As I walked the halls of the massive Boston Convention Center this week for AWS re:Inforce, the security division's annual event, I spoke to several vendors and one theme was clear: cloud security is truly a shared responsibility.
This idea has been in the air for a while now, but it especially touched me this week as I listened to various AWS security leaders talk about it at the main event and in subsequent conversations I had throughout the week.
At a very high level, the cloud service provider has the first level of responsibility for security. It must ensure that the data centers it manages are secure to the extent that they are under its control. However, at some point there is a gray area between the company and the client. Sure, the provider can secure the data center, but it can't prevent the customer from leaving an S3 bucket unsecured for whatever reason.
Security is such a complex task that no single organization can be held responsible for keeping a system secure, especially when user error at any level can leave the system vulnerable to clever hackers. Communication channels should exist at all levels of the organization, and with customers and interested third parties.
The idea is that everyone should report issues, share best practices, and join the community as much as possible to prevent or mitigate security events.
Credit: techcrunch.com