Multicloud adoption is at an all-time high. Cybersecurity company Fortinet estimated that 76% of organizations would use at least two cloud service providers (CSPs) in 2021, while IT management provider Flexera estimated that in 2022, 89% of organizations had already adopted a multi-cloud strategy.
As a result, a company’s share of digital assets is now spread across multiple physical and virtual locations and operated by multiple service providers, rather than in one location, on-premises or in the cloud.
Therefore, traditional security strategies no longer work, Katie Anton, vice president of security architecture at JPMorgan Chase, argued in a presentation at the Cloud & Cyber Security Expo in London on March 8-9, 2023.
“The traditional cybersecurity strategy that we are used to is putting everything in a castle. I’m thinking,” she explained.
“In modern architectures, this method is no longer appropriate as valuable data is spread across multiple third-party vendors. With API security, we were forced to adopt a Zero Trust approach that focuses on protecting identities, not assets.”
Many organizations have moved to a multi-cloud approach without adapting their security strategies, Anton said.
She said Gartner has found that 90% of organizations expose data inappropriately in the cloud.
One key reason, she argued, is that many organizations mistakenly assume that CSPs fully guarantee the security of the data they hand over.
“Gartner predicted that by 2025, 99% of cyber incidents will be caused by customer misconfigurations, which is largely due to a misunderstanding of the shared responsibility model,” said Anton.
3-layer framework
The Shared Responsibility Model, a cloud security framework commonly used by CSPs such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, describes where the CSP's security responsibility ends and the customer's responsibility begins.
The Cloud Standards Customer Council, an advocacy group for cloud users, notes that across the three service models, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), the customer's responsibility generally increases as users move from SaaS to PaaS to IaaS.
SaaS is a software delivery model in which a vendor centrally hosts applications in the cloud for use by subscribers. Using Dropbox, Zoom, Microsoft 365, or Google Workspace usually means a SaaS agreement. In this model, the provider is responsible for application security and its maintenance and management.
PaaS consists of providing a platform, such as Red Hat OpenShift or Google Kubernetes Engine, that you can buy and use to develop, run, and manage your applications. In this model, the vendor provides both hardware and software and is responsible for the security of the platform and its infrastructure.
IaaS is an infrastructure delivery model in which vendors provide a wide range of computing resources such as virtualized servers, storage, and network equipment over the Internet. AWS, Azure, and GCP are leaders in IaaS. In this model, the customer is typically responsible for maintaining the security of what they own or install on their cloud infrastructure (operating systems, applications, containers, workloads, data, code, etc.).
However, in all three models, some security responsibilities are always yours, such as asset identity and access management (IAM), user security and credentials, or endpoint security. Other security tasks typically fall under the CSP’s purview, such as physical layer safety and security, and all related hardware and infrastructure, including facilities running cloud resources.
Shared responsibility for security shortcomings
The National Cyber Security Centre (NCSC) has set out a three-tier shared responsibility security model for cloud security, but this is just a framework, not a regulation.
Check Point EMEA Field CISO Deryck Mitchelson spoke at Cloud & Cyber Security Expo about how he helped the Scottish branch of the UK National Health Service (NHS) move to a native multi-cloud architecture.
He agreed with Anton that understanding frameworks is key to securely implementing a multi-cloud strategy.
Mitchelson told Information Security: “Many of our customers are starting their multi-cloud journey without fully understanding where their security responsibilities lie.”
He added: good. “
But the downside isn’t just for cloud users, Mitchelson says. “Cloud suppliers need to be more transparent about what they do and don’t do, and provide more security by default.”