Could the Shared “Security” Model be the Root of Cloud Security Challenges?

When it comes to #cloudsecurity, most of the focus is on tools and the tactics, techniques, and procedures (TTPs) employed by the security analyst. However, an organization’s cloud security strategy is flawed at its core if the shared security model (SSM) is not correctly understood and fully implemented at the foundation. The cloud is a security challenge due to its next level of complexity and rapid pace of technology evolution. But the deeper one dives into a CSPs implementation, the more stable this dynamic environment becomes. This is why a solid understanding of the SSM becomes so crucial.  

The SSM, described by the CSPs as the Shared Responsibility Model (SRM) or even Fate (Google had to be unique), is still just that, a model, and its implementation is unique to the environment, IaaS, PaaS or SaaS. While there are nuances with each CSP's offering, the basics of the SRM are outlined by the Cloud Security Alliance and can be applied to all cloud deployments.  

The SRM does not assure that your environment and data are safe and secure. It is not a one-size-fits-all wrapper that fits all organizations or guarantees security. Most importantly, it’s not a replacement for tried-and-true security best practices. That responsibility ultimately still resides with the data owner, just like in the days of traditional on-premises IT and security operations.   

Understanding the explicit responsibilities outlined in a CSP SRM is critical to avoiding false assumptions. These false assumptions can lead to resource misconfigurations, a lack of visibility into the environment’s activity, and complete gaps in coverage. None of these bode well for any organization attempting to defend its assets and data in an ever-evolving threat landscape.    

When it comes down to it, having a solid foundational understanding of the SRM will allow an organization to define its cloud security strategy to ensure proper integration into the overarching cybersecurity strategy. These properly aligned strategies will ensure the organization is not blindly assuming the CSP is providing its statutory compliance requirements. Having defined responsibilities will allow the CISO/CSO to ensure the proper tooling is in place for analysts. This starts with gaining visibility into the CI/CD pipeline since the cloud starts and ends with code, which will either protect or expose your data. Organizations adopting the cloud are already challenged with managing an ever-changing and dynamic threat surface with API lifespans measured in hours and containerized applications in days.  Combine this with the dynamic flexibility of resources to scale based on the current demand, and it is easy to quickly lose a defensible architecture if the foundation is built on false assumptions.  

My number one recommendation for every organization considering, planning, or already operating workloads in the cloud is to fully understand the SRM of their CSP(s) and how that maps back to the roles and responsibilities within their security organization. They should also address any identified gaps immediately before being notified by a third party that a gap was discovered and exploited by a named adversary.