Source: securityboulevard.com – Author: bacohido
By Byron V. Acohido
The Amazon Web Services (AWS) Shared Responsibility Model has come a long way, indeed.
In 2013, Amazon planted a stake in the ground when it divided cloud security obligations between AWS and its patrons: AWS takes responsibility for security of the cloud (the facilities, hardware, network and the hypervisor and managed-service software it operates), while customers remain responsible for security in the cloud, which leaves them carrying a huge burden to secure their own data, identities, configurations and workloads.
For years, misconceptions abounded – especially among small and mid-sized organizations, but also among more than a few marquee enterprises. It was all too easy to assume that moving to AWS equated with outsourcing all security responsibilities.
Not so, of course. High-profile breaches, often stemming from customer-side misconfigurations such as publicly readable S3 buckets, over-permissive IAM roles or exposed APIs, inevitably followed. The 2019 Capital One breach comes to mind: an attacker abused a misconfigured web application firewall to obtain temporary credentials for an over-privileged IAM role and used them to pull customer data out of S3.
Emerging ecosystem
Fast forward to today, and the notion of shared responsibility, when it comes to securing AWS, appears to be steadily gaining meaningful traction. Several drivers have come into play.
For its part, Amazon has introduced and promoted a range of tools to simplify compliance and improve visibility into cloud environments: AWS Config records resource configurations and evaluates them against rules, GuardDuty analyzes CloudTrail, VPC flow and DNS logs for signs of compromise, and Security Hub aggregates findings and runs control checks against security standards.
What’s more, third-party cybersecurity vendors have been innovating like crazy to address the obvious gaps. A plethora of advanced tools and services are readily available today; they’re designed to automate best practices and reduce the complexity of managing cloud security tasks.
Meanwhile, standards bodies and regulators have kept up the pressure on companies to do the right thing when it comes to cloud security. Attestation frameworks and regulations like SOC 2, SOX, and GDPR have forced organizations to take a more proactive approach to accounting for sensitive data that is increasingly stored and accessed via the cloud.
Last Watchdog engaged Aiman Parvaiz, Director of DevSecOps at Nimbus Stack, a DevOps consultancy specializing in AWS security, about the steadily growing momentum behind companies living up to their part of Amazon’s shared responsibility model. Here’s the gist of our exchange, edited for clarity and length.
LW: Grasping, much less embracing, ‘Shared Responsibility’ hasn’t been easy for many companies. So what’s changed over the past few years?
Parvaiz: It’s a combination of factors, really. Companies have learned through experience—especially high-profile breaches—that AWS, while robust, isn’t an out-of-the-box security provider. AWS has also made significant strides in raising awareness about this model, and the proliferation of third-party tools has reinforced this understanding by providing solutions that help businesses actively manage their security posture.
LW: What should companies come to understand about AWS security tools?
Parvaiz: The key takeaway is that securing their environment is ultimately the company’s responsibility. AWS does provide a rich set of security-focused tools to help with this. WAF and Shield help safeguard public endpoints, while SSM Patch Manager ensures your operating systems remain secure and up to date. Tools like Amazon GuardDuty continuously scan for malicious activity and notify you of anomalies in real time.
LW: Can you frame the state of third-party support?
Parvaiz: The ecosystem of third-party support has grown tremendously in recent years. AWS has built a robust network of partners and vendors, enabling businesses to leverage specialized solutions tailored to their unique needs.
The key to unlocking the full value of third-party tools lies in seamless integration with your existing workflows and infrastructure. When third-party solutions are deeply integrated into your setup—feeding into your monitoring systems, alerting pipelines, and operational processes—they enhance visibility and control, making them actionable and impactful.
LW: What does Nimbus Stack bring to the table?
Parvaiz: At our core, we are a team of seasoned system and cloud engineers dedicated to helping businesses using AWS to fortify their security posture.
We excel at identifying potential threats and mitigating them before they materialize. This expertise is particularly valuable in achieving compliance with standards like SOC 2, FedRAMP, or SOX. Our proactive approach allows us to anticipate auditor focus areas and address compliance hotspots during workload design.
LW: What should companies understand – and anticipate – when it comes to compliance pressures?
Parvaiz: Looking ahead, compliance will shift from being a competitive advantage to a baseline expectation. Integrating security practices and compliance requirements directly into infrastructure management and the software development lifecycle will become essential. Beyond checking boxes for audits, these measures demonstrate a commitment to protecting customer interests, making compliance a critical factor for businesses aiming to grow and remain credible in the market.
LW: Anything else?
Parvaiz: It’s understandable that competing priorities like product development or time-to-market can delay investments in security. That said, strengthening security isn’t a one-time task or a siloed effort—it needs to be embedded across operations and championed by management to be truly effective. Today, robust security isn’t a ‘nice-to-have,’ it’s a ‘must-have’ and the real question is how quickly can you get there?
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the ven
December 9th, 2024 | Q & A | Top Stories
Original Post URL: https://securityboulevard.com/2024/12/shared-intel-qa-a-thriving-ecosystem-now-supports-aws-shared-responsibility-security-model/
Category & Tags: SBN News, Security Bloggers Network, Q & A, Top Stories