Public cloud providers have had no choice but to take their security and compliance responsibilities very seriously. While initially there were many concerns about the security of data in multi-tenant architectures and on infrastructures not directly under the enterprise’s control, cloud providers have done a good job of convincing users that their infrastructures are as secure as—if not more secure than—on-premises data centers. As a result, we are seeing more and more highly-regulated sectors such as finance and healthcare deepening and broadening their cloud profiles. Perhaps the strongest endorsement for the security capabilities of the cloud providers was the CIA’s strategic decision to go all-in on the cloud, using a private AWS cloud deployment.
However, the two leading cloud providers, AWS and Microsoft Azure, have made it clear that their responsibility for security and compliance goes only so far. Customers are left having to close the data security loop. AWS and Microsoft Azure have articulated a shared responsibility model for security and compliance, which has been adopted by the other cloud providers as well.
This white paper looks at how AWS and Azure have divided the security and compliance responsibilities between the cloud providers and their customers as well as what enterprises need to do to properly secure their cloud-based assets.
THE SHARED RESPONSIBILITY MODEL ACCORDING TO AWS AND MICROSOFT AZURE
There are virtually no differences between Amazon’s and Microsoft’s visions of the shared responsibility model. The provider takes responsibility for the security of its infrastructure and managed services. The customer is responsible for the security of the software it chooses to run on that infrastructure, and for the security of its data, both in transit and at rest.
AWS explains the shared responsibility model by differentiating between Security of the Cloud (for which it takes responsibility) and Security in the Cloud (for which the customer is responsible). To provide a secure cloud, AWS manages and controls the host operating system, the virtualization layer, and the physical security of its facilities. To ensure security within the cloud, the customer configures and manages the security controls for the guest operating system and other apps (including updates and security patches), as well as for the security group firewall provided by AWS. The customer is also responsible for encrypting data in-transit and at-rest.
The Azure rendition of the shared model effectively illustrates how the boundary of responsibility shifts depending on the level of cloud deployment:
› In an IaaS framework, the provider is completely responsible for the physical layer and shares responsibility with the customer for the security of the host infrastructure and network; all the rest is the responsibility of the customer.
› In a PaaS framework, the provider takes full responsibility for host infrastructure and network security as well, and shares responsibility with the customer at the application and access control levels.
› In a SaaS framework, the provider takes full responsibility for application controls while sharing responsibility with the customer for access control as well as client/endpoint protection.
Another context within which the customer bears responsibility for security is the Amazon Machine Image (AMI). An AMI provides the initial configuration for an EC2 instance (OS and application runtime parameters), including security controls related to confidentiality and compliance. It is recommended that the customer build a catalog of AMIs with security configuration baselines that ensure each instance conforms to the organization’s security policies. It is also the customer’s responsibility to keep its AMIs updated with the latest security patches.
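As an added illustration of the AMI catalog recommendation above (this is example code, not from AWS or from this paper), the following Python script checks a fleet of running instances against an approved-baseline catalog and flags three kinds of drift: an image outside the catalog, an image superseded by a newer baseline in its family, and a baseline that has itself gone too long without a rebuild. The catalog, instance list, AMI ids and the 30-day rebuild policy are all constructed assumptions; in practice the instance list would come from the EC2 API.

```python
from dataclasses import dataclass
from datetime import date
MAX_BASELINE_AGE_DAYS = 30  # assumed policy: every baseline is rebuilt at least monthly

@dataclass(frozen=True)
class BaselineAmi:
    ami_id: str   # constructed sample id, not a real AMI
    family: str   # one baseline line per workload type, e.g. "web-hardened"
    built: date   # when this hardened image was baked with that day's patches

def current_baselines(catalog):
    """Newest approved AMI for each family in the catalog."""
    newest = {}
    for b in catalog:
        if b.family not in newest or b.built > newest[b.family].built:
            newest[b.family] = b
    return newest

def audit_instances(instances, catalog, today, max_age_days=MAX_BASELINE_AGE_DAYS):
    """instances: {instance_id: ami_id}. Returns {instance_id: finding}; clean instances get no entry."""
    by_id = {b.ami_id: b for b in catalog}
    newest = current_baselines(catalog)
    findings = {}
    for iid, ami_id in instances.items():
        base = by_id.get(ami_id)
        cur = newest[base.family] if base else None
        if base is None:
            findings[iid] = "unapproved-ami"  # image is not in the catalog at all
        elif cur.ami_id != base.ami_id:
            findings[iid] = f"superseded-by:{cur.ami_id}"  # a newer baseline exists
        elif (today - cur.built).days > max_age_days:
            findings[iid] = "baseline-stale"  # the catalog entry itself needs a rebuild
    return findings

# Constructed sample data: two web baselines (one superseded) and one aging db baseline.
CATALOG = [
    BaselineAmi("ami-web-0001", "web-hardened", date(2018, 4, 1)),
    BaselineAmi("ami-web-0002", "web-hardened", date(2018, 6, 1)),
    BaselineAmi("ami-db-0001", "db-hardened", date(2018, 3, 1)),
]
INSTANCES = {
    "i-web-a": "ami-web-0002",         # current baseline, 14 days old: clean
    "i-web-b": "ami-web-0001",         # older image in the same family
    "i-db-a": "ami-db-0001",           # family's newest image is 106 days old
    "i-adhoc": "ami-marketplace-999",  # never went through the catalog
}
AUDIT_DATE = date(2018, 6, 15)

def run_sample():
    return audit_instances(INSTANCES, CATALOG, AUDIT_DATE)
```

Each finding maps to a different remediation: replace the image, roll the fleet to the current baseline, or rebuild and re-certify the baseline itself.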
Both AWS and Azure provide best practice guidelines and an array of services and tools to help their customers uphold their end of the shared security responsibility. The following table describes some of the leading AWS and Azure tools and services.
THE KEY CHALLENGES OF CLOUD SECURITY
While it may be possible to “lift and shift” infrastructures and workloads to the cloud with little or no refactoring, migrating traditional security tools is a more complicated process.
The cloud introduces a whole new set of security challenges and requires an entirely new way of thinking about security. The challenges start with the unprecedented velocity of change that the cloud allows as a result of its on-demand resources and streamlined provisioning processes. Traditional security tools cannot handle this “chaos,” and configuration and policy management become overwhelming tasks. Access and other security controls are weakened and become unreliable.
The next challenge is the transient nature of networks in the cloud. Virtual instances are spun up instantaneously and torn down just as quickly. Network identifiers, such as IP addresses, are no longer stable control points, and the encryption of data in-transit to and from the cloud reduces the visibility into application behavior. Perimeter-based security tools cannot do their job when the perimeter has, for all intents and purposes, disappeared. In short, traditional network-centric security tools cannot provide a suitable measure of protection for cloud-based assets.
The cloud is complex in even the simplest deployment framework, i.e., working with a single public cloud provider. The complexity increases exponentially in multi-cloud or hybrid deployments, which are quickly becoming the norm. Analyzing security incidents—or even tracking an administrator’s activities—across a multitude of cloud entities, configuration files, event logs, networks, and so on is impossible for legacy data center security tools.
Last but not least, with the cloud providers responsible—at a minimum—for securing the infrastructure, the host OS, and the networks to and from their facilities, customers have far less visibility and control than they would in their own environments. This too undermines the ability of on-premises-oriented security tools to do their job.