Security Breaches Are Your Fault!
In a previous post from late 2019, Oscar Prado,
cybersecurity analyst at Fluid Attacks, touched on the matter of most
companies migrating to the cloud. One year
later, we indicated a substantial
acceleration and growth in that phenomenon, primarily driven by the
pandemic and the security measures that emerged as necessary,
particularly remote work. It’s true that hosting a business in the cloud
offers significant benefits in terms of cost, speed, scalability, and
maintenance, among others. Nevertheless, there are often issues
concerning the security of companies’ systems and assets in the cloud,
mostly due to a lack of knowledge and confusion about something known as
the security shared responsibility model (SRM). Let’s see what’s
happening.
What is cloud computing?
As Ranger said on ZDNet,
“Cloud computing is the delivery of on-demand computing services —from
applications to storage and processing power— typically over the
internet and on a pay-as-you-go basis.” So now, for
example,
if you intend to develop and offer a new application, you don’t have to
do as before, gradually acquiring software and hardware resources and
maintaining your own computing infrastructure. You can save money, time,
and effort by paying for web-based services according to your needs. The
clouds of companies like Amazon, Microsoft, and Google have incredible
amounts of resources pooled in their infrastructures for your benefit
while your projects are hosted there. Thus, as its fame grows, for
instance, your application can quickly increase its use of cloud servers
to satisfy your customers with speed and effectiveness. Yet, it can also
easily reduce cloud usage if its popularity ever declines. You then pay
strictly for what you need at a specific time.
“Rarely do people mention how security is a benefit of moving to the
cloud,” said Chaudhry more than two years ago. But why? Indeed, leading
cloud service providers (CSPs; AWS is the top cloud, although Microsoft
Azure and Google Cloud are growing fast) may possess
more experienced and skilled cybersecurity staff than many other
companies could ever hire. There’s no doubt that a business working
within a cloud has significant benefits in terms of security. However,
unknown to many, these are only partial benefits.
What is the SRM?
According to Violino on CSO, for example, “Contrary to what many might
think, the main responsibility
for protecting corporate data in the cloud lies not with the service
provider but with the cloud customer.” Cloud security efforts don’t
depend on just one of the parties involved. In fact, CSPs subscribe to
the globally accepted security SRM,
in which they are primarily concerned with the security of physical
aspects, infrastructure, network, and virtualization. On the other hand,
the customer must always guarantee the security of the user
access/identity and data. As shown in Figure 1, the party
responsible for protecting the application or the guest OS will vary
based on the type of cloud service (IaaS, PaaS, and SaaS; see Figure
2). In addition, other differences in where that line is drawn may
result from each CSP’s particular choices.

Figure 1. Cloud security shared responsibility model (source:
Oracle.com).

Figure 2. Types of cloud services (source: Medium.com; see also Ranger’s
post).
In research published in 2020, Oracle and KPMG
surveyed cloud service subscribers’ understanding of SRM. Almost all of
their respondents revealed high levels of familiarity with the term SRM.
However, only 8% of them said they entirely understand the SRM for
every kind of cloud service. The confusion arising from this variable
distribution of responsibilities in security matters has led many
organizations to overlook several of their obligations inside the cloud
or fail to fulfill them adequately. One of the most prevalent
implications of such confusion is the misconfiguration vulnerability
(which may also
be related to a lack of training).
What are these cloud security issues?
A widely known case of misconfiguration was the Capital One data breach
in 2019. According to the SRM, a client company’s employees are
responsible for the appropriate integration of cloud service platforms.
Following Graham’s point, “Engineers that have worked with cloud
computing systems have frequently noted that system integrations are
not always straightforward.”
Either because of confusion, incompetence, or both, Capital One
personnel left a firewall improperly configured in the process of
integrating AWS solutions, allowing the theft of information from more
than 100 million credit card customers. In conclusion, Capital One,
not AWS, “was held accountable for the monetary loss and time spent
fixing the error.”
‘Data breaches’ along with ‘Misconfiguration and inadequate change
control’ are the first two cloud threats that the Cloud Security
Alliance (CSA) puts on its Top Threats to Cloud Computing: Egregious
Eleven report for the education of organizations. Companies should not only
worry about the risk of losing data or intellectual property but also
about the risk of their cloud resources being deleted or modified to
disrupt business operations. Confusion with cloud responsibilities
can also lead to errors involving unauthorized access to data and
services. Plus, it can open the door to malware and facilitate the
stealing of cloud credentials.
As Nunnikhoven told SecureWorld, the vast majority of cloud
service-related incidents have involved problems on the customer side,
not the CSP side. Apparently, from Gartner, it’s expected that by next
year, “at least 95% of cloud security failures will be the customer’s
fault.” Still, it’s said that
many companies refrain from migrating to the cloud because they perceive
considerable security risks. That’s silly. (Although we should never
rule out the possibility of catastrophe in the security of CSPs.) Given
the above, those companies could recognize that security is an issue
primarily affected by their own decisions and actions, in both
on-premise and cloud infrastructures. But this is something that even
many companies already inside the cloud haven’t figured out.
Recommendations to overcome confusion?
A solution to this problem around the SRM for any company could start
with an education geared towards a cultural shift in which all parties
involved, all teams, discuss cybersecurity. (Remember, everyone is
responsible for ‘Sec’ if you are following the DevSecOps approach.)
Understanding what the cloud is and which security requirements are
under your responsibility is of vital importance prior to business
migration. (If you are already in the cloud, make sure you understand
this.) Keep in mind that it’s never prudent to let a desire for rapid
migration to the cloud take precedence over security. Don’t let
cybercriminals be the ones to make you and your colleagues aware of
your security obligations with their misdeeds.
Of course, without hesitation, establish a conversation with your CSP
whenever necessary. Ask them for detailed guidelines on your security
responsibilities because they can certainly give them to you. Also, stay
informed of updates to those responsibilities since they may be
evolving. Bear in mind that it’s always crucial to have robust
authentication mechanisms and manage a definite restriction of access to
critical data and systems. Likewise, keep threat models up to date and
deploy continuous monitoring for configuration errors and
vulnerabilities. (Fluid Attacks' red team can help you with that.)
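As an added illustration of the continuous monitoring for configuration errors recommended above (example code written here, not from Fluid Attacks or the original post): a small audit that flags customer-managed firewall rules, modelled as AWS security group ingress rules, which expose sensitive services to the whole internet. The sample data is constructed to mimic the shape of the EC2 DescribeSecurityGroups response, and the list of sensitive ports is an assumption you would tune to your own environment.

```python
# Audit AWS-style security group ingress rules for world-open sensitive ports.
# Constructed example: SAMPLE_GROUPS mimics the EC2 DescribeSecurityGroups shape.
from typing import Dict, List

# Assumed list of ports whose exposure to the whole internet is rarely intended.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb", 9200: "elasticsearch"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _open_to_world(perm: dict) -> bool:
    """True if any IPv4/IPv6 range in this permission is the whole internet."""
    v4 = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in v4 + v6)


def _exposed_ports(perm: dict) -> List[int]:
    """Sensitive ports covered by this permission's protocol and port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means all traffic, all ports
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit_security_groups(groups: List[dict]) -> List[Dict[str, object]]:
    """One finding per (group, sensitive port) reachable from any address."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if _open_to_world(perm):
                for port in _exposed_ports(perm):
                    findings.append({"group": sg["GroupId"], "port": port,
                                     "service": SENSITIVE_PORTS[port]})
    return findings


# Constructed sample: the first group exposes SSH and Postgres to the world;
# the second only exposes HTTPS publicly and restricts SSH to a private range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-4e5f6a7b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]
```

Running `audit_security_groups(SAMPLE_GROUPS)` reports SSH (22) and Postgres (5432) open to the internet on sg-0a1b2c3d and nothing for sg-4e5f6a7b; scheduling such a check against the real API output is one concrete way to catch the customer-side mistakes the SRM leaves to you.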
Finally, don’t forget that if you don’t understand and address cloud
security in your company’s digital transformation, the next
cybersecurity breach could be your fault!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/shared-responsibility-model/