Are cloud providers responsible for monitoring for malware? Or are end users responsible?
Amazon Web Services is being used to steal financial data. Should cloud providers be held responsible for monitoring for malware? Or are end users ultimately responsible for making sure they don't succumb to these attacks?
5 Answers
Hi Brielle,
The short answer is that it depends on the nature of the cloud service and the relationship.
In some cases, for example, the end-users are responsible for setting up and maintaining appropriate security procedures. Our firm, for example, subscribes to a dedicated virtual server for website hosting purposes. We regulate our own access and are responsible for the security settings - some of which protect our virtual servers from malware.
In other cases, the vendors assume the responsibility of securing and monitoring the networks and databases (many cloud ERP and CRM vendors fall into this category, for example).
However, just because a vendor manages overall security doesn't mean that the end-users can wash their hands of responsibility. Most data breaches are triggered internally. The companies still need to implement and comply with appropriate internal procedures. For example, they should set up security roles that limit data access to those who require it. Another example is that companies should actively manage passwords and user access. You would be shocked at the number of companies that fire employees but fail to delete the corresponding user accounts. I certainly wouldn't trust a disgruntled former employee with system access.
In summary, the key for the end-users is to understand how security responsibilities are allocated between buyer and vendor (and, in many cases, a third-party provider). Then, the buyers need to do their due diligence on the vendor's security practices. In many cases, this might involve a site visit as well as interviews about vendor security policies, procedures and compliance. Finally, the buyers need to take measures to make sure that they take ownership over the areas in which their actions could impact security.
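The answer above singles out a concrete control failure: employees are let go but their accounts stay enabled. One way a buyer can verify its own side of the shared responsibility is to reconcile the HR termination list against an export of user accounts and flag anything still enabled. The script below is an added example, not code from the original question, the answerer, or any cloud provider; the employee records, account records, field names and the as-of date are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the page): an HR export of terminated
# employees and a directory export of user accounts. Field names are assumptions.
TERMINATED_EMPLOYEES = [
    {"employee_id": "E1001", "name": "Alice Example", "terminated_on": "2012-05-01"},
    {"employee_id": "E1002", "name": "Bob Example", "terminated_on": "2012-05-10"},
]

USER_ACCOUNTS = [
    {"username": "alice", "employee_id": "E1001", "enabled": False},  # correctly disabled
    {"username": "bob", "employee_id": "E1002", "enabled": True},     # terminated, still enabled
    {"username": "carol", "employee_id": "E1003", "enabled": True},   # current employee
    {"username": "svc-backup", "employee_id": None, "enabled": True}, # no human owner recorded
]


def find_orphaned_accounts(terminated, accounts, as_of):
    """Return enabled accounts whose owner appears on the termination list.

    `as_of` is an ISO date string; each finding records how many days the
    account has stayed enabled past the owner's termination date.
    """
    as_of_date = date.fromisoformat(as_of)
    terminated_by_id = {t["employee_id"]: t for t in terminated}
    findings = []
    for acct in accounts:
        owner = terminated_by_id.get(acct["employee_id"])
        if owner is None or not acct["enabled"]:
            continue
        left_on = date.fromisoformat(owner["terminated_on"])
        findings.append({
            "username": acct["username"],
            "employee_id": acct["employee_id"],
            "terminated_on": owner["terminated_on"],
            "days_enabled_after_termination": (as_of_date - left_on).days,
        })
    # Longest-open accounts first, since they carry the most exposure.
    findings.sort(key=lambda f: f["days_enabled_after_termination"], reverse=True)
    return findings


def find_unowned_accounts(accounts):
    """Return enabled accounts with no employee owner on record.

    These are not necessarily wrong (service accounts are common), but a
    periodic access review should be able to name an owner for each one.
    """
    return [a["username"] for a in accounts if a["employee_id"] is None and a["enabled"]]


if __name__ == "__main__":
    for f in find_orphaned_accounts(TERMINATED_EMPLOYEES, USER_ACCOUNTS, "2012-05-31"):
        print("ORPHANED: %(username)s (employee %(employee_id)s left %(terminated_on)s, "
              "enabled %(days_enabled_after_termination)d days later)" % f)
    for name in find_unowned_accounts(USER_ACCOUNTS):
        print("REVIEW OWNER: %s" % name)
```

Run against a real HR export and directory export, the same two checks become a recurring offboarding control: the orphaned list should be empty, and every entry on the unowned list should have a documented owner.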
Service providers do have some obligation to ensure that their services are not being used for malicious purposes, if only because they could potentially be liable for attacks that they could have reasonably detected and prevented, but did not. Also, providers which gain a reputation for facilitating malware and SPAM will find that they are hurting their corporate brand.
That said, the bulk of the responsibility for a safe computing environment lies with the customer. It is one thing to suggest that weaknesses in Amazon Web Services should not make a customer's data easy to attack and obtain, but it is an entirely different thing to suggest that Amazon should be *forced* to monitor for all classes of attacks coming from their platform.
Businesses have the responsibility to ensure that *their* operations are managed securely, and that access to their data (and their customers' data) is obtained in only the approved manner. This includes any cloud or hosting provider. No one should have the easy out of saying, "well, it is so-and-so's fault that I was hacked" unless so-and-so is their specific provider, and the provider was negligent while the customer was not.
Hi!
I would say both! See, security is not a one-party responsibility. Everyone must be security aware and responsible, as any element that interacts with a system is part of it, and the overall security is as strong as the weakest link.
Of course, security controls and enforcement are different based on what each element does. In the cloud we have different flavors of services. Thus, we need to review the security the provider is offering, evaluate if that is enough, evaluate what would be our part and the part of the final client, and make a decision.
I just sat through Amazon's 1st cloud expo in NYC. AWS is responsible for the IaaS equipment and the associated security mechanisms for the hosting facilities like SAS, ISO, PCI and others. The user is responsible for the operating systems and their associated security requirements, similar to on-premise. You have to maintain and use encryption appropriately. You have to make sure you use SSL as you enter and leave the Internet.
This is what I heard from Amazon. Other vendors' requirements and guarantees may differ. Do your homework!
Do not take anything for granted. If you need help hire a good consultant to do the leg work for you.
The answer is "Yes!".
If an enterprise has a business risk -- security included -- it is up to them to evaluate that risk and apply effective mitigations. In the case of cloud computing, both the cloud provider and the end-users have business risk from malware and both should evaluate effective mitigation strategies.
One strategy for end-users is, of course, to contractually obligate the cloud vendors to reduce the risk of malware. Similarly, a cloud vendor could contractually obligate its users to do so. But the contractual relationship should explicitly cover those choices so that the business risk management plan and strategies for both parties are better informed.