As frontline cyber defenders scramble to respond to the Azure Cosmos DB vulnerability disclosed in August, enterprise risk management (ERM) professionals are considering the implications for compliance in the cloud. It’s the latest example of an issue I’ll be exploring at the Forrester Security & Risk 2021 event, November 9–10, in a session titled “Navigating Cloud Compliance? You’re On Your Own.”
The latest cloud compliance conundrum emerged in early September, when security researchers discovered that Cosmos DB had, for the past two years, contained a back door that created the potential for any user to steal the access keys of any other user. The flaw lay in an auxiliary notebook feature designed for ease of use. Microsoft turned on that feature for all Cosmos DB users in early 2021 — whether they wanted it or not. The problem was that the tool made it easy to access other customers’ data, too. All of it.
From an ERM professional’s perspective — which, as my colleague Alla Valente explains, is distinct from cybersecurity — the ChaosDB debacle raises questions about how to assess and manage risk in cloud computing. There’s plenty of compliance documentation offered up by cloud service providers (CSPs), especially in highly regulated environments such as financial services. Microsoft documentation shows that Cosmos DB meets requirements for all but one of the most important compliance frameworks worldwide. Yet despite the popularity of Cosmos DB, a major vulnerability went undetected until now. Notably, the Cosmos DB mess was disclosed just a few weeks after Google Cloud’s Vice President for Financial Services Yolande Piazza advised bank IT bosses to go further with the public cloud — right now. “Don’t try and do this softly,” said Piazza, who formerly led Citi FinTech. “Now is the time to rip the Band-Aid off.” In the aftermath of ChaosDB, some bank execs may be inclined to leave their IT bandages in place a bit longer.
A number of notable financial services heavyweights, such as Fidelity Investments and Northwestern Mutual, have been major public cloud customers for years. Most big banks have at least some of their IT estate in the cloud. But data protection is a sticking point for banks and other organizations that must abide by strict regulatory regimes. Controls developed for data centers can’t simply be cut and pasted into the public cloud. Those concerns will — or should — give pause to such organizations before they sign up for managed services such as Cosmos DB, which is marketed as a highly available database with low latency in multiple geographic regions.
Of course, the big CSPs all provide a range of documentation of their compliance with a variety of risk and control frameworks, including those required for government entities and highly regulated industries. Along with this comes each vendor’s version of the shared responsibility model, which delineates which security controls are implemented by the CSP and which are taken on by customers.
But the shared responsibility models that look tidy in PowerPoint slides are often murky in practice. After all, the CSPs have — or at least should have — greater expertise in how to implement security controls than their customers. In the wake of the 2019 Capital One data breach based on a misconfigured Amazon Web Services (AWS) server, AWS walked away unscathed. Capital One got hit with an $80 million fine. Yet Capital One is likely to pay a lot more than that to AWS itself after shutting down its last data center in 2020 to move entirely to the public cloud. For Capital One, enterprise risk management for IT is now conjoined with its vendor management of AWS and the attendant complexity that comes with it. And sorting out the AWS shared responsibility model is unlikely to get easier for Capital One or any other AWS customer anytime soon. AWS begins its risk and compliance white paper with the statement, “A customer’s responsibility depends on which services they are using,” and concludes: “Customers are responsible for making their own independent assessment of the information in this document.”
Will other organizations follow Capital One’s example of going all in on the public cloud — misconfigurations and data breaches notwithstanding? How should security and ERM experts ensure compliance in an increasingly cloudified IT world? I hope you’ll attend Forrester’s Security & Risk 2021 on November 9–10 to discuss these questions — and much, much more.