Since its evolution over the last decade, cloud computing has become an essential component of information technology and business. Cloud computing power has driven agility, flexibility, performance and cost innovation for small businesses to large corporations. The COVID-19 pandemic acted as a further driver and shifted business practices globally, with the traditional work environment transformed into a virtual workplace with employees collaborating and communicating online via applications such as Microsoft Teams and Slack.
As the demand for cloud services and applications grows, the risks and concerns around cloud security become more pressing. Gartner’s recent forecast says that through 2025, 99% of cloud security problems will be the fault of the customer.
This is an alarming projection, however, the good news is that most cloud failures are preventable when customers know what they are responsible for. This leads us to the Shared Responsibility model for cloud security, which works to minimise the chance of introducing vulnerabilities into your public, hybrid, and multi-cloud environments.
What is the Shared Responsibility Model?
The Shared Responsibility Model is a cloud security framework that reflects the security obligations and responsibilities of both cloud provider and customer, regardless of the cloud delivery model. This includes every aspect of a cloud environment, from hardware and infrastructure to data, network controls, operating systems and access rights.
Many organisations don’t really understand the idea of shared responsibility and assume that cloud workloads, as well as data or applications, are covered by security measures implemented by the cloud provider. This can mean companies unwittingly run workloads in a public cloud that doesn’t have full protection and opens them up to attacks targeting applications or operating systems.
Shared responsibility – who does what?
Simply put, there are two parties that are responsible for cloud security: the cloud provider and the customer. The cloud provider is responsible for the security of the cloud infrastructure they provide. This includes ensuring that the data centre is secure, the network is secure, and the virtualisation platform is secure. Furthermore, the cloud supplier must monitor for security issues with their part of the system.
The customer must take care of securing their data and applications on the cloud. Data should be encrypted, access controls should be in place, and the applications should be built and deployed securely. The customer should monitor their portion of the system for security events as well.
It’s worth noting that the shared responsibility model will vary depending on whether you’re using Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
The different cloud delivery models are subject to the shared responsibility principle. However, the ownership of security tasks and functions varies depending on the delivery model used. There are three main cloud service models:
- Software as a service (SaaS): In the SaaS delivery model, the vendor hosts an application in the cloud, which customers can use. In this model, the provider is responsible for application security, maintenance, and management. The customer is responsible for endpoints, user and network security, misconfigurations, workloads and data.
- Platform as a service (PaaS): A PaaS platform is utilised to develop, run and manage applications via cloud technology. Cloud platform providers provide both the hardware and software required to develop applications and ensure the security of the platform and its infrastructure. The user is responsible for the security of applications developed on the platform, the endpoints, user and network security, and workloads
- Infrastructure as a service (IaaS): Vendors offering an IaaS infrastructure model provide a huge variety of computing resources, including virtualised servers, storage, and network equipment. The cloud provider is responsible for the security of all components of the infrastructure, while the business maintains security for anything it sets up on the cloud infrastructure, including operating systems, applications, middleware, containers, workloads, data, and code.
A SaaS setup gives the provider the greatest amount of responsibility, while an IaaS service gives the customer the least. PaaS and IaaS, on the other hand, give the customer more responsibility and less responsibility to the provider, respectively.
How the Shared Responsibility Model works in practice
As the cloud service provider has no visibility into data stored in the public cloud, the customer is responsible for data security, compliance, and access regardless of whether they follow a SaaS, PaaS, or IaaS model:
Areas that fall under the customer’s responsibility are:
- Identity Access and Management (IAM)
- User credentials
- Endpoint security
- Network security
- Security of workloads and containers
The cloud provider is responsible for areas they have direct control over, which typically include security of:
- The physical layer and all associated hardware and infrastructure
- The virtualisation layer
- Network controls and provider services
- Facilities that run cloud resources
Best practices for Shared Responsibility Model
There are a number of best practices that businesses should follow when adopting the Shared Responsibility Model:
- Define roles and responsibilities: It’s critical for parties in the Shared responsibility model to have clearly defined roles and responsibilities. Everyone should understand their part in keeping data and resources secure. Cloud providers typically have similar models with some differences.
- Implement, review, and test security controls: Ensure that all levels of security, including physical, logical, and administrative, are enforced to safeguard data and assets from unauthorised access. Include controls in your organisation’s change management process and test them regularly to ensure they are operating correctly.
- Educate employees: Make sure your employees are informed about the Shared Responsibility Model and how it relates to keeping data and resources safe. This will help guarantee that everyone appreciates how vital cloud security is.
- Monitor activity: Monitor cloud activity for any potential security threats to identify them early and address them appropriately.
Shared Responsibility Model benefits
A shared security model is complicated and requires careful consideration and coordination between the CSP and customer, but it provides several important benefits to users.
- Efficiency: Though the customer bears significant levels of responsibility under the Shared Responsibility Model, some key aspects of security – such as security of hardware, infrastructure and the virtualisation layer – are almost always managed by the CSP. In a traditional on-premises model, these aspects were managed by the customer. The shift to the cloud frees up IT staff to refocus efforts on other tasks and needs, as well as dedicate available resources and investments to those areas for which they bear responsibility.
- Enhanced protection: Cloud service providers are hyper focused on the security of their cloud environment and typically dedicate significant resources to ensuring their customers are fully protected. As part of the service agreement, CSPs conduct robust monitoring and testing, as well as timely patching and updating.
- Expertise: CSPs often have a higher level of knowledge and expertise when it comes to the emerging field of cloud security. When customers engage a cloud vendor, they benefit from the partner organisation’s experience, assets and resources.
Keep your organisation secure in the cloud with the experts
The biggest hurdle for organisations is understanding and applying the Shared Responsibility Model to their own environments, and this can be quite intimidating. However, there are a variety of solutions that can help organisations gain visibility, recapture control, and defend against risks proactively.
The first step to improving your security posture is to understand which cloud security elements are under your responsibility. After that, you must get a better picture of your environment and take proactive steps to maintain your security. The cloud security experts at INTELLIWORX can provide a cloud security assessment to help you to get a better grasp on your security baseline and establish security practices as you head towards digital transformation.