Story image

Implementing shared security models in the cloud

08 Jan 2019

Article by Barracuda Networks A/NZ and Pacific Islands regional director Andrew Huntley

When it comes to cloud security, the issue isn’t the platforms, but rather a lack of processes for implementing and maintaining the best cloud security processes.

Whenever there’s a security breach involving a public cloud, the issue almost invariably winds up being caused by a developer who forgot to implement one control or another.

Developers are understandably excited about public clouds because they allow them to build and deploy applications without having to wait for internal IT organisations to provision IT infrastructure.

The trouble is that developers aren’t usually aware of every control that should be implemented to ensure security.

Before anyone realises that, cybercriminals are exfiltrating massive amounts of data regardless because the developer didn’t fully appreciate the inherent shared responsibility model for security when employing public clouds.

Who’s responsible for what?

Cloud service providers must ensure the security of the underlying infrastructure, but organisations are responsible for the security surrounding the assets they put into the cloud.

This is backed up by the Shared Security (or Responsibility) Model, which is standard across all cloud platforms.

A 2017 Vanson Bourne survey Barracuda Networks sponsored revealed some interesting data related to the Shared Security Model.

More than three-quarters of Australian respondents reported that they fully understand the public cloud security responsibilities of both their organisation and public cloud provider.

However, when asked what cloud vendors are responsible for securing, the responses clearly indicate that the Shared Security Model isn’t fully understood.

The majority believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject.

The vast majority are leaving major security responsibilities to their provider, which could leave gaps in public cloud security.

When asked more directly about security, around three quarters state that security concerns restrict their organisation’s migration to the cloud.

In addition, the vast majority believe there are threats to their organisation’s public cloud infrastructure.

Despite these threats being in mind, the use of public cloud is still set to increase, suggesting that organisations are willing to see past these concerns.

It would be beneficial for any organisation running workloads in the cloud to have a conversation about security.

The one thing that cloud service providers can do is make it simpler for IT organisations to enforce the controls they do have in place for cloud applications.

Greater accountability

In the cloud era, developers are being held more accountable than ever before for implementing security controls.

Known as DevSecOps, the basic idea is to make implementing security controls part of the gates that developers need to pass as they build applications using a continuous integration/continuous development (CI/CD) framework.

The rise of DevSecOps should make applications more secure, but developers are humans and there will always be mistakes.

Cybersecurity teams need to embrace frameworks that enable them to verify cybersecurity policies have been implemented at the same rate of speed developers are now deploying applications. That’s especially critical in cloud computing environments where the rate of application deployment is typically several orders of magnitude greater than an on-premises IT environment.

Many cybersecurity teams will need to find a way to achieve the capabilities required to manage security and compliance across multiple cloud environments.

That will require some ability to programmatically consume services via an application programming interface (API).

The good news is that public cloud providers like AWS have these shared responsibility issues in mind and are coming up with ways to simplify the management of cybersecurity and compliance on the public cloud.

Regardless of the path chosen, however, the one thing that’s clear is that implementing a shared security model in the cloud is about to finally become simpler than it is today. 

Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."
Tech community rocked by deaths of Atta Elayyan and Syed Jahandad Ali
Both men were among the 50 killed in the shooting in Christchurch last Friday when a gunman opened fire at two mosques.
NZ ISPs block internet footage of Christchurch shootings
2degrees, Spark, Vodafone and Vocus are now blocking any website that shows footage of the mosque shootings.
How AI is changing the medical industry
With NVIDIA Clara, developers can speed up their medical imaging applications and implement AI.
The Data Literacy Project expands its library of free courses
Upskilling the workforce in data literacy is fundamental to unlocking business growth.
Digital experience managers, get excited for Adobe Summit 2019
“Digital transformation may be a buzzword, but companies are trying to adapt and compete in this changing environment.”
Interview: Cisco on digital transformation and data centres at the edge
"On-premise we speak English, Amazon speaks French, and Amazon and Microsoft speak something else. But someone has to translate all of that and Cisco is involved with normalising those rule sets.”