In part 2 of our 3-post series, we continue the conversation with Greg Jensen and discuss the Shared Responsibility Security Model and the importance of visibility in the cloud.
Can you touch upon some of the key points regarding the shared responsibility security model?
Yeah, it's interesting. I just had a conversation with a customer the other day who highlighted this for me. He is a customer at a large Fortune 100 company, and he's been a reader of the report since we introduced it, and we've always included this conversation about shared responsibility. He and I just had a good conversation around this, and it really was a reminder of how topical this has been over the years. I never anticipated just how well received this path would become. When I've presented on this topic at conferences and events, this is generally the topic where everybody pulls out their cell phone and snaps an image of what I'm presenting, because it's something that a lot of individuals have studied. The image itself is the breakdown of responsibility, and typically 54 percent of organizations don't understand their role in it, or what I am responsible for as a customer versus my cloud service provider.
When you look at that typical breakdown between my role and my responsibility as a customer versus a cloud service provider, you see this line separating the customer and the cloud service provider. Where I think people really get confused, sometimes even today, is that they look at that line as a very binary type of thing, like it's black and white, it's them or us, like it's a clear distinction. They look at it as a line in the sand where they do that and we do this. What I really try to drive home is that there is actually no line in the sand. That's where the customers and their cloud service provider should sit down and have a conversation to determine where we are sharing the work, because that's really what this model is describing: it's a shared responsibility. This is where we're both coming together, doing some work together and creating some examples, because along that line there are things that the model doesn't even really show in many cases, because the customer and the cloud service provider may be sharing audit responsibilities. For example, they may be sharing cloud penetration testing responsibilities. These are things that are sometimes agreed upon in conversation and then worked into the SLA contract, but that doesn't happen until there's a conversation. This is why I really do encourage them to have that conversation on a very regular basis with each of their cloud service providers. This way the customer can understand it and then continue to go back and refine it over time. I think that's one of the gray areas that a lot of people struggle with: that responsibility piece. What do I do? What do you do? What's my role? How do you know what you're responsible for? Customers really do want binaries… they want zeros or ones, or black and white, but it just doesn't work that way.
Please share a bit of what you think about the importance of the visibility for cloud security?
Yeah, so, you know, visibility is kind of a broad term, because when we say visibility it can mean a lot of things; it's a term that covers everything from cloud configurations to compliance scorecards. Are we meeting all of our privacy regulations? Are we meeting our internal scorecards? Does our corporate governance mandate its visibility, and are there application users at risk? Is there visibility into our attacks and threats? What about event monitoring and response? Then you move into automation streams and analytics, but all of these are just as critical for cloud as what we would see in our own enterprise data center. I would say it's no more critical, though, because we now have this shared responsibility with the cloud providers and we've got to keep tabs on them, because when we're bringing these cloud service providers in we're dealing with SLAs and tracking, but we also have SLAs and contracts with our customers and partners. So we have to keep tabs when we're dealing with people that are providing services to us. So it is critical to have that visibility to do the due diligence, to make sure that the cloud providers are working with us and that they are delivering a secure service to us. We need to maintain that lead and make sure that we have the tools necessary.
Now, the other part of this visibility conversation that I do have concerns about is when organizations step into what I call that first-gen cloud phase. All right, we all went through and agreed that we're jumping on board the cloud. We're going to let our users leverage a bit of Dropbox or Evernote or Office 365, so there's some lower risk for the business data that we are going to put up there. Okay, great. But with that there are some more basic, what I call foundational, security controls that should be used, like identity controls. Also, you have some anti-malware controls, probably from the cloud provider that they're using, and this is what I have been seeing over the last 18 months. We saw that big spike, and now we see seven out of ten organizations over the last year starting to shift business-critical data to the cloud. So they are now done with these pilot projects and have started shifting over from business data to business-critical data. Now, this is the data that can compromise your business and potentially cause you to lose customers. So, with all the risk factors much higher, what are they doing with all the additional controls? Have they layered up their security? Most organizations haven't put all those additional layers of security on top like we normally would see in an on-premise model. That's where I have some concerns, because we haven't seen some of those same philosophies in the cloud that we've seen over the last 20 to 30 years in data centers. Oh, you have your data in your data center? Oh gosh, we have to put twenty-five layers of security in there. We need our intrusion detection or firewalls. We need monitoring around it. We need layers around the castle. It is a model that has not been widely duplicated in the cloud. I believe that a lot of this comes down to there just being an expectation that the cloud providers are to handle a lot of that for us. So we don't need to fortify our data, because the cloud providers have got it.
Yet there is still a high degree of responsibility in the cloud. If I have my infrastructure being used for a service, even if I'm using SaaS, there's still a lot of responsibility for the data I own in the cloud, because I now own my access in the cloud, so that's my responsibility. So this is where I think there are some disconnects and where organizations could make some changes, but I don't see it in a lot of cases today.
When it comes to working with a cloud provider, many customers are not asking the right questions, and in some cases they don’t even know the right questions to ask. Like, what happens to my data if I leave a service provider? What if I do a Proof of Concept (POC) with a cloud service provider and I put my data up there? What if we decide not to renew after two years? Then what is the disposition of that data in the cloud, and who will remove it? Does it get removed? This can become a big problem, especially around compliance, and an issue around some of the visibility. Even if you build castles and moats around your critical data, the reality is your compliance and governance will likely not be met unless the end is planned for in the beginning. For our last post in this 3-post blog series, we discuss the future of cloud security and how businesses can best prepare against potential security incidents.
Interested in learning more? Join me at the RSA Conference at the Oracle booth 6059 in the North Hall to learn more about the Shared Responsibility Security Model and overall cloud security visibility. Follow us all week as we continue the conversation on Twitter and LinkedIn by following #OracleatRSA.