As I walked in the halls of the sprawling Boston Convention Center this week for AWS re:Inforce, the division’s annual security event, I spoke to a number of vendors, and one theme was clear: cloud security really is a shared responsibility.
This idea has been around for a while, but it particularly hit home this week as I listened to various AWS security leaders talk about it during the event’s keynote and through the conversations I have had during the week.
At a very high level, the cloud provider has the first level of security responsibility. It must ensure that the data centers it manages are secure to the extent that they are under its control. Yet, at some point, there is a gray area between the company and the customer. Sure, the vendor can secure the data center, but that can't prevent the customer from leaving an S3 bucket exposed for whatever reason.
Security is such a complex business that no single entity can be responsible for the security of a system, especially when user error at any level can make a system vulnerable to clever hackers. There must be communication channels at all levels of the organization, with customers and with relevant third parties.
When an external event like the Log4j vulnerability or the SolarWinds exploit affects the entire community, it's not just one vendor's problem. It's everyone's problem.
The idea is that everyone should communicate when issues arise, share best practices, and come together as a community whenever possible to prevent or mitigate security events.