Understanding your responsibility and security in the cloud

responsibility security cloud

In this podcast recorded at Black Hat USA 2017, Chris Drake, CEO at Armor, talks about the difference between security of the cloud and security in the cloud.

responsibility security cloud

Here’s a transcript of the podcast for your convenience.

I’m Chris Drake, founder and CEO of Armor. We are a cloud cybersecurity services company and I wanted to talk today about the things that I’m seeing in the industry and around public cloud, and some of the CEOs and CISOs intelligence levels are starting to raise around security in the public cloud.

So, last year we talked about the CSO’s frustration about how they continue to spend a lot of money and get breached, and no matter how much they spend they continue to get hacked and spend a lot of money on fines and whatnot. And so now that their organizations are starting to adopt the public cloud environments, their frustrations are exponentially increasing because their teams, their DevOps teams, or their software development teams are not really understanding what the true shared responsibilities are that sets them from the public cloud.

And truth be told, if you were to go to visit the major public cloud providers’ websites or talk to their sales staff, they’ll stand behind some compliance certifications like PCI or HITRUST or HIPAA or whatnot. And while they do have those certifications, the issue is that they’re certified for those environments, and so it can kind of come across to a person who doesn’t want to dig underneath the covers and understand that the true shared responsibility that you’re not certified if you adopt those clouds, and if you don’t get those security controls and capabilities, that those cloud providers used to get their certifications.

What CSOs and CIOs are starting to understand is what is that shared responsibility between the public cloud environments, between themselves. If you look deep enough inside the websites of the AWSs and the Azures or if you just Google AWS shared responsibility model or Azure shared responsibility model, within buried inside the site, you’ll see a very clear depiction of that shared responsibility which is what we are communicating with CISOs and CIOs and really opening their eyes.

Cause what you see – I’m talking about AWS specifically, cause they actually are very good in how they discuss it, but AWS says that they provide security of the cloud, and their customer is responsible for security in the cloud. And those are two really important distinctions.

Security of the cloud, the things of the plumbing of the cloud, is the hypervisor, is the storage layer, it’s the compute layer, it’s the network layer, it’s things like that on the AWS plumbing side. But once it gets to a customer-specific environment, that’s all in the cloud, and that’s the customer’s responsibility, and that’s a lot of layers. Once you see, once you Google AWS shared responsibility model you’ll see the blocks which they have and you’ll see the AWS is responsible for about 5 blocks of all that plumbing stuff, and the customer is responsible for about 15 blocks, which includes everything from operating system, network controls, user controls, application management, all those kinds of activities, the customer is responsible for.

And so now I see a lot of organizations scrambling, because they just opened their eyes and learned of this responsibility that they had assumed was a AWS or Azure responsibility previously. And so, that’s why Armor exists. That’s why we focus around cloud security, so we can assure customers are secure in the cloud. Our product offering is really about filling those boxes up and getting that risk off the customer’s hands so they can focus on their business.

responsibility security cloud

Our product roadmap, we believe the security of the cloud isn’t something that should be assumed. And so, yes, I believe in AWS as in Azure’s approach, but everybody makes mistakes, and so we’re working on some things to ensure that security of the cloud is double checked, if you want, by the organization. So they can sleep peacefully at night knowing security in the cloud is covered, and security of the cloud is covered by their public cloud provider, but it’s monitored and we ensure that the integrity of that continues to remain tamed.

That’s the story for this year, is really kind of educating the market on the distinction of the cloud, in the cloud and the shared responsibility of the public cloud.