
Cloud Security Pitfall: Understanding the Shared Responsibility Model

In the early days of the public cloud, enterprises were reluctant to place anything but lowest-risk, non-mission-critical applications in the cloud. Public-facing web sites and the like represented much of this early cloud traction.

As the cloud matured, enterprise decision makers became more comfortable with moving mission-critical apps to the cloud. For such applications, the scalability, cost, and ease-of-use benefits outweighed their concerns for an increasingly wide swath of their application portfolio.

Security, of course, has always been the most significant of these concerns. As IT execs came to realize that public clouds could actually offer more secure infrastructure than they could implement in their own data centers, many of the reservations about the cloud fell away, leading to ‘cloud-first’ strategies for many top enterprises.

Yet, while all the leading public cloud providers tout their nearly bulletproof security, there has also been a raft of embarrassing breaches in those same clouds. What’s going on here?

The problem is not with the security of the cloud infrastructure itself, but rather how cloud customers configure their own security inside the cloud.

The Finger-Pointing Problem

All public cloud environments work on a shared responsibility model in which the cloud provider is responsible for security *of* the cloud: the facilities, hardware, network, hypervisor, and the managed services it operates. Cloud customers, however, are responsible for security *in* the cloud: configuring identities, permissions, network controls, encryption, and the services they consume properly, in the context of their overall cloud strategy.

The shared responsibility model also extends to IT controls beyond those specific to security. Just as the customer and cloud provider share the responsibility to operate the IT environment, the same parties must share the management, operation, and verification of all IT controls.

To ease these requirements, cloud providers offer a variety of tools within their environments that customers can use to establish the appropriate controls for their particular situation. However, it is always up to the customer to understand how to properly configure and implement such controls.

When a breach occurs, however, customers are likely to point fingers at the cloud provider as being at least partially culpable for such a breach. After all, it promised that its cloud was secure, right?

From the cloud provider’s perspective, the responsibility for proper configuration of security controls is squarely in the customer’s domain – and the legal contracts between customer and provider are sure to delineate this fact.

This finger-pointing exercise never improves matters, and instead reinforces an adversarial relationship between provider and customer where a collaborative relationship would be both more productive and more secure in the long run.

Taking an Abstracted, Multi-Tier Approach

The burden of avoiding such finger-pointing falls upon the customer’s technical staff – in particular, the architects who are responsible for the overall cloud deployment and operational plan, including the configuration of IT controls.

Enterprise IT is still responsible for data and application security, as well as regulatory compliance. As a result, enterprise cloud and security architects must ensure that everyone within the organization – including security, networking, application, and cloud teams – is properly deploying applications and workloads within the context of the organization’s security and compliance policies.

The reference architecture these professionals hammer out, therefore, must include both the customer and provider sides of the shared responsibility model in a single, unified abstraction layer. Such an architecture must be both policy-based and multi-tiered.

The diagram below illustrates the customer and cloud provider sides of AWS’s shared responsibility model – a template that Microsoft Azure and other cloud providers have generally followed.

The AWS Shared Responsibility Model (Source: AWS)

Policies are central to the implementation of adequate security – not simply the policies specific to the configuration of individual cloud services, but policies regarding the IT organization’s use and configuration of the cloud within the context of the overall IT strategy.

Security, however, doesn’t simply operate at this abstracted, policy-centric level. To mitigate security risks in today’s rapidly evolving threat landscape, security personnel must complement traditional security approaches with additional detection and response techniques in order to uncover anomalies and other issues across the entire hybrid on-premises/cloud environment.

In other words, trust but verify. Enterprises must trust their cloud providers to implement their part of the security equation, while leveraging the appropriate tooling to obtain sufficient visibility into the cloud environment to ensure end-to-end security.
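The customer side of the model described above (the provider offers the controls, the customer must configure them) and the "trust but verify" visibility point both come down to the same practical question: can you mechanically check that what your teams actually deployed matches the organization's policy? The following is an added example written for this page, not code from the original post or from any cloud provider. It audits a handful of S3-bucket-policy-style JSON documents for unconditional grants to anonymous principals, one of the most common customer-side misconfigurations behind the breaches the post alludes to. The policies, bucket names, account ID and organization ID are all constructed placeholders for illustration, and the `intended_public` allowlist stands in for the organization-level policy that says which resources are meant to be world-readable (for instance, the public web sites mentioned earlier).

```python
import json
from typing import Dict, List

# Constructed sample policies written for this example (not real buckets):
# one intentionally public web asset bucket, one accidentally public data
# bucket, and the corrected form of that data bucket.
SAMPLE_POLICIES: Dict[str, dict] = {
    "public-site-assets": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::public-site-assets/*"}
        ],
    },
    "customer-records": {
        "Version": "2012-10-17",
        "Statement": [
            # Weak setting: {"AWS": "*"} is the same as a bare "*": anyone,
            # including unauthenticated callers, may read and list the bucket.
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::customer-records",
                          "arn:aws:s3:::customer-records/*"]}
        ],
    },
    "customer-records-fixed": {
        "Version": "2012-10-17",
        "Statement": [
            # Corrected: grant only to a named role (placeholder account ID).
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-reader"},
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::customer-records",
                          "arn:aws:s3:::customer-records/*"]},
            # A wildcard principal scoped by a condition (placeholder org ID)
            # is not flagged by this check; review such statements by hand.
            {"Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::customer-records/*",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}
        ],
    },
}


def _as_list(value) -> list:
    """Policy JSON allows either a scalar or a list in most fields."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True when a statement's Principal grants to everyone.

    Both the bare "*" form and a map such as {"AWS": "*"} mean "any
    principal", which includes unauthenticated requests.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for vals in principal.values() for v in _as_list(vals))
    return False


def find_public_statements(policy: dict) -> List[dict]:
    """Return Allow statements granting to anonymous principals with no Condition.

    A Condition does not automatically make a wildcard grant safe, but an
    unconditional anonymous Allow is always worth a finding.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({"actions": _as_list(stmt.get("Action")),
                         "resources": _as_list(stmt.get("Resource"))})
    return findings


def audit(policies: Dict[str, dict], intended_public=frozenset()) -> Dict[str, List[dict]]:
    """Map each bucket name to its findings; buckets the organization's
    policy declares public on purpose are reported as clean."""
    return {name: ([] if name in intended_public else find_public_statements(p))
            for name, p in policies.items()}


if __name__ == "__main__":
    results = audit(SAMPLE_POLICIES, intended_public={"public-site-assets"})
    for bucket, findings in results.items():
        print(f"{bucket}: {'PUBLIC' if findings else 'ok'}")
        for f in findings:
            print(f"  actions={f['actions']} resources={f['resources']}")
```

In a real deployment the policy documents would come from the provider's API (the tooling the post says providers supply) rather than from an inline dictionary, and the check would run continuously, since the verification half of "trust but verify" is about what is deployed now, not what was approved at design time.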

The Intellyx Take

Understanding and adopting a true shared responsibility model is a critical activity that one blog post cannot do justice to. This is, therefore, the first part of a four-part blog series on this important topic.

In part two of the series, we’ll discuss the respective concerns of the security architect and the network architect. We’ll explore how people in these roles must change their thinking about how they work together to achieve the business goals for the applications they support, including security.

Then, in part three, we’ll dive into the security challenges inherent in hybrid IT and multicloud deployment architectures, within the context of the shared responsibility model and the organizational changes we discuss in the first two posts.

By the time we get to part four, we’ll be able to fill in some of the technical details of the multi-tiered security model that provides visibility into virtual machine network traffic – a particular challenge in public cloud environments that hide the details of their internal network configurations from their customers.

Misunderstanding the shared responsibility model can lead to vulnerabilities. The challenge enterprises face is not simply ensuring that they’ve configured cloud services properly, but in implementing a comprehensive, well-architected strategy for security and compliance across all environments, both on-premises and in the cloud.

Copyright © Intellyx LLC. Gigamon and Microsoft are Intellyx clients. At the time of writing, none of the other organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content of this paper.


More Stories By Jason Bloomberg

Jason Bloomberg is a leading IT industry analyst, Forbes contributor, keynote speaker, and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation. He is ranked #5 on Onalytica’s list of top Digital Transformation influencers for 2018 and #15 on Jax’s list of top DevOps influencers for 2017, the only person to appear on both lists.

As founder and president of Agile Digital Transformation analyst firm Intellyx, he advises, writes, and speaks on a diverse set of topics, including digital transformation, artificial intelligence, cloud computing, devops, big data/analytics, cybersecurity, blockchain/bitcoin/cryptocurrency, no-code/low-code platforms and tools, organizational transformation, internet of things, enterprise architecture, SD-WAN/SDX, mainframes, hybrid IT, and legacy transformation, among other topics.

Mr. Bloomberg’s articles in Forbes are often viewed by more than 100,000 readers. During his career, he has published over 1,200 articles (over 200 for Forbes alone), spoken at over 400 conferences and webinars, and he has been quoted in the press and blogosphere over 2,000 times.

Mr. Bloomberg is the author or coauthor of four books: The Agile Architecture Revolution (Wiley, 2013), Service Orient or Be Doomed! How Service Orientation Will Change Your Business (Wiley, 2006), XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996). His next book, Agile Digital Transformation, is due within the next year.

At SOA-focused industry analyst firm ZapThink from 2001 to 2013, Mr. Bloomberg created and delivered the Licensed ZapThink Architect (LZA) Service-Oriented Architecture (SOA) course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, which was acquired by Dovel Technologies in 2011.

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting), and several software and web development positions.
