Drawing the lines on cloud security responsibility

Cloud has been around for the best part of a decade, yet it’s only in recent years that adoption has achieved a measure of scale.

Over that time, a lot of enabling methodologies and tools to operationalise cloud have matured, including for security, but organisations are still at various stages of deployment and use.

The end result is cloud instances are still prone to security issues such as misconfigurations; insecure code is still being shipped and run in the cloud; and customers still struggle with how to determine who is responsible when something goes wrong.

One reason cloud security risks aren’t easily mitigated is because cloud environments continue to grow in size and complexity. Being able to maintain visibility across that change and evolution is a challenge, as is assigning security oversight and responsibility to the party (or tool) most capable of handling it.

Cloud security responsibilities principally fall on the cloud provider or the customer, but within the customer organisation, there are also multiple additional stakeholders to align. I’ll explore both areas of security responsibility, before discussing options for how they can be addressed.

Provider-customer responsibility

At the highest level, cloud security is a shared responsibility between provider and customer, but the division of responsibilities is often not well defined.

A 2020 survey found only 8 per cent of CISOs “fully” understood shared-responsibility models for cloud security, compared to the year prior to that, when 18 per cent thought they understood. There was across-the-board confusion on how models differed between providers and cloud types — for example, software versus infrastructure versus platform as-a-service. And in 46 per cent of cases, more people were required to stay abreast of the division of responsibilities.

VIEW ALL

An important aspect of these results is they largely pre-date a period of intensive digital transformation and cloud adoption.

Multi-cloud use is now more common, with 46 per cent of APAC organisations already that way and 38 per cent expecting to be multi-cloud within a year. Cloud migration is also occurring at scale: a recent survey found “75 per cent of IT leaders plan to move more business functions”.

That explains why confusion on the split of responsibilities is still prevalent and a consistent theme that still comes up in customer conversations. Cloud environments are exponentially more complicated today. There’s more to oversee, unpack and assign responsibility for.

Internal customer responsibilities

Once the customer understands what they are broadly and granularly responsible for, there is a further internal division of labour and responsibility with which to contend. ExtraHop explored this issue in a recent study, Reducing Cloud Security Friction.

Organisations start using the cloud ​​to spur innovation because it enables development teams to quickly create and deploy new applications. But moving fast and moving securely are often at odds. Often the clouds that allow the fastest movement — those used to host containerised workloads or that are platform-as-a-service (PaaS) — are the most challenging to create security guardrails for. Yet it has to be done: more than half (52 per cent) of organisations leverage containerised environments, and another 42 per cent use PaaS to drive innovative app development. These are very much the future of the cloud, and need to be secured in such a way that does not hinder their use and unique value proposition.

Communication gaps can be another point of friction, especially between security and development teams. Only 4 per cent of respondents rated communication between the two as excellent, compared to 32 per cent of communication lines between security and infrastructure teams.

Security teams can’t defend what they can’t see, so they need tools that work across cloud environments. They also need open communication lines with developers, and to know that developers buy into cloud security and will do their part not to ship vulnerable code. This can be codified in a DevSecOps approach, though it is still the exception rather than the rule.

Better visibility for better cloud security

Organisations that are better at resolving responsibility delineation, despite environment and team complexity, have one thing in common.

They’ve all established a layer of visibility that stretches right across their cloud environments and is shared across teams and executives that need to know. Once that visibility is established, everyone is better able to coordinate and delegate responsibilities.

Visibility also needs to be supported by cloud threat detection. If vulnerable apps are released, organisations need the ability to quickly detect, investigate, and respond to alerts when adversaries take advantage of those vulnerabilities. They can then turn to the division of responsibilities to effect a suitable incident response.

Aligning people, processes, and technology is essential to creating better outcomes and reducing friction in cloud security. When security teams and their counterparts in development and operations participate in joint methodologies and have tools they can both use, it eliminates silos and improves communication. Ideally, tooling should also be unobtrusive, helping security teams identify risks in fast-moving cloud environments, without interrupting the speed of development work.

When everyone with a stake in cloud security is working well together and keeping everything on track, it helps mitigate friction that could slow or stop migration or digital transformation projects and bubble up to the C-suite if projects face delays over security concerns.