When Cloud Shared Responsibility Security Model Fails

A few days ago, I blogged about some common Cloud Security specific misconceptions, focusing on how the Cloud (or Containers or Kubernetes) does not magically make insecure software or infrastructure configurations secure. The axiom of this article is that the cloud providers themselves do keep their part of the deal: a public cloud is a distributed system inherently under attack, and cloud providers do their best to ensure security, on both a proactive AND a reactive basis.

Tenable’s CEO Amit Yoran recently called out Microsoft on their Azure security practices and lack of transparency. I tend to agree. The “Just Trust Us” model definitely does not cut it. Security incidents CAN and WILL happen (remember: defenders should safeguard all possible avenues of attack, attackers only need to find one viable avenue of attack) as we are dealing with complex systems here; this is a given. What currently is not a given is more transparency from the cloud providers, and the lack of it is effectively trumping the shared responsibility model and hurting cloud adoption overall. The overall effect is a lose-lose situation: customers might be reluctant to adopt cloud-based solutions and providers are losing business. So, let’s move it to “Win-Win”, shall we?
