Story image

Implementing shared security models in the cloud

08 Jan 2019

Article by Barracuda Networks A/NZ and Pacific Islands regional director Andrew Huntley

When it comes to cloud security, the issue isn’t the platforms, but rather a lack of processes for implementing and maintaining the best cloud security processes.

Whenever there’s a security breach involving a public cloud, the issue almost invariably winds up being caused by a developer who forgot to implement one control or another.

Developers are understandably excited about public clouds because they allow them to build and deploy applications without having to wait for internal IT organisations to provision IT infrastructure.

The trouble is that developers aren’t usually aware of every control that should be implemented to ensure security.

Before anyone realises that, cybercriminals are exfiltrating massive amounts of data regardless because the developer didn’t fully appreciate the inherent shared responsibility model for security when employing public clouds.

Who’s responsible for what?

Cloud service providers must ensure the security of the underlying infrastructure, but organisations are responsible for the security surrounding the assets they put into the cloud.

This is backed up by the Shared Security (or Responsibility) Model, which is standard across all cloud platforms.

A 2017 Vanson Bourne survey Barracuda Networks sponsored revealed some interesting data related to the Shared Security Model.

More than three-quarters of Australian respondents reported that they fully understand the public cloud security responsibilities of both their organisation and public cloud provider.

However, when asked what cloud vendors are responsible for securing, the responses clearly indicate that the Shared Security Model isn’t fully understood.

The majority believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject.

The vast majority are leaving major security responsibilities to their provider, which could leave gaps in public cloud security.

When asked more directly about security, around three quarters state that security concerns restrict their organisation’s migration to the cloud.

In addition, the vast majority believe there are threats to their organisation’s public cloud infrastructure.

Despite these threats being in mind, the use of public cloud is still set to increase, suggesting that organisations are willing to see past these concerns.

It would be beneficial for any organisation running workloads in the cloud to have a conversation about security.

The one thing that cloud service providers can do is make it simpler for IT organisations to enforce the controls they do have in place for cloud applications.

Greater accountability

In the cloud era, developers are being held more accountable than ever before for implementing security controls.

Known as DevSecOps, the basic idea is to make implementing security controls part of the gates that developers need to pass as they build applications using a continuous integration/continuous development (CI/CD) framework.

The rise of DevSecOps should make applications more secure, but developers are humans and there will always be mistakes.

Cybersecurity teams need to embrace frameworks that enable them to verify cybersecurity policies have been implemented at the same rate of speed developers are now deploying applications. That’s especially critical in cloud computing environments where the rate of application deployment is typically several orders of magnitude greater than an on-premises IT environment.

Many cybersecurity teams will need to find a way to achieve the capabilities required to manage security and compliance across multiple cloud environments.

That will require some ability to programmatically consume services via an application programming interface (API).

The good news is that public cloud providers like AWS have these shared responsibility issues in mind and are coming up with ways to simplify the management of cybersecurity and compliance on the public cloud.

Regardless of the path chosen, however, the one thing that’s clear is that implementing a shared security model in the cloud is about to finally become simpler than it is today. 

Adobe, Microsoft and LinkedIn join forces to accelerate account-based experiences
“With these new account-based capabilities, marketing and sales teams will have increased alignment around the people and accounts they are engaging.” 
Winners of 2019 Adobe Experience Maker and Marketo Revvie Awards announced
The Adobe Experience Maker Awards recognise Adobe Experience Cloud customers and partners.
How Adobe and ServiceNow aim to advance customer experience management
“Together, ServiceNow and Adobe will help enable seamless digital workflows that power the experiences customers want.”
Adobe opens up marketing opportunities with Roku
Adobe and streaming TV platform Roku are now offering Adobe customers the ability to precisely target consumer audiences moving to over-the-top content (OTT).
Adobe Summit kicks off the future of customer experience in Las Vegas
“Today, at Adobe Summit, we unveiled significant new capabilities in Adobe Experience Cloud, including the introduction of Adobe Commerce Cloud and Marketo Engage, and general availability of Adobe Experience Platform.”
NEXTDC appointed data centre provider for Queensland Government
“NEXTDC’s appointment to the supplier panel for data centre services is an important step forward for the Queensland Government."
Ruckus releases new switch for 100GbE edge-to-core networks
Enables multi-gigabit networks with pay-as-you-grow model suitable for education, government and enterprise environments.
How AI could help cardiologists detect heart defects
Deep learning supposedly has the potential to help doctors cut down on diagnostic errors.