RSA Conference 2016: Security of Public Cloud Services—It Takes a Village


Posted on by Ben Rothke

At the RSA conference last month, I led a Peer2Peer session on the topic of Security of Public Cloud Services: It Takes a Village.

Twenty-five others and I discussed the notion that cloud services are inherently a shared responsibility model. Far too many corporate users of cloud services don't realize that while the cloud provider may hold every attestation from PCI DSS to SSAE 16, those attestations mean nothing if your own team doesn't know what its responsibilities are around cloud security, and what specifically it has to do.

We spoke about the fact that when you move your applications and data to the cloud, you surrender a lot of control. Even so, there is still a lot that needs to be done on your side to ensure that the applications and data remain available, and secure.

At the end of the 50 minutes, which went by quickly, we had brainstormed about 20 security, privacy and risk items that you have to deal with in advance of a move to the cloud. Some of the crucial areas are exit plans, cloud access security brokers (CASB), disaster recovery, incident management, and more.

Three of the main challenges we identified were:

  • What do we need to do?  The demarcation of responsibilities between the cloud provider and the customer is often not clear. Customers know they are moving to the cloud, but are not always clear about just what they need to do. The goal is to recognize that while it's a shared model, you must still establish a clear demarcation of which roles you as the customer own. Once your cloud service goes live, there should be zero ambiguity as to who is responsible for any task.
  • What security tools can we use?  When things go off-premises, customers often don't know what security tools are at their disposal. It is often not clear which tools the cloud provider will supply and which ones the customer must bring.
  • What if there are no corporate-wide cloud transition directions?  How does one transition to the cloud when there's no enterprise-wide cloud transition strategy? Firms that don't take the time to develop a structured cloud transition and migration strategy are in effect deploying their cloud services blind. Such firms also don't know when it is the right decision to move to the cloud. Since they have not done any sort of assessment of whether the move to the cloud makes business, strategic and operational sense, there's a chance the move to the cloud is not warranted in the first place.

When we concluded, the realization was that cloud providers are ultimately responsible only for securing the basic infrastructure, which they do quite well. As a cloud customer, you are still responsible (and liable) for all of the applications and for the governance around those applications and data. And that's still a lot of work.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Tags: cloud security, security awareness

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
