Understanding Cloud Security: Shared Responsibilities, Zero Trust, and Shift-Left
Posted May 31, 2022 by Sayers
Your journey to the cloud might feel like it brings more questions than answers. Cloud provider responsibilities to secure your workloads, the role of providers in supporting a Zero Trust strategy, and how to move cloud security into your development cycle are among the topics our clients want to understand.
We’ve shared tips on where to start with cloud security, capturing highlights from a Sayers cloud security Q&A panel discussion. In this follow-up post, we tackle the concepts of shared responsibilities, Zero Trust, and cloud security in a developer-centric environment – all part of better securing your organization’s clouds.
Who Is Responsible For Your Cloud Security?
Cloud providers handle a lot but don’t assume they take care of every aspect of security in the cloud.
“While you can expect cloud providers to be responsible for things like data center physical security and network uptime, you can’t rely on them to protect your data and your credentials. Privileged account management and credentials theft are among the most highly used attack techniques out there in the landscape today, and that directly applies to cloud environments.” – Ken Wisniewski, Senior Cybersecurity Solutions Architect at Sayers
Not sure what you’re responsible for versus your cloud provider? Each provider publishes its shared responsibility model, like these for AWS, Azure, and Google Cloud Platform (GCP). Customer responsibilities can vary by use case and other factors such as chosen services and regions, and applicable laws and regulations.
Generally, you’ll want to apply the same types of controls in the cloud that you would on-prem, such as multi-factor authentication, and apply them even more stringently in your cloud environments.
“There are probably more nuances at the microscopic level with cloud security than there are with physical data centers, just because there is a perimeter in a traditional data center. But there’s a huge disconnect between what it means to secure your data in a public space like this.” – Gerry Wollam, Senior Cybersecurity Solutions Architect at Sayers
While the cloud is secure to a certain level, Wollam cautions that most of the responsibility, and most of the areas that get companies breached, lie with the company buying space from the cloud provider.
Zero Trust As A Methodology, Not An Endpoint
The Zero Trust security model eliminates the idea that some users and devices are trusted by default just because they’re behind your firewall. Instead, every user and device must be authenticated at each digital interaction.
Once verified, each identity’s access is controlled based on security policies and tools such as ongoing risk analysis.
Cloud providers including AWS, Azure, and GCP have adopted Zero Trust security models for their customers. Those strategies can include “least privilege access,” which applies just-in-time and just-enough-access for each transaction, and micro-segmentation in the cloud, which limits application access to built-in security groups. Wisniewski says:
“With cloud providers, you have a lot of capabilities at your fingertips. They can do Zero Trust better than what you would typically get in a data center, where you’re unlikely to have host-by-host individual firewall-level controls outside of the operating system itself. The cloud providers do give you that.”
Just don’t claim Zero Trust too soon. “Zero trust isn’t an endpoint, it is a methodology,” Wisniewski says. “It’s an approach to how you apply your controls and keep that rigor around it, and that requires a concerted, strategic effort.”
Cloud providers offer tools to help, such as Microsoft Azure security services to enable Zero Trust. These include network firewalling to filter traffic between internal networks, hosts, and applications, and Azure network security groups that filter network traffic to and from Azure
AWS says moving to a Zero Trust security model starts with evaluating your workload portfolio and determining where Zero Trust would provide the greatest benefits. AWS offers core Zero Trust building blocks as standard features of some of its identity and networking services, which can be applied to both new and existing workloads.
Cloud Security In A Developer-Centric Environment
A developer-centric cloud environment using DevOps requires a deeper security conversation, with a structured approach to adopting cloud platforms.
Wisniewski advises building those cloud environments as infrastructure as code, in a templatized, repeatable format. This avoids point-and-click human error and creates an infrastructure you can revise as you move forward.
A shift-left approach applies security controls earlier in the application lifecycle. You can take the principle of shifting left from application security, apply it to infrastructure and cloud security, and start security sooner with your developers when moving to the cloud.
“By applying code scanning and security at the developer level, you’re trying to catch as much as you can before it goes into even a test environment,” Wisniewski says.
With AWS CloudFormation, Azure Resource Manager templates, or other cloud provider native languages, you can define the infrastructure – including your applications – as code, build it programmatically, and deploy it in your cloud environment. Wisniewski adds:
“Being able to instrument networking, storage, infrastructure, security, etc., all at once isn’t a place most private data centers are at. But the cloud providers give you that out of the box.”
Building in security at the developer level doesn’t mean you’re done. Ensure things stay in compliance by scanning with tools such as Cloud Security Posture Management (CSPM), a third-party toolset that identifies configuration problems and compliance risks in the cloud.
“Just because you’re building it with infrastructure as code doesn’t mean you won’t have a rogue admin or somebody who makes changes that affect your security posture,” Wisniewski cautions. “You really need to be shifting left in terms of infrastructure, security, and deployment, but also follow that up with continuous compliance.”
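As an added example (this is not code from Sayers or the panelists, and the resource names, CIDR range and bucket ARN in it are constructed placeholders), here is a small shift-left check in Python that a developer could run against a CloudFormation-style template before it reaches a test environment. It looks for the three classes of problem the discussion above touches on: a security group that undoes micro-segmentation by opening an admin port to the world, a bucket with no encryption setting, and an IAM policy that breaks least privilege by allowing every action on every resource. The same template with the fixes applied returns no findings. Resource type and property names follow AWS CloudFormation; the finding codes are this example's own.

```python
"""Shift-left policy checks over an infrastructure-as-code template.

Added example, not code from Sayers or the panelists. It parses a small
CloudFormation-style template (constructed inline, in JSON so no third-party
YAML library is needed) and reports the kind of finding a developer-level
scan or a CSPM tool raises. Resource type and property names follow AWS
CloudFormation; the finding codes are this example's own.
"""
import json
from typing import Callable, Dict, List, Tuple

ADMIN_PORTS = {22, 3389}               # SSH and RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}    # "anywhere" in IPv4 and IPv6

Finding = Tuple[str, str, str]         # (logical id, finding code, message)


def check_security_group(name: str, props: dict) -> List[Finding]:
    """Flag ingress rules that expose an admin port to any source address."""
    findings: List[Finding] = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        lo = int(rule.get("FromPort", 0))        # missing ports = all ports
        hi = int(rule.get("ToPort", 65535))
        if cidr in WORLD_CIDRS and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append((name, "SG-OPEN-ADMIN",
                             f"ports {lo}-{hi} open from {cidr}"))
    return findings


def check_bucket(name: str, props: dict) -> List[Finding]:
    """Flag buckets that declare no server-side encryption at all."""
    if "BucketEncryption" not in props:
        return [(name, "S3-NO-ENCRYPTION", "no BucketEncryption property")]
    return []


def check_iam_policy(name: str, props: dict) -> List[Finding]:
    """Flag Allow statements that grant every action on every resource."""
    findings: List[Finding] = []
    for stmt in props.get("PolicyDocument", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            findings.append((name, "IAM-ADMIN-WILDCARD", "Allow * on *"))
    return findings


# Map of resource type to the check that applies to it.
CHECKS: Dict[str, Callable[[str, dict], List[Finding]]] = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
    "AWS::IAM::Policy": check_iam_policy,
}


def scan_template(text: str) -> List[Finding]:
    """Run every applicable check over each resource in a JSON template."""
    template = json.loads(text)
    findings: List[Finding] = []
    for logical_id, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check is not None:
            findings.extend(check(logical_id, res.get("Properties", {})))
    return findings


# Constructed template, minimal on purpose, as a developer might first write it.
WEAK_TEMPLATE = json.dumps({"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "DeployPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "deploy", "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}})

# The same resources with least-privilege fixes; 10.0.0.0/8 and the bucket ARN
# are placeholders standing in for a real admin network and artifact bucket.
HARDENED_TEMPLATE = json.dumps({"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {
            "SSEAlgorithm": "AES256"}}]}}},
    "DeployPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "deploy", "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                           "Resource": ["arn:aws:s3:::example-artifacts/*"]}]}}},
}})

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, scan_template(tpl) or "no findings")
```

Run in a pre-commit hook or CI job, a check like this fails the build before anything is deployed, which is the "catch it before it reaches a test environment" step. The continuous-compliance step Wisniewski describes is the same set of checks applied by a CSPM tool to the live configuration read back from the provider's APIs, so that a change made outside the template (the rogue admin case) is caught as well.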
For more on this topic, watch the 35-minute “Moving to a Secure Cloud” Q&A panel from the Sayers #Curio Virtual Tech Summit, now available free on-demand. Three of our industry-leading experts on architecting and securing the cloud answer your most pressing questions on cloud security as you move to the cloud.
Questions? Contact us at Sayers today. We offer extensive security solutions to cover all areas of your business.