Cloud Security Confusion: Who Owns What?

February 5, 2015 | Russ Spitler

At BlackHat this past summer, we ran a survey in our booth asking a series of questions related to security in the cloud. We had more than 500 respondents and the signal was quite strong – everyone is confused about security in the cloud!

Let’s start with the simplest, most basic question – who is responsible for security? To illustrate this, let’s use a simple scenario - you have just decided to use some cloud provider to host some servers. In this case I am talking about infrastructure as a service (IaaS) - AWS, RackSpace, Google Compute Engine, etc. In ‘real’ terms it is pretty simple what we are doing - we are renting the right to run a VM hosted in a giant server farm somewhere. From a security perspective there is now quite a bit to consider, and it starts at a very low level. Let’s first lay out what needs to be addressed.

  1. Physical Security – ultimately, no matter what we do, if someone can steal our physical machines (grab a hard drive or flash our memory) we are in trouble.
  2. Hypervisor Security – in our virtualized world we rely on the hypervisor for segregation of resources: disk storage, RAM, CPU.
  3. Network Security – our world is not self-contained, so managing the communication and the connections that our systems can make is a critical piece of the equation.
  4. Operating System Security – all of our applications and services ultimately run on an operating system which is performing the basic tasks for us - running processes, networking, storing data, etc.
  5. Application Security – all of our actual value for running these systems resides at the application layer. The valuable processes and services provided by these applications are the whole reason for all of the other layers.

Now, given our scenario above, who is responsible for what? What should you be responsible for, versus what your IaaS provider “owns”?

Well, according to our survey results, there isn’t a whole lot of thought behind most of the answers. For example, only 43% of people expect their IaaS provider to supply physical security – if the provider is not supplying this, exactly how is this being done? Are we deploying magical virtual machines capable of fending off intruders tampering with the servers they run in? Probably not, but if you have one of those, leave me a comment at the end of this post.

In the same vein, only 36% expect their provider to manage the security of the hypervisor – none of the providers mentioned above will let you even get close to the hypervisor, much less do anything related to monitoring the hypervisor. The last confusion was that 37% of the respondents were planning on deploying network-IDS into these environments – again, most providers make this next to impossible.

With the nature of understanding demonstrated by the answers to these questions, I am left wondering: what exactly is going on up there? Are customers of these providers educating themselves on what they are responsible for? Are they taking advantage of the security features offered to them?

The only conclusion I can reach is that there is nothing but confusion surrounding security in the cloud. This is an entirely unacceptable situation, given the momentum of organizations increasingly moving their applications to the cloud.

This is the first in a series of blogs about cloud security. In future blogs, I will share insights about cloud security and provide suggested courses of action.


About the Author: Russ Spitler

Russell Spitler brings over a decade of experience building products and startup companies that secure companies across the globe. Russ currently serves as the AVP of Products at AT&T Cybersecurity, where he is responsible for cybersecurity product strategy and the execution of the cybersecurity product roadmap that has resulted in the acquisition of over 7,000 commercial customers and over 20,000 open source users during his tenure. Russ was also one of the founders and a driving force behind AlienVault's Open Threat Exchange, a crowd-sourced threat intelligence community with over 100,000 active users from more than 140 countries. His leadership and focus on practical and effective threat detection have helped establish AlienVault's open-source and commercial products as an undisputed industry leader. Prior to AT&T, Russell served in engineering and product management roles at Fortify Software. Russ was instrumental in developing and maturing the Fortify product suite that dominated the application security testing market, earning the leadership position in the Gartner MQ for 11 straight years. Fortify's 750+ customers included all 10 of the world's 10 largest banks and all the major branches and agencies within the US DoD. Russell frequently contributes articles and quotes for major news outlets and regularly presents at industry conferences such as RSA and BlackHat.
