Too many IT professionals believe that companies that provide cloud platforms and services, such as AWS or Google Cloud, handle all the cloud-related security. Considering how much business transpires in the cloud, this is a dangerous assumption to make.
Unfortunately, far too many are caught off guard when they learn that the security of these web services is limited. Yes, you are purchasing a service from them, but the truth is, IT security within a shared API is a shared responsibility.
Brad Geesaman sees it far too often. He’s been in IT security and infrastructure for over 15 years, working with Symantec, Blackfin, and others. He’s worked as an ethical hacker, teaching others how to root out security threats within their networks, and he’s currently providing private IT security consulting.
He spoke at the Black Hat USA conference in Las Vegas, and after I heard him speak, I knew I had to have Brad on our Defrag This podcast. He came on the show and shared his expertise on how IT professionals can better protect their assets running on shared cloud platforms.
Here are some of the highlights from his interview. You can also check out Brad's deck from his BlackHat session here.
This is a common misconception among companies who are using AWS (or other cloud platforms, such as Google Cloud Platform, Microsoft Azure, or other related services).
IT professionals tend to overlook these security areas because the assumption is that these services are ensuring the safety of the transferred data. Simply, this is false — It’s a shared responsibility, and the lines are often blurred.
AWS has created seemingly clear diagrams of what the customer is responsible for, versus what AWS is responsible for. In reality, however, the lines are often blurry.
To both parties, either the customer or the cloud service is simply an API endpoint. The customer has the keys to that API, while the web service is responsible for ensuring that the calls submitted are valid. This seems simple enough, but often, individuals within organizations forget the obvious: Whoever has the key, has access.
In his 15 years of experience, Brad’s seen keys jeopardized because of everything from sophisticated botnets to unaware people literally posting their account numbers on support tickets. All of these have large-scale implications on a company’s cloud data.
The threats to AWS (or any other cloud platform) are numerous. Brad laid out a few of the top security issues he currently sees threatening the cloud space:
Brad provided a thought process for IT professionals to follow when attempting to protect their organization:
In summary, the information Brad provided pointed to one overarching facet: As the IT professional, it is your job to protect your organization's data and assets. While the native service may provide many of the solutions, they will not provide security for the entire network.
Shared APIs are shared responsibility.
Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.
Let our experts teach you how to use Sitefinity's best-in-class features to deliver compelling digital experiences.Learn More
Subscribe to get all the news, info and tutorials you need to build better business apps and sites
You can also ask us not to share your Personal Information to third parties here: Do Not Sell or Share My Info
We see that you have already chosen to receive marketing materials from us. If you wish to change this at any time you may do so by clicking here.
Thank you for your continued interest in Progress. Based on either your previous activity on our websites or our ongoing relationship, we will keep you updated on our products, solutions, services, company news and events. If you decide that you want to be removed from our mailing lists at any time, you can change your contact preferences by clicking here.