
Cloud Security: Shared Responsibility in Action

  • Posted on:October 22, 2014
  • Posted in:Cloud Security
  • Posted by:
    Mark Nunnikhoven (Vice President, Cloud Research)

Security in the cloud is a shared responsibility. I’ve written about this before, but with AWS re:Invent right around the corner, now is a good time to explore this idea further and see what the model looks like when applied in production.

The Model

Before we dive in, let’s make sure we’re all working with the same understanding of the model itself.

This is a very straightforward model in its presentation. We start with the view that security is required everywhere, and in order to manage the security aspects of a deployment, we’ll sort various responsibilities into the following areas:

  • Physical infrastructure
  • Network infrastructure
  • Virtualization layer
  • Operating system
  • Application(s)
  • Data

The next step is to then determine who is responsible for the security aspect of each of these areas: AWS (the cloud service provider) or the users (who consume the cloud services).

Depending on the service in question, the answer of “who is responsible for this area?” changes.

The security responsibilities for these areas change depending on the type of service you are consuming.

Using EC2 as an example, AWS is responsible for the physical infrastructure, network infrastructure, and the virtualization layer, which means that you are responsible for the security of the operating system, applications, and data.

Being a conscientious (a.k.a., rightfully paranoid) security practitioner, you will want to verify that AWS is holding up their end of the bargain (spoiler alert: they are). You can do that by visiting http://aws.amazon.com/compliance and http://aws.amazon.com/security.

Sliding Scale

While EC2 is the most common example used, you have security responsibilities for every service on AWS. These responsibilities are directly related to the type of service. A common view of this sliding scale is:

[Figure: Shared Security Responsibility across DIY, IaaS, PaaS, SaaS]

But I prefer Mark Ryland’s approach for service division. In lieu of IaaS > PaaS > SaaS, Mark takes the approach of infrastructure > container > abstract.

This makes it a lot easier to get an idea of the level of responsibility you have for the security of a service.

EC2, EBS, VPC, and others are infrastructure services. RDS, EMR, OpsWorks, etc., are container services; SQS, SNS, SES, Route53, etc., fall into the abstract category.

The general rule here is that the more abstract the service, the less direct security responsibilities you have.

Controls & Decisions

We use the term “direct security responsibilities” on purpose. With infrastructure services, in order to fulfill your responsibilities, you are going to need to implement, operate, and maintain more security controls.

This will most likely entail at least hardening the operating system and installing third-party controls (like IPS, anti-malware, process monitoring, etc.) in addition to taking full advantage of the options AWS provides like IAM, security groups, and network ACLs.

As you move towards container and abstract services, your need to deploy and maintain direct controls is reduced. Your responsibilities with these services focus more and more on the proper configuration of access management (usually through IAM) and deciding what type of data to process and store.
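As an added illustration (not code from the original post), here is what two of those customer-side responsibilities look like as concrete checks: an open-admin-port review of a security group (the kind of control you own on infrastructure services like EC2) and a wildcard review of an IAM policy (the main lever you have on abstract services like SQS). The security-group and policy data mirror the shape of AWS JSON but the values are constructed.

```python
"""Constructed example: two checks the AWS customer (not AWS) owns under
the shared-responsibility model. Data shapes mirror EC2 security-group
and IAM policy JSON, but every value is made up."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def open_admin_rules(security_group):
    """Inbound rules that expose an admin port to the whole Internet."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):  # -1 = all protocols
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port, name in ADMIN_PORTS.items():
            if not lo <= port <= hi:
                continue
            for rng in perm.get("IpRanges", []):
                if ipaddress.ip_network(rng["CidrIp"]).prefixlen == 0:  # 0.0.0.0/0
                    findings.append((port, name, rng["CidrIp"]))
    return findings


def wildcard_statements(policy):
    """Sids of Allow statements using '*' or 'service:*' actions, or Resource '*'."""
    bad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        res = stmt.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts  # normalise str -> list
        res = [res] if isinstance(res, str) else res
        if "*" in res or any(a == "*" or a.endswith(":*") for a in acts):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


# Constructed inputs (not from any real account).
SAMPLE_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # finding: SSH open to all
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}         # fine: not an admin port
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "QueueConsumer", "Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"},  # scoped
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}
```

Running `open_admin_rules(SAMPLE_SG)` reports the SSH rule only, and `wildcard_statements(SAMPLE_POLICY)` flags `TooBroad` while leaving the scoped consumer statement alone.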

More to come

While the model is simple to present and understand at a high level, there is a lot of nuance in its application.

For the next couple of weeks leading up to re:Invent, I’m going to use user-specific examples of recent events to demonstrate how the model is applied to various AWS services. It’s through these examples that you’ll be able to see how the model changes with each service and how you can adjust your security practice to maximize your security posture and the benefits you get from AWS.

If you’d like a sneak peek, you can take a look at my slides from a talk I recently gave at a meetup at AWS HQ.
