Why ‘Cruise Control’ Is Not An Option For Cloud Security
By Richard Tracy
According to Security Boulevard, “More often than not, enterprise data is safer within the cloud.” I’ve agreed with this sentiment for some time, making the case as early as 2011 that cloud providers offer better security than many organizations can achieve on their own via premises-based facilities and resources.
Economies of scale, rapid innovation and standard security tooling — all available within the cloud — can improve security for most companies. However, for many organizations, cloud technology is unfamiliar, and roles and responsibilities are not clearly defined by the cloud service provider (CSP) or understood by the cloud user.
In recent years, news headlines regarding cloud-based data breaches would suggest that storing data in the cloud is inherently insecure, but these headlines do not always convey the entire story. More often than not, cloud-based breaches are not the fault of the CSP. Instead, they are the result of user error or inexperience. Users are not always aware of their security responsibilities when it comes to cloud deployments, and it’s possible to make honest mistakes when it comes to a new technology that is sometimes marketed as an autopilot solution in itself.
Speaking of autopilot, let’s look at the increased adoption of driver-assistance technology in everyday vehicles. There have been legitimate concerns, and subsequent studies, regarding the safety of these features when it comes to driver vigilance. While these technologies bring many benefits, such as adherence to speed limits and driver comfort, one particular study found a decline in driver attention — essentially, a false sense of security set in, resulting in accidents and loss of life. Is this the fault of the manufacturer, or is it the responsibility of the driver to fully understand the limitations and caveats surrounding its use?
When it comes to cloud security, users certainly have an obligation to understand their respective roles and responsibilities. The reality is, cloud users cannot assume that the security aspect of their workloads and data is set on autopilot when they are pushed to the cloud. These responsibilities simply cannot be outsourced to a cloud provider.
Case in point: many cloud breaches on AWS are attributed to user misconfigurations that leave S3 buckets publicly accessible with no access controls applied. In fact, ISC2’s recent report noted that user misconfiguration was the main threat to cloud security, no matter which cloud platform was used.
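As an added example (not code from the article or from any CSP), here is a defender’s check for the open-S3-bucket misconfiguration just described: given a bucket’s policy document, its ACL grants and its Block Public Access settings as the S3 API returns them, it flags every way the bucket is exposed to the public. The bucket names, account id and role name in the sample data are constructed placeholders.

```python
import json

# S3 ACL group URIs that mean "everyone" / "any AWS account" (real AWS values)
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# The four S3 Block Public Access settings (real AWS field names)
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal):
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def assess_bucket(policy_json, acl_grants, bpa_config):
    """Return finding strings for one bucket; an empty list means no public exposure found."""
    findings = []
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "Condition" in stmt:  # a Condition may narrow "*" (e.g. to one VPC): review, not auto-pass
            findings.append(f"policy {sid}: wildcard principal with Condition, review scope")
        else:
            findings.append(f"policy {sid}: grants {_as_list(stmt.get('Action'))} to everyone")
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL: {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    missing = [k for k in BPA_SETTINGS if bpa_config.get(k) is not True]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings

# Constructed sample: the open bucket the article describes (public policy, public ACL, no guardrail)
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-bucket/*"}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
OPEN_BPA = {k: False for k in BPA_SETTINGS}
# Constructed sample: same data, readable only by one role in the owning (placeholder) account
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-locked-bucket/*"}]})
LOCKED_BPA = {k: True for k in BPA_SETTINGS}
```

Running `assess_bucket(OPEN_POLICY, OPEN_ACL, OPEN_BPA)` yields three findings (public policy statement, public ACL grant, Block Public Access off), while the locked bucket yields none; in practice the three inputs come from `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block`.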
On the other hand, a certain level of responsibility does fall on CSPs to clearly communicate to their customers who does what when it comes to securing their cloud-based solutions. The concept of shared security responsibility sounds like an easy way for organizations to understand their part in cloud security. However, the distinction between what the user is responsible for and what the CSP covers is still a gray area for many users. Add to that the fact that shared security responsibilities differ with the type of cloud service in use (IaaS, PaaS, SaaS, etc.), and it’s no wonder so many cloud security incidents can be attributed to user misjudgment. Indeed, it is in the cloud provider’s best interest to help its customers better understand the platform’s security offerings and what the customer is accountable for.
Thankfully, CSPs are all too aware of this shortcoming, and we are already beginning to see solutions such as the adoption of security guardrails to help reduce user error. As cloud technology becomes even more widely adopted, knowledge and understanding of security roles and responsibilities on the part of cloud providers and cloud users will undoubtedly continue to increase. In the meantime, it is essential for cloud providers to be very clear about what security functions they provide and for cloud users to “read the user’s manual” before deploying workloads and data to the cloud rather than relying on cruise control.