"We are fully on the cloud, hence we are secured"
This is a very frequent statement that I hear during my day-to-day conversations with tech founders and software developers.
But if that were the case, why would there be instances of data breaches at Unacademy, Twitch, Domino's, Twitter etc., the majority of whose workloads are in the cloud?
The answer to that is the following statement:
Security and Compliance is a shared responsibility between cloud provider and the customer
Now the above language isn't something coined by me; it's what all the existing cloud providers around the world say. But somehow this crucial piece of information seems to be missing from their elaborate marketing and knowledge seminars.
So what does it exactly mean?
Let's take the example of a server, aka AWS EC2 / Google Cloud Compute Engine / Azure VM; the many other fancy names all mean the same thing 😛
When you spin up a new server, ensuring that nobody steals the actual hardware sitting somewhere in the data centre, that no one steals your data disks, and that the other facilities required to keep your system running are protected is the responsibility of the cloud provider.
Anything beyond that is the responsibility of the customer. This includes securing your operating system, server-side encryption, firewalls, etc.
For those who are wondering why Log4j became such a big issue even for organisations deployed on the cloud, this is precisely the reason. It was and is the responsibility of the customer to identify and fix it.
Now cloud providers aren't evil or incapable of helping you with these security issues; there's a fundamental roadblock for them. Let's continue with the Log4j example. The patch for this vulnerability was simply to upgrade to a higher version. But if AWS upgraded it for you automatically and your application wasn't compatible with the new version, the application would break, which could mean a significant financial and reputational loss to the customer.
And this is why my team has built SecOps Solution, a platform that takes care of the other half of the security of your cloud.
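Added here as a worked example, not code from the original post or from SecOps Solution: the customer-side "identify" step for the Log4j case above, run over a constructed jar inventory of the kind a `find` across a fleet of hosts would return. The per-branch fixed versions (2.17.1 for the Java 8+ line, 2.12.4 for the Java 7 branch, 2.3.2 for the Java 6 branch) are those published by the Apache Log4j project for the December 2021 CVEs through CVE-2021-44832; the file paths are made up.

```python
"""Scan a jar inventory for log4j-core versions below the fixed release of their branch.

Added example for this thread, not code from the original post or from
SecOps Solution. Fixed versions are the Apache Log4j releases for the
December 2021 CVEs (through CVE-2021-44832); the sample paths are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest release of each still-maintained 2.x branch that carries the fix.
# Most deployments are on the Java 8+ line and need 2.17.1 or later.
FIXED_BY_BRANCH = {
    (2, 3): (2, 3, 2),    # Java 6 branch
    (2, 12): (2, 12, 4),  # Java 7 branch
}
FIXED_DEFAULT: Version = (2, 17, 1)

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar and the 1.x
# artifact log4j-1.2.17.jar; deliberately does not match log4j-api-*.jar,
# which does not contain the vulnerable JNDI lookup code.
JAR_RE = re.compile(
    r"(?P<artifact>log4j(?:-core)?)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?(?:-(?P<pre>[A-Za-z0-9]+))?\.jar$"
)


@dataclass
class Finding:
    path: str
    version: str
    status: str              # "ok", "upgrade" or "eol"
    required: Optional[str]  # minimum fixed version for the branch, when one applies


def version_str(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess_path(path: str) -> Optional[Finding]:
    """Classify one jar path; returns None for files that are not log4j or log4j-core."""
    m = JAR_RE.search(path)
    if m is None:
        return None
    version: Version = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    label = version_str(version) + (f"-{m['pre']}" if m["pre"] else "")
    if version[0] != 2:
        # Log4j 1.x is end-of-life: not affected by CVE-2021-44228, but it
        # receives no fixes at all, so it is flagged for replacement.
        return Finding(path, label, "eol", None)
    required = FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT)
    # A pre-release of the fixed version (e.g. 2.17.1-rc1) does not count as fixed.
    is_fixed = version > required or (version == required and not m["pre"])
    return Finding(path, label, "ok" if is_fixed else "upgrade", version_str(required))


def assess_inventory(find_output: str) -> List[Finding]:
    """Run assess_path over each line of a `find ... -name 'log4j*.jar'` listing."""
    findings: List[Finding] = []
    for line in find_output.splitlines():
        line = line.strip()
        if line:
            finding = assess_path(line)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample inventory; these hosts and paths do not exist.
SAMPLE_FIND_OUTPUT = """\
/opt/app/lib/log4j-core-2.14.1.jar
/opt/app/lib/log4j-api-2.14.1.jar
/opt/legacy/lib/log4j-1.2.17.jar
/opt/svc/lib/log4j-core-2.12.4.jar
/opt/svc2/lib/log4j-core-2.17.1.jar
/opt/svc3/lib/log4j-core-2.3.1.jar
/opt/svc4/lib/log4j-core-2.0-beta9.jar
"""

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_FIND_OUTPUT):
        need = f" (needs >= {f.required})" if f.status == "upgrade" else ""
        print(f"{f.status:8} {f.version:12} {f.path}{need}")
```

Two caveats a practitioner would add: matching on jar names misses Log4j classes bundled inside a fat jar or WAR, so a production check should also open archives and look for `org/apache/logging/log4j/core/` entries; and this script only identifies. The upgrade itself still has to be tested against the application, which is exactly the compatibility problem the post gives for why the provider cannot do it for you.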
@Ashwani_Paliwal Some good points, but how many actually read and understand the Shared Responsibility Model, which every cloud provider has on its web site? It is part and parcel of the contract one signs with the provider. This is also tied to the SOC 2 reports, which are required to provide assurance that the cloud providers are protecting their infrastructure and systems as well as the clients.
Then use the NIST Cybersecurity Framework, compare it with their Shared Responsibility Model, and you really appreciate the real gaps and responsibilities, far more than a client originally thought in reality. It is quite eye-opening in some circumstances, depending on the client's experience and knowledge.
Which is another reason for getting an independent Cloud Security Posture assessment service conducted regularly, and not depending on the cloud provider's own statements, including the SOC 2 report. According to auditors it must be conducted regularly and independently, by a provider independent of the cloud provider.
The other side of the coin is the number of mistakes clients actually make in the configuration of systems, which the client is responsible for in many cases, including networks, virtual servers, storage etc. They must appreciate that the cloud provider provides the infrastructure and services such as storage, security and logging, but the client is ultimately responsible for their configuration.
The client may be advised by the cloud provider, but it is like taking a horse to water: the horse may not drink!
Regards
Caute_Cautim
Very well articulated @Caute_Cautim.
I would just add that we as a security community need to spread this awareness more, as cloud usage has become omnipresent and it is more important than ever to raise security awareness.