Assessing the State of the Shared Responsibility Model

We hear (and at Threat Stack, we write) a lot about the shared security responsibility model. This is the idea that, when it comes to the cloud, businesses are responsible for the security of their data and applications in the cloud, while providers are responsible for the security of the cloud infrastructure.

But are companies prepared to take responsibility for their end of the bargain? How far do we still have to go to reach the promised land of a successfully shared responsibility model? Below, we’ll explore where we stand today and what it will take to reach that holy grail.

In Cloud Providers We Trust

The good news is that most companies today do, in fact, trust their cloud providers. That wasn’t true a few years ago, when it was common to hear IT and DevOps folks question whether the public cloud was really production-ready. That mindset has changed, and most organizations now accept that the average cloud infrastructure company has significant in-house security expertise, world-class security tools, and the resources they need to take action. Rare is the organization that can lay claim to the amount of collective cloud security experience in-house at, say, AWS or Azure.

It also helps that providers have become increasingly transparent about how they handle and approach security. Take AWS’s Shared Responsibility Model documentation. It explains how seriously AWS takes security and offers in-depth information about ongoing security issues via its Bulletins service. If you have a question or concern about security (or compliance), AWS makes it easy to get in touch. Azure also offers significant information about their approach to security.

Cloud providers have also started offering a slew of security tools and features that organizations can use for data protection — like encryption at rest and in transit, web app firewalls, and key management. AWS CloudTrail, for example, lets organizations identify which users and accounts are accessing AWS services, the source IP address that API calls are made from, and when the calls occur. This offers quite a bit of information that can be used to detect and respond to potential security issues.

Finally, cloud providers have undergone HIPAA, PCI DSS, and other rigorous certifications to demonstrate that they meet the requirements of these common frameworks, adding yet more peace of mind for their customers, especially in regulated industries.

The Cloud is Only as Secure as Your Configuration

That said, your cloud is only as secure as your configurations. The onus is on organizations running in the cloud to make sure that they are meeting the best practices laid out by providers like AWS and/or CIS. While AWS offers clear guidelines about how to best configure your environment, it’s actually up to you to make sure you do so.

We built Threat Stack’s Configuration Auditing solution so that organizations could quickly and easily see where they are in relation to these best practices. If you run a configuration audit, you can see exactly where you need to make improvements and prioritize these action items based on severity.

Amazingly, 73% of companies today have critical AWS misconfigurations — meaning configuration weaknesses that make it easy for attackers to access non-public resources or consoles. We completed a study recently and found that the majority of companies have still not closed these gaping holes. If that’s you, it’s time to get to work!

The first step in making sure that you’re holding up your end of the shared responsibility model is to ensure that you are taking the necessary measures to meet best practices. If you’re not doing that and something goes wrong, you’ll only have yourself to hold responsible.

Visibility Offers Peace of Mind

In addition to trusting your cloud provider and making sure you uphold configuration best practices, you need to make sure that you have complete visibility into what’s going on in your cloud. Unfortunately, some businesses have avoided moving to the cloud because they feared it would offer them less visibility. That’s not true at all; in fact, it’s quite the opposite.

With a solution such as Threat Stack Cloud Security Platform®, you obtain broad and deep visibility into your environment. This is obviously very important for regulated industries and sensitive workloads in the cloud, but it’s key across the board.

The best way to ensure visibility is to stay laser-focused on the workload. After all, how can you know what is happening with your files and who’s doing what if you can’t look at events on the host? This requires a big change in mindset and approach from on-prem monitoring, but it’s the key to upholding your end of the bargain when it comes to security.

Collecting data straight from the kernel means you can monitor, audit, and alert on potential threats in real time. That’s frankly not possible with more traditional network and log-driven systems. And that’s why it’s the best (really the only) way to achieve complete visibility and to truly accept responsibility for the security of your data and applications in the cloud.

Your Road to Security

Many organizations are at the beginning of their cloud security maturity lifecycles. Some are still making the transition to the cloud and are experiencing the growing pains of moving away from on-prem data centers. But the shared responsibility model offers a path forward that will enable us to reap all the benefits of the cloud without being susceptible to its potential pitfalls.

It’s safe to say that cloud providers today can be trusted with their end of the bargain, and now it’s time for organizations to ensure their side of the responsibility equation. That means making sure that best practices are met and visibility is prioritized, so there are no nasty surprises in the cloud.