Dive Brief:
- Cloud service providers (CSPs) offer similar methodologies for a shared responsibility model, but controls and configurations vary among companies when deploying cloud workloads, according to a report from Cloud Security Alliance (CSA).
- Shared responsibility models are "one of the least understood, but most impactful" components of cloud risk management, according to CSA. Cloud customers face "short-term" challenges, such as confirming validity and accuracy of the CSP's default configurations.
- CSA noted Gartner's findings that companies' failure to deploy software capable of monitoring the "integrity and performance" of cloud security and configurations was the primary cause of high-profile data breaches.
Dive Insight:
Any disconnect between where a CSP's security services end and the customer's security responsibilities pick up is a recipe for disaster.
The report asked: "Are organizations aware of the shared responsibility model introduced by cloud computing, and are the responsibilities appropriately reflected in the risk management processes and programs?"
The cloud muddied the water of how traditional security practices are performed. Security went from an on-premises activity to a permission-based one. Complications are further elevated by automated procedures.
Those procedures contribute to issues of performance, mistake propagation, hidden interdependencies and visibility, "due to the absence of evidence (required logs) to support control process operation," according to the report.
Last year, Amazon Web Services faced scrutiny from Congress after Capital One disclosed its data breach. The top cloud provider had to answer questions about its role in the breach. Before Congress' involvement, AWS CISO Stephen Schmidt clarified that AWS' security stops at the perimeter of its infrastructure; the rest of security is carried out by customers.
The server-side request forgery (SSRF) vulnerability that led to Capital One's breach was documented in 2014, and in August 2018 AWS received recommendations to adhere to similar precautions Microsoft and Google took for the flaw. Congress argued that AWS' lack of action makes the cloud provider partially responsible for the bank's hack.
Misconfigurations in application security are abundant and will continue to grow as the cloud and applications scale. The cloud also complicates security's role when developers and engineers can move so quickly.
The move to the cloud, or software-based infrastructures, has given developers free access to infrastructure configurations. Now, with remote work, developers can work at 4 a.m., with no one to catch mistakes or see potential impacts on security in real time, depending on a company's safeguards and protocols.
Ninety-three percent of enterprises rely on a public cloud infrastructure, but only 40% have cloud and container security strategies, according to a DivvyCloud report. Last year, 64% of enterprises were using at least two cloud services, decreasing from 77% in 2018. DivvyCloud attributed the decline to complex security strategies.
Keeping pace with security configurations for cloud-based workloads is one of the toughest tasks for security organizations, especially those already lacking resources.