Is it your cloud or mine? It’s both – cloud security is a shared responsibility.
In recent years, the pendulum has swung from the customer owning 100% of their security on-premises to the ‘myth’ that 100% of cloud security is the responsibility of the cloud provider. The reality is somewhere in the middle.
To clear up some common misconceptions, we jumped at the chance to sponsor the AWS UK User Group in London last week (25th March). James Brown, Director of Cloud Computing & Solution Architecture, presented to the 140+ person audience about the types of attacks targeting on-premises versus cloud infrastructures, the evolution of cybercrime, and the different responsibilities for security in the cloud. He also ran a live hack demo showing how an SQL attack can be monitored, tracked and remediated through continuous monitoring and security analyst support. There was a lot packed into 35 minutes!
The biggest takeaways of the evening were the results of a mini-poll asking the delegates who they believed was responsible for the security of applications hosted in the AWS Cloud.
Of the 100 people who filled in the poll, only 15 said that their company (end-user) was solely responsible (correct). 1 person said it was 100% AWS (hopefully they changed their mind after James’ presentation!) and the rest, 84 people, said they didn’t know.
This highlights the continued education that is needed across the industry – from cloud service providers and security vendors to employees in every department of a business.
The persona of ‘buyers’ is changing the face of security. It isn’t just the security guys, application developers or IT teams buying “the cloud.” Line-of-business owners, such as Head of eCommerce, Online Services, Marketing or Finance, are devising business strategies that require greater levels of customer experience, customer retention, mobile applications, etc. to maintain competitive advantage, and as such are driving the demand for purchasing and consuming modern applications and “cloud services.” These need to be secured and compliant.
The Shared Security model is well documented by AWS (http://aws.amazon.com/compliance/shared-responsibility-model/) and referenced by Alert Logic.
For more information, an on-demand webinar clearly articulates the areas of security and compliance that end-user companies are responsible for compared to AWS. To view it, please visit https://www.alertlogic.com/resources/webinars/?commid=124235
Alert Logic is sponsoring a whole series of AWS Summits in EMEA and the US, starting in April 2015. https://www.alertlogic.com/road-to-aws-reinvent-2015/