CISOs trying to determine which of the three major cloud service providers (CSPs) offers the best security need to break that question down into two parts: Which one does the best job securing its own infrastructure, and which one does the best job helping you to secure your data and applications?
Security in the public cloud is based on the shared responsibility model, the notion that it’s possible to create a hard line that separates the role of the cloud service provider (securing the platform) from the role of the customer (protecting its assets in the cloud). Sounds good in theory, but in practice the shared responsibility model can be tricky when CISOs are dealing with one cloud vendor, and exponentially more difficult in a multi-cloud world.
As veteran security expert Andy Ellis puts it, “It seems really clear and simple—and like all clear and simple analogies, it doesn’t hold up to inspection.” He points out that it’s difficult for organizations to parse out the interconnections between the cloud platform and the applications running on top of it. “The reality is that how a customer configures a cloud service is critical to the safety of the applications. The list of ways that a customer can end up shot in the foot is remarkably large.”
However, that solid wall separating the CSP’s responsibility and the customer’s role is beginning to crumble. To differentiate themselves, cloud service vendors are recognizing the shortcomings in the shared responsibility model and are trying to develop more of a partnership relationship with customers, says Melinda Marks, senior analyst at Enterprise Strategy Group (ESG).
So, how can a CISO determine how the Big 3 cloud service providers—Amazon AWS, Microsoft Azure, and Google Cloud—differ in the way that they address those issues and provide a secure and resilient cloud platform?