Cloud Security and Shared Responsibility Models

Posted October 3, 2023

Cloud service providers like AWS, Azure, and Google Cloud have robust security measures in place, but that doesn’t mean they don’t experience security breaches. In 2020, AWS experienced a data breach that affected Capital One, a financial services company. The breach was caused by a vulnerability in a firewall that allowed the attacker to access sensitive data, including credit card applications and Social Security numbers. In 2019, Microsoft disclosed a data breach that affected some of its customers who used a misconfigured Azure database. The breach exposed sensitive data, including email addresses, IP addresses, and support case details. In 2019, Google Cloud experienced a data breach that affected some of its customers who used a misconfigured Google Groups setting. The breach exposed sensitive data, including email addresses and other personal information. So when these breaches happen at cloud providers, who is responsible?

Shared Responsibility Models for Cloud Security

The shared responsibility model is a cloud security framework that clearly outlines the responsibilities of cloud service providers (CSPs) and users with respect to the security of the cloud environment. Shared responsibility is the most common model adopted. It helps guarantee that cloud security benefits from a collaborative effort between the customer and the cloud vendor. The CSP and the cloud user are accountable for different security aspects and must work in partnership to ensure foolproof data security. The exact dissection of the cloud security responsibilities depends on the type of cloud service model used (IaaS, PaaS, and SaaS) and the division of responsibility (user, service provider, and shared).

The shared responsibility model identifies which cybersecurity processes and responsibilities belong to customers and to cloud service providers. The sheer number of resources, permission levels, APIs, and potential attack vectors complicates managing security in the cloud environment. For each model, the cloud provider hands off different segments of the security responsibilities to the customer. Customers who fail to understand their obligations will likely leave security gaps exposed to attack. Although the concept of shared responsibility provides overall guidelines for what security cloud providers will include within their solutions, customers ultimately will bear the bulk of the risk for failure. Customers should trust but also find ways to test and verify that the cloud provider continues to hold up their end of the bargain.

Examples of Cloud Attack Vectors

Cloud attack vectors are the paths or means by which hackers can gain unauthorized access to cloud-based resources in order to deliver malicious outcomes. Some examples of cloud attack vectors that organizations should be aware of are:

Social engineering attacks: These attacks involve tricking users into divulging sensitive information or clicking on malicious links.
Account hijacking: This involves stealing user credentials to gain access to cloud accounts.
User account compromise: This involves exploiting vulnerabilities in user accounts to gain access to cloud resources.
Cloud malware injection attacks: These attacks involve injecting malicious software, such as viruses or ransomware, into cloud computing environments.
Side-channel attacks: These attacks involve extracting sensitive data from virtual machines that share the same physical server as other VMs and processes.
Cookie poisoning: This involves manipulating cookies to gain unauthorized access to cloud accounts.
Container breakouts: These attacks involve exploiting vulnerabilities in container technology to gain access to cloud resources.
Cloud service provider vulnerabilities: These attacks involve exploiting vulnerabilities in cloud service providers to gain access to cloud resources.

To protect against these vulnerabilities and risks, it is important to implement appropriate security measures and to regularly monitor and review the security of their cloud assets.

Common Vulnerabilities in Cloud Service Providers

While vastly more secure than the out-of-date on-prem server found within many organizations, cloud providers can still be vulnerable to attack. There are several common vulnerabilities in cloud service providers that users should be aware of. Some examples are:

Cloud misconfiguration: This is the most common vulnerability that organizations face, as reported in a recent NSA study. Misconfigurations can take many forms and shapes, such as weak passwords, unsecured APIs, and lack of peer review from DevOps/infra teams.
Identity and access management (IAM) issues: IAM issues can arise when users are granted excessive permissions or when credentials are compromised. This can lead to unauthorized access to cloud resources.
Insecure interfaces and APIs: Insecure interfaces and APIs can be exploited by attackers to gain access to cloud resources. This can occur when APIs are not properly secured or when they are not updated to the latest version.
Data breaches: Data breaches can occur when sensitive data is not properly secured or when it is accessed by unauthorized users. This can happen when data is stored in the cloud without proper encryption or when access controls are not properly implemented.
Insider threats: Insider threats can occur when employees or contractors with access to cloud resources intentionally or unintentionally cause harm to the organization. This can happen when employees are not properly trained on security best practices or when they are granted excessive permissions.
Denial-of-service (DoS) attacks: DoS attacks can occur when attackers overwhelm cloud resources with traffic to disrupt service. This can happen when cloud resources are not properly configured or when they are not properly monitored for suspicious activity.

By understanding responsibility models, attack vectors, and common vulnerabilities, organizations can take proactive measures to protect their cloud resources and ensure the security of their business and data. This may include implementing access controls, encrypting data, implementing backup and recovery processes, and regularly updating and patching systems and applications. Contact us to leverage the expertise of a trusted Cloud Solution Provider, and protect your data in an increasingly cloud-powered world.

Kevin Willette

Kevin Willette is Partner / CEO of Verus Corp. His focus is ensuring complete customer satisfaction and providing as much or as little support as is needed for the individual client. Kevin knows that plenty of places do IT services, but what sets Verus Corp apart is the local feeling and the commitment to doing things right the first time. He has always wanted to be a business owner because it affords him the opportunity to offer a service that was better than anything clients had seen before. His true goal is to help customers make their businesses better by removing potential IT barriers. Kevin served as chair for Habitat for Humanity during his time at Minnesota State University, Mankato. He has also served on the WatchGuard Advisory Council since 2016. Kevin’s work with Verus Corp has helped them achieve awards as the WatchGuard Partner of the Year and Cisco Select Partner. Kevin graduated from Minnesota State in 2000 with a major in Business Marketing and minors in Business Administration and Music.