There is a common perception among organizations that cloud security, especially when using a public cloud model - is a shared responsibility model.
According to one of the largest cloud services provider, Amazon Web Services "...the customer should assume responsibility and management of, but not limited to, the guest operating system...and associated application software..." It further adds "..it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of..host based firewalls, host based intrusion detection/prevention, encryption and key management."
Regardless of the provider, all providers operate under this model. The provider is responsible for the physical infrastructure, the shared networking, the computing, storage and the hypervisor. Everything that sits on top of a basically virtual machine and the guest instance is the responsibility of the customer. This includes securing data, the application code, the application framework and the Operating Systems that is sitting on top of the infrastructure itself.
Depends on how an organization views this - it provides the flexibility to enforce consistency and a similar level of controls as the organization does in its other environments, including in its data centers. However, it's extremely challenging to achieve this using the traditional network perimeter-based approaches.
All of this requires a new way of thinking.
The security and compliance requirements in any form of cloud environment haven't changed. We still need - strong access controls, privileged accounts monitoring, multi-factor authentication, user auditing, device verification, file integrity monitoring etc.
We need to reduce the attack surface on a continual basis and find ways to implement corporate policies in a consistent manner.
Listen to Amrit Williams address these issues via Software Defined Security:
- Software Defined Security capabilities including exposure management;
- Compromise management - application whitelisting, data leak prevention;
- Security & compliance intelligence - reporting and analytics, auditing and standardized policy implementation.