Debate on Who Bears the Responsibility for a Cloud Security Incident Continues

Sep 04, 2019

Hacking incident involving Capital One, which is one of the largest financial company in the U.S., has reignited a controversy surrounding a blame game on cloud security that had remained under the surface. Because personal information of 160 million customers was leaked, people are beginning to question who is to blame for cloud security.
As on-premises software centered on past data center, public cloud, private cloud, and on-premises software are converted into multi and hybrid cloud services, companies that are beginning to adopt new infrastructures are beginning to be more concerned.
Experts point out that companies need to take a different approach towards cloud security as cloud system is completely a new system that did not exist before.
◊Shared responsibility on cloud security
Capital One recently suffered a hacking incident where personal information of 160 million customers was leaked. Estimated damage from the incident is about $150 million.
Paige Thompson, who used to be an engineer for AWS (Amazon Web Service), is said to be the suspect. Paige did not create an elaborate hacking program or used spear phishing tactic. She instead misused an error on how AWS’ firewall is set up within Capital One. Although AWS explained that Capital One was hacked due to an erroneous setup of firewall, some say that AWS will not be able to be free from being responsible as Paige had had a history with AWS. Because it was discovered that Paige also hacked 30 other accounts besides Capital One, it is likely that blaming game on security issue involving a cloud system will continue for quite some time.
Dispute surrounding who holds the responsibility for security of customers’ data within a cloud system started when companies began to adopt public cloud systems. Biggest concern for companies that are adopting cloud systems is actually ‘security’.
According to a survey announced by Bespin Global, companies chose security (47%) as the most difficult issue when introducing a cloud system followed by lack of manpower (44%) and financial difficulty on management (40.3%).
Despite these concerns, CSPs (Cloud Service Provider) explain that responsibility of data protection and data security within a cloud system is ‘shared’.
AWS separates responsibilities of a customer from that of AWS while explaining a ‘shared responsibility model’. AWS clearly states that it has a responsibility of protecting infrastructures that perform every service provided by its cloud system. On the other hand, customers’ responsibility is more extensive and complicated as their responsibility differs based on the type of cloud systems such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).
Microsoft (MS) and Azure also followed shared responsibility model. Azure states on its homepage that it is a shared responsibility for Azure and customers when it comes to protecting and managing customers’ resources from security threats. Google also explains that Google and customers both share a responsibility on security although Google is doing its best to maintain security.

Debate on Who Bears the Responsibility for a Cloud Security Incident Continues

◊Hybrid cloud increases uncertainty in security
This is not the first time for cloud system failure. In 2015, Netflix and Airbnb services were stopped temporarily due to a crash during an internal work by AWS. In March of 2017, Apple, Airbnb, and Pinterest saw their services come to a halt. In November of 2018, Nexon and Coupang experienced service failures due to an erroneous setup of a DNS server in Seoul region.
There were also incidents involving cloud security such as personal information theft of Honda Motor Company in India in May of 2018, deletion of data and backup files of Tencent’s customers in July of 2018, and a large-scale identity theft by a company in this past January.
However, all of these incidents share a common denominator of ‘a management error by an insider’ and they are quite distant from ‘hacking’ that is commonly heard about. As a result, companies could not look into who is to blame for cloud security incident.
“Although there were reports of few cloud security incidents in foreign countries, they cannot be seen as hacking incidents and there has yet to be any identity theft involving a cloud system in South Korea.” said a representative for Korea Internet & Security Agency (KISA). “It is difficult to put responsibility on a certain company as there has yet to be any example of a hacking incident involving a cloud system.”
Cloud systems becoming a multi and hybrid cloud system is also another factor for cloud security as companies’ security checklists have become more extensive. According to IBM’s survey, 85% of respondents are currently using multicloud systems. In three years, the percentage will become 98%. It is likely that most of companies will use multicloud systems in three years.
Multicloud system reduces costs and minimizes risks that can occur from a crash of single cloud system. Companies also recently started to use multicloud systems to use special functions such as AI (Artificial Intelligence) and Office.
There are differences even in identical security services of major CSPs. Although AWS, Google Cloud, and IBM Cloud provide similar type of services, their services have small differences resulting in difficult simultaneous management.
“When companies use security services under a hybrid or multicloud system, they need to distinguish characteristics of security service providers so that they can set up plans on what to add and which part to supplement.” said a representative for the cloud industry. “Because it is difficult for companies to understand fine details, many of them inquire CSPs about the characteristics of their security services.”
◊How to approach cloud security
Experts emphasize that companies need to take a different approach as cloud system is different from on-premises software.
Companies face a difficulty in coming up with a cloud security system due to various such as lack of knowledge on cloud system. “Many inquiries are about rather a solution that is used within a on-premises software is compatible with a cloud system.” said a representative for SK Infosec.
“Current server approach control solutions cannot properly control traffic that occurs from a virtual working environment.” said Branch Manager Kim Jin-kwang of Trend Micro. Fact that security system is same as ones from 20 years ago is problematic.”
He also added that there needs to be specialized strategies, knowledge, and technical knowhow that correspond to cloud environment.
“Roles and responsibility on cloud security can differ for companies based on the types of a cloud system.” said Director Yoon Young-hoon of IBM Korea’s Security Business Department’s solution sector. “Although companies need to go over cloud services with CSPs in detail when they sign a contract, these contracts are not systematized or internalized.”
Director Yoon also added that companies need to decide on converting their cloud systems after checking regulations by government agencies and understanding the nature of how cloud tasks are performed and that they need to set up plans for tightening up security beforehand.
Staff Reporter Jung, Youngil | jung01@etnews.com

Interpretation & Translation_Service Center

Refund Help Center