While I was walking the halls of the huge Boston Convention Center this week for AWS re:Inforce, the division's annual security event, I spoke to a number of vendors, and one theme was clear: cloud security really is a shared responsibility.
That idea has been around for a while, but it really caught on this week as I listened to several AWS security executives talk about it during the event keynote and through subsequent conversations I had during the week.
At a very high level, the cloud provider has the first level of responsibility for security. It must ensure that the data centers it manages are secure to the extent that it is within its control. But at some point, a gray area arises between the company and the customer. Sure, the vendor can secure the data center, but they can’t stop the customer from leaving an S3 bucket unprotected, whatever the reason.
Security is such a complex undertaking that no single entity can be responsible for keeping a system safe, especially when user errors at any level can leave a system vulnerable to smart hackers. There must be communication channels at every level of the organization, with customers and with involved third parties.
When an external event such as the Log4j vulnerability or the SolarWinds exploit affects the entire community, it is not the problem of a single supplier. It's everyone's problem.
The idea is that everyone should communicate when issues arise, share best practices, and work together as a community as much as possible to prevent or mitigate security incidents.