It really takes a whole village to ensure your security in the cloud

As I walked the halls of the massive Boston Convention Center this week for AWS re:Inforce, the division's annual security event, I spoke to a number of vendors, and one theme was clear: cloud security is truly a shared responsibility.

This idea has been around for a while, but it particularly resonated with me this week when I listened to various AWS security leaders talk about it during the event's keynote and in the conversations that I had during the week.

At a very high level, the cloud provider has the first level of responsibility for security. It must ensure that the data centers it manages are secure, to the extent that this is under its control. Yet, at some point, there is a gray area between the provider and the customer. Of course, the vendor can secure the data center, but it can't prevent the customer from leaving an S3 bucket exposed for whatever reason.

Security is such a complex business that no single entity can be responsible for the security of a system, especially when user error at any level can make a system vulnerable to clever hackers. There must be communication channels at all levels of the organization, with customers and relevant third parties.

When an external event like the Log4j vulnerability or the SolarWinds exploit affects the entire community, it's not just one vendor's problem. It's everybody's problem.

The idea is that everyone should communicate when issues arise, share best practices, and come together as a community wherever possible to prevent or mitigate security events.
