As I walked the halls of the massive Boston Convention Center this week for AWS re:Inforce, the division’s annual security event, I spoke to a number of vendors, and one theme was clear: Cloud security really is a shared responsibility.
That idea has been around for some time, but it particularly hit home this week as I listened to various AWS security executives talk about it at the event keynote and through the ensuing conversations I had during the week.
At a very high level, the cloud vendor has the first level of responsibility for security. It has to make sure that the data centers it runs are secure to the extent that it is within its control. Yet at some point, there is a gray area between the company and the customer. Sure, the vendor can secure the data center, but it can’t save the customer from leaving an S3 bucket exposed, whatever the reason.
Security is such a complex undertaking that no one entity can be responsible for keeping a system safe, especially when user error at any level can leave a system vulnerable to clever hackers. There have to be communication channels across every level of the organization, with customers and with concerned third parties.
When an external event like the Log4J vulnerability or the Solarwinds exploit impacts the entire community, it’s not one single vendor’s problem. It’s everyone’s problem.
The idea is that everyone has to communicate when problems pop up, share the best practices and pull together as a community to the extent possible to prevent or mitigate security events.