The Snowflake breaches are exposing the limits of cloud security's shared-responsibility model
Cloud computing's fundamental approach to security seemed like a great deal when it was first proposed to companies struggling to protect their self-managed infrastructure. The bargain was simple: we take care of the hard stuff, and all you have to do is control access to your account.
But the shared-responsibility model is groaning under the weight of the modern security environment, with its sophisticated threat actors, scarily good phishing scams, and automated attacks. Snowflake's ongoing nightmare should be a wake-up call for any infrastructure or SaaS provider that they need to do more to protect their customers, because the old model is no longer working.
A diagram on Microsoft's documentation page for the shared responsibility model outlines a sliding scale of responsibilities, from the on-premises world, where the customer must manage everything, to the SaaS world, where the customer manages very little.
For example, if you're a Microsoft Azure customer, you're not responsible for the physical security of the servers you're renting, but you are responsible for the security of any operating systems or homegrown applications you run on that cloud instance. A classic example of this model in action was the 2018 response to the Meltdown and Spectre design flaws in Intel (and other) processors, which could let an unprivileged process read memory it was never supposed to see: cloud providers patched their hosts and hypervisors with little or no disruption to their customers, while customers remained responsible for patching the guest operating systems running inside their own instances.
But no matter what level of cloud service you're buying, under the shared responsibility model, "you're responsible for protecting the security of your data and identities," according to Microsoft, and all cloud providers use similar language to describe the partnership.
Security experts have been sounding the alarm about that last statement for some time. While Snowflake did nothing wrong under the shared responsibility model, which holds that customers are responsible for properly securing access to their accounts, a growing number of people believe that cloud providers need to do more to protect their customers.
Leading that charge is CISA and its Secure by Design initiative. All three major cloud providers have pledged to support it, but Snowflake and Databricks, the data platforms that serve as engines of the generative AI boom, have not signed on. "Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature," according to CISA.
For example, Snowflake customers who used multifactor authentication were protected against the attacks using stolen credentials, but Snowflake still doesn't require customers to use MFA and didn't even provide a way for customers to force their own users to adopt it until last week.
"If we give you the choice to do the right thing, and you can't seem to choose to do the right thing, then maybe it just shouldn't be a choice anymore," Chester Wisniewski, director and global field CTO at Sophos, told CyberSecurity Dive.
But taking on more responsibility for account security will force enterprise tech vendors to accept more friction in the user experience of their products.
That could be a tough sell for vendors that have made onboarding and ease-of-use a big part of their product strategy. One reason why a lot of enterprise software companies haven't imposed stricter security policies on their users is because those policies can frustrate customers or break existing workflows.
And while every enterprise vendor promises that they take security very seriously, product teams tend to win arguments with security teams at companies that are desperate for revenue. At the very least, enterprise vendors need to provide easier ways for customers to detect anomalous login attempts or unusual activity, which is one reason why observability companies are thinking very hard about getting into the security market.
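The two practical gaps the article raises, accounts that still log in with a password and nothing else, and the lack of an easy way to spot anomalous logins, can both be checked from the login history a platform already exposes. The following is an added example, not code from the article and not Snowflake's own tooling: the record fields mirror the column names of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS), while the sample rows, user names, addresses, client and factor values, and thresholds are constructed for illustration. It builds a per-user baseline of known source addresses and client types, then flags password-only logins, logins from unfamiliar sources, and single addresses whose failed attempts span many accounts, which is what stolen-credential replay tends to look like.

```python
"""Flag password-only and anomalous logins in login-history records.

Added example (not the article's or Snowflake's code). Field names mirror
columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; all sample rows,
names, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Login:
    ts: str                       # EVENT_TIMESTAMP as ISO-8601 text (constructed)
    user: str                     # USER_NAME
    ip: str                       # CLIENT_IP
    client: str                   # REPORTED_CLIENT_TYPE
    first_factor: str             # FIRST_AUTHENTICATION_FACTOR
    second_factor: Optional[str]  # SECOND_AUTHENTICATION_FACTOR; None means no MFA
    success: bool                 # IS_SUCCESS


# Constructed sample: routine traffic in early June, then a suspicious night
# where one address fails against several accounts and finally gets in.
SAMPLE: List[Login] = [
    Login("2024-06-01T09:00:00Z", "ANALYST1", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    Login("2024-06-02T09:05:00Z", "ANALYST1", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    Login("2024-06-01T10:00:00Z", "ETL_SVC", "203.0.113.20", "JDBC_DRIVER", "RSA_KEYPAIR", None, True),
    Login("2024-06-03T10:00:00Z", "ETL_SVC", "203.0.113.20", "JDBC_DRIVER", "RSA_KEYPAIR", None, True),
    Login("2024-06-02T11:00:00Z", "ADMIN2", "203.0.113.30", "SNOWFLAKE_UI", "PASSWORD", None, True),
    Login("2024-06-10T02:00:00Z", "ANALYST1", "198.51.100.7", "JDBC_DRIVER", "PASSWORD", None, False),
    Login("2024-06-10T02:00:05Z", "ADMIN2", "198.51.100.7", "JDBC_DRIVER", "PASSWORD", None, False),
    Login("2024-06-10T02:00:10Z", "FINANCE3", "198.51.100.7", "JDBC_DRIVER", "PASSWORD", None, False),
    Login("2024-06-10T02:00:15Z", "ADMIN2", "198.51.100.7", "JDBC_DRIVER", "PASSWORD", None, True),
]

Baseline = Dict[str, Set[Tuple[str, str]]]


def mfa_gap(logins: List[Login]) -> List[str]:
    """Users who have successfully logged in with a password and no second factor.

    Key-pair logins carry no second factor either, but they are not the
    stolen-password case the article describes, so they are not counted here.
    """
    return sorted({l.user for l in logins
                   if l.success and l.first_factor == "PASSWORD" and l.second_factor is None})


def build_baseline(logins: List[Login], before: str) -> Baseline:
    """Per-user set of (ip, client) pairs seen in successful logins before `before`."""
    base: Baseline = defaultdict(set)
    for l in logins:
        if l.success and l.ts < before:   # same ISO format, so text order is time order
            base[l.user].add((l.ip, l.client))
    return dict(base)


def flag_logins(logins: List[Login], baseline: Baseline, since: str) -> List[Tuple[str, str, List[str]]]:
    """Return (ts, user, reasons) for each successful login at or after `since`
    that is password-only, from an address not in the user's baseline, or from
    a client type not in the user's baseline."""
    findings = []
    for l in sorted(logins, key=lambda x: x.ts):
        if not l.success or l.ts < since:
            continue
        reasons = []
        if l.first_factor == "PASSWORD" and l.second_factor is None:
            reasons.append("password-only")
        known = baseline.get(l.user, set())
        if l.ip not in {ip for ip, _ in known}:
            reasons.append("new-ip")
        if l.client not in {c for _, c in known}:
            reasons.append("new-client")
        if reasons:
            findings.append((l.ts, l.user, reasons))
    return findings


def spray_sources(logins: List[Login], min_users: int = 3) -> Dict[str, List[str]]:
    """Addresses whose failed logins hit at least `min_users` distinct accounts."""
    failed: Dict[str, Set[str]] = defaultdict(set)
    for l in logins:
        if not l.success:
            failed[l.ip].add(l.user)
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}


if __name__ == "__main__":
    base = build_baseline(SAMPLE, before="2024-06-10")
    print("users with password-only logins:", mfa_gap(SAMPLE))
    for ts, user, reasons in flag_logins(SAMPLE, base, since="2024-06-10"):
        print(f"{ts} {user}: {', '.join(reasons)}")
    print("spray sources:", spray_sources(SAMPLE))
```

Run against the constructed sample, the only successful login after the baseline window, ADMIN2 from 198.51.100.7 over JDBC, is flagged on all three counts, and that address is also the one that failed against three different accounts seconds earlier. The baseline window is the detection's weak point: if an account was already compromised during the window, its attacker becomes part of "normal", so the MFA-gap list, which ignores the baseline entirely, is the check to run first.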
But it took legislation and a massive PR campaign to get car companies to provide seat belts, and even more effort to get people to use them. The path to a more secure cloud will likely be just as difficult.
(This post originally appeared in the Runtime newsletter on July 18th, sign up here to get more enterprise tech news three times a week.)
Tom Krazit has covered the technology industry for over 20 years, focused on enterprise technology during the rise of cloud computing over the last ten years at Gigaom, Structure and Protocol.