Information security comes with an implicit trick: it is never perfect and never 100% effective. No matter what strategies are applied, what tools are used, and the level of commitment with which the topic is approached, there can always be a loophole that virtual attackers can use to find our vulnerabilities.
The computer model in the cloud creates a grey area in terms of responsibility. Who is to blame when there is an incident? Is it the cloud provider who is supposed to look after the infrastructure? Is it the user company that mounted the infrastructure on weak systems? The “shared responsibility model for cloud security” –to which most big players in the market subscribe– avoids those conflicts.
Who is in charge of what
This model clearly determines who takes care of the different strata. Broadly speaking, the cloud provider is in charge of the base software, the operating-system upgrades, hardware, storage, databases, and internal networks. Meanwhile, the user company must make sure that the data stored are encrypted, that applications have been developed with the required precautions, that final user settings are the correct ones, and of upgrading the operating systems, for instance, of virtual machines – something that does not happen in serverless configurations, where the operating-system security is 100% the provider’s responsibility, to mention just a few examples.
There are also shared schemas. If the provider commits to releasing the latest patches available for a given operating system, the client must be equally committed to applying it immediately. The network is another sensitive issue. The secure configuration of the virtual private networks in the cloud is the user’s responsibility, but an updated web app firewall managed by the cloud provider must run underneath. Companies must be aware that if an app that runs in a container with an out-of-date operating system is exposed, it might run a risk that cannot be transferred to the provider in the event it becomes an incident.
If the client does not manage the cloud solution properly, then it will not be able to handle the specific security issues it should control.
Another issue that might generate some form of controversy is compliance with specific regulations, such as those included in HIPAA (Health Insurance Portability and Accountability Act), that mainly affect the healthcare industry. They require –among other things– the protection of data and the safekeeping of user information for a given number of years.
The main clouds are usually up-to-date with all the necessary certifications. However, that does not mean that a company that runs an application in that cloud also reaches compliance: it needs to complete the certification process for that application in particular, including data archiving and recovery strategies.
The importance of monitoring
Logs play a fundamental role for monitoring, not only for the shared-responsibility model but also for the cloud security strategy as a whole. Logs are records that make it possible to determine what happened or what actions users took that might have exposed sensitive information.
For instance, a cloud administrator creates a new user and grants it certain permits: every single step it takes to make it happen is carefully recorded. This is how logs detect any suspicious activity.
There are also auto-detection services that constantly monitor potentially malicious activity and metrics about the state of resources (use of the CPU or memory, latency, number of requests to a database, incoming and outgoing activity) and issue alerts when one of the parameters is out of its usual range. APM (Application Performance Management) services work in a similar way.
To sum up, the shared responsibility model was not created so that parties could blame each other for an incident. Rather, both parties can add the highest commitment possible to guarantee data security, reliability, and privacy.