Cloud security

Frank Kim, SANS Institute Fellow and Cloud Security Curriculum Lead.

Johannesburg, 24 May 2024
Securing the cloud.
Securing the cloud.

1. How does the concept of "shared responsibility" apply to cloud security?

The concept of "shared responsibility" in cloud security is foundational, emphasising that both cloud service providers (CSPs) and customers have roles in securing cloud environments. This model delineates who is responsible for securing what aspects of the cloud infrastructure and operations. CSPs typically manage the security of the cloud, including the physical infrastructure, network and hardware. In contrast, customers are responsible for security in the cloud, which means they must protect their data, applications and access controls. Training in understanding and implementing this model is crucial for organisations to safeguard their assets in the cloud effectively.

2. What responsibilities typically fall under the cloud service provider's domain?

Cloud service providers are generally responsible for the security and integrity of the cloud infrastructure itself. This includes the physical security of data centres, the security of the hardware and software that powers the cloud services, and the networking infrastructure. CSPs also ensure the availability and resilience of their services, employing robust measures against DDOS attacks, hardware failures and ensuring data integrity. Regular audits and compliance certifications are part of their domain, offering customers transparency and assurance regarding the security posture of their services.

3. How does the division of responsibilities vary across different cloud service models (IaaS, PaaS, SaaS)?

The division of responsibilities in cloud security varies significantly across the IaaS, PaaS and SaaS models:

  • IaaS (infrastructure as a service): Customers have more control and thus more responsibility. They manage the OS, applications and network configurations, while the CSP maintains the physical servers, storage and networking hardware.
  • PaaS (platform as a service): The CSP takes on more responsibility, including managing the OS, middleware and runtime environment. Customers focus on deploying and managing their applications.
  • SaaS (software as a service): The CSP has the most responsibility, overseeing the infrastructure, platforms and software. Customers are mainly responsible for managing their user accounts and data security.

Understanding these distinctions is crucial for organisations to know their security obligations, emphasising the need for targeted training in each cloud model.

4. What are some common security risks or threats associated with cloud computing?

Common security risks in cloud computing include data breaches, insufficient identity, credential and access management, insecure interfaces and APIs, and system vulnerabilities. Misconfigurations and inadequate change control processes can expose systems to attacks. Moreover, shared technology vulnerabilities mean that one tenant's actions could potentially affect the security of another in a multi-tenant architecture.

5. How can organisations ensure they fulfil their part of the shared responsibility model for cloud security?

Organisations must conduct regular security assessments and audits to identify and remediate vulnerabilities and ensure only authorised personnel have access to cloud resources. It’s always important to encrypt data, at rest and in transit, to protect sensitive information. Regular training for an informed workforce is vital – on the latest cloud security best practices and potential threats. And lastly, organisations should continuously collaborate with their CSPS, engaging in transparent communication with providers to understand specific security measures and responsibilities.

For more information about SANS Institute and courses offered, please visit our website here.