July 14, 2020
Good morning, everyone!
To Cloud, or Not to Cloud?
As businesses of all sizes contemplate moving more of their operations to the Cloud, it’s becoming increasingly important to understand the security implications. Verizon’s 2020 Data Breach Investigations Report reported that 43% of data breach victims are small businesses:
“While differences between small and medium-sized businesses (SMBs) and large organizations remain, the movement toward the cloud and its myriad web-based tools, along with the continued rise of social attacks, has narrowed the dividing line between the two. As SMBs have adjusted their business models, the criminals have adapted their actions in order to keep in step and select the quickest and easiest path to their victims.”
A few weeks ago I was watching a webinar hosted by the U.S. Department of Defense, on the subject of cyber security for small contractors. The DoD official mentioned several times that they were working with Amazon Web Services (AWS) to develop simple, secure solutions for small businesses. Each time the official said this, the AWS rep on the webinar would reply something along the lines of yes, they were working on new products for SMBs and security would of course be a priority “within the context of the shared responsibility model.” As I watched, I wondered how many people truly understand the shared responsibility model? Let’s talk about that today!
First, let’s define “the Cloud.” For purposes of this discussion, the Cloud includes all of the three common flavors:
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
(maybe I’ll discuss those in detail in a future newsletter? If you want it, ask for it!)
Second, I want to make this very important point: contrary to what the sales people say, the Cloud is inherently neither more nor less secure than a local network. Cloud security is what YOU make of it!
Wait, say what?
Back to the shared responsibility model. Cloud service providers (CSPs) like Amazon, Microsoft, Google, Oracle, etc. are responsible for the security "of" the cloud, while the customer is responsible for security "in" the cloud. What does this mean exactly?
The CSP is responsible for the physical security of the equipment (fire protection, cooling equipment, electricity), restricting access, and protecting the overall environment from threats, both internal and external. The CSP is also responsible for providing security tools to the customer, such as multi-factor authentication and data encryption.
The customer is responsible for the proper configuration and use of the security tools provided by the CSP. This is generally where things fall apart:
“Speaking at the RSA security conference [in February of this year], Microsoft engineers said that 99.9% of the compromised accounts they track every month don't use multi-factor authentication, a solution that stops most automated account attacks.”
How about confidential data exposed publicly online?
I could list literally HUNDREDS of examples like this, all with a common theme: the leak was caused by improper configuration of cloud storage by the customer.
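The two customer-side failures above (accounts without multi-factor authentication, and storage buckets whose policy lets anyone read them) are both things an organization can check for itself before the data ends up exposed. The script below is an added example written for this newsletter, not code from Verizon, Microsoft, Tripwire or any cloud provider: it audits a constructed snapshot of an account (a small user list and two bucket policies, both made up here) and reports which users lack MFA and which policy statements grant public access. The policy JSON follows the general shape of an AWS-style policy document, but no provider API is called, and the account ID in the corrected policy is a placeholder.

```python
"""Audit a constructed account snapshot for two customer-side misconfigurations:
console users without MFA, and storage bucket policies that grant public access.
All sample data is constructed for illustration; nothing is read from a real account."""
import json

# Constructed sample: a credential snapshot such as an administrator might export.
SAMPLE_USERS = [
    {"user": "alice",  "mfa_active": True,  "console_access": True},
    {"user": "bob",    "mfa_active": False, "console_access": True},
    {"user": "ci-bot", "mfa_active": False, "console_access": False},
]

# Constructed sample: the weak setting, a bucket policy that makes every object world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: the corrected setting, the same grant limited to one role
# in the account (123456789012 is a placeholder account ID, not a real one).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppReader",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def users_without_mfa(users):
    """Return the names of users who can sign in interactively but have no MFA device.
    Service accounts with no console access are not flagged here."""
    return [u["user"] for u in users if u["console_access"] and not u["mfa_active"]]


def _is_public_principal(principal):
    """True when a statement's Principal means 'anyone', in either of the
    common spellings: the bare string "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to anyone.
    Statements carrying a Condition are skipped: they may still be public, but
    deciding that needs a human reading the condition, not this script."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _is_public_principal(stmt.get("Principal")):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def audit(users, bucket_policies):
    """Combine both checks. bucket_policies maps bucket name -> policy JSON string.
    Returns a list of human-readable findings (empty means nothing flagged)."""
    findings = []
    for name in users_without_mfa(users):
        findings.append(f"user {name}: console access without MFA")
    for bucket, doc in bucket_policies.items():
        for sid in public_statements(doc):
            findings.append(f"bucket {bucket}: statement {sid} grants public access")
    return findings


if __name__ == "__main__":
    sample_policies = {"example-bucket": PUBLIC_POLICY, "fixed-bucket": RESTRICTED_POLICY}
    for finding in audit(SAMPLE_USERS, sample_policies):
        print(finding)
```

Run as-is, the script reports bob (console access, no MFA) and the AllowEveryone statement on example-bucket, and stays silent about fixed-bucket, whose policy names a specific role rather than "*". The deliberate omission is statements with a Condition: a quick script can tell you when a policy is plainly open to the world, but anything conditional is exactly the kind of setting a person should read before trusting it.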
So before moving everything to the Cloud, take the time to learn about the shared responsibility model and what your organization’s role will be in securing your data online. Tripwire published a good overview worth reading: The Cloud’s Shared Responsibility Model Explained:
"While it is true that CSPs like AWS or Microsoft Azure have their own security responsibilities, the truth is that data breaches will continue to occur unless organizations using cloud services collectively fulfill their end of the relationship."
The security implications in moving to the Cloud are many and complex. We'll probably circle back around to this topic again at some point in the future.
Meanwhile, don't forget to check out my upcoming Work(fromhome)Shops!
Midsummer Cyber Self Defense Series starts at 10:30 this morning! Social engineering, phishing, ransomware defense, social media, password management techniques and more!
And hey, check out our new website!
You can always catch up on past editions of this newsletter at https://www.theneteffect.com/newsletters.
Talk to you again soon!