The Core Principle of Cloud Security

The shared responsibility model is the cornerstone of cloud security. It's a framework published by each major cloud service provider (CSP), including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), to clearly define which security obligations belong to the CSP and which belong to you, the customer.

The fundamental concept is this:

  • The CSP is responsible for the security OF the cloud.
  • The Customer is responsible for security IN the cloud.

Misunderstanding where your responsibility begins, most often by assuming the provider secures a control that is actually yours (a publicly readable storage bucket, an unpatched virtual machine, an over-permissive role), is one of the most common causes of cloud-related data breaches. Let's break down what this means across the different cloud service models.

The Cloud Service Models

The specific division of responsibility changes depending on the type of cloud service you are using.

Shared Responsibility Model Diagram (Image credit: Microsoft Azure)

1. Infrastructure as a Service (IaaS)

In the IaaS model, the CSP provides the fundamental computing infrastructure: virtual machines, networking, and storage. This model gives you the most control, but also the most security responsibility.

  • CSP's Responsibility (Security OF the Cloud):

    • Physical Security: Securing the physical data centers.
    • Hardware: Securing the servers, storage, and networking hardware.
    • Hypervisor: Securing the virtualization layer that separates virtual machines from each other.
  • Your Responsibility (Security IN the Cloud):

    • Operating System: You are responsible for patching and hardening the OS of your virtual machines (e.g., Windows Server, Linux).
    • Network Controls: Configuring virtual firewalls (e.g., AWS Security Groups, Azure Network Security Groups), subnets, and routing.
    • Applications: Securing the code and dependencies of the applications you install on your VMs.
    • Identity and Access Management (IAM): Managing user access and permissions.
    • Data: Classifying and protecting your data, including configuring encryption at rest and in transit.

Analogy: The CSP gives you a secure, empty plot of land and utility hookups. You are responsible for building a secure house, putting locks on the doors, and managing who has the keys.
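The network controls in the IaaS list above are a good illustration of "security IN the cloud": the provider runs the firewall, but every rule in it is yours. The following Python script is an added example (not code from the original article or from any cloud provider) that audits security-group rules in the JSON shape returned by `aws ec2 describe-security-groups` and flags management ports exposed to the whole Internet. The two groups, their IDs and the address ranges are constructed for the example; the management-port list and the `_is_world_open` / `_ports_covered` helpers are this example's own choices.

```python
"""
Audit cloud firewall rules (AWS Security Group style) for ingress exposed to the
whole Internet on management ports. Added example; the rule data is constructed
inline in the shape returned by `aws ec2 describe-security-groups`, not read from
a live account.
"""
import ipaddress

# Ports where Internet-wide ingress is almost always a mistake (example list).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5432: "PostgreSQL", 3306: "MySQL"}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def _is_world_open(cidr: str) -> bool:
    """True if the CIDR is the entire IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net in (ANY_V4, ANY_V6)


def _ports_covered(perm: dict) -> set:
    """Expand one IpPermission into the set of management ports it covers.
    IpProtocol "-1" means all protocols and therefore all ports."""
    if perm.get("IpProtocol") == "-1":
        return set(MANAGEMENT_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def audit_security_groups(groups: list) -> list:
    """Return (group_id, port, service, cidr) for every rule that exposes a
    management port to the whole Internet, in group/rule/port order."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = _ports_covered(perm)
            if not ports:
                continue
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if _is_world_open(cidr):
                    for port in sorted(ports):
                        findings.append((sg["GroupId"], port, MANAGEMENT_PORTS[port], cidr))
    return findings


# Constructed sample: one weak group and one corrected group (hypothetical IDs).
WEAK_GROUP = {
    "GroupId": "sg-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # all traffic, from anywhere, over IPv6
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

HARDENED_GROUP = {
    "GroupId": "sg-hardened",
    "IpPermissions": [
        # SSH only from the corporate VPN egress range (documentation range, constructed).
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # HTTPS open to the world is expected for a public web tier and is not flagged.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for finding in audit_security_groups([WEAK_GROUP, HARDENED_GROUP]):
        print("OPEN TO INTERNET: group=%s port=%d (%s) source=%s" % finding)
```

Against the constructed input the weak group produces five findings (SSH from `0.0.0.0/0`, and all four management ports from `::/0` because of the all-protocols rule) and the hardened group produces none. In a real account you would feed the script the output of the provider's API instead of the inline sample; the point is that nothing in the provider's stack stops you from writing the weak rule, so the check has to be yours.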

2. Platform as a Service (PaaS)

In the PaaS model, the CSP manages the underlying infrastructure as well as the operating system, database engines, and runtime environments. You focus on your application code, its configuration, and your data.

  • CSP's Responsibility:

    • Everything in IaaS, PLUS:
    • Operating System: The CSP manages the patching and security of the OS.
    • Middleware and Runtimes: The CSP manages the security of the platform services (e.g., the database engine, the web server, the application runtime like Node.js or Java).
  • Your Responsibility:

    • Applications: You are still responsible for writing secure application code.
    • Identity and Access Management (IAM): You still need to configure who can access your application and the PaaS services.
    • Network Controls: Restricting which networks and principals can reach your PaaS services (e.g., disabling public endpoints, allow-listing source addresses, using private endpoints).
    • Data: You are always responsible for the security of your data.

Analogy: The CSP gives you a house with the foundation, walls, and utilities already built. You are responsible for furnishing the house, locking the doors, and managing who comes and goes.
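On a PaaS service the provider patches the storage or database engine, but the access policy attached to your instance of it is still yours, and so is choosing to require encryption in transit. The following Python script is an added example (not code from the original article or from any provider) that audits a bucket resource policy written in the AWS IAM policy JSON format for two customer-side controls: an Allow to a public principal with no narrowing Condition, and the absence of a Deny on `aws:SecureTransport = false`. The two policy documents, bucket name and account ID are constructed for the example; the `_is_public_principal` and `_has_restricting_condition` helpers are simplifications made for illustration, not a full policy evaluator.

```python
"""
Audit a storage-bucket resource policy (AWS IAM policy JSON shape) for two
customer-side controls on a PaaS service: no unconditioned Allow to a public
principal, and a Deny that enforces TLS via aws:SecureTransport. Added example;
the policy documents below are constructed, not taken from a live account.
"""
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """'*' or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_restricting_condition(stmt: dict) -> bool:
    """Simplification for this example: any Condition block (e.g. a VPC endpoint
    or source-IP restriction) is treated as narrowing a public principal. A real
    analyser would evaluate each condition key."""
    return bool(stmt.get("Condition"))


def audit_bucket_policy(policy_json: str) -> list:
    """Return a list of human-readable findings for the policy document."""
    policy = json.loads(policy_json)
    findings = []
    enforces_tls = False
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        if (effect == "Allow" and _is_public_principal(stmt.get("Principal"))
                and not _has_restricting_condition(stmt)):
            findings.append(f"{sid}: Allow to public principal with no Condition "
                            f"(actions: {', '.join(actions)})")
        if effect == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions} granted")
        cond = stmt.get("Condition", {})
        if effect == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") in ("false", False):
            enforces_tls = True
    if not enforces_tls:
        findings.append("policy has no Deny statement for aws:SecureTransport=false "
                        "(plaintext HTTP access is not blocked)")
    return findings


# Constructed weak policy: the classic "public read" bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed hardened policy: a named role may read; non-TLS requests are refused.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(doc) or ["no findings"])
```

The weak policy yields two findings (the public Allow and the missing TLS enforcement); the hardened policy yields none, because its only `Principal: "*"` statement is a Deny, which is exactly how you make a public principal work for you rather than against you.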

3. Software as a Service (SaaS)

In the SaaS model, the CSP manages almost everything. You are simply a user of the software. Think of services like Salesforce, Microsoft 365, or Shopify.

  • CSP's Responsibility:

    • The entire technology stack: infrastructure, OS, middleware, and the application itself.
  • Your Responsibility:

    • Data: You are responsible for the data you put into the SaaS application.
    • User Access and Configuration: Managing user accounts, permissions, and configuring the security settings offered by the SaaS application (e.g., enabling multi-factor authentication, setting up sharing rules).

Analogy: You are renting a fully furnished apartment in a secure building. The landlord manages the building's security, the locks on the main door, and all the maintenance. You are responsible for your own belongings inside the apartment and for not leaving your apartment door unlocked.

Key Takeaways

  • You are ALWAYS responsible for your data. Regardless of the service model, the security and classification of your data is your responsibility.
  • You are ALWAYS responsible for identity and access management. Configuring users, groups, and permissions is your job.
  • Read the documentation. Each cloud provider has detailed documentation outlining the shared responsibility model for each of their services. Understand it thoroughly.

The shared responsibility model is not about shifting blame; it's about creating a partnership where both the cloud provider and the customer work together to maintain a secure environment.


© PEAKHOUR.IO PTY LTD 2025   ABN 76 619 930 826    All rights reserved.