BACKGROUND IMAGE: iSTOCK/GETTY IMAGES

Modern Infrastructure

Data center water use grows

In This Issue

ashumskiy - Fotolia

Manage

Shared responsibility necessary to secure AWS resources

Whether deploying third-party tools or simply managing permissions, the responsibility of securing cloud resources belongs to the entire IT staff.

Michelle Boisvert, Executive Editor

Published: 17 Sep 2015

AWS introduced its public cloud nearly 10 years ago. And since then, the number of associated products and services has exploded at breakneck pace. Still, despite all its developments and evolution, many enterprises continue to list security among their major concerns with public clouds like that from AWS.

Amazon Web Services (AWS) maintains a "shared responsibility" stance to public cloud security. The cloud provider secures the infrastructure, while enterprise IT teams are responsible for securing workloads, data and applications that run on the infrastructure -- this is no easy task.

"Shared security is really incumbent upon the tenets in infrastructure as a service (IaaS) offerings like AWS -- that they continue to carry a fair amount of the responsibility," said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. "That also gives [public cloud providers] the flexibility to have a fairly vanilla offering that you can do a lot with."

Enterprises need an independent viewpoint and layered defense in their cloud strategies and architectures. Relying on a single cloud-specific vulnerability assessment from your IaaS provider isn't a sound decision, as that provider may not be objective. Thus, third-party security tools are the way to go.

Entire segments of the market, such as security as a service tools and cloud access security brokers, have developed to help enterprises secure AWS workloads. Within the AWS Partner Network alone, there are approximately 176 Technology Partners aimed specifically at security and compliance within AWS public cloud. While certain companies are comfortable building in-house tools to secure AWS, most turn to third-party tools from vendors such as SumoLogic, AlertLogic, Pertino, CloudPassage and evident.io.

Eliminating the appliance and using service delivery for security is attractive to enterprises. While the security appliance approach forced companies to make architectural decisions and often route traffic inefficiently, security as a service tools are "faster, cheaper and more agile," Reavis said.

The best way to handle security in the public cloud is to "let large IaaS vendors handle the virtual private cloud and virtual machine management, then layer third-party tools on top of that," Reavis said.

Article 7 of 12Next Article

Dig Deeper on AWS security

Single-tenant cloud services help alleviate security concerns What happens when an enterprise wants the benefits of cloud but without the multi-tenancy? Isolated services are available for those willing to pay.

AWS is still the go-to cloud for SMBs, despite viable alternatives AWS opened the door for the cloud among SMBs with its initial IaaS offering, while competition from Microsoft and Google continues to play catch-up in the marketplace.

AWS' market share growth depends on enterprise focus While AWS remains the clear leader in the public IaaS market, the vendor's future success depends on how it addresses the more foundational needs of its enterprise customers.

Top IaaS providers slowly warm up to multi-cloud While major IaaS vendors all offer some flavor of multi-cloud support, they still have work to do to help customers achieve the dream of seamless portability.

Public cloud security concerns wane as IaaS ramps, IAC rises Fewer enterprises question whether the public cloud is secure enough for critical data, as IT teams continue to thwart cloud risks using increased automation and IAC.

shared responsibility model A shared responsibility model is a cloud security framework that dictates the security obligations of a cloud computing provider and its users to ensure accountability.

SearchAppArchitecture

5 ways to get complex event processing right

How should software teams make the best use of complex event processing, and how can they implement it successfully? This article...

5 essential tips for logging microservices

Creating a log system for distributed microservices is a task much easier said than done. Joydip Kanjilal offers five quick tips ...

An introduction to combining CQRS and event sourcing

Combining CQRS and event sourcing is a powerful way to maintain data speed and consistency for web-scale applications. Learn ...

SearchCloudComputing

Review these Azure Service Bus best practices

When applications talk, you need to listen. Learn about Microsoft's cloud messaging service, its main features, best practices to...

Instill cloud change management best practices

Automation is essential to change management in the cloud. Discover the best practices that ensure your IT team is in sync and ...

How much cloud does an IT disaster recovery plan need?

It's not easy to get the right mix of traditional and cloud-based DR resources. Here's how to strike a balance between what's ...

SearchSoftwareQuality

5 vital QA skills for software testers

As testing extends throughout the SDLC, QA engineers do much more than execute a quick functionality check. Pick up these skills ...

Is RPA the future of test automation?

IT organizations will use test automation, RPA and low-code development tools to create, assess and automate complex processes in...

What to look for in code review tools

Code review gums up the Agile, iterative works. Assisted and automated code review tools improve quality, and there's a mix of ...

SearchITOperations

Rising use of Kubernetes in production brings new IT demands

Kubernetes as an enterprise IT service is still in its infancy, but the market has reached a turning point from ...

How a rules engine can drive -- or derail -- an IT automation strategy

To benefit fully from a rules engine -- and minimize the risk of chaos -- IT organizations need to carefully define system ...

Decipher real-world AIOps use cases from the hype

There are many AIOps use cases that apply to enterprise IT, but make sure you are familiar with what exactly the technology can -...

Join the conversation

2 comments

Send me notifications when other members comment.

Oldest

[-]

Brian Gracely - 18 Apr 2016 10:01 PM

This "shared responsibility" model isn't exclusive to AWS. It needs to be considered regardless of the cloud provider, and regardless of IaaS | PaaS | SaaS services. Ultimately, customers own their availability.

mcorum - 19 Apr 2016 8:38 AM

I have to agree with Brian that shared responsibility is a must pretty much any time you’re working with Anything as a service. Cloud services are a good example because it’s easy to show the importance of shared responsibility when you’re sharing a server with another entity of which you are not aware.

Related Resources

Dig Deeper on AWS security

Join the conversation

2 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.

Get More Modern Infrastructure

E-Zine | Oct 2012

E-Zine | Dec 2013

E-Zine | Nov 2013

E-Zine | Oct 2013

E-Zine | Oct 2013

E-Zine | Dec 2014

E-Zine | Oct 2014

E-Zine | Oct 2014

E-Zine | Sep 2014

E-Zine | Nov 2015

E-Zine | Oct 2015

E-Zine | Sep 2015

E-Zine | Jul 2015

E-Zine | Nov 2016

E-Zine | Sep 2016

E-Zine | Jul 2016

E-Zine | Jun 2016

E-Zine | Nov 2017

E-Zine | Oct 2017

E-Zine | Sep 2017

E-Zine | Jul 2017

E-Zine | Feb 2018