Shared responsibility necessary to secure AWS resources

AWS introduced its public cloud nearly 10 years ago. And since then, the number of associated products and services has exploded at breakneck pace. Still, despite all its developments and evolution, many enterprises continue to list security among their major concerns with public clouds like that from AWS.

Amazon Web Services (AWS) maintains a "shared responsibility" stance to public cloud security. The cloud provider secures the infrastructure, while enterprise IT teams are responsible for securing workloads, data and applications that run on the infrastructure -- this is no easy task.

"Shared security is really incumbent upon the tenets in infrastructure as a service (IaaS) offerings like AWS -- that they continue to carry a fair amount of the responsibility," said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. "That also gives [public cloud providers] the flexibility to have a fairly vanilla offering that you can do a lot with."

Enterprises need an independent viewpoint and layered defense in their cloud strategies and architectures. Relying on a single cloud-specific vulnerability assessment from your IaaS provider isn't a sound decision, as that provider may not be objective. Thus, third-party security tools are the way to go.

Entire segments of the market, such as security as a service tools and cloud access security brokers, have developed to help enterprises secure AWS workloads. Within the AWS Partner Network alone, there are approximately 176 Technology Partners aimed specifically at security and compliance within AWS public cloud. While certain companies are comfortable building in-house tools to secure AWS, most turn to third-party tools from vendors such as SumoLogic, AlertLogic, Pertino, CloudPassage and evident.io.

Eliminating the appliance and using service delivery for security is attractive to enterprises. While the security appliance approach forced companies to make architectural decisions and often route traffic inefficiently, security as a service tools are "faster, cheaper and more agile," Reavis said.

The best way to handle security in the public cloud is to "let large IaaS vendors handle the virtual private cloud and virtual machine management, then layer third-party tools on top of that," Reavis said.