There's a Security Incident in the Cloud: Who's Responsible?

It's a valid question, and one many enterprises remain unsure of amid a mass migration that has transformed business over the past few years.
Who bears responsibility for a security incident in the cloud? It's a valid question, and one many enterprises remain unsure of amid a mass migration that has transformed business over the past few years.
Most cloud providers make the roles and responsibilities of both provider and customer for security monitoring very clear in their service-level agreements; it largely comes down to where the incident occurs. For example, Google Cloud's incident response plan clearly states, "While Google secures the underlying cloud infrastructure and services, the customer secures their applications, devices, and systems when building on top of Google’s Cloud infrastructure."
But it has become increasingly difficult to delineate where the infrastructure ends and the applications begin — hence enterprise users' confusion. Here, we try to clear up some of their questions.
Who Monitors for Potential Compromises — and Where?
Security in the cloud is largely guided by the principles of a shared responsibility model. Providers and the enterprise are both responsible for monitoring for compromises, but each one is responsible for monitoring different parts of the technology stack, according to Ali Golshan, CTO and co-founder at StackRox.
"Providers are monitoring for compromises that are specific to infrastructure and the platform layer, with some services around the network edge," Golshan says. That means the enterprise remains responsible for application, account, and data security.
But with accounts and credentials spanning across the infrastructure, the waters of responsibility can get a bit muddied. "These days, logging into your infrastructure is the same as logging into a SaaS app," Golshan says. "So it can feel like the line is blurry. But the shared responsibility model still holds, with enterprises responsible for their apps and data."
While the cloud provider should assume responsibility for the security of the cloud's physical assets and underlying software that powers the cloud platform, the customer is responsible for the data they own and transact within the cloud, according to James Condon, director of research at Lacework.
"This includes customer data, applications, identity and access management, network and firewall configurations, compliance, and other elements," he says. "With that in mind, it is most definitely up to the customer, who owns the data, to ensure continuous monitoring and visibility into their security status."
Who Is Most Likely to Detect an Incident First?
Experts agree that cloud providers are more likely to detect compromises in the infrastructure or platform, but enterprises will most likely detect incidents in their apps and data.
"A provider may not have full visibility into an enterprise's chain of custody, supply chain, and account permissions," Golshan says, "so any attack that originates in or leverages those systems would go undetected by the provider."
As such, customers ought to have the proper monitoring and incident detection tools in place as part of their security framework. But that's not always the case.
"It is incumbent upon customers to have a tool for identifying issues, understanding them, alerting based on their severity, and engaging a rapid incident response plan," Condon says. "With that in place, they will have the tools and processes for detecting an incident and being able to respond quickly to it."
Assuming the enterprise has implemented all of these appropriate monitoring, visibility, and security tools in its cloud deployments, it can feel confident in its ability to detect abnormal behavior in its systems.
"For larger-scale DDoS attacks that impact multiple enterprises, the likelihood that the cloud provider detects abnormal traffic patterns is higher," says John Maddison, Fortinet's EVP of products and solutions. "However, this is not certain, and the time it takes to detect attacks is longer in this second scenario."
Can We Work Together on Incident Response?
Establishing clear lines of communication whereby information can easily be passed between providers and enterprises will make working together much easier when an incident occurs. One example, Golshan says, is that providers create standard application programming interfaces (APIs) and extract, transform, load (ETL) frameworks, enabling data flows into and out of the provider’s systems. This approach enables customers to standardize their workflows.
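The two customer-side pieces described above, a tool that identifies issues and alerts on them by severity, and a standardized flow that pulls provider data into the customer's own workflow, can be sketched in a few dozen lines. The following is an added example written for this article, not code from any cloud provider or from the companies quoted here. It assumes two made-up audit-log export formats (the field names `eventTime`/`userIdentity`/`eventName`/`sourceIPAddress` and `timestamp`/`principal`/`method`/`caller_ip` are illustrative, not a real provider's schema), a constructed baseline of source addresses per identity, and an assumed list of privilege-changing actions. The ETL step normalizes both feeds into one schema; the detection step runs per-event rules, correlates them per identity, and returns alerts ordered by severity.

```python
"""Customer-side monitoring over cloud audit events (added example, not
provider code). Normalises two assumed provider export formats into one
schema, then runs severity-tiered detection rules and per-identity
correlation over the result. All sample data below is constructed."""
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events in two assumed provider export formats
# (field names are illustrative, not any real provider's log schema).
PROVIDER_A_EVENTS = [
    '{"eventTime": "2023-05-01T10:00:00Z", "userIdentity": {"arn": "user:alice"}, '
    '"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10"}',
    '{"eventTime": "2023-05-01T10:05:00Z", "userIdentity": {"arn": "user:alice"}, '
    '"eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.10"}',
]
PROVIDER_B_EVENTS = [
    '{"timestamp": "2023-05-01T10:07:00Z", "principal": "user:bob", '
    '"method": "storage.buckets.setIamPolicy", "caller_ip": "198.51.100.7"}',
    '{"timestamp": "2023-05-01T10:08:00Z", "principal": "user:bob", '
    '"method": "storage.objects.get", "caller_ip": "198.51.100.7"}',
]

# Constructed baseline: source addresses each identity normally uses.
KNOWN_SOURCE_IPS = {"user:alice": {"203.0.113.10"}, "user:bob": {"192.0.2.44"}}
# Assumed set of actions that change who is allowed to do what.
PRIVILEGE_ACTIONS = {"PutUserPolicy", "storage.buckets.setIamPolicy"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Event:
    """Common schema every provider feed is transformed into."""
    time: datetime
    actor: str
    action: str
    source_ip: str


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    actor: str
    detail: str


def _parse_time(s):
    # Audit timestamps are UTC with a trailing "Z"; fromisoformat wants an offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def from_provider_a(line):
    d = json.loads(line)
    return Event(_parse_time(d["eventTime"]), d["userIdentity"]["arn"],
                 d["eventName"], d["sourceIPAddress"])


def from_provider_b(line):
    d = json.loads(line)
    return Event(_parse_time(d["timestamp"]), d["principal"],
                 d["method"], d["caller_ip"])


def extract_transform(a_lines, b_lines):
    """ETL step: pull both feeds into one schema, ordered by time."""
    events = [from_provider_a(l) for l in a_lines] + [from_provider_b(l) for l in b_lines]
    return sorted(events, key=lambda e: e.time)


def detect(events):
    """Per-event rules, then per-identity correlation; alerts sorted by severity."""
    alerts = []
    fired = {}  # actor -> set of rule names that fired for that identity
    for ev in events:
        where = f"{ev.action} from {ev.source_ip}"
        if ev.action in PRIVILEGE_ACTIONS:
            alerts.append(Alert("high", "privilege-change", ev.actor, where))
            fired.setdefault(ev.actor, set()).add("privilege-change")
        if ev.source_ip not in KNOWN_SOURCE_IPS.get(ev.actor, set()):
            alerts.append(Alert("medium", "unfamiliar-source-ip", ev.actor, where))
            fired.setdefault(ev.actor, set()).add("unfamiliar-source-ip")
    # Correlation: a privilege change made from an unfamiliar address is
    # escalated, because the two weak signals together are a strong one.
    for actor, rules in fired.items():
        if {"privilege-change", "unfamiliar-source-ip"} <= rules:
            alerts.append(Alert("critical", "privilege-change-from-unfamiliar-ip",
                                actor, "both rules fired for this identity"))
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])


def run():
    return detect(extract_transform(PROVIDER_A_EVENTS, PROVIDER_B_EVENTS))


if __name__ == "__main__":
    for a in run():
        print(f"[{a.severity:8}] {a.rule:36} {a.actor:11} {a.detail}")
```

Run as a script, it prints five alerts with the correlated `critical` one for `user:bob` first. The point of the design is the split: the provider-specific parsing lives in two small adapters so a new feed means one more adapter, while the rules and the severity ordering, which are what the customer actually owns, never see a vendor field name.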
When enterprise users clearly understand and apply best practices for security to their configurations and settings within the cloud service provider's platform, they are able to minimize risk, Condon says. "However, they will also need to ensure they are taking the steps and using the right tools to manage the security of their data within the cloud," he adds.
Given that the responsibility for compromised data ultimately falls on the enterprise, users need to do more to implement best security practices.
"Organizations are realistically becoming more aware that failures will eventually happen and cybersecurity threats will hit their infrastructure," Maddison says. "Being less naïve about whether this will happen to them — and more realistic about asking when will this happen to them — leads to these organizations seeking natively integrated security solutions for the cloud to prevent and detect incidents."
Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ...