The Shared Responsibility Model in the Cloud

Platform Best Practice Skill Level: Learner
Reading Time: 5 minutes

Shared responsibility model

Gartner predicts that through 2025, 99% of all cloud security failures will be the customer’s fault. A statistic like this can be jarring, maybe even alarming or worrisome, especially if you’re a cloud customer. The cloud is an unyielding force with exponential levels of complexity, which makes it difficult to control. So perhaps, instead of looking at cloud failures as the customer’s fault, we must consider the guidelines around cloud configuration and acknowledge why it is so easy for customers to secure their cloud ineffectively.

The great news is that a large portion of that 99% of cloud failures is actually preventable, if a customer knows exactly what they are responsible for securing in their cloud. This brings us to The Shared Responsibility Model.

What is the Shared Responsibility Model?

To be brief, the shared responsibility model states that the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud.

Digging a bit deeper, the shared responsibility model is an overarching working model that multiple cloud providers promote to, and enforce with, the customers of their products. Each provider defines its own shared responsibility model. Below we’ll define the basics for two top cloud providers, but first let’s understand the context behind the creation of the shared responsibility model.

Security in the Cloud

As organizations migrated to the cloud, new needs for security emerged, including a major need for cloud providers to ensure secure environments. At its simplest, this means offering customers a safe and stable platform on which to build and grow their businesses. The Cloud Service Provider’s accountability has grown dramatically in recent years, especially after pivotal moments like Azure’s famous vulnerability detected in its managed database service, CosmosDB.

Since then, cloud service providers like Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP) have worked tirelessly to assure their customers that their environment is as secure as possible, even more secure than the on-prem data centers they might be used to.

But this promise can only go so far, and so a line was drawn in the sand. Cloud providers, AWS specifically, published a clear guide to how far they will go to monitor and regulate their customers’ environments: the birth of the shared responsibility model.

What is the AWS Shared Responsibility Model?

AWS

AWS is focused on the security of the AWS infrastructure, protecting its computing, storage, networking, and database services against intrusions, since it cannot fully control how its customers use AWS. AWS is responsible for the security of the software, hardware, and physical facilities that host AWS services. AWS also takes responsibility for the security configuration of its managed services such as DynamoDB, RDS, Redshift, Elastic MapReduce, WorkSpaces, and others.

The Customer

Customer responsibility depends on which AWS service is being used, but in sum, AWS customers are responsible for the secure usage of services that are considered unmanaged. For example, while AWS has built several layers of security features to prevent unauthorized access to AWS, including multi-factor authentication, it is the customer’s responsibility to make sure multi-factor authentication is enabled, particularly for those identities with the most extensive IAM permissions in AWS. Furthermore, the default security settings of AWS services are often the least secure. Enhancing the default AWS security settings and configuring your cloud for your own needs is therefore low-hanging fruit that organizations should prioritize to fulfill their end of the AWS shared responsibility model.
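The MFA check described above is the kind of thing a customer can verify on their own side of the model. The following is an added example, not code from the original post or from any vendor: it parses a constructed sample in the column layout of the AWS IAM credential report (only the columns used here are kept), combines it with a made-up mapping of users to attached managed policy names, and flags every console-capable identity that has no MFA device, raising the severity when the identity is the root account or carries a broadly privileged policy such as `AdministratorAccess`. The user names, account number and policy assignments are constructed; the `<root_account>` user value, the `not_supported` marker for root's password field and the policy names are the real conventions.

```python
import csv
import io

# Constructed sample in the column layout of the AWS IAM credential report.
# The real report has more columns; only those used here are included.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,not_supported,false,false
alice,arn:aws:iam::111111111111:user/alice,true,true,true
bob,arn:aws:iam::111111111111:user/bob,true,false,true
carol,arn:aws:iam::111111111111:user/carol,true,false,false
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,false,false,true
"""

# Constructed mapping of user -> attached AWS-managed policy names.
# The policy names are real; the assignments are made up for this example.
SAMPLE_POLICIES = {
    "<root_account>": [],          # root needs no policy; it is always fully privileged
    "alice": ["AdministratorAccess"],
    "bob": ["AdministratorAccess"],
    "carol": ["AmazonS3ReadOnlyAccess"],
    "deploy-bot": ["AmazonS3ReadOnlyAccess"],
}

# Managed policies that grant broad control and therefore warrant the strictest MFA expectation.
PRIVILEGED_POLICIES = {"AdministratorAccess", "IAMFullAccess", "PowerUserAccess"}


def parse_credential_report(text):
    """Turn credential-report CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_mfa_gaps(report_rows, policies):
    """Return one finding per identity that can sign in to the console without MFA.

    Identities without a console password (API-only users) are skipped: there is
    no console login for MFA to protect. Root is always treated as console-capable
    because the report marks its password field as not_supported rather than true.
    """
    findings = []
    for row in report_rows:
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"].strip().lower() == "true"
        if not (has_password or is_root):
            continue
        if row["mfa_active"].strip().lower() == "true":
            continue
        attached = set(policies.get(user, []))
        privileged = is_root or bool(attached & PRIVILEGED_POLICIES)
        findings.append({
            "user": user,
            "severity": "HIGH" if privileged else "MEDIUM",
            "reason": "console sign-in without MFA"
                      + (" on a privileged identity" if privileged else ""),
        })
    return findings


def run_sample():
    """Evaluate the constructed report; used both for demonstration and testing."""
    return find_mfa_gaps(parse_credential_report(SAMPLE_REPORT), SAMPLE_POLICIES)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding['severity']}] {finding['user']}: {finding['reason']}")
```

On the constructed data this reports the root account and `bob` as HIGH (privileged, no MFA) and `carol` as MEDIUM, while `alice` (MFA enabled) and `deploy-bot` (no console password) produce nothing. In a real account the report text would come from `aws iam get-credential-report` and the policy mapping from the IAM API; the decision logic stays the same.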

AWS shared responsibility model diagram

What is the Azure Shared Responsibility Model?

Azure

Azure is focused on the security of the underlying infrastructure, by protecting its computing, storage, networking, and database services against intrusions. Azure is also responsible for the security of the software, hardware, and physical facilities that host Azure services. The Azure cloud security framework takes responsibility for the security configuration of its managed services such as Azure Kubernetes Service (AKS), Container Instances, Cosmos DB, SQL, Data Lake Storage, Blob Storage, and others.

The Customer

Azure customers are responsible for the security in their own cloud, or more simply put, everything that they instantiate, build and/or use. This responsibility is contingent on what service Azure customers are using and whether it is SaaS, PaaS or IaaS. Per Microsoft, “In an on-premises data center, the customer owns the whole stack. As you move to the cloud some responsibilities transfer to Microsoft Azure.” The following diagram illustrates the areas of responsibility between the customer and Microsoft:

The shared responsibility model in the cloud

Microsoft clearly defines that the customer always owns their own data and identities, and they are therefore responsible for securing them, as well as the cloud components they control.

The Azure Shared Responsibility model continues by stating the four responsibilities that always fall to the customer:

  • Data
  • Endpoints
  • Account
  • Access management

Holding Up Your End of the Deal

Now that you know you’ve got your work cut out for you in securing your cloud environment, how do you hold up your end of the deal? Managing all your data, platforms, applications, identities, networks, etc. is overwhelming for any security team. The obvious answer is to turn to outside help.

Consider integrating a third-party platform with your AWS or Azure environment. Solutions exist today to ensure your cloud is secure at its most foundational level. A key feature of any cloud security platform is Cloud Security Posture Management (CSPM), which evaluates the configuration of your cloud environments to look for security or operational issues and then alerts when misconfigurations arise. More advanced solutions monitor this continuously and offer advanced workflows and automation to correct issues at the speed and scale of the cloud.

Identities and data run rampant in the cloud; get hold of them with solutions like Cloud Infrastructure Entitlement Management (CIEM) and Cloud Data Loss Protection. CIEM gives you insight into all the identities in your environment, person and non-person, and reveals all the permissions they possess and the potentially dangerous escalation paths among them. Once all your identities are inventoried and their access reduced to least privilege, CIEM solutions can continuously monitor that baseline and alert you when excessive permissions arise.
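To make the "inventory, reduce to least privilege, then watch the baseline" loop concrete, here is an added example that is not part of the original post and not Sonrai's or any vendor's code. It expands the `Action` patterns of IAM-style policy documents (including `*` and `s3:Get*`) against a small constructed action catalogue, honours explicit `Deny`, compares each identity's effective permissions with a least-privilege baseline you maintain, and reports any excess, separately calling out a short illustrative list of IAM actions that deserve review because they let an identity change other identities' permissions. The identity names, policies, baseline and the 12-entry catalogue are all constructed; a real CIEM tool expands against the full service action list and also evaluates resource scopes and conditions, which are omitted here.

```python
import fnmatch

# Constructed catalogue of IAM actions. A real tool expands against the full
# per-service action list; twelve entries are enough to show the mechanics.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "sts:AssumeRole", "kms:Decrypt",
]

# Illustrative subset of actions that let an identity alter permissions;
# excess grants of these are reported separately for review.
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy", "sts:AssumeRole"}

# Constructed identities with IAM-style inline policy documents.
IDENTITIES = {
    "ci-runner": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObject"], "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    },
    "data-analyst": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
        ],
    },
}

# Constructed least-privilege baseline: the actions each identity actually needs.
BASELINE = {
    "ci-runner": {"s3:GetObject", "s3:PutObject"},
    "data-analyst": {"s3:GetObject", "s3:ListBucket"},
}


def expand_actions(policy_doc):
    """Return the set of catalogue actions a policy effectively allows.

    Action names are case-insensitive in IAM, and an explicit Deny overrides
    any Allow, so denied actions are removed from the allowed set.
    """
    allowed, denied = set(), set()
    for stmt in policy_doc.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in actions:
            target.update(
                action for action in ACTION_CATALOGUE
                if fnmatch.fnmatchcase(action.lower(), pattern.lower())
            )
    return allowed - denied


def find_excess(identities, baseline):
    """Compare each identity's effective permissions with its baseline.

    Returns {identity: {"excess": [...], "sensitive": [...]}} for identities that
    hold actions beyond the baseline; identities at or under baseline are omitted.
    """
    findings = {}
    for name, policy in identities.items():
        excess = expand_actions(policy) - baseline.get(name, set())
        if excess:
            findings[name] = {
                "excess": sorted(excess),
                "sensitive": sorted(excess & SENSITIVE_ACTIONS),
            }
    return findings


if __name__ == "__main__":
    for identity, detail in find_excess(IDENTITIES, BASELINE).items():
        print(f"{identity}: {len(detail['excess'])} actions beyond baseline; "
              f"sensitive: {', '.join(detail['sensitive']) or 'none'}")
```

On the constructed input, `ci-runner` sits exactly on its baseline and is not reported, while `data-analyst` holds nine actions beyond its two needed ones (the wildcard grant minus the explicit Deny), four of which are permission-altering. Running this on a schedule against the live policy inventory, with the baseline kept under version control, is the monitoring loop the paragraph describes.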

Taking things even a step further, explore graphing technologies that map out the complex web of connections between all identities, identity chains, excessive permissions to data, and much more, giving you critical insight into the dangers in your environment.

That last capability is one you’ll only get with Sonrai Dig. In fact, Dig is home to CIEM, CSPM, Cloud DLP and automation, all in one integrated platform.

Contact us today if you’re interested in seeing how Sonrai Dig helps you hold up your end of the shared responsibility model.