One of the biggest challenges in cloud security today is the question of responsibility. There are several players on the cloud security team. Who is responsible for what? Does one player think that someone else is taking care of a critical function – while the other thinks that’s someone else’s job? Just like the old Abbot & Costello sketch, you can be left wondering, “Who’s on first?” Let’s start with the players on the cloud security team. First there is the cloud provider, who provides the infrastructure and possibly even the platform and application. Second, there is the cloud security provider. They might be providing service to the cloud provider, directly to the end customer or even both. Next is the customer. This is the enterprise or organization that is utilizing the cloud provider to host or store data, applications or both. And there is another player on the team as well—the consumer of the cloud based service. This can be an employee or a customer of the organization using cloud hosting. Adding to the complication is that the customer might have multiple cloud security providers; rarely do you see one security vendor provide the full spectrum of cloud security needs. So now that we know who the players are, who is on first? More to the point, is the whole team playing together? There are shared responsibilities and success requires a team that plays well together. So let’s see what each player brings to the field.
- The Cloud Provider – They must have the secure platform/infrastructure to host a shared cloud environment. While providing traditional power, ping and pipe, the cloud provider must also ensure the integrity of the system, the ability to segregate customers’ data and applications from each other and the ability to monitor the entire system. The cloud provider must be able to react and mitigate any potential attacks or malicious activity before they can affect multiple customers. The cloud provider today is expected to have invested substantial resources in securing their own infrastructure and platforms. However, the fact is that most cloud providers still don’t have the in-house resources or solutions to do this by themselves. Generally they must work with a bevy of security solution providers. This brings us to our next player on the team.
- The Cloud Security Provider – On this team, the cloud security provider can come in many shapes and sizes. They could be a security provider that works exclusively with the cloud provider to help secure their infrastructure and platform. They could be a security provider that works with end customers to help secure their own application, data and IP. The cloud security provider could provide some software that is managed by the end customer or cloud provider. They could also be a managed security services provider. No matter what its shape or size, the cloud security service provider must understand the model in use . That means that if they work with the cloud provider, they must match or at least coordinate with their business model., with technology, terms, and billing processes that support the cloud: autoscalable deployments, usage-based billing, and integration with cloud provider systems.
- The end customer –In many ways, end customer bear the ultimate responsibility for security but lack the control or resources to perform the task. They must have trust in the cloud provider they have selected to secure their portion of the infrastructure. They must also have confidence that the cloud security providers they have chosen are also capable of providing the technology and services to do the job. But even in this model, the end customer needs to spend time on oversight, management and review. You can’t outsource responsibility.
- The consumer – The final player on our team, the consumer, is responsible for their own information and behavior. They must use common sense in choosing cloud services, what information is available in the cloud , and the security of their connection to cloud services.
If you find yourself asking “Who’s on first?” when you look at your cloud security posture, it’s time for a discussion with all of your “teammates.” Make sure that every position is covered and your cloud security team will be set up for success.