Shared responsibility - a model for good cloud security

Shared responsibility - a
model for good cloud security
Andy Powell, Jisc

Mohamed Hammady, CTO
Sky
3 Shared responsibility - a model for good cloud security
“We have decided to build our data lake on
Google Cloud Platform. This is a key component
of our internal data factory transformation
programme. One of the deliverables of this
programme, which is very ambitious, is to join up
all available data in a customer-centric way. This
will allow us to progressively personalise every
customer interaction to make it quicker and more
relevant to the individual customer need.”

David Rogers, Head of Architecture and Security
Ministry of Justice
“As we started to create more and more digital services AWS
became a platform for us. We started to automate the way
we were delivering these services into the cloud. We started
to consolidate the way we were working with the cloud, such
as thru our deployment pipeline and thru monitoring and
logging. What emerged was the use of that platform very
consistently across digital services for around 19 or 20
services.”

“We now have a unified API as a basis for designing, testing, and
deploying the next generation of machine learning and digital
services in the hospital for our young patients. This will also enable
rapid and easier collaboration with our international paediatric
hospital partners to share specialised tools to improve patient
outcomes and experience.”
“Partnering with Microsoft on the Azure API for Fast Healthcare
Interoperability Resources (FHIR) allows us to scale out and
accelerate our customers’ use of [data]. The managed service is a
great additional component […] bringing research and innovation
closer to clinical impact.”
Professor Neil Sebire, Chief Research Information Officer
Great Ormond Street Hospital
Rodrigo Barnes, CTO
Aridhia

Darryl West, Group CIO
HSBC
“HSBC is no different to most other global
enterprises. We tried for many years to build data
centres, to provision infrastructure, to buy products
and to run it all ourselves. But we decided about 18
months ago that we ought to focus on what we are
great at, which is customer experience and
focusing on our customers and partnering with
people like Google to do all the heavy lifting on
infrastructure.”

Scene setting
• Three big players in the market (yes, there are others as
well!)
• All with similar directions of travel
• Global presence (10s or 100s of data centres)
• Typically organised into Regions, Availability Zones and
Edge locations
• Service portfolio that extends well beyond traditional IaaS
• … including big data, container platforms, serverless,
database as a service, IoT, ML, AI, …
• All three talk about a shared responsibility model for
security

Threat, what threat?
1. Data breaches
2. Data loss
3. Account / service compromise
4. Insecure API
5. Denial of service
6. Insider threat
7. Abuse of cloud services
8. Insufficient due diligence
9. Shared tech vulnerabilities

Shared responsibility
Application design, identity & access management
Operating system, network & firewall configuration
Data at rest (on-prem) Data at rest (in cloud) Data in transit
Software
Hardware / global infrastructure
Regions Availability zones Edge locations
Compute Database NetworkingStorage
Security in the
cloud (your
responsibility)
Security of the
cloud (cloud
provider’s
responsibility)

Confidentiality, Integrity, Availability
• Is access to my data restricted to the people I want to see it?
• Can I tell if my data has been tampered with?
• Can the right people get access if they need to?
Confidentiality
• Access control
• Encryption
• Firewalling
Integrity
• Encryption
• Audit logs
Availability
• Global scale
• Account/subscription
config
• DDoS protection

Basic building blocks
• Regions and availability zones
• Virtual Private Clouds (VPCs) and subnets
• Security groups & Network Access Control Lists (firewalls)
• Identity and access management (cloud platform level and operating system)
• Logging of all API access
• Encryption of data at rest (option to bring your own keys and use HSM in the
cloud) including for database as a service options
• Encryption of data in transit
• DDoS protection at platform level (and WAF and DDoS available as extras,
usually bundled into edge-based CDN)

Connectivity
• Most of your cloud usage is going
to be hybrid
• Connectivity will be critical, as will
securing your data in transit
• All the cloud providers provide
dedicated private connectivity
options
• However, Janet has extremely good peering arrangements
• For connectivity requirements up to 1.5Gbps bandwidth, just use Janet
• For hybrid requirements, secure data in transit using a site-to-site VPN
irrespective of whether you use Janet or not

Infrastructure as Code
• All the major cloud suppliers support
infrastructure as code (IaC)
• CloudFormation, ARM Templates, Cloud
Deployment Manager
• And you can also use third-party tooling such
as Terraform
• Repeatable and re-usable deployments
• Manage your infrastructure in a code repository
• Helps to prevent accidental deployments of
insecure infrastructure

Security Information and Event Management (SIEM)
• Native SIEM tooling is emerging from the major cloud vendors (e.g. Sentinel on
Azure)
• However, your SIEM requirements are likely to be hybrid (and may be multi-
cloud)
• All the major SIEM vendors will
provide integration with cloud
platform logging
• Note that Jisc is partnered with
Splunk in order to provide a
hosted Splunk platform

Auto-remediation
• All cloud vendors now support serverless
• Small software ‘functions’ run on demand, typically
triggered by an API event or by a timer
• Use this approach to auto-run remediation code
• E.g. to automatically (and instantly) close down a
security group that allows world access to SSH or
RDP or to take a copy of a compromised VM, prior
to deletion, so that it can be spun up in an isolated
environment for later analysis
• Also look at Security Orchestration, Automation and
Response (SOAR) tools, e.g. CloudCustodian

Third-party tooling
• Our experience is that some native tooling can be limited, especially with early
releases
• Your existing security approaches can almost always be stretched into the cloud
• Either by buying them from the marketplace
• … or by layering them in-front of cloud services
• For example, we often use Imperva Cloud WAF as an alternative to the native
WAF solutions provided by the cloud vendors
• We also use CloudCheckr for billing recommendations, security posture analysis,
and compliance status

Compliance

Are you well architected?

Summary – 5 take-aways
1. Understand the shared responsibility model. Where does the cloud provider’s
responsibility end and yours start? How does this apply to IaaS, PaaS and
SaaS? How does this affect your compliance?
2. Use the basic building blocks to create highly resilient and secure solutions -
don’t forget the basics… firewalls, anti-malware and backups
3. It’s your data - secure it at rest (on-prem and in the cloud) and in transit -
encryption is your friend
4. If necessary, use existing security tooling to complement
what the cloud provider gives you
5. Defend in depth - follow best-practice guidance including
the NCSC 14 cloud security principles

Arguably, AWS, Microsoft and Google
are now the biggest security companies
in the world
Questions?
Andy Powell, Jisc
@andypowe11
andy.powell@jisc.ac.uk

Additional reading
• AWS Compliance Programs
• Azure Compliance
• Google Compliance Resource Center
• AWS Well-Architected
• Pillars of a great Azure architecture
• Google Infrastructure Security Design Overview
• Azure Security and Compliance UK OFFICIAL Blueprint
• Standardized Architecture for UK-OFFICIAL on AWS
• NCSC Cloud security guidance

Shared responsibility - a model for good cloud security

More Related Content

What's hot (20)

Similar to Shared responsibility - a model for good cloud security (20)

More from Jisc (20)

Recently uploaded (20)

Shared responsibility - a model for good cloud security