January 25, 2023

Last Updated on January 12, 2024

Public cloud security starts with a shared responsibility model, which defines what resources/“layers” of the service stack the cloud service provider (CSP) will protect and what the user must protect. But responsibilities shift as users consume services higher up the stack.

How do security responsibilities in the cloud change with usage patterns? Can consuming more cloud services actually simplify your team’s security responsibilities?

To share Amazon’s expertise on how Amazon Web Services (AWS) users and other public cloud consumers can improve security, a recent episode of The Virtual CISO Podcast features Temi Adebambo, Head of Security Solutions Architecture at AWS. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

Who’s doing the patching, securing the endpoints, and…?
As Temi explains, the CSP will gladly take on more security responsibility as users consume more services.


“Think about [consuming] just infrastructure as a service and us handling a hypervisor layer for you,” says Temi. “Then you would take ownership of the operating system. That means you have to deal with the patching. That means you have to deal with making sure the OS is hardened and all of the things that happen at that layer. Also, you have to have XDRs like CrowdStrike or another one of those solutions as protection on your endpoints.”

But as you move up the stack to a “serverless” mode and start leveraging AWS Lambda and/or different container services, for example, the operating system layer gets “abstracted away” from your environment. And all that patching and security hardening becomes the CSP’s responsibility.


“Vulnerabilities in the operating system and unpatched systems are still one of the biggest areas of risk,” Temi cautions. “Moving up that stack and selecting services at that layer that allow us to manage services below for you… There’s a lot of good security that you can benefit from there.”


Ultimately you can leave everything but your application layer to AWS, which includes all security controls not related to managing your identity and your data.


What’s next?

To hear this podcast episode with AWS security leader Temi Adebambo all the way through, click here.


If you’re a SaaS provider, are your customers a bigger risk to you than you are to them? This blog post frames that debate: Are SaaS Customers a Bigger Business Risk to their Vendors than Vice Versa?