This is a quick “let’s think about it together” post focused on the future of cloud security.
Our logical starting point is: “Through 2025, 99% of cloud security failures will be the customer’s fault.” (source: Gartner) My experience in my analyst days and perhaps today mostly confirms it. I’d say that “it feels right.” So, let’s agree that it describes today’s reality correctly.
Next point: now that we agree that this model describes reality in a useful manner, may I suggest that it indicates a problem. In other words, this means something needs to be changed or fixed. Why? Because who is better resourced (in terms of money, knowledge, people) to deal with tricky cloud security challenges, those who built it or those who use it?
Next naive point: if it feels like “99% is too high”, then there is an easy (and very wrong) solution: use a security-incompetent cloud provider who would then make more mistakes and can be blamed for them. Thus, customers will be less at fault, but will perhaps lose more. So, let’s not go there.
Next, still naive, point: if you do the opposite and choose a more security-focused cloud provider, we may end up with “99.99% of cloud security failures are the customer’s fault,” which is not what we want either, per the item above.
Now, can you solve this puzzle? How to keep the customers secure without cloud security failures mostly being their fault?
Well? Got ideas?!
This seems impossible to fix in the above context, but as with many puzzles and mysteries, the solution is lateral, not direct.
To arrive at it, let’s now ask “what is the context for this conundrum?” The shared responsibility model, of course. I will say that to crack this nut, we need to transcend the shared responsibility model somehow. Note my word choice: transcend, not discard.
And, drumroll, I think that we figured out how to do just that!
For this, I must explain the concept of “SHARED FATE” first introduced in this post about operations (2016). Shared fate happens when “they [a cloud provider and a client] work together as a team for a common goal and share a fate greater than the dollars that pass between them.”
Security shared fate may be about preparing a secure landing zone for a client, guiding them while there, being clear and transparent about the security controls, perhaps sometimes offering guardrails for what they can do and then if something still happens, helping them out via insurance!
This will transcend shared responsibility and get us some of the way to SHARED FATE, where “whose fault is it” may not have the same meaning … or any meaning at all. Thus, we will have a more secure, more trusted cloud for everybody.
Read the details here.
Cross-posted from Anton on Security