In July 2019, Capital One made news headlines not for achieving another milestone but because it had been breached. Capital One was using AWS cloud services, as many businesses do nowadays. The problem stemmed (in part) from a misconfigured open-source Web Application Firewall (WAF) that Capital One hosted in the cloud with Amazon Web Services (AWS).

Despite the inevitable criticism, Capital One’s breach “doesn’t prove the cloud is wrong,” says Glenn O’Donnell, a Forrester VP. “What it does prove is you have to have the right controls in place from a security and governance perspective.”

Before we dig into cloud security issues, let us refresh our memory.

Cloud Services

With traditional IT services, the owner is responsible for everything from the networking equipment to the application itself. Cloud computing offers service models such as SaaS, PaaS and IaaS to make the deployment and management of computing resources more efficient.

  • Infrastructure as a service (IaaS) is a “compute” platform that provides virtualized computing resources over the internet. Examples include the following: AWS AMI, Azure Virtual Machines and GCP Compute Engine.
  • Platform as a service (PaaS) consists of pre-built applications that let the customer upload their code or data and use it without building the underlying infrastructure. The hardware and software tools are delivered by a third-party provider. It is also known as a serverless environment. Examples include AWS Lambda, GCP Cloud Functions, AWS RDS, AWS S3, GCP BigQuery and Azure SQL Database.
  • Software as a service (SaaS) is a software distribution model in which a third-party provider hosts applications and makes them available to customers over the internet. Examples include Office365, Box, G Suite, Xero, Salesforce, Imperva WAF, Akamai CDN and Azure SQL Database.

The Shared Responsibility Model

Who’s responsible for the integrity and confidentiality of the aforementioned services and the data (Read more...)