This content is part of the Conference Coverage: A complete guide to AWS re:Invent 2019

Conference Coverage

Browse Sections

Prepare for cloud security and shared responsibility

Organizations that move to the cloud must prepare to adapt their security playbooks. Learn how AWS' shared responsibility model complicates cloud security.

IT teams that move to AWS often struggle to establish clearly defined rules and policies to ensure workload protection -- and not always for the reasons you might think.

Take AWS' shared responsibility model, for example. It clearly defines who is accountable for the various aspects of cloud security: AWS handles the public cloud itself and customers are responsible for anything they run on the cloud. This model is well established, but it probably doesn't fit within your IT infrastructure and security playbook.

Traditional IT infrastructure responsibilities

IT infrastructure teams typically control the platform from the ground up and through the OS layer.  Admins work with security teams to ensure platforms are hardened and adhere to compliance needs. After the platform is built, infrastructure and security teams turn it over to the dev or application owners for final installations and deployments. Application owners still work with an infrastructure team to ensure security and compliance measures are maintained through the deployment process. Ideally, the platform gets a final verification from the security team. The same parties will still be involved and maintain that level of ownership and responsibility even if an organization uses automation.

But this process gets upended when a cloud provider gets involved. AWS manages the hypervisor, hardware and, in some cases, the OS. This means the deployment process starts in the middle of the traditional application lifecycle rather than at the beginning.

Admins have to find a way to contribute in an ecosystem where the infrastructure is run by another party. While it's not impossible for them to ramp up with new skills, it is not the norm, and with more elements being handled by AWS, the typical admin is wondering where exactly they fit in. This can create problems when it comes to cloud security and the shared responsibility model, which doesn't account for how traditional IT groups are equipped to tackle security.

AWS' model creates an internal alignment issue

Since an enterprise's infrastructure team has a scaled back role in the cloud, application owners and developers must do more to set controls and work with the security teams. However, developers typically focuses on application stability and performance rather than security.

This lack of admin oversight can lead to security vulnerabilities, such as exposed S3 buckets. So, the challenge with cloud security isn't simply technical in nature. Rather, it's an alignment issue caused by the shift to the shared responsibility model, and that can be difficult to overcome. 

Establish cloud security to work in the shared responsibility model

Organizations that migrate to AWS often try to institute new policies and procedures to go along with their new environments. This sounds simple, but it can be difficult in practice. An overworked IT staff doesn't want to be slowed down learning additional policies and procedures at the same time management piles on more work. Rather than death by paperwork, organizations should adapt existing policies and procedures to fit the new environment. 

For example, anyone in your company with access to an AWS account can, in theory, spin up an instance, but that doesn't mean they should. Restrict ownership of that capability to your infrastructure teams. It's not the same level of control they may be accustomed to on premises, but infrastructure admins need to be involved throughout the application installation process on the cloud.

Infrastructure engineers are often responsible for specific servers on premises. This shouldn't change when things move to the cloud, even if their duties have changed and they don't have access to the actual servers that support their VMs. It's not about where the application resides, it's about ownership of the entire stack, even if some of it technically isn't yours.

Don't look at cloud security as another task for your infrastructure team; approach it as an opportunity for them to expand what they can do. It will take time and effort to train, encourage and support infrastructure staff to work with these new AWS environments and make them their own. Throughout this process, organizations need to make sure everyone understands how they fit into the cloud security puzzle.

Dig Deeper on AWS infrastructure

App Architecture
Cloud Computing
Software Quality