Shared responsibility model shapes Google's approach to cloud security - SiliconANGLE

With the cost of security breaches hitting a record high in 2024, customers and providers can get caught up in the blame game of cloud security, ignoring the nuances of a shared responsibility model.

Addressing modern cybersecurity concerns is complex because of what Anton Chuvakin (pictured), senior staff consultant, Office of the CISO, at Google LLC, calls the cloud security paradox.

“It’s a paradox, but it’s also my obsession,” he said. “There was this line that every analyst knew, cloud is secure but clients are not using it securely and that most breach[es] [are] a customer fault. But why is it the case? What can we do so that customers use cloud security? We build secure infrastructure, we get that, but cloud use is not always secure. I wanted to distill it down to a framework that people can use rather than just talk about this. We want to have something that improves the client side of the shared responsibility matrix, not just ours.”

Chuvakin spoke with theCUBE Research’s John Furrier and Savannah Peterson at mWISE 2024, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how the cloud and artificial intelligence have impacted cybersecurity, as well as addressing risk acceptance. (* Disclosure below.)

Unpacking the shared responsibility model of cloud security

Following the recent Snowflake Inc. breach, the media was divided on whether the customer or the provider was at risk. This is a sign that we need to probe the shared responsibility model more deeply, Chuvakin believes.

“To me with cloud, the genuinely questionable part is whose risk is it to accept?” he said. “How are you making it easy for the other side to manage the risk? So if I give you the product that’s very, very difficult to deploy securely and you decide to use it, did you accept the risk or not? Or did I push the risk to you and wash my hands off it? Now, if I made a product very easy to secure and I provided guidance and tools and a little AI chatbot that says you do this, don’t do that, yet you decide to go absolutely the opposite, clicked through five warnings, don’t ever do that, don’t ever do that and still did it, then you clearly accepted the risk.”

Another risk component is third-party partners who may be connected to the customer’s application programming interface but lack the same security infrastructure as the cloud provider. This further complicates risk acceptance and responsibility under the shared responsibility model.

“Before you apply any kind of framework, whether it’s supply chain or traditional kind of guidance for security, you should have at least all the parties and all the components should be on the table because it’s not enough to say this is the approach between you and me,” Chuvakin said. “I mean I don’t want to have an unknown third, fourth, fifth, whatever other parties. To me, visibility implies you actually see all the pieces first … Frameworks rely on robust asset management.”

Many companies are still attached to an outdated tech stack that does not lend itself to modern security solutions, according to Chuvakin, who emphasizes that businesses need to transform with the times. For example, no matter how advanced a company’s security infrastructure may be, EDR or endpoint detection and response time—an acronym Chuvakin coined—is equally important.

“Just because you do your stuff on the left … 10 times better than everybody else, it does not mean you have to, get to drop the runtime stuff,” he said. “It’s like you still have to have D and R, detection and response … Improvements on how you build, how you deploy, all help, all reduce risk. They’re all great, but none of them removes the need for observation, for detection.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE Research’s coverage of mWISE 2024

(* Disclosure: Google Cloud Security sponsored this segment of theCUBE. Neither Google Cloud Security nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE

Source: siliconangle.com
