Amazon Web Services, Microsoft Azure and Google Cloud are better at protecting their cloud-based infrastructures than an internal security operations center. The reason? Liability.
Major cloud service providers (CSPs) have deep pockets, said Barak Engel, founder and chief geek at EAmmune, while speaking on a virtual SANS Institute fireside chat in January. "If they screw this thing up ... those deep pockets are going to be raided by an army of corporate lawyers that are really, really good at what they do."
Ensuring the integrity and security of the cloud is a two-party responsibility. The Cloud Security Alliance defines the shared responsibility models as internal security teams owning apps, data, containers and workloads in the cloud while the CSP takes on the physical security of the cloud infrastructure.
The heart of the shared responsibility model centers on humans and trust. Trust erodes when customers misunderstand what security measures fall under the CSP. More often than not, customers understand what's expected of them, but confusion grows in the varying security requirements between infrastructure, platform and software cloud environments.
Though neither Capital One or AWS questioned their respective security roles as customer and vendor, Congress called the shared responsibility model into question following the 2019 data breach. AWS CISO Stephen Schmidt answered Congressional inquiries about the security of AWS, saying the cause of the breach stemmed from firewall misconfiguration.
"We will not be able to definitely know whether a firewall is misconfigured (only the customer truly knows what they intended with resources under their control)," Schmidt said. But AWS said it would "err on the side of over-communicating" with customers following proactive scans of the public IP space of customers.
The theoretical notion of holding AWS accountable in some way was a change for hardware and software providers. "If you were to go back 15 years ago, and there was a misconfiguration of a server that had been provided by a hardware manufacturer or a software manufacturer, nobody would have asserted that it was the problem of the manufacturer," Atlassian CISO Adrian Ludwig, told Cybersecurity Dive in October. "Neither of those two companies, hardware or software manufacturer, likely would have felt some sense of responsibility."
Today, there's a different expectation between service providers and customers. Cloud customers rely on service providers 24/7; there's a continuum of security unlike anything companies have had before. There are very few organizations, including governments, that are more secure than cloud providers today, said Ludwig.
But leaning on the cloud's security invites different risks. Leaving on-premise solutions behind is a repudiation of decades-old security thinking. Deloitte says the transition moves from "managing physical infrastructure to monitoring access across a 'stateless distributed environment,'" according to a recent report.
The new risks are a challenge for companies in the early stages of infusing cybersecurity holistically in their cloud strategy. "As humans, we really suck at assessing risk. We're terrible at it; you're afraid to fly, but we drive our car to the grocery store twice in 15 minutes," said Engel. "From a risk perspective, that is irrational behavior."
The cloud was an uncomfortable transition for security practitioners because it meant they were relinquishing a portion of their control. And some companies are unsure how to translate those new responsibilities into actions, according to Vikram Kunchala, principal and cyber cloud leader at Deloitte Risk & Financial Advisory.
Gaps in IaaS, PaaS and SaaS
Because there isn't a uniform shared responsibility model across major CSPs, misunderstandings for companies using a multicloud environment perpetuates to some degree. "We like to think of it as well defined, but it's not," said Engel. "Understanding that all these integrations mean that the boundaries are fuzzy between everybody."
Though the variations between CSP responsibility models are slight, vendors are trying to accommodate customers struggling with understanding the jobs of the service provider, customer and technology. "One key challenge many customers have is getting visibility to all your required security actions across Azure, AWS and [Google Cloud]" until a universal reference is established, said Eric Doerr, VP of cloud security at Microsoft.
"Larger companies often ask for a security control framework to identify the security control categories that should be put in place," said Doerr. Though industry staples are used, including frameworks from National Institute of Standards and Technology (NIST), customers were in need of more guidance from Microsoft.
"Our customers asked us to extend their concepts into Azure and make them more measurable, so we created the Azure Security Benchmark to help. Once customers have identified their security controls the next step is to measure progress against implementation of these controls, and that’s where the Azure Secure Score comes in," said Doerr.
Similarly, AWS has the Well-Architected Framework for implementing the cloud environment and Well-Architected Tool for self-service to do run workload reviews. Providing the tools for customers to be able to perform their responsibilities is a major job for CSPs.
The cloud's level of responsibility depends on what services customers select. More often than not, there's less confusion about where roles end and begin between CSPs and customers, as opposed to how customers get it right. The AWS Identity and Access Management are tools for customers to use to assess how correctly they're doing security.
It's not often a customer, coming from a competitor's cloud, has different expectations of the shared responsibility model.
Microsoft's shared responsibility model delegates data, devices, accounts and identities in software as service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS) and on-premise solutions entirely to the customer. Responsibility splinters, depending on the service, when identity and directory infrastructure, apps, network controls, and operating systems (OS) become involved. Microsoft only takes full responsibility for physical hosts, networks and data centers for SaaS, PaaS and IaaS.
AWS' shared responsibility model differentiates protecting the security "of" the cloud versus what's "in" the cloud. Instead of outlining the "physical" aspects of the cloud it's responsible for — like Microsoft does — AWS says it's responsible for "protecting the infrastructure that runs all of the services offered in the AWS Cloud," including hardware, software, networking, and relevant facilities.
The AWS model encompasses shared control over "the infrastructure layer and customer layers, but in completely separate contexts or perspectives," the company said. The split share, for example, has customers handle the configuration of their guest operating systems, databases and apps. AWS on the other hand manages its infrastructure devices configurations.
Google's model is not as explicitly defined. The company includes all on-premise services as part of the customer's responsibility, and then it varies until reaching SaaS security. In SaaS, customers are only required to secure the content and access policies of their software before Google takes over audit logging, encryption, web application security and more.
By the time a company graduates from on-premise, to IaaS, and then PaaS, it can abstract away the operating system, said Drew Firment, SVP of cloud transformation at A Cloud Guru.
When a company reaches a predominantly SaaS environment, the shared responsibility model becomes clearer. But before then, between the operating system and the applications is where "you see a lot of those issues traditionally, because that's where the confusion comes," said Firment.
The nuances of securing SaaS, IaaS, and PaaS can blur the areas of security expectations even further between customer and provider. "It’s still the organization’s responsibility to secure the data and applications in the cloud," Deloitte said in its report.
Two-thirds of executives say they use cloud providers for their baseline security while nearly three-quarters of executives say the cloud is primarily for SaaS security, according to Deloitte. Forty-two percent of executives say their cloud provider secures their IaaS.
Sharing at scale
Scaling the opportunities the cloud enables is underway, leaving a total cybersecurity cloud strategy in development. Companies are "still not quite moving from the tactical to strategic, certainly not the transformational," said Firment.
In the early stages of structuring a cloud cyber team, companies should detail their CSPs' service agreements and leverage necessary controls, risk strategies and compliance, Deloitte said. Companies should consider establishing a cloud center of excellence composed of internal cloud and cybersecurity personnel and outside cloud and MSPs.
This isn't to say companies don't know what they need — but some miss out on what their CSPs provide. Using data collected from cloud-native infrastructure across hundreds of deployments by Accurics users, the company found 10% of companies paid for additional data security and privacy features from their CSPs. However, those companies lacked environments to enable the advanced services.
Companies that dip into over-provisioned resources are stored for "just in case" purposes that take up additional bandwidth, according to 451 Research. "I can click a button right now and create 100 servers," Rory McCune, principal consultant at NCC Group told Cybersecurity Dive in November. Customers are creating resources but failing to "go back and clean them up" when they don't need them anymore.
The ease of use creates a disconnect in visibility across environments.
"The complex ecosystem creates new sources of log data, so understanding the telemetry and capturing the right set of logs across the stack and leveraging native services to build a security data lake or leveraging marketplace vendors to benefit from out of the box capabilities that reduce deployment times is key," said Kunchala. It's what will shape cost and security expectations.
However, cloud migration and security are typically separate considerations, according to research from Deloitte. In 2019, less than 10% of organizations factored cloud migration and SaaS into their cybersecurity budget.
"Often consumers accelerate the journey to cloud without proper planning and an appreciation for shared responsibilities," leading to overconsumption of IaaS, PaaS, SaaS services across their CSPs, said Kunchala.