Cloud Security Is a Shared Responsibility
What Is the Shared Responsibility Model?
The shared responsibility model is a framework in cloud computing that divides security and compliance responsibilities between the cloud service provider (CSP) and the customer. The model ensures that organizations and CSPs actively contribute to securing the cloud infrastructure and maintaining compliance. Under the shared responsibility model:
- The CSP responsible for the security of the cloud
- The customer responsible for security in the cloud
The Shared Responsibility Model Explained
The shared responsibility model ensures that organizations and CSPs actively contribute to securing the cloud infrastructure and maintaining compliance. By understanding and adhering to the shared responsibility model, both the CSP and the customer can work together to create a secure cloud environment, effectively mitigating risks and ensuring compliance with industry regulations and best practices.
Under this model, the CSP is responsible for the security of the cloud, which includes securing the physical infrastructure, network, and hardware. They ensure the underlying cloud services, such as compute, storage, and databases, are protected from threats, and maintain a secure and reliable environment for their customers. The CSP also provides tools and features for customers to manage their security configurations.
On the other side of the relationship, the customer is responsible for the security in the cloud, which involves securing the data, applications, and workloads they deploy within the cloud environment. This includes tasks such as data encryption, access management, patching and updating software, and configuring security settings according to their specific needs and compliance requirements.
The shared responsibility model's specifics may vary depending on the cloud service model in use, such as infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). In an IaaS model, the customer takes on more security responsibilities, such as managing the operating system and applications. In contrast, the CSP handles more responsibilities in a SaaS model, including application-level security.
Concerns over data exposure have made cloud security a priority. The challenge lies in balancing an organization’s need for agility with the need to improve the security of applications as well as that of data as it moves between various clouds. Gaining visibility and fighting attempts to exfiltrate data — whether from external locations or through lateral attacks — is imperative across all locations where applications and data reside.
Figure 1: 73% of organizations struggle to understand the shared responsibility of cloud security, which ultimately leads to blind spots.
A number of different teams within an organization could be responsible for cloud security: the network team, security team, apps team, compliance team or the infrastructure team. However, cloud security is also a shared responsibility between the broader organization and its cloud vendor. Exactly how this breaks down varies by the nature of the cloud offering:
- Private cloud: Organizations are responsible for all aspects of security for a private cloud because it is hosted in the organization’s own data center. This includes the physical network, infrastructure, hypervisor, virtual network, operating systems, firewalls, service configuration, identity and access management, etc. The organization also owns the data and its security.
- Public: In public clouds, such as Amazon Web Services (AWS®) or Microsoft Azure®, the cloud vendor owns the infrastructure, physical network and hypervisor. The customer still owns the workload OS, apps, virtual network, access to their tenant environment/account, and the data.
- SaaS: SaaS vendors are primarily responsible for the security of their platform, including physical, infrastructure and application security. These vendors do not own the customer data or assume responsibility for how customers use the applications. As such, the customer is responsible for preventing or minimizing the risk of data exfiltration, accidental exposure or malware insertion.
As organizations transition from private clouds to public clouds or SaaS applications, they may rely on their vendors to secure the data, apps and infrastructure. Regardless of whatever platform security measures are used, the organization still maintains responsibility for the security of its own data.
Cloud Security
To safely enable applications, IT security must be confident that their cloud vendors have implemented the appropriate security measures to keep the applications and data secure. To compensate for what cloud vendors lack in security, organizations must also have the right tools in place to manage and secure risks effectively. These tools must provide:
- Visibility into activity within SaaS applications
- Detailed analytics on usage to prevent data risk and compliance violations
- Context-aware policy controls to drive enforcement and quarantine if violations occur
- Real-time threat intelligence on known threats and detection of unknown threats to prevent new malware insertion points