Public Cloud Security is a Shared Responsibility

As the Timehop breach illustrates, failure to apply enterprise security policies to public cloud services can have dire consequences.

By Paul Desmond

By Paul Desmond June 20, 2019

On the afternoon of July 4, 2018, as most Americans were deep into barbeques and other holiday festivities, an engineer at the social media application firm Timehop got wind of a network intrusion in its cloud computing environment that would ultimately result in the breach of personal data belonging to 21 million of its users.

The intrusion actually started months earlier, when a hacker exploited a Timehop administrator account that was not protected with multi-factor authentication, as it should have been. The hacker created a new administrator account and periodically used it to conduct reconnaissance on the site before launching the July 4 attack.

Timehop, to its credit, details the incident in a blog post, which highlights a simple fact that any user of cloud services needs to consider: use of cloud services does not absolve end users from security responsibilities.

Cloud Security Sows Confusion

Cloud security has been an issue for customers since the inception of cloud services, and it is still the subject of some confusion. Consider results from the 2018 Enterprise Cloud Index survey of 2300 IT decision makers around the globe, conducted for Nutanix by VansonBourne.

When asked what they consider to be the primary benefits of public cloud, 21% ranked data security and compliance number one and 59% had it in the top five – both more than any other benefit. But when asked whether various public cloud service providers offer robust security, none cracked 50%. Microsoft Azure was closest at 49.6% while Google came in at 41.1% and Amazon Web Services (AWS) at 36%.

When asked about the benefits of hybrid cloud computing, the situation gets even more murky, with just 5.4% selecting “I can choose the best security and compliance model for my data” as a benefit.

What is certainly not confusing is that cloud service providers expect customers to share in the responsibility of providing security. AWS spells out the responsibilities clearly on its site, under a page titled “Shared Responsibility Model.”

AWS is responsible for “security of the cloud,” the site states, meaning protecting the hardware, software, networking, and facilities that run AWS Cloud services. Customers, on the other hand, are responsible for “security in the cloud,” meaning all of their data, identity and access management, operating system and firewall configuration, and encryption of data on clients, servers and in transit.

Similarly, Microsoft defines “Responsibility Zones” that vary depending on the exact service. Customers, however, are always responsible for data, endpoints, account and access management, Microsoft says.

Shared Responsibility In Practice

In practice, as Microsoft spells out in its 10-page “Shared Responsibilities for Cloud Computing” document (PDF), “Physical security is the one responsibility that is wholly owned by cloud service providers when using cloud computing.” Everything else is shared, as shown in Figure 1, from that same Microsoft document.

That means providing security for cloud-based resources will likely add complexity to enterprises, as they will now have to determine how best to work cooperatively with their cloud service provider on security.

One solution is to use a cloud access security broker (CASB). Gartner defines CASBs as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement,” including authentication, single sign-on, authorization, credential mapping, device profiling, encryption, malware detection/prevention and more, Gartner states.

More enterprises will use CASBs than not, according to a story at

As companies buy cloud services from multiple providers, a CASB can help them “bridge the security gaps between resources spread across AWS and Azure, for example,” CSO stated.

Another alternative is to use a comprehensive security suite that offers coverage for both premises- and cloud-based resources. Companies such as Veritas, for example, offer suites that can scan workloads and storage looking for malware and other threats across virtual machines and containers located in multiple cloud platforms – enabling enterprises to monitor them all from the proverbial “single pane of glass.”

Whatever path an enterprise chooses, it’s important to ensure security policies are applied across the gamut of cloud and premises-based resources. As the Timehop incident shows, it only takes one small slip-up to open the door to a potential disaster.

Paul Desmond is a contributing writer. He is co-founder and principal of Saratoga B2B group and formerly an editor at IDG’s Network World, Redmond magazine and Redmond Channel Partner magazine.

Feature photo by Rakicevic Nenad from Pexels.

© 2019 Nutanix, Inc. All rights reserved. For additional legal information, please go here.