- Security TWENTY
- Women in Security
There’s no doubt that the adoption of public cloud deployments has accelerated for most recently, writes Clint Harris, consultant at AT&T Cybersecurity. In fact, according to metrics released by Oracle recently, nearly half (49 per cent) of all respondents to the Oracle and KPMG Cloud Threat Report expect to store most of their data in a public cloud by the end of 2020. Effectively managing the security and compliance of public cloud deployments can be tricky for many. The same study revealed that 38 per cent of the respondents indicated that detecting and responding to cloud security incidents is their number one cybersecurity challenge.
There are multiple factors that contribute to the issues associated with deploying and maintaining highly secure cloud environments. In this article we’ll explore three of the issues most often encountered:
1. Shared responsibility model
2. Lack of visibility
3. Misconfiguration / Configuration Drift
An exacerbating factor in all three common issues noted above is the lack of common terminology. Also keep in mind that the individual components themselves often require broad capabilities to effectively monitor and provide the security to maintain the various components within a cloud deployment. For instance, the machines deployed within the cloud may be most effectively monitored using conventional solutions often used in traditional on-prem deployments. These solutions include scan engines and / or host agents. The associated storage and serverless code functions require solutions providing functionality specific to the cloud that has the capability to derive account configurations and resources associated with the machines deployed. We’ll delve into more detail as we discuss the other common issues encountered in highly securing cloud deployments below.
Shared responsibility model
Unlike security and compliance controls in more traditional on-premise deployments, the security of public cloud deployments is always a shared responsibility between the cloud provider and customer. This shared responsibility model can be challenging for many organisations. In fact, according to a recent Gartner report, 82pc of cloud users have experienced security events due to confusion over Shared Responsibility Security Models. As you can see in the graphic below, depending on the type of cloud deployment you have, the elements that organisations are responsible for changes:
As illustrated above, while a Software as a Service (SaaS) deployment minimises the number of elements that a public cloud customer is responsible for, that responsibility increases when using a Platform as a Service (PaaS) and continues to expand with Infrastructure as a Service (IaaS) deployments. Because of this, it’s key that organisations with public cloud deployments know which cloud components and associated security controls they’re responsible for so that they can implement appropriate controls and monitor them over time to provide for their on-going effectiveness.
Lack of visibility
Another common challenge facing many organisations is providing that they have a complete and up to date visibility into their cloud deployments. One study noted that 38pc of CISOs responding expressed inadequate visibility into public cloud workloads as their top cloud security challenge. It’s important to realise that visibility into the workloads / machines and all associated resources is a key requirement. Just as important is visibility into the overall public cloud account’s configuration and security controls. Without that complete picture it’s impossible to effectively protect public cloud deployments and provide that they remain protected over time.
Misconfiguration / Configuration drift
Once organisations have a complete understanding of the components that they’re responsible for protecting and complete up to date visibility into their cloud assets and associated resources, the next important challenge to address is establishing, maintaining and enforcing approved configurations. Such configurations should include both internally defined security and compliance controls while including applicable industry standards and best practices. Once those approved configurations are defined and deployed, it’s critical that the assets and associated resources deployed within public clouds be consistently monitored and their approved configurations enforced.
Know that while the common cloud challenges noted above can be daunting for some to address, there are managed service that can be of great assistance when it comes to the security and maintenance of public cloud deployments.