaaS) product if establishing the backend had to be done without the help of third-party cloud services?
Cloud services and the internet offer tremendous cost savings, efficiency and functionality. Unfortunately, putting your data on the internet exposes it to greater cybersecurity risks. It’s certainly possible to security-harden cloud services to make them a lot less vulnerable to cyber attack.
But when Amazon or Google owns the infrastructure and your enterprise owns the data, who is responsible for keeping your cloud services secure?
WHAT ARE WE PROTECTING IN THE CLOUD?
The Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework defines the following as essential IT resources:
A cloud prover, such as Azure or AWS, typically provides infrastructure as a service (IaaS) and platform as a service (PaaS). The infrastructure is the physical components of computers, networks and networking appliances. The platform is all of that plus middleware components, such as databases. If the application you’re running is yours, the SaaS aspect is your responsibility.
THE SHARED CLOUD SECURITY MODEL
Amazon’s AWS is a leader in cloud services. AWS’ initiatives help to set trends in the cloud services industry. AWS features what Amazon calls a Shared Responsibility Model.
Here’s what they say on the official AWS policy site:
AWS responsibility ‘Security of the Cloud’- AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Customer responsibility ‘Security in the Cloud’– Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.
So, in a nutshell, AWS will make sure that only authorized parties have physical access to their data centers. AWS will keep the pertinent network security appliances running, such as IPS devices, IDS devices and firewalls. They also monitor logs for security alerts and address any related issues of the security of the network itself.
If there’s a vulnerability in your code (which doesn’t belong to Amazon) and a cyber attacker exploits it, that’s on you.
AWS will let you know if there’s a security incident and will address the infrastructure related issues for you. Software-related compliance and incident matters are your responsibility as the customer who owns the product which is running in AWS’ cloud. Access management pertaining to your application is up to you to protect.
WHAT’S NEXT TO HELP YOU SECURE YOUR CLOUD ENVIRONMENT?
You’re responsible for the security of your software in the cloud, but you don’t have to do it alone. Securing your applications is a lot of work; it’s a 24/7 job!
You should consider deploying a third-party cloud security solution. Configuration management, vulnerability management and log management can be better handled with the help of a company that has specific expertise with these security services. Don’t try this at home, kids!
I also strongly recommend that you download Tripwire’s free whitepaper on Securing AWS Cloud Management Configurations, especially if you’re considering AWS as your cloud provider.