It has been nearly ten years since Amazon officially announced that they would be selling computing time and storage capacity, and over a decade since Simple Queue Service (SQS) was launched in 2004. Since then, Amazon Web Services (AWS) has developed hundreds of new services comprising Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) solutions, and has become the go-to Cloud Service Provider (CSP) for early adopters such as startups, small and medium-sized businesses and nimble organizations. Organizations that took to the cloud soon after its inception have had time to mature cloud operation methodologies and form business culture around agile and continuous delivery solutions.

Despite the explosive growth of AWS’ market share, the enterprise market has only recently begun considering public CSPs as a viable infrastructure hosting option. Extending the enterprise data center to a public CSP is not only an architectural challenge; it also requires risk and compliance considerations that must be evaluated in order to avoid weakening the security posture of the organization. Moreover, security architects must understand how to translate existing controls, maintain visibility and adapt to a new technology while ensuring that speed of delivery and agility are not compromised.

Cloud Security Considerations for Early Adopters and New Customers

Despite continued cloud usage, many early adopters are asking the same questions as enterprise customers who are just beginning their journey into the public cloud. Organizations with a great deal of experience with AWS are asking “What do we secure?” while enterprises new to public cloud services are asking “How do we secure?” Below are a few prevalent challenges and considerations of both groups seeking to secure public cloud environments:

Common Challenges and Considerations

[Image: Common Challenges and Considerations]

While there isn’t a complete out-of-the-box cloud security solution that serves everyone equally, AWS has made significant progress in making resources available to assist with implementing a cloud security strategy. Less-regulated cloud service customers who have designed products for the cloud may find native AWS tools convenient and easy to integrate with current cloud infrastructure. Building an adequate security strategy can be complicated and challenging for an enterprise customer, however, given that AWS tools may not be sufficient for a mature security program. As enterprise applications and infrastructure are architected and engineered for AWS, the enterprise cloud service customer will be able to use cloud-native solutions within their security strategies.

Cloud Security is a Shared Responsibility

Both the early adopters and enterprise organizations must have a strong understanding of the Shared Responsibility Model. The Shared Responsibility Model helps identify the boundaries between cloud service provider and customer security responsibilities. As organizations begin to develop cloud security strategies, identifying obligations is a critical success factor.

[Image: AWS Shared Responsibility Model]

*Source: https://aws.amazon.com/compliance/shared-responsibility-model/

Responsibility boundaries shift when moving between IaaS, PaaS and SaaS. While a CSP may be responsible for certain layers of the cloud platform, cloud service customers must remain knowledgeable of where their own responsibility lies. Before moving to AWS, early adopters may not have had to consider infrastructure requirements below the application and data layers; however, they are now responsible for the security of additional layers. Conversely, the enterprise organization is accustomed to owning security at all layers, but can be relieved of managing layers such as physical security and the core network.

Conclusion

Cloud security presents a challenge similar to that of traditional on-premises security when data centers were first being built, when proper security practices were often an afterthought. An additional complication to cloud security is the elasticity of the cloud. A cloud environment can become difficult to manage very quickly, and success will also depend on an organization’s ability to maintain visibility within such a dynamic environment.

Designing a comprehensive cloud security strategy within AWS will require adapting controls and risk management methodologies to an agile operations model, as well as an understanding of how to utilize the resources available for maintaining visibility. Lastly, it is imperative for those new to the public cloud to understand that boundaries may shift as organizations leverage IaaS, PaaS or SaaS solutions.

Stay tuned for an upcoming post where we’ll review and discuss 7 Core Requirements for a Solid Cloud Security Strategy.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.