Based on our recent survey of cloud decision makers, security/privacy continues to be the top factor influencing how they allocate compute and storage workloads among on-premise servers, co-location/third-party hosting, and public/hybrid clouds. I've been working closely with an industry thought leader on cloud security, Mark Nunnikhoven from Trend Micro, and would like to share some of his insights, which should make securing the cloud simpler.

The key is to understand the model for the service you're using. This concept is called the Shared Responsibility Model. Once organizations understand it, they could end up more secure than in a traditional environment. The reason is straightforward. Suppose, for example, you have a team of 10 resources and a $1M budget per year. By moving to a cloud service provider, you can reduce the number of activities for which your team is responsible. With the same number of people and the same budget, your team is focusing on 5 areas instead of 10, and you simply need to verify that your provider is doing what they said they would. This allows your team to narrow its focus to the areas it is responsible for and to verifying the provider's areas of responsibility.

This model is true of most major cloud service providers if you look at their trust center landing page. They publish information on how they secure their services and what they do to ensure that they’re holding up their end of the responsibility.  Typically, you can open up a support ticket and request the auditor evidence to get a copy of the SOC 1 and SOC 3 audit reports showing they have externally verified they are running the datacenter using best practices.

Once you understand verification, you must then know where the line is in the Shared Responsibility Model. For cloud compute environments, you take over at the operating system. The provider is more than happy to give you the instances you need, billed per hour, with zero security applied beyond what they've done at the hypervisor level. They provide some tools to help you, like security groups and network ACLs, but it's up to you to configure them…and that is entirely your responsibility. You can open an instance up on any port to the world…a horrible idea…but you can do it. It's your responsibility to understand that it is a bad idea and that you need to lock it down to only the ports you need.

The hypervisor level, by contrast, is their responsibility. It has technology in place to ensure that VMs aren't cross-talking and that nobody is accessing the memory space outside of their individual VM. Administrators only connect to that service through a host that's been approved by two people, spun up on demand, heavily monitored and audited, and then shut down. They cover all that security, but as soon as they hand you the actual server and the instance, it's hands-off for them.
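For the customer's side of that line, here is one way to check security group rules for ports opened to the world. This is an added example, not code from the original post or from any provider; it assumes rule data shaped like the AWS EC2 `describe_security_groups` response (`IpPermissions`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`), and the allowlist and sample groups are constructed.

```python
import ipaddress

# Assumption: only these ports are meant to be reachable from the internet.
ALLOWED_PUBLIC_PORTS = {443}

def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length 0 covers every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def world_open_findings(groups, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (group_id, protocol, from_port, to_port, cidr) for each rule that
    exposes a port outside `allowed` to the whole internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            if proto == "-1":  # "-1" means all protocols and all ports
                lo, hi = 0, 65535
            elif proto in ("tcp", "udp"):
                lo, hi = rule["FromPort"], rule["ToPort"]
            else:
                continue  # ICMP and similar: no port range to evaluate
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            # A range is acceptable only if every port in it is allowlisted.
            exposed = any(p not in allowed for p in range(lo, hi + 1))
            for cidr in cidrs:
                if exposed and _is_world(cidr):
                    findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings

# Constructed sample data, not from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE_GROUPS):
        print(finding)
```

The allowlisted HTTPS rule and the internal-only database rule pass; the world-open SSH rule and the all-traffic rule are reported.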

This concept is fairly easy to understand for organizations that have similar setups internally. For example, when a request comes into the VMware team to provision 10 new servers, those VMs are set up based on standard templates, and then it's up to the user to configure and manage them. This holds true when moving to the public cloud, but instead of asking an internal group, you're asking a third-party provider, and there is a hard line of responsibility once the keys are handed over.

Once this is understood, you can start to examine what type of security controls you need in place. If you look at infrastructure as a service (IaaS) compared with a traditional datacenter, the datacenter has various controls around the boundary. You're normally going to have firewalls, intrusion protection systems, and gateway controls to protect the perimeter at the edge.

That edge goes away when you move into the cloud. Now you need to start evaluating what controls you need to put directly on the virtual machines or on the instances to regain those control points.

This is where you start to look at products like Trend Micro Deep Security, which push that network stack and other controls like integrity monitoring and log inspection directly onto the virtual machine.

I like how Mark summarizes these models with a simple quote, “The closer you are to the hardware, the more responsibility you have.”

Our CDW Cloud Team is familiar with helping clients navigate the “Cloud Readiness” planning process through a structured methodology that helps mitigate the risks of cloud projects and migrations. One of these steps is helping clients understand the Shared Responsibility Model, and it has been a key part of our success in the emerging world of Cloud.

If you have comments or questions related to this topic, comment below or feel free to catch me at @jasohar and Mark at @marknca.
