Amazon Web Services (AWS) has raised the cloud security bar for managed service providers (MSPs).
At the AWS re:Inforce conference, the leading provider of cloud services added six AWS Level 1 MSSP Competency Specialization Categories spanning identity behavior monitoring; data privacy event management; modern compute security monitoring for containers and serverless technologies; managed application security testing; digital forensics and incident response support; and business continuity and ransomware readiness to recover from potentially disruptive events.
AWS is also relaunching its Security Competency for members of the AWS Partner Network, which now includes eight additional competency categories: identity and access management, threat detection and response, infrastructure security, data protection, compliance and privacy, application security, perimeter protection, and core security.
Adding more security competencies is part of AWS’s ongoing efforts to help MSPs convince more customers to shift more workloads to the cloud. The primary reason organizations continue to make use of on-premises IT environments is a concern for security and compliance.
Limited expertise can result in mistakes
In general, cloud platforms are more secure than on-premises IT environments; however, the processes used to build and deploy cloud applications are often problematic. Developers routinely employ open-source tools like Terraform to provision cloud infrastructure as part of an effort to accelerate application development. Most of those developers have limited cybersecurity expertise so, inevitably, mistakes are made. The chronic shortage of cybersecurity expertise means most organizations are not able to keep pace with the rate at which workloads are being deployed in the cloud.
AWS contends its platform is more secure than rival platforms because of what it describes as automated reasoning technology that employs mathematical logic to, for example, detect entire classes of misconfigurations. As a result, AWS is able to empirically prove a cloud environment is secure.
An issue often encountered is that every cloud service provider assumes the organization using its service will take responsibility for both configuring the infrastructure correctly and then securing the applications deployed on it. The challenge is that no matter how much time and effort is spent educating developers, there will always be a development team that for one reason or another makes a mistake, and cybercriminals are becoming more adept than ever at finding ways to exploit those mistakes faster. Developers, unfortunately, tend to assume cloud service providers are applying automation to secure workloads when in fact most of their efforts are on securing the infrastructure those workloads are deployed on.
Opportunity comes at a cost
Naturally, all this confusion creates an opportunity for MSPs to insert themselves into a relationship that is often fairly flawed from the outset. The issue, of course, is that the level of investment MSPs are being asked to make in cloud security by every cloud service provider keeps rising. Each cloud security competency requires investments in everything from training to the technologies and services required to achieve and maintain cloud security.
Like it or not, those competencies are becoming a cost of doing business for MSPs. Cloud service providers have made it clear they are committed to driving more customers toward MSPs that have those competencies. The challenge for all concerned, of course, is to make sure there is enough demand for that expertise to create a meaningful return on those investments.