Adopting a Shared Security Model for Cloud

In many ways, it can be simpler to manage and protect a traditional, local network infrastructure. When all of the network hardware, servers, applications, and data are under your roof, there is no confusion about who is responsible for it all. When you start moving to the cloud, though, things become a little more ambiguous. Many companies are exposing themselves to unnecessary risk because of that ambiguity. They don’t understand that cloud security is built on a shared responsibility model.

The confusion is understandable to some extent. For years, many organizations regarded moving to the cloud at all as risky. Cloud security was a barrier to adoption, so cloud providers like Amazon and Microsoft went out of their way to position their platforms as secure.

Don’t Assume When it Comes to Cloud Security

That narrative has led some to assume that Amazon and Microsoft are taking care of cloud security, and that all they need to do is put their apps and data in the cloud and trust the provider to protect it all.

It is true that cloud providers protect parts of the cloud platform, but they leave the hardest, and most valuable, parts for you to defend yourself. Think of it like renting an apartment. The owner of the building has an obligation to maintain and protect the facility itself. They will strive to ensure unauthorized individuals don’t gain access, and that the fire alarm and suppression systems are working properly. They are responsible for making sure the refrigerator and stove in your apartment are operating. The apartment owner is not, however, responsible for your personal belongings or your actions while you’re in the apartment. That’s why renter’s insurance is a thing.

Understand Your Role in the Cloud Security Shared Responsibility Model

In the cloud, the cloud provider is the “apartment owner” and you are the “tenant”. Amazon, Microsoft, Google, and other cloud providers are responsible for the security OF the cloud. You are responsible for security IN the cloud. It is your job to maintain and protect the servers, applications, and data that you run on the cloud platform, and, frankly, that is the stuff attackers are most likely to go after. Exactly where the line falls depends on the service you consume: on a virtual machine you patch the guest operating system and everything above it; on a managed database or platform service the provider patches the underlying software, but the accounts, access policies, encryption settings, network exposure, and data are still yours to secure.

Think like an attacker for a second. The cloud provider guards things like physical access to the network infrastructure and hardware the cloud runs on, and has defenses in place for its network perimeter and to prevent unauthorized access to the hypervisor. Those are hard, well-defended targets, and an attacker rarely needs to go through them to reach what they actually want.

Attackers are focused on two things: 1) What is the easiest thing to attack? And 2) What is the most profitable thing to attack? The web applications that run in the cloud are exposed to the internet by design, change far more often than the underlying infrastructure, and carry application-level flaws (injection bugs, broken authentication, misconfiguration) that the provider never sees. That makes them much easier to attack than the platform beneath them, and a compromised web app can be leveraged to reach the servers and data behind it, which is where attackers hit the jackpot.

Don’t take my word for it. Recent data and trends in cloud security bear this out. According to the latest Verizon Data Breach Investigations Report (DBIR), there has been a 300 percent increase in web app attacks in just the last three years. Our most recent Cloud Security Report found that more than three quarters of all events we saw during the 18-month period analyzed involved web application attacks.

Knowing that web applications are the primary target for attackers, and that your cloud provider isn’t going to protect them for you, it is up to you to take the steps necessary to defend your assets in the cloud. That means minimizing your attack surface (patching, hardening configurations, and limiting what is exposed and who can reach it), reducing your exposure to risk, and remaining vigilant so that you can identify and respond to security incidents if and when they happen.

If you’re going to AWS re:Invent, I invite you to come by and talk about cloud security and the shared responsibility model with the Alert Logic team. Alert Logic will be running technical demos and security presentations at Booth #1222, so be sure to stop by and learn about our security solutions for AWS workloads.

About the Author

Tony Bradley - Senior Manager of Content Marketing for Alert Logic

Tony Bradley is Senior Manager of Content Marketing for Alert Logic. Tony worked in the trenches as a network administrator and security consultant before shifting to the marketing and writing side of things. He is an 11-time Microsoft MVP in security and cloud and has been a CISSP-ISSAP since 2002. Tony has authored or co-authored a dozen books on IT and IT security topics, and is a prolific contributor to online media sites such as Forbes and DevOps.com. He has established a reputation for effective content marketing, and building and engaging a community and social media audience.