How to succeed under the shared responsibility model
Cloud security is an evolving space where consumers and vendors must innovate quickly, not only to outpace attackers, but also to support rapid development while minimizing the risks presented by misconfiguration and other forms of user error. Your best bet is to stay closely attuned to industry learnings and best practices compiled by trusted thought leaders.
Recently, the global market intelligence firm IDC released a workbook containing a Cloud Security Roadmap that covers the limitations and best practices of the Shared Responsibility Model in cloud security, as well as a checklist to help you understand your technology needs and evaluate potential cloud security vendors.
By Dr. Kai Chen, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd.
The largest cloud service providers (CSPs) have published papers and articles on shared security responsibility, explaining their roles and responsibilities in cloud provisioning. Although these share similar concepts, in practice the interpretations and implementations differ from one CSP to another.
While there are many cloud security standards to help guide CSPs in fulfilling their security responsibilities, cloud customers still find it challenging to design, deploy, and operate a secure cloud service. The “Guideline on Effectively Managing Security Service in the Cloud” (referred to as the ‘Guideline’), developed by CSA’s Cloud Security Services Management (CSSM) Working Group, provides easy-to-understand guidance for cloud customers. It covers how to design, deploy, and operate a secure cloud service for the different cloud service models, namely IaaS, PaaS, and SaaS. Cloud customers can use it to help ensure the secure running of their service systems.
In the Guideline, the shared security responsibility figure was developed with reference to Gartner’s shared security responsibility model. It illustrates the security handoff points for IaaS, PaaS, and SaaS cloud models. The handoff point moves up the stack across the models.
Security responsibility division between CSPs and cloud customers in different cloud service models.
While there are differences in the security responsibility across the models, some responsibilities are common to all cloud service models:
CSPs’ Common Security Responsibilities
Physical security of the infrastructure, including but not limited to: equipment room location selection; power supply assurance; cooling facilities; protection against fire, water, shock, and theft; and surveillance (for details about the security requirements, see related standards)
Security of computing, storage, and network hardware
Security of basic networks, such as anti-DDoS (distributed denial of service) protection and firewalls
Cloud storage security, such as backup and recovery
Security of cloud infrastructure virtualization, such as tenant resource isolation and virtualization resource management
Tenant identity management and access control
Secure access to cloud resources by tenants
Security management, operational monitoring, and emergency response for the infrastructure
Formulating and rehearsing service continuity assurance plans and disaster recovery plans for infrastructure
Cloud Customers’ Common Security Responsibilities
User identity management and access control of service systems
Data security (under the European General Data Protection Regulation (GDPR), cloud customers are the data controllers and are responsible for data security, while CSPs only process the data and take on the security responsibilities delegated to them by the data controllers.)
Security management and control of terminals that access cloud services, including hardware, software, application systems, and device rights
In addition, the Guideline contains chapters that describe the technical requirements for the security assurance of cloud service systems and provides an implementation guide based on existing security technologies, products, and services. It also illustrates the security assurance technologies, products, and services that CSPs and customers should provide in each of the cloud service models mentioned previously.
Security responsibilities between CSPs and cloud customers
Mapping of the Guideline to the CCM
To help provide an overview to end users about the similarities and differences between the security recommendations listed in the Guideline and the Cloud Controls Matrix (CCM) controls, the CSSM working group conducted a mapping of CCM version 3.0.1 to the Guideline.
The mapping document is supplemented with a detailed gap analysis report that breaks down the gaps in each CCM domain and provides recommendations to readers.
“This mapping work brings users of the Guideline a step closer to being CCM compliant, beneficial to organizations looking to extrapolate existing security controls to match another framework, standard or best practice,” said Dr. Chen Kai, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd., and chair of the CSSM Working Group.
Using the gap analysis, users of the Guideline can close the areas it does not cover with ease. By showing what it takes to go from the Guideline to the CCM, the mapping work complements the Guideline and helps users achieve holistic security controls.
Download the gap analysis report on mapping to the CSA’s Cloud Controls Matrix (CCM) now.
Learn more about the Cloud Services Management Working Group here.
I recently sat down with the CEO and founder of CSA, Jim Reavis, to gain a deeper understanding of what leaders and practitioners can learn from this year’s report, which covers the top 11 threats to cloud computing – The Egregious 11.
(Greg) Jim, for those who have never seen this, what is the CSA Top Threats to Cloud report and who is your target reader?
(Jim) The CSA Top Threats to Cloud Computing is a research report that is periodically updated by our research team and working group of volunteers to identify high priority cloud security risks, threats and vulnerabilities to enable organizations to optimize risk management decisions related to securing their cloud usage. The Top Threats report is intended to be a companion to CSA’s Security Guidance and Cloud Controls Matrix best practices documents by providing context around important threats in order to prioritize the deployment of security capabilities to the issues that really matter.
Our Top Threats research is compiled via industry surveys as well as through qualitative analysis from leading industry experts. This research is among CSA’s most popular downloads and has spawned several translations and companion research documents that investigate cloud penetration testing and real world cloud incidents. Top Threats research is applicable to the security practitioner seeking to protect assets, executives needing to validate broader security strategies and any others wanting to understand how cloud threats may impact their organization. We make every effort to relate the potential pitfalls of cloud to practical steps that can be taken to mitigate these risks.
(Greg) Were there any findings in the Top Threats report that really stood out for you?
(Jim) Virtually all of the security issues we have articulated impact all different types of cloud. This is important as we find a lot of practitioners who may narrow their cloud security focus on either Infrastructure as a Service (IaaS) or Software as a Service (SaaS), depending upon their own responsibilities or biases. The cloud framework is a layered model, starting with physical infrastructure with layers of abstraction built on top of it. SaaS is essentially the business application layer built upon some form of IaaS, so the threats are applicable no matter what type of cloud one uses. Poor identity management practices, such as a failure to implement strong authentication, stick out to me as a critical and eminently solvable issue. I think the increased velocity of the “on demand” characteristic of cloud finds its way into the threat of insufficient due diligence and problems of insecure APIs. The fastest way to implement cloud is to implement it securely the first time.
(Greg) What do you think are some of the overarching trends you’ve noticed throughout the last 3 iterations of the report?
(Jim) What has been consistent is that the highest impact threats are primarily the responsibility of the cloud user. To put a bit of nuance around this, as the definition of a “cloud user” can be tricky, I like to think of this in three categories: a commercial SaaS provider, an enterprise building its own “private SaaS” applications on top of IaaS, or a customer integrating a large number of SaaS applications. These cloud users have the bulk of the technical security responsibilities. So many of the real-world threats that these cloud users grapple with are improper configuration, poor secure software development practices and insufficient identity and access management strategies.
(Greg) Are you seeing any trends that show there is increasing trust in cloud services, as well as the CSP working more effectively around Shared Responsibility Security Model?
(Jim) The market growth in cloud is a highly quantifiable indicator that cloud is becoming more trusted. “Cloud first” is a common policy we see for organizations evaluating new IT solutions, and it hasn’t yet caused an explosion of cloud incidents, although I fear we must see an inevitable increase in breaches as it becomes the default platform.
We have been at this for over 10 years at CSA and have seen a lot of maturation in cloud during that time. One of the biggest contributions we have seen from the CSPs over that time is the amount of telemetry they make available to their customers. The amount and diversity of logfile information customers have today does not compare to the relative “blackbox” that existed when we started this journey more than a decade ago.
Going back to the layered model of cloud yet again, CSPs understand that most of the interesting applications customers build are a mashup of technologies. Sophisticated CSPs understand this shared responsibility for security and have doubled down on educational programs for customers. Also, I have to say that one of the most rewarding aspects of being in the security industry is observing the collegial nature among competing CSPs to share threat intelligence and best practices to improve the security of the entire cloud ecosystem.
One of the initiatives CSA developed that helps promulgate shared responsibility is the CSA Security, Trust, Assurance & Risk (STAR) Registry. We publish the answers CSPs provide to our assessment questionnaire so consumers can objectively evaluate a CSP’s best practices and understand the line of demarcation and where their responsibility begins.
(Greg) How does the perception of threats, risks and vulnerabilities help to guide an organization’s decision making and strategy?
(Jim) This is an example of why it is so important to have a comprehensive body of knowledge of cloud security best practices and to be able to relate it to Top Threats. A practitioner must be able to evaluate using any risk management strategy for a given threat, e.g. risk avoidance, risk mitigation, risk acceptance, etc. If one understands the threats but not the best practices, one will almost always choose to avoid the risk, which may end up being a poor business decision. Although the security industry has gotten much better over the years, we still fight the reputation of being overly conservative and obstructing new business opportunities over concerns about security threats. While being paranoid has sometimes served us well, threat research should be one of a portfolio of tools that helps us embrace innovation.
(Greg) What are some of the security issues that are currently brewing/underrated that you think might become more relevant in the near future?
(Jim) I think it is important to understand that malicious attackers will take the easy route and if they can phish your cloud credentials, they won’t need to leverage more sophisticated attacks. I don’t spend a lot of time worrying about sophisticated CSP infrastructure attacks like the Rowhammer direct random access memory (DRAM) leaks, although a good security practitioner worries a little bit about everything. I try to think about fast moving technology areas that are manipulated by the customer, because there are far more customers than CSPs. For example, I get concerned about the billions of IoT devices that get hooked into the cloud and what kinds of security hardening they have. I also don’t think we have done enough research into how blackhats can attack machine learning systems to avoid next generation security systems.
Our Israeli chapter recently published a fantastic research document on the 12 Most Critical Risks for Serverless Applications. Containerization and Serverless computing are very exciting developments and ultimately will improve security as they reduce the amount of resource management considerations for the developer and shrink the attack surface. However, these technologies may seem foreign to security practitioners used to a virtualized operating system and it is an open question how well our tools and legacy best practices address these areas.
The future will be a combination of old threats made new and exploiting fast moving new technology. CSA will continue to call them as we see them and try to educate the industry before these threats are fully realized.
(Greg) Jim, it’s been great hearing from you today on this new Top Threats to Cloud report. Hats off to the team and the contributors for this year’s report. It has been great working with them all!
Many cloud apps – including Office 365 – operate under a shared responsibility model. Here’s what that means for your company
By Beth Stackpole, Feature Writer, Symantec
Security concerns, once a long-standing hurdle to cloud deployment, may be on the wane, but the issue is still very much alive when it comes to cloud-based applications such as Microsoft Office 365.
It’s not that Office 365 is inherently less secure than other SaaS offerings; it’s that companies still harbor misperceptions related to the shared responsibility model now commonplace for many cloud applications, including Microsoft Office 365. The issue is particularly acute given the rising popularity of the Microsoft cloud platform. Global cloud adoption has topped 81 percent, while Office 365 usage has surged from 34.3 percent to 56.3 percent over the last year, eclipsing Google’s G Suite, which held steady at 25 percent.
Under the shared responsibility model, security of physical assets, host infrastructure, network controls, and application-level controls is squarely in the hands of cloud service providers (CSPs) like Microsoft, but that hardly covers all the bases. Identity and access management and client and endpoint protection remain a split responsibility between the CSP and the customer; more importantly, the enterprise needs to take the reins when it comes to data security and classification—a delineation that is often lost on customers who expect that a SaaS solution means security requirements are taken care of.
“One of the most common misperceptions is that Microsoft, by default, is protecting all the data and that’s simply not the case,” says Swapnil Deshmukh, senior director of information security at Visa. “Organizations need to figure out how to protect the application stack and any code that resides there as well as how to protect data stored on the cloud itself.”
Not surprisingly, there have already been some well-publicized breaches. A wave of phishing attacks aimed at stealing passwords used Microsoft 365 Office files posing as tax forms, affecting millions of users. And then there was last year’s mishap in which the Office 365 Admin Center itself inadvertently revealed usage data belonging to other tenants, which highlighted the risks in the context of regulations like the European GDPR (General Data Protection Regulation).
A holistic security approach
Symantec’s 2018 Shadow Data Report, which covers the key challenges encountered when trying to secure data and maintain compliance in cloud apps and services, reveals just how high the stakes have become. The report found that 32 percent of emails and attachments in the cloud are broadly shared and 1 percent of those contain compliance-related data, including Personally Identifiable Information (PII), Payment Card Information (PCI), and Protected Health Information (PHI), revealing a much higher risk than anticipated.
Moreover, 68 percent of organizations have some employees who exhibit high-risk behavior in cloud accounts, encompassing everything from data destruction to data exfiltration and account takeovers. It gets worse: The 2017 Symantec Internet Security Threat Report (ISTR) found that in 2016 one out of every 131 emails contained a malware attack, and 61 percent of organizations were hit by ransomware incidents.
Microsoft Office 365 delivers an array of security controls, including encryption of data both at rest and in transit, threat management and security monitoring capabilities, and online protection to ward off spam and malware. Azure Active Directory is used for authentication, identity management, and access control, and there is support for multi-factor authentication. The platform also has a built-in feature for email encryption, but it isn’t part of the default settings.
This highlights a problem for many users who simply don’t know what’s available beyond Office 365’s default security controls, notes Payton Moyer, president and COO of MLS Technology Group, a managed IT services provider. “Office 365 offers baseline security features baked in and ready to go by default, but to get the maximum security, you have to make an effort to add capabilities and turn them on,” he says.
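As an added example (not code from the Symantec article, from the quoted experts, or from Microsoft), the following PowerShell function uses the Exchange Online Management module to audit a few of the tenant settings the paragraphs above refer to: whether Office 365 Message Encryption (which depends on Azure RMS) is enabled, whether the unified audit log is being populated, whether modern (OAuth 2.0) authentication is on, and whether organization-level mailbox auditing is disabled. The cmdlets and property names are standard Exchange Online ones; the function name `Test-O365SecurityBaseline`, the `-Remediate` switch, and the sample admin address are this example's own assumptions.

```powershell
# Added example, not from the article or from Microsoft.
# Audits Office 365 controls that exist but may not be on by default,
# and optionally turns them on. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an Exchange admin.
# Test-O365SecurityBaseline and -Remediate are names chosen for this example.

function Test-O365SecurityBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AdminUpn,   # constructed sample: admin@contoso.example
        [switch] $Remediate                           # apply fixes instead of only reporting
    )

    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

    $findings = @()

    # 1. Office 365 Message Encryption rides on Azure RMS; the article notes it is not a default.
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        $findings += 'Azure RMS / Office 365 Message Encryption is disabled'
        if ($Remediate) { Set-IRMConfiguration -AzureRMSLicensingEnabled $true }
    }

    # 2. Unified audit log: without it there is no telemetry to investigate an account takeover.
    $audit = Get-AdminAuditLogConfig
    if (-not $audit.UnifiedAuditLogIngestionEnabled) {
        $findings += 'Unified audit log ingestion is disabled'
        if ($Remediate) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
    }

    # 3. Modern authentication (OAuth 2.0) is the prerequisite for enforcing MFA on mail clients;
    #    legacy basic auth cannot carry a second factor.
    $org = Get-OrganizationConfig
    if (-not $org.OAuth2ClientProfileEnabled) {
        $findings += 'Modern authentication (OAuth2ClientProfileEnabled) is off'
        if ($Remediate) { Set-OrganizationConfig -OAuth2ClientProfileEnabled $true }
    }

    # 4. Organization-level mailbox auditing: when AuditDisabled is $true, per-mailbox
    #    AuditEnabled flags are ignored and no mailbox actions are recorded.
    if ($org.AuditDisabled) {
        $findings += 'Mailbox auditing is disabled at the organization level'
        if ($Remediate) { Set-OrganizationConfig -AuditDisabled $false }
    }

    Disconnect-ExchangeOnline -Confirm:$false

    # Return findings as objects so the result can be piped to Export-Csv or a ticketing system.
    foreach ($f in $findings) {
        [pscustomobject]@{ Finding = $f; Remediated = [bool]$Remediate }
    }
}

# Usage: run read-only first and review the output, then re-run with -Remediate.
# Test-O365SecurityBaseline -AdminUpn 'admin@contoso.example'
# Test-O365SecurityBaseline -AdminUpn 'admin@contoso.example' -Remediate
```

The point of the read-only pass is the delineation the article describes: each of these switches is the customer's to flip, and none of the `Set-` cmdlets are run unless `-Remediate` is given. Office 365 Message Encryption additionally needs a mail flow rule or user action to actually encrypt a message; enabling Azure RMS only makes the capability available, so treat check 1 as a prerequisite rather than proof that mail is being encrypted.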
What’s really important, experts say, is for enterprises to layer on additional security capabilities, including digital rights management, data loss prevention (DLP) services, and threat analytics, blocking, and remediation.
Adds Symantec Senior Technical Sales Manager, Adrian Covich: “People are looking for the base functionality and don’t necessarily proceed with security in mind. They also misunderstand the point to which Microsoft will secure them out of the box versus what they still need to do. There are still fundamental questions you need to answer with SaaS when it comes to the delineation of responsibilities and who has access to data. Are your users who they say they are? What data are you storing and are your business processes sufficiently secure?”
These extra protections should work holistically across the entire enterprise domain, not just for the Microsoft Office 365 cloud silo. To this point, a Cloud Access Security Broker (CASB) can integrate Office 365 and other cloud apps into the broader enterprise security architecture, delivering visibility into shadow IT and cloud application usage, providing data governance and controls for data stored in cloud apps, and leveraging machine learning and user behavior analytics to deliver advanced security and data protection.
“A CASB sits between the enterprise end user and Microsoft Office 365, looks at all the data, and allocates the right controls to it,” says Visa’s Deshmukh. “It stops data exfiltration avenues from an internal perspective and identifies adversaries that may have compromised end users.”
By sharing responsibility and taking a holistic approach, enterprises can close security gaps, minimize potential risks, and ensure a stress-free path to the cloud.
This post was originally published on Sept. 24, 2018, on Symantec.com.