How the Shared Responsibility Model Complicates Cloud Security

Kara Nortman
Published in Venture Inside
Feb 19, 2021


As I’ve said before, I believe we are in a generational time for security businesses, in great part driven by some seismic shifts in the market. The first, and one of the biggest in my opinion, is the promise and vulnerability of multi-cloud. While this may seem like a natural evolution of cloud, it is a nuance that is just starting to take off. It could be an even greater accelerator of technical and go-to-market innovation than the cloud itself. Cloud is now everywhere, whether it’s in a controlled data center or publicly managed. But the data, analysis, apps and proactive security that run on top of this environment are in the first inning.

It’s hard to believe, but the cloud infrastructure industry has only been around for about 15 years. It’s forecast to go from $0 to $1T by 2026: 21 years to hit a trillion with a “T”! Not surprisingly, a lot of people want a piece of the pie. Almost every massive global tech company — Amazon, Microsoft, Google, IBM, Alibaba, Tencent — has brought a cloud solution to market. If the oldest and most established players — AWS, Azure, and GCP — were humans, they would barely be hitting puberty. We all know too well that along with puberty comes the awkward growth stage…but more on that later.

Every company needs to have some cloud strategy, but not all strategies are created equal. Companies have to consider a number of factors including what model to use, how best to migrate, and when and what to migrate first. But for the vast majority of companies, multi-cloud will be the norm. According to Flexera’s 2020 State of the Cloud report, 93% of surveyed enterprises have a multi-cloud strategy.

For many of these enterprises, the strategy was not multi-cloud from the beginning; they end up there by acquiring companies that use different CSPs. As Dave Cole from Open Raven puts it: “No one in their right mind, given the complexity of multi-cloud, goes out saying ‘You know what would be awesome? Multi-Cloud!’ You just end up there…sort of like Denny’s.”

However, as you get more sophisticated, multi-cloud becomes the preferred model because you can choose best-in-class services from different vendors (e.g., AWS for offering everything, GCP if open source is critical to you) while avoiding over-dependence on one provider in terms of price and uptime.

Okay, now back to the awkward teenage phase. These cloud providers are growing. Really fast. AWS listed 175 products in 2020 including compute, storage, networking, databases, dev tools and more. Each product could have hundreds to thousands of users, both people and machines. To secure all of these products and users across CSPs, most companies rely on a “shared responsibility model.”

Shared Responsibility

The slide above shows an example of shared responsibility from Azure, marking where the company’s role for security (as a user) ends and the CSP’s responsibility begins. Although each CSP has its own variation, the map looks more or less the same across providers.

Though in theory shared responsibility covers all eventualities, in practice, just like a teenager in a growth spurt, there are some growing pains. Keeping track of cloud deployments across an entire enterprise is really complicated for a company even when working with a single CSP. It gets harder still when scaling new cloud services up and down in multiple CSPs, when the CSPs are updating and launching offerings, and when under-resourced security teams are trying to keep pace with all of this, ideally proactively.

Not surprisingly, even the biggest organizations have issues keeping up with all the potential vulnerabilities. An analysis of cloud deployments by the security company Accurics found misconfigured cloud storage services in 93% of cases. The danger with these misconfigured services is — you guessed it — the potential for major breaches. Consider these instances in just the last 12 months:

MGM: “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.” In this case, “certain previous guest” refers to [cough] 10.6M.

Prestige Software: Cloud Hospitality software had been storing guest data on an unsecured AWS cloud database for seven years and exposed 10M guest records. In a press release, the company said they “can’t guarantee that somebody hasn’t already accessed the S3 bucket.”

Microsoft itself: “Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days.”

The list goes on and on. So while multi-cloud strategies have huge upside for companies in terms of uptime, the ability to cherry-pick best-in-class solutions, and so on, the shared responsibility realities are exposing security vulnerabilities in real time.

Despite this, orgs have been slow to ramp up security spend in the cloud to handle these issues. In fact, today just 1% of all cloud spend is dedicated to security, whereas 6% of traditional IT spend is dedicated to security. Cloud-native cyber will grow 6x in market size at a minimum if it just catches up to on-prem security spend. That’s a *HUGE* market opportunity even before the expansion of the market, which we’ll talk about in subsequent posts in more detail.

Security is no longer a question of “did the bad guy get in or did we keep him/her out?” It is no longer a firewall and VPN to protect everything behind “the wall.” In a multi-cloud world, the market expands dramatically as security becomes a secondary value prop to everything we do in the cloud: the way we build apps, the way we store, test and analyze data. Security has become preventative medicine that enables developers, cloud architects and beyond to leverage the power of the cloud. If security used to ask “is the plane engine safe,” it now enables the plane to fly faster and higher, not just safer. As cloud sec as an enabler spreads among appsec, IAM, datasec, and other adjacent markets, cloud sec will 10X again.

You can imagine the kinds of businesses being built around this problem. For example, one of the companies I invested in at Upfront is Britive. They are building a solution in privileged access management to help clients assign, monitor, and revoke privileged access across CSPs in real time. This is the foundation for “zero trust” dynamic provisioning: treating all employees with the same security posture as “untrusted” versus assuming they are trusted because they are behind a firewall. Instead, yes/no access, as well as the level and duration of access, is determined in real time based on historical data.

Other companies are targeting vulnerabilities after access by looking for anomalies in user behavior suggesting a possible data breach. This is just scratching the surface of security tools that need to be rebuilt for the multi-cloud environment.

With all these multi-cloud environments, the ability for companies to collect data is scaling exponentially, along with the locations that this data can live and be used. This explosion of data is another driver of change — stay tuned for my thoughts as we dive into this driver next.


Partner @ Upfront, Formerly Founder @ Moonfrye, IAC (Urbanspoon, Citysearch, M&A, Tinder), Battery Ventures