Who Owns Your Cloud Security Stack?
Sometimes I kick off a client conversation by asking, “What is your strategy for cloud security?”
It is surprising how often they not only have no such strategy, but do not even think they need one. They take the security options offered by their cloud service providers (CSP) and assume their workloads are safe. Like most assumptions, this one can leave you looking foolish, because cloud security is seldom so simple.
Every workload is a stack of physical and virtual resources: network, servers, a hypervisor, storage, OSs, middleware, applications, data, and users. In an on-prem environment, we protect each workload with a parallel security stack: firewall, IPS, web and email proxies, endpoint protection, advanced malware detection, application controls, data encryption, identity and access management, and behavioral analytics. This not only protects the workloads (and the services they provide to our organizations), it keeps us compliant.
When we move to public cloud, this clear line of security responsibility can become unclear. We outsource a slice of the workload stack to our CSP and leverage its optional security controls. These typically cover the provider’s own infrastructure and platform services, but not the higher tiers of the workload stack that we still configure, manage, and maintain ourselves. Too often we forget that we still own security for everything from the guest OS on up.
Amazon is admirably clear about how it divides the security domain.
“When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:
- Security measures that the cloud service provider (AWS) implements and operates – “security of the cloud”
- Security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services – “security in the cloud”
While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”
With Amazon at least, we know exactly where we stand. It is our job to secure our own OS, apps, data and users. The tools we choose and the way we fold them into our security and compliance frameworks are ours to decide as well. Other providers can and do draw the line differently.
The first challenge of protecting cloud workloads is knowing what you still own in the security stack. Only then are you sure to implement the full security stack in the cloud.