One key area of confusion in public cloud security is defining the boundaries between customer and cloud provider responsibilities. In response, most cloud providers adopted the “shared responsibility model”, first introduced by AWS, outlining respective obligations. Analyzing this model reveals that customers shoulder a substantial responsibility for their cloud resource security.
Shared Responsibility Model
“Through 2024, the majority of enterprises will continue to struggle with appropriately measuring cloud security risks.”
Accepting the weight of responsibility for cloud security is one thing, implementing robust measures is another. Cloud provider security settings, aimed at facilitating ease of use, often fall short in offering optimal security. Navigating through convoluted interfaces and diverse methods to tweak settings and policies can be a daunting task.
When turning to the marketplace for help, users may find it overflowing with tools primarily focusing on IaaS, a known attack surface. However, equal attention must be given to SaaS applications such as Microsoft 365 or Google Workspace. The increasing reliance on these cloud-based tools has led to a significant rise in damages from account takeover (ATO) and business email compromise (BEC) attacks.
Moreover, many market-available tools that merely echo provider-created data fall short in today’s dynamic cloud environment. When employing such tools, or relying on provider data (like Microsoft Office 365 Security Center data), users can be lulled into a false sense of security. Our seasoned security professionals have observed that, across sectors, cloud security measures are often inadequately deployed, leaving the cloud environments vulnerable.