In the cloud, an organization’s cloud service provider (CSP) is not wholly responsible for security. Instead, the cloud provider and the cloud customer share responsibility for the security of the cloud-based deployment, and the cloud provider’s shared responsibility model outlines the responsibilities of each party.
The AWS Shared Responsibility Model describes the security responsibilities of the cloud provider and the cloud customer. In general, the cloud provider is responsible for the security of the underlying infrastructure that they lease to their customers, while the customer is responsible for the security of the areas of the cloud infrastructure over which they have control.
The exact breakdown of cloud security responsibilities depends on the details of the cloud service that a customer is using. For example, a cloud customer has greater responsibility for security in an Infrastructure as a Service (IaaS) model than they do under a Software as a Service (SaaS) model.
Amazon’s infrastructure services include compute, storage, networking and related functionality. As an example, for Amazon EC2, the customer is able to install their own operating system, configure it, and run any applications that they want on top of it.
Because EC2 gives the customer a high level of access and control (down to the operating system), it also places a great deal of security responsibility on the customer. In these deployment scenarios, the customer is responsible for securing the guest operating system (patching, hardening, credentials) and any related services under their control, such as Amazon Elastic Block Store (EBS) volumes, Auto Scaling configuration, and the networking controls within their virtual private cloud (VPC), including security groups and network ACLs.
AWS, on the other hand, is responsible for securing the physical infrastructure: the physical servers, storage and networking, the facilities that house them, and the virtualization layer on which EC2 instances run.
Container services (in the sense the AWS model uses the term, not Docker containers) run on EC2 but add a further layer of abstraction: AWS manages the operating system and platform, and the customer does not have access to them. Amazon RDS, Amazon EMR and AWS Elastic Beanstalk fall into this category.
Under this model, the customer has less security responsibility than in the previous one. They no longer have visibility into or control over the operating system, so patching and hardening it passes to AWS. The customer remains responsible for network controls such as security group and firewall rules, for any platform-level accounts the service exposes (for example database users in RDS, which are separate from IAM), and for protecting their data through encryption and access management.
For abstracted services such as Amazon S3 and Amazon DynamoDB, AWS operates the entire platform, and the customer is primarily responsible for configuring the service securely: the IAM and resource policies that control who can reach the data, encryption settings, and public-access settings. These services have no user accounts of their own; access is granted through IAM. So if a customer attaches an IAM policy that lets any principal read a DynamoDB table, or a bucket policy that makes an S3 bucket readable by everyone, they are responsible for any resulting data breach.
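The two customer-side responsibilities described above, network controls inside the VPC and the access configuration of an abstracted service, are the kind of thing a customer should audit continuously. The following is an added example, not code from the original article or from AWS: it checks a security group for admin ports exposed to the whole internet and an S3 bucket policy for statements that grant access to every principal, with a weak configuration beside a corrected one. The sample inputs are constructed dicts in the shape of the JSON returned by `describe-security-groups` and `get-bucket-policy`; the group ID, account ID, role name and bucket name are placeholders, and nothing here contacts AWS.

```python
"""Offline audit of two customer-owned AWS settings: VPC security groups and an S3 bucket policy.
Added example; the inputs below are constructed, not taken from a real account."""
import ipaddress

# Ports that should never be reachable from every address on the internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _exposed_admin_ports(perm):
    """Admin ports covered by one tcp/udp IpPermissions entry (ICMP and other protocols are ignored)."""
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)


def audit_security_group(sg):
    """Findings for ingress rules exposing all traffic or an admin port to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A /0 prefix (0.0.0.0/0 or ::/0) is the entire address space.
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue
            if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
                findings.append(f"{sg['GroupId']}: all traffic open to {cidr}")
                continue
            for port in _exposed_admin_ports(perm):
                findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} port {port} open to {cidr}")
    return findings


def _principals(stmt):
    """Flatten the Principal element; "*" and {"AWS": "*"} both mean everyone."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return []


def audit_bucket_policy(policy):
    """Findings for Allow statements whose principal is everyone (Deny statements are fine)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        condition = stmt.get("Condition", {})
        if condition:
            # A condition such as aws:PrincipalOrgID may narrow "*"; still worth a manual look.
            keys = ", ".join(sorted(k for block in condition.values() for k in block))
            findings.append(f"{sid}: Principal * allowed {actions}, narrowed only by Condition keys {keys}")
        else:
            findings.append(f"{sid}: Principal * allowed {actions}")
    return findings


# Constructed sample inputs (placeholder IDs; 203.0.113.0/24 is a documentation prefix).
WEAK_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
HARDENED_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,  # SSH only from the corporate range
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",  # deny plaintext HTTP
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, sg in (("weak", WEAK_SG), ("hardened", HARDENED_SG)):
        print(name, "security group:", audit_security_group(sg) or "no findings")
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "bucket policy:", audit_bucket_policy(pol) or "no findings")
```

Run against the weak inputs, the security-group check reports SSH open to both 0.0.0.0/0 and ::/0 while leaving HTTPS alone, and the policy check reports the public-read statement; the hardened pair produces no findings. The `RequireTLS` Deny statement uses `Principal: "*"` deliberately and is not flagged, which is why the policy check keys on Allow statements only.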
Cloud service providers offer their customers a number of tools to help manage their cloud security. However, these tools are only designed to provide a foundation for an organization’s cloud security deployment.
Securing cloud-based infrastructure requires deploying many of the same types of security solutions as an organization would use in an on-premises datacenter. These required solutions and capabilities include:
Cloud providers like AWS reduce many of an organization's security responsibilities with regard to its infrastructure. A cloud provider abstracts away multiple levels of an organization's infrastructure stack and is responsible for securing the levels under its control. However, cloud customers retain significant responsibility for their own cloud security, and the further down the stack they have control, the more of it they retain. While cloud providers offer a number of tools to help their customers manage this, those tools alone are not enough to effectively secure an enterprise cloud environment.
Check Point provides organizations with the tools required to meet their security responsibilities in the cloud. This includes securing the data, applications, and workloads and minimizing misconfigurations, unauthorized access, threats, and anomalies in the cloud. In addition, these cloud security solutions provide full automation to allow organizations to take full advantage of the cloud’s scalability, agility and dynamic nature.
Effectively securing a cloud environment requires an understanding of an organization’s security responsibilities and best practices for meeting them. For help in understanding best practices for improving your cloud security (not just for AWS), read Check Point’s cloud security blueprint and the solutions that Check Point offers to implement it.
To learn more about securing your AWS deployment, read this introduction to the shared responsibility model. You’re also welcome to visit Check Point’s AWS solution page to see how Check Point can simplify and improve your AWS security posture.