Decoding the Shared-Security Responsibility Matrix for your business

Every business that I have interacted with agrees that security is non-negotiable for organizations. Yet no one can definitively agree on the degree of security measures they have to adopt for their companies, or on how much can be entrusted to the third-party vendors they have engaged. This is not just a question of technologies, but also of how shared responsibilities are distributed.

There are several reasons why this is an interesting angle for me to explore, as a technology enthusiast.

Security today is almost a commodity, available in as many varieties as there are vendors. Each of them competes against others based only on what product they have, highlighting only what they can do and glossing over what they don’t.

In the current COVID-19 crisis, the rate of digital transformation and cloud adoption has accelerated manifold. But the traditional doubts over cloud security have also resurfaced strongly. It is imperative for us to understand security in this context more deeply, to ensure that organizations leverage the relevant solutions effectively.

Hyperscaler platforms such as AWS, Microsoft, and Google come with their own security mechanisms, offered either as web services or as SaaS products from one of their technology partners in the Marketplace. Security on these cloud platforms is designed as a shared-responsibility model: the platform provider is responsible for security of the cloud, and the consumer is responsible for security in the cloud.

Though this is the accepted responsibility matrix for the industry, organizations are not always clear on the details of this distribution. Especially when engaging with Managed Services Providers to offload their operations, getting this equation right is crucial to the overall success of the project. When both parties make incorrect assumptions about their individual security responsibilities, the risks are too scary to imagine.

It is imperative that both parties are aware of the distribution of responsibilities between the consumer and the managed services provider. Logically, this helps in establishing governance policies and practices so that business is conducted smoothly, with timely delivery of the value-based outcomes that nurture each client relationship.

Let’s consider the AWS platform to discuss my point. Businesses strengthen their security by leveraging AWS Trusted Advisor, AWS CloudTrail, Amazon GuardDuty, Amazon Inspector, and AWS Security Hub.

AWS Trusted Advisor performs core checks for any consumer on the Basic Support plan. AWS CloudTrail logs every API call made in the account, which is crucial for auditing. Even more significantly, GuardDuty identifies anomalies proactively by constantly monitoring VPC flow logs and DNS logs. Inspector is leveraged to perform agent-based security assessments.

This sounds like a comprehensive security plan, doesn’t it? But not every EC2 instance comes with a host-based antivirus/HIDS system. If organizations realize this, they would of course install the antivirus that their particular instance requires. The serious problem arises when they are not informed of this by their MSP, who assumes that the client is already aware of it.
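To make that gap concrete, here is an added example (not the article’s or Cloud4C’s own code) that checks a constructed EC2 inventory against a constructed responsibility matrix for host-level controls. The instance ids, control names and owner labels are all assumptions; the point is that a control marked as owned by no one is exactly the case where the MSP and the client each assume the other has it covered.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Gap:
    instance_id: str
    control: str
    owner: Optional[str]   # None: neither party has claimed the control


# Constructed responsibility matrix for host-level controls on EC2 instances.
# None models the situation the post warns about: the MSP assumes the client
# will install the control and the client assumes the MSP will.
MATRIX = {
    "hids": None,
    "antivirus": "customer",
    "os_patching": "msp",
}

# Constructed inventory, as an agent check-in report might present it:
# instance id -> set of host controls actually running on that instance.
INVENTORY = {
    "i-0aaa111": {"antivirus", "os_patching"},
    "i-0bbb222": {"hids", "antivirus", "os_patching"},
    "i-0ccc333": set(),
}


def find_gaps(matrix, inventory):
    """Return one Gap per (instance, control) where the control is absent."""
    gaps = []
    for instance_id, present in sorted(inventory.items()):
        for control, owner in matrix.items():
            if control not in present:
                gaps.append(Gap(instance_id, control, owner))
    return gaps


def gaps_by_owner(gaps):
    """Count gaps per owner; the 'unassigned' bucket is the one to settle first."""
    return Counter("unassigned" if g.owner is None else g.owner for g in gaps)


if __name__ == "__main__":
    found = find_gaps(MATRIX, INVENTORY)
    for g in found:
        who = g.owner or "UNASSIGNED: agree ownership before assuming it is covered"
        print(f"{g.instance_id}: {g.control} absent ({who})")
    print(dict(gaps_by_owner(found)))
```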

However, the most important things for security are consistency and continuity. Organizations have to apply security checks and controls regularly and without gaps. Defense is an ongoing process, and the mechanisms have to keep improving to ensure a complete security posture across the landscape.

Which brings me to my point about designing comprehensive security for businesses. At Cloud4C, we help organizations achieve continuity, compliance, control, and customization on any platform of their choice. Our expertise has been honed by working with businesses across sectors and geographies. We have helped businesses clearly understand their responsibility matrix in the context of complete security, and complement it with our managed SOC offerings, as a true managed services provider.

It is not just about the technology, but the expertise in leveraging it for individual context. This is true for any solution, but when it comes to security, it becomes extremely crucial. Any miscommunication on this front from your MSPs can have disastrous consequences for your entire landscape, with immediate impact on your business, as well as the brand reputation you have built.

I would love to know if you agree with my views, or discuss how your organization security can be understood in this context. Let me know!


Ramakrishna Rao Ramaraju

Presales Manager & Solutions Architect, Cloud4C

Ramakrishna Rao Ramaraju is an AWS, Azure, Oracle Cloud Infrastructure certified Cloud Solutions Architect with strong expertise in conceptualizing and designing well-architected solutions, performing cloud assessments, migrations, and delivering enterprise software hosting solutions. He creates detailed architectural designs and maintains solution blueprints, and performs periodic architecture reviews as businesses evolve.

You can reach him at ramakrishnarao.ramaraju@cloud4c.com
