The use of the public cloud to house applications and data is gradually becoming a commodity for large companies. However, the question often arises as to who is actually responsible for the security of these cloud environments and, of course, the applications and data stored in and accessible through them. Shared responsibility is actually the norm. AWS wants to give its customers even more insight and best practices for this, as the cloud giant recently told us.
It is no secret that security is a priority for companies when it comes to switching to the public cloud for their infrastructure and, above all, for hosting all their data. End users sometimes see securing their infrastructure and data properly as one of the biggest obstacles to actually switching to a public cloud. Important concerns include the fear of data leaks, unsafe APIs, an increased risk of DDoS attacks, and attacks by both internal and external hackers.
In addition, companies and organizations fear losing control of their data because they find it too complex to find, manage and secure their applications and data in the public cloud. They lack the right visibility to take adequate security measures within a public cloud. As a result, security is often a bottleneck for end users in cloud environments.
Security and compliance
A switch to a public cloud brings about a major change for companies and organisations when it comes to security, says Julien Lepine, Senior Manager of AWS Specialist Solutions Architects in the EMEA region. It is not just about how they want to keep access to their data secure. Increasingly, it is also about how they can demonstrate that their applications and data are stored in a secure manner. According to Lepine, cloud security is not only about ‘security’, but increasingly also about compliance. Ultimately, according to him, cloud security is a combination of technology, risk and compliance that customers have to respond to.
However, one of the uncertainties with regard to the security of the public cloud is who bears final responsibility for it. Is it the end customer, because it concerns his applications and data, or is it the provider of the public cloud, who ‘delivers’ the environment in which all this information is stored?
Shared responsibility
AWS calls this division of responsibility the Shared Responsibility Model. This model is not unique to AWS; just about every major public cloud provider uses it. In concrete terms, the model means that security and compliance are the responsibility of both the public cloud provider and the customer. For AWS, it means that it is responsible for securing and ensuring the compliance of the entire infrastructure on which all the services chosen by the customer run. This includes all hardware and software stacks, networking, and the physical locations where the public cloud services run.
Responsibility for your own data
Within the model, customers are responsible for everything that takes place on top of this infrastructure and software layer. This ranges from the guest OS used, other required platform, application, and identity and access management software, various forms of (data) encryption and network security, to the configuration of the firewall that AWS provides for each instance.
Last but not least, customers are responsible for the security and compliance of their own data. The customer's data remains the customer's data, not the public cloud provider's.
The shared responsibility in the model used by AWS does, however, mean that customers should think carefully about which services they want to use. How much of the security and compliance work they have to take on themselves, and how they have to set it up, differs for each AWS service and requires more or less mandatory configuration work from the customer. According to the public cloud provider, this does mean that customers have more flexibility and control over exactly what they are rolling out.
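The per-instance firewall mentioned above is the EC2 security group, and its configuration sits squarely on the customer's side of the model. The following added example (not from the article or from any AWS tool) audits a set of security groups for rules that expose commonly attacked services to the whole internet. It assumes input in the shape returned by the EC2 describe_security_groups call; the sample groups and the list of sensitive ports are constructed for this illustration.

```python
"""Audit EC2 security groups for ingress rules open to the whole internet.

Added example, not part of the original article or an AWS tool. The input
mirrors the shape of the EC2 describe_security_groups response; the sample
below is constructed for offline use (assumption: no real account data).
"""
from ipaddress import ip_network

# Assumption: services whose exposure to 0.0.0.0/0 or ::/0 is almost always a mistake.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 6379: "redis"}

def _is_world(cidr):
    """True for a CIDR that admits every address (IPv4 0.0.0.0/0 or IPv6 ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def _port_range(perm):
    """Return the (from, to) port range of a permission; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))

def world_open_sensitive(perm):
    """Names of sensitive services in `perm` reachable from anywhere, or [] if none."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    if not any(_is_world(c) for c in cidrs):
        return []
    lo, hi = _port_range(perm)
    return sorted(name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi)

def audit_security_groups(response):
    """Map each offending GroupId to the sensitive services it exposes to the world."""
    findings = {}
    for sg in response.get("SecurityGroups", []):
        exposed = set()
        for perm in sg.get("IpPermissions", []):
            exposed.update(world_open_sensitive(perm))
        if exposed:
            findings[sg["GroupId"]] = sorted(exposed)
    return findings

# Constructed sample (placeholder group ids, documentation address range).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},  # IPv6 side left wide open
    {"GroupId": "sg-0example3", "GroupName": "legacy",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

if __name__ == "__main__":
    for gid, services in audit_security_groups(SAMPLE).items():
        print(f"{gid}: {', '.join(services)} reachable from the internet")
```

Running it flags the bastion group (SSH open via ::/0 even though its IPv4 range is narrow) and the legacy group (all ports open), while the HTTPS-only web group passes.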
Shared responsibility for IT Controls
Shared responsibility is not limited to the elements above; it also extends to IT controls. This includes the management, execution and verification of these control activities. AWS can take over a large part of these tasks from customers, especially tasks concerning the physical infrastructure in the AWS environment, which customers previously carried out themselves. Customers can therefore switch to a distributed control environment. They then decide for themselves which activities they want the public cloud provider to carry out and which activities they want or have to carry out themselves.
Don’t let shared responsibility deter you
This shared responsibility for security and compliance can deter many customers from switching to the public cloud. According to Rob Lyle, Security Specialist and Solutions Architect Manager at Amazon Web Services, however, this does not have to be the case. Customers need to know that all the security and compliance processes they currently perform in their own on-premises data centers are different from those in the public cloud. The number of rules, the policies and the assets they have to keep an eye on will change, of course, but it is a process they are already going through.
Fortunately, the actions above are often automated, and for specific security and compliance matters most decisions are already taken as standard. As a result, customers are relieved of these worries and often only have to make such decisions themselves in exceptional cases. According to Lyle, this makes a public cloud much safer.
Stream of alerts
To help customers secure their part of the shared model as well as possible and make it compliant, AWS offers a range of its own products. Customers can also purchase security and compliance tools from third parties.
However, this mix of different tools has the disadvantage that it makes it harder for administrators to keep an overview. All of these solutions emit notifications, but because of the sheer number of them, administrators are not always able to respond quickly and adequately. This, of course, has consequences for security and compliance in these environments.
One-stop-shop experience
AWS would not be AWS if it did not come up with solutions to this problem. The public cloud provider wants to give its customers a one-stop-shop experience for all their security needs and, in the case above, visibility as well, Lepine continues.
Two solutions were recently launched to help with this. Security Hub is intended to give AWS customers complete visibility of all the security tools used within their AWS cloud environment for applications and data, and of the alerts issued by those tools. Not only AWS's own tools, but also those of other parties.
All the tools in use are accessible from a single dashboard and can be managed from there. All notifications issued by these tools are collected, organized and prioritized. End users pay for Security Hub on a pay-per-use basis, and it is available to all AWS customers.
Help through best practices
That’s not all, Rob Lyle continues. For this one-stop-shop experience, the public cloud provider has launched AWS Control Tower. This solution enables customers to set up and manage their public cloud environment, including multiple AWS accounts, in a structured, simple and, above all, secure manner. Control Tower does this by providing a pre-configured, automated landing zone based on best practices and defined policies for compliance and access. This gives these cloud environments ‘guardrails’ as standard, which prevent end users from installing or using certain tools that violate those policies. Customers can of course also add and modify policies as they see fit.
According to Lyle, Control Tower is actually a kind of software-defined data centre for customers that enables them to roll out the public cloud in a simple and fast manner. This is because all the important security and compliance policies are included as standard. This saves customers a lot of time. AWS Control Tower is free of charge. Current end users of AWS can also use this tool for all the services they are currently paying for.
A lot of possibilities
AWS is clearly more than just a major provider of public cloud services. The security and compliance challenges customers have to deal with are very much on the company’s mind. The desire to take these worries away from customers, for example with specialised tools such as Security Hub and Control Tower, makes this clear as well.