IaaS and the Shared Responsibility Model
A note to vendors: Infrastructure as a Service (IaaS) != secure/compliant applications. It can be, but it isn’t by default.
Why are people putting their servers and applications with IaaS providers like AWS and Azure?
They can get a cheap, fast and secured data center to host their servers/applications. But that doesn’t mean they get everything they would have in a data center managed within their own company. Amazon lists Easy To Use, Flexible, Cost Effective, Reliable and Secure. I think this is where the confusion starts. On other pages they say things like: Compliance made User Friendly, Keep Your Data Safe, Meet Compliance Requirements, Cloud Security is the Highest priority, and the list goes on. I had to dig to find this page on their shared responsibility model: https://aws.amazon.com/compliance/shared-responsibility-model/ Notice that most of the security falls on the customer: AWS is responsible for security *of* the cloud (facilities, hardware, hypervisor, the underlying network), and the customer is responsible for security *in* the cloud (guest OS and patching, applications, data, identity and access management, firewall and network configuration, encryption).
I also had to dig to find this whitepaper by Microsoft on the shared responsibility model in the cloud (https://gallery.technet.microsoft.com/Azure-Security-Response-in-dd18c678).
What you get…
A quick way to spin up new servers without a huge up-front cost. There is no need to deal with resellers for OS licensing, imaging tools to deploy new servers, licenses for virtualization platforms or expensive network infrastructure.
What you don’t get…
A security program. Patch management, vulnerability management, access control, change control, network security. These things are not simply there; you still have to pay for them, implement them and manage them. In IaaS the firewall between your instance and the internet is whatever you configure (in AWS, security groups and network ACLs), and the provider ships no rule that closes a port you opened. I get vendor after vendor that tells me that their application is HIPAA, PCI, etc. compliant because it is hosted in Amazon. Yet they don’t even have a firewall between them and the internet, or an SSL certificate on their application, or any idea if they are patching their devices.
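One of the controls above, the firewall between the application and the internet, is something the customer has to verify for themselves. Below is an added example, not code from the original post or from AWS, showing how that check might look: it walks JSON in the shape that `aws ec2 describe-security-groups --output json` returns and flags ingress rules reachable from the whole internet (0.0.0.0/0 or ::/0), except TCP rules that expose only ports a public web tier is expected to serve. The sample input embedded below is constructed for the example; the group IDs, names and CIDRs are made up, and the 80/443 allow-list is an assumption you would adjust to your own architecture.

```python
"""
Added example (not part of the original post): audit security-group
ingress rules for exposure to the whole internet.

The input is a constructed sample shaped like `aws ec2
describe-security-groups --output json`; no AWS credentials are needed.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of the AWS CLI output. Group IDs, names
# and CIDRs are made up for this example.
SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "db-tier",
            "IpPermissions": [
                # IpProtocol "-1" means all traffic; FromPort/ToPort are absent.
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
    ]
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _world_open_sources(perm: dict) -> List[str]:
    """Return the 'anyone on the internet' sources of one IpPermissions entry."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [s for s in sources if s in WORLD_CIDRS]


def _describe_ports(perm: dict) -> str:
    """Human-readable port range; protocol "-1" carries no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_security_groups(sg_json: str,
                          allowed_public_ports=frozenset({80, 443})
                          ) -> List[Dict[str, str]]:
    """Flag ingress rules open to the whole internet.

    TCP rules whose entire port range lies in allowed_public_ports are
    skipped, since a public web tier has to expose those. Everything else
    reachable from 0.0.0.0/0 or ::/0 (SSH, databases, "all traffic") is
    reported, one finding per (group, rule, source CIDR).
    """
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
                if all(p in allowed_public_ports for p in range(lo, hi + 1)):
                    continue
            for cidr in _world_open_sources(perm):
                findings.append({
                    "group": sg["GroupId"],
                    "name": sg.get("GroupName", ""),
                    "protocol": "all" if proto == "-1" else proto,
                    "ports": _describe_ports(perm),
                    "source": cidr,
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_SECURITY_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['protocol']}/{f['ports']} "
              f"open from {f['source']}")
```

Against the sample this reports SSH on the web tier and the all-traffic rule on the database tier (once for IPv4 and once for IPv6), and says nothing about port 443 or the 3306 rule restricted to the VPC range. To run it on a real account, replace the sample with the output of `aws ec2 describe-security-groups --output json`; an empty result is the minimum you would expect from someone claiming "there is a firewall between us and the internet".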
I can’t fully blame business leaders for reading the marketing material that Amazon makes available and thinking they can put their application in AWS and it’s secure and compliant. It’s misleading and just not the case. IaaS vendors like AWS and Azure provide cost savings and speed on the hardware side of a deployment, but they do not provide the security systems and processes that an existing data center already has in place. Don’t tell me that your application is secure because it is in AWS. It can be, but be prepared to explain how that is the case.