The distributed nature of the cloud is both a security blessing and a challenge. In an organisation, many people and roles — some obvious, some less so — are responsible for protecting cloud resources and the sensitive data stored in the cloud. Multiple teams and individuals make up the organisation’s internal “shared responsibility” model for cloud security. A collaborative approach is essential for protecting cloud resources effectively and at scale.
Protecting cloud resources – Who’s minding the store?
The functions most obviously responsible for protecting cloud resources are those with “security” in the title: cloud security leader, cloud security architect, cloud security engineer, cloud architect or security analyst – to name a few.
These roles directly own cloud security KPIs. They measure security performance and are themselves measured on it. They care about implementing the right tools and getting on top of elusive cloud risk. Their pain is acute; as survey after survey reveals, they are the ones atop a cloudy mountain yelling: Visibility! More visibility!
This is a challenging pursuit, rife with obstacles such as increasing cloud complexity, new attack vectors, and an inconsistent security and compliance posture as Dev and Apps teams apply their own security practices to new assets, if they apply any at all. To reduce cloud risk, cloud security teams need to pull in other functions, and do so effectively.
Who else is sharing responsibility?
Some other organisational functions that play an important role in cloud security include:
- Cloud Identity and Access Management (IAM) – Authorise access to the cloud environment, and are increasingly aware of identity-specific risks: over-broad roles and permissions that need trimming, inactive users and service accounts that are never removed, and the difficulty of actually enforcing least privilege.
- Information Security/Cybersecurity – Responsible for overall security posture including for cloud. They may provide guidance and policies to ensure cloud resources are secured and aligned with internal security standards.
- DevOps/DevSecOps and Apps Development – Embed security controls and best practices in cloud software development and deployment processes.
- Compliance and Governance – Ensure that cloud resources meet regulatory requirements and internal policies. They can also be involved in auditing, reporting and ensuring cloud activities align with industry standards.
- Risk Management – Assess and manage risks associated with cloud adoption and usage. They often collaborate with other functions to identify vulnerabilities and develop risk mitigation strategies.
Even more functions potentially share responsibility for protecting organisational cloud resources, including IT operations, network teams, data protection teams and even vendor management, which assesses cloud service providers' security offerings and practices prior to purchase to determine whether they measure up.
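The IAM item above (trimming roles and permissions, removing inactive users, enforcing least privilege) is the one function in the list that reduces to a concrete, repeatable check. The following is an added example, not code from the original post: a least-privilege review over a constructed IAM inventory. The data shape (granted actions plus per-action last-used dates, similar to what a cloud provider's access-advisor style report gives you), the wildcard convention `service:*`, and the 90-day window are all assumptions.

```python
"""Added example, not code from the original post: a least-privilege review
over a constructed cloud IAM inventory.  The data shape (granted actions plus
per-action last-used dates, similar to what a cloud provider's access-advisor
style report gives you) and the 90-day threshold are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2024, 6, 1)        # fixed so the example is deterministic
INACTIVE_DAYS = 90              # assumed review window; tune per organisation


@dataclass
class Principal:
    name: str
    kind: str                      # "user" or "role"
    granted: set[str]              # actions the attached policies allow ("s3:*" = wildcard)
    last_used: dict[str, date]     # action -> last date it was actually called
    last_activity: Optional[date]  # last sign-in / API call by this principal, None = never


# Constructed inventory: one well-scoped CI role, two over-privileged
# principals and one inactive contractor account.
INVENTORY = [
    Principal("alice", "user",
              {"s3:GetObject", "s3:PutObject", "iam:*"},
              {"s3:GetObject": date(2024, 5, 28)}, date(2024, 5, 28)),
    Principal("ci-deploy", "role",
              {"ecr:PutImage", "ecs:UpdateService", "kms:Decrypt"},
              {"ecr:PutImage": date(2024, 5, 31), "ecs:UpdateService": date(2024, 5, 31),
               "kms:Decrypt": date(2024, 5, 31)}, date(2024, 5, 31)),
    Principal("bob-contractor", "user", {"ec2:*"}, {}, date(2023, 11, 2)),
    Principal("legacy-backup", "role", {"s3:*"},
              {"s3:GetObject": date(2024, 5, 20)}, date(2024, 5, 20)),
]


def covered(action: str, grant: str) -> bool:
    """True if `grant` allows `action` (exact match or service wildcard)."""
    return grant == action or (grant.endswith("*") and action.startswith(grant[:-1]))


def is_inactive(p: Principal, today: date = TODAY, days: int = INACTIVE_DAYS) -> bool:
    return p.last_activity is None or (today - p.last_activity).days > days


def wildcard_grants(p: Principal) -> list[str]:
    return sorted(g for g in p.granted if g.endswith("*"))


def review(p: Principal, today: date = TODAY, days: int = INACTIVE_DAYS) -> dict:
    """Recommend remove / trim / ok and the exact actions to keep and drop."""
    if is_inactive(p, today, days):
        return {"action": "remove", "keep": [], "drop": sorted(p.granted)}
    cutoff = today - timedelta(days=days)
    # Keep only actions used inside the window that some grant actually covers;
    # a wildcard grant is replaced by the specific actions observed under it.
    keep = sorted(a for a, used in p.last_used.items()
                  if used >= cutoff and any(covered(a, g) for g in p.granted))
    drop = sorted(g for g in p.granted if g not in keep)
    return {"action": "trim" if drop else "ok", "keep": keep, "drop": drop}


def review_all(inventory: list[Principal] = INVENTORY) -> dict[str, dict]:
    return {p.name: review(p) for p in inventory}


if __name__ == "__main__":
    for name, r in review_all().items():
        print(f"{name:15} {r['action']:6} keep={r['keep']} drop={r['drop']}")
```

On this inventory the review removes the contractor account outright, leaves the CI role alone because every grant was exercised, and rewrites both wildcard grants (`iam:*`, `s3:*`) down to the single action that was actually called. The caveat a practitioner would add: usage data only shows what a principal did, not what it must be able to do in a rare path (a disaster-recovery role may legitimately go 90 days without a call), so the output is a proposal for the owning team, not an automatic policy change.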
The downside of so many security cooks
While all of them have a shared goal – protecting sensitive data, ensuring compliance and staying out of the headlines – every function approaches security from their own point of view, with their own goals, tools, expertise, and criteria. Could this disconnect be, ironically, causing risk? A recent study found coordination between IT and security teams to be difficult and time-consuming.
Development and DevOps teams would benefit from security findings fed back into the CI/CD pipeline, but first the legitimate fear that a security tool's recommendation will break something, or that its alerts are not real, has to be overcome. Cloud IAM teams applying a traditional approach lack the tooling to limit access the way they know they should. Others carry on-prem practices across and miss toxic combinations (for example a publicly reachable workload that also carries a critical vulnerability and an over-privileged role) because in the cloud those layers interact differently. Risk Management and Incident Response teams miss out on risk analysis that correlates vulnerabilities and anomalies across those layers.
Unifying internal shared responsibility
So what can be done? Shared responsibility spanning several functional areas is a strength. Cloud-Native Application Protection Platform (CNAPP) tools unify cloud security by providing a single pane of visibility, consolidating siloed tools, automating monitoring and risk prioritisation and integrating remediation into workflows.
The data and visibility a CNAPP provides give each function better insight into, and coordination around, its part in security, which is crucial for a strong cloud security posture. DevOps gain the confidence to adopt recommendations. Developers find Infrastructure-as-Code (IaC) scanning a time (and face) saver, so they are more inclined toward security collaboration. Overall, unifying tools removes barriers to faster identification and containment.
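The "toxic combinations" that on-prem habits miss, and the cross-layer risk prioritisation attributed to CNAPP tooling above, both come down to correlating findings that separate teams' tools report in isolation. The following is an added example, not code from the original post or from any vendor: a constructed asset inventory in which each attribute belongs to a layer a different team owns, a set of per-layer conditions, and two assumed toxic combinations. The asset names, thresholds and combinations are illustrative assumptions.

```python
"""Added example, not code from the original post: ranking cloud findings by
toxic combinations that cut across layers.  Asset attributes, the conditions
and the combinations are constructed assumptions, not a vendor's rule set."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    internet_exposed: bool   # network layer (network / cloud platform team)
    max_cvss: float          # vulnerability layer (vuln management), 0.0 = no findings
    identity: str            # IAM layer: "none", "limited" or "admin" role attached
    sensitive_data: bool     # data layer (data protection team)


# Constructed inventory.  batch-worker carries the single worst CVE;
# web-frontend has a lower CVE but is reachable and holds an admin role.
ASSETS = [
    Asset("web-frontend", True, 7.5, "admin", False),
    Asset("batch-worker", False, 9.8, "limited", False),
    Asset("reports-db", True, 0.0, "none", True),
    Asset("dev-sandbox", False, 4.3, "none", False),
]

# One predicate per layer.  Each is typically what a single team's tool reports.
CONDITIONS = {
    "exposed": lambda a: a.internet_exposed,
    "exploitable": lambda a: a.max_cvss >= 7.0,
    "privileged": lambda a: a.identity == "admin",
    "sensitive": lambda a: a.sensitive_data,
}

# Assumed toxic combinations: conditions that together form an attack path
# no single-layer tool can see on its own.
TOXIC = {
    ("exposed", "exploitable", "privileged"): "remote compromise leads to cloud account takeover",
    ("exposed", "exploitable", "sensitive"): "remote compromise leads to data breach",
}


def conditions_met(a: Asset) -> set[str]:
    return {name for name, pred in CONDITIONS.items() if pred(a)}


def toxic_matches(a: Asset) -> list[tuple[str, ...]]:
    met = conditions_met(a)
    return [combo for combo in TOXIC if set(combo) <= met]


def risk_key(a: Asset) -> tuple[int, int, float]:
    """Sort key: toxic combinations first, then breadth of conditions, then CVSS."""
    return (len(toxic_matches(a)), len(conditions_met(a)), a.max_cvss)


def prioritise(assets: list[Asset] = ASSETS) -> list[str]:
    """Cross-layer ranking, highest risk first."""
    return [a.name for a in sorted(assets, key=risk_key, reverse=True)]


def by_cvss_only(assets: list[Asset] = ASSETS) -> list[str]:
    """What a vulnerability scanner alone would put at the top of the queue."""
    return [a.name for a in sorted(assets, key=lambda a: a.max_cvss, reverse=True)]


if __name__ == "__main__":
    print("vuln scanner alone:", by_cvss_only())
    print("cross-layer:       ", prioritise())
    for a in ASSETS:
        for combo in toxic_matches(a):
            print(f"  {a.name}: {' + '.join(combo)} -> {TOXIC[combo]}")
```

Run stand-alone, the two rankings disagree on the very first item: CVSS alone sends the vulnerability team to the isolated batch-worker, while the cross-layer view puts the internet-facing, admin-role web-frontend first because it is the only asset that completes an attack path. Each of the four conditions is owned by a different function from the list above, which is exactly why no one team sees the combination until their data is joined.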
Managing the modern attack surface takes a village. Bringing teams together with a shared goal to actively contribute to cloud security, understanding teams’ individual goals, and implementing a strategy that pulls as many artifacts as possible into the risk assessment goes a long way to ensure cloud resources don’t become cloud issues.