Understanding Shared Responsibility For a SaaS Environment

As a SaaS organization, you may be well-versed in the world of cloud computing and feel confident that the cloud is as secure as any on-prem or data center network — as you should. Cloud Service Providers (CSPs) have gone to great lengths to secure their infrastructure, employing in-house security teams with deep expertise and world-class security tools. Few SaaS companies alone can achieve the same level of collective cloud security prowess that an IaaS provider such as AWS or Azure can.

But security of the cloud is different from security in the cloud, which is to say that you — as a SaaS organization — are not off the hook completely. The shared responsibility model that cloud providers subscribe to means that, while they are responsible for the security of cloud infrastructure, you are responsible for the security of your own data, platform, applications systems, and networks.

The better you understand this division of labor, the better you can secure your SaaS environment. In this post, we’ll explore when you need to embrace your responsibility and when it’s okay to let your CSP drive — so you know exactly where to focus your cloud security efforts.

Trust in Your Provider

It may not always have been the case, but cloud providers are now exceedingly transparent in the way they handle security. AWS’s Shared Responsibility Model documentation may offer the best example, outlining Amazon’s commitment to security and offering detailed information about ongoing security issues through its Bulletins service. AWS also makes it simple to get in touch regarding any security or compliance concerns. Azure and Google similarly provide information about their approaches to security.

In addition to providing increased transparency, many CSPs have begun offering tools and features that your SaaS organization can use to protect data. These include encryption at rest and in transit, web app firewalls, and key management. AWS CloudTrail, for example, allows organizations to identify the users and accounts accessing AWS services, the source IP address of API calls, and the timing of those calls — information that can be used to detect and respond to potential security threats.

Moreover, the rigorous certification undertaken by cloud providers in HIPAA, PCI DSS, and other regulatory frameworks demonstrates a level of commitment that can offer peace of mind to SaaS companies, particularly those with customers in regulated industries.

Control Yourself

Despite rightfully trusting your cloud provider to secure infrastructure, it’s nevertheless necessary for you to have the proper controls in place. Access controls allow you to enact the rules and policies that make the most sense for your particular SaaS organization. While AWS adheres to industry best practices, there may be places where it makes sense to tweak the rules a bit to suit your unique business needs, and setting controls manually allows you to do so.

As an extension of this, it’s also important to make sure that your cloud configurations are up to par. While AWS and CIS may lay out best practices, it’s up to you as a SaaS company to make sure you adhere to them to secure your environment.

Even with AWS’ clear guidelines, one of our studies found that at least 73% of companies had at least one critical AWS misconfiguration as of last year. These sorts of configuration weaknesses potentially give attackers free access to private resources, services, or the AWS console, which could be used for criminal activity.

Threat Stack’s AWS Configuration Auditing feature allows your company to quickly and easily measure its configurations against CIS benchmarks and AWS security best practices. With a concise report in hand, you can then prioritize action items based on severity and follow recommendations toward remediation.

Look Deep Within

To fully embrace your share of the security responsibility, it’s also necessary to maintain complete visibility into your cloud environment. To do so, you’ll need to stay laser-focused on the workload. After all, you can’t know what’s happening to your files and who’s running what if you don’t have visibility into events on the host.

The right intrusion detection platform can protect your workloads and give you broad and deep visibility into your environment by collecting data straight from the kernel. This offers an entirely new level of monitoring, auditing, and alerting in the cloud that is impossible to achieve with traditional network- and log-driven security monitoring systems.

More Power to You

In using the cloud, SaaS companies inherently give up some ownership and control in order to reap its benefits — flexibility, scalability, and cost efficiency. The good news is that your CSP is doing its part to manage security of the cloud. In the cloud is where you regain both control and responsibility.

It’s easy to view the shared responsibility model as a burden, but with responsibility comes empowerment. Having control over your own security leaves you far better equipped to recognize threats and to remediate issues in the face of an attack. With the right tools in place, you can not only improve your security posture; you can ensure that you uphold your end of the bargain when it comes to the shared responsibility of cloud security.

*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Anthony Alves. Read the original post at: