Cloud Security: Whose Responsibility Is It Anyway?
Operating in a highly secured cloud environment under shared responsibility is an often misunderstood concept. Amazon Web Services considers security a shared responsibility, but what does that mean when it comes to how you’re managing your workloads, the tools you’re using, and the infrastructure on the bottom layer that AWS is responsible for? Managing cloud data breaches, which are often caused by customers, is no easy feat for developers who are already faced with insurmountable responsibility and challenges.
In this special session, we asked the critical questions developers face when it comes to their responsibility for security in cloud services. For this video, we spoke with Jonathon Canada, solution architect at Teleport; John Morello, vice president of product from Palo Alto Networks; and Avi Shua, CEO of Orca Security.
Watch our recap here and read our lightly edited transcript of the video, which was recorded at Amazon Web Services’ AWS re:Invent earlier this month:
Alex Williams, The New Stack (host): Simplified, the cloud services model can be broken into three layers: Infrastructure as a Service (IaaS) at the bottom layer; on top of that is Platform as a Service (PaaS), where the service provider becomes responsible for things like patching and maintaining operating systems; and on top of that is Software as a Service (SaaS) — the workloads and software that run on AWS services. It’s also the layer where customers can change application configuration settings and are exposed to the internet. There are all kinds of issues that an engineer faces every day; there are puzzles to solve, priorities that you need to really be considerate of, and there are issues that come when you don’t really think about the problem at all. That’s when the real trouble starts.
Jonathon Canada, Teleport: In the case of a server as an example, an organization still has to worry about patching that server and applying updates.
Williams: It’s quite complex when an organization uses a variety of tools that are managed by different teams. But in the cloud, these days, it’s getting easier to converge different data sources into one graph model.
John Morello, Palo Alto Networks: What you’re starting to see more now is convergence, where people realize it’s not good enough to have just different tools to cover those layers. But you need to have convergent data across those tools, the ability to make use of that information. And a good example of that is if you have a vulnerability, for example, within one of your container images. You’re going to have thousands of these in any environment. How do you know which ones are most important? Which ones might be exposed from the internet?
Williams: It also demonstrates the importance of identity and protocols in the shared responsibility model. What if an engineer leaves the team? How do you manage that so passwords and keys can’t be used again by an intruder? How do you manage certificates so they are only temporary and can’t be used again and again and again by an attacker?
Canada: Not only that, somebody just SSH as the root user or Ubuntu user easy to use, or whatever it is. But here is the specific identity of that user. And on top of that in Teleport, you’ll get an entire session recording of what exactly they did throughout that session.
Williams: To protect users, vendors sell lots of tools, but it remains a question about their effectiveness. Orca Security’s CEO and co-founder, Avi Shua, said all these tools are like locks waiting to be picked.
Avi Shua, Orca Security: In my opinion, no organization should really have a database security tool, a Kubernetes security tool and identity tool, or a vulnerability tool, because when you take this approach, essentially, you have too many data points. That is the equivalent of getting a list of which are the easiest to pick locks. The only way that we can tackle the issue of security seriously is by taking a full-stack approach that essentially looks at the issue as a graphic.
Williams: Most attacks follow a pattern. An intruder may find a vulnerability that they access from the internet. That leads to a load balancer perhaps and they get access to keys. Perhaps those keys lead into a database where all that customer data is located. This is when the real trouble arises.
Shua: These are a few of them that you need to tackle versus trying to look at each problem separately and ending up with millions of discrete alerts. This is a common thing that attackers think of — a way in, and defenders are often thinking of lists. And, as long as it stays that way, attackers win.
Williams: Here’s one thing you can do — how about unifying all the data? Couldn’t do that in the old enterprise. But in the cloud, it’s a different story.
Shua: The on-premises world wasn’t really feasible because you had to take many data sources from many different areas and tools. It wasn’t practical to combine all this data into one place. Cloud changes that because essentially, what’s happening in the cloud is that all this data is usually sourced in one place.
Williams: But what about the top layer? How about containers that run on an EC2 instance — what’s their vulnerability posture and how are they configured? The container is in one layer, the instance is on another. Historically, these two layers have been looked at as individual items to secure. What you’re starting to see more of now is convergence, where people realize it’s not good enough to have different tools to cover those two distinct layers.
Morello: All those integrations allow us to be in the places where developers already are, and not force them to step out of tools and workflows that they’re already familiar with. And that’s really what I think is most crucial. You have to meet developers in the places that they already are, versus trying to get them to adopt or to change their practices. Security tools that assume the developers need to take extra work or go through extra steps typically are the ones that are not well adopted and don’t ever really have the traction to help people over time.
Williams: In summary, the bottom layer may be the responsibility of Amazon Web Services, but you better have the protections in place to prevent from getting attacked. And the middle layer, what’s your posture management there? And on top? How are you exposed to the internet? Thanks for watching everyone.