This article talks about the crucial details you need to understand about the cloud’s shared responsibility model, which differs based on cloud service provider.
Many people, including IT professionals, believe mistakenly that cloud services providers (CSPs) are all-knowing in managing all areas of their cloud, including security and compliance requirements.
The misunderstanding leads to significant gaps in cloud security and compliance coverage when those IT professionals don’t recognize their obligation to manage their end of the “shared responsibility model.” Fully embracing that responsibility means knowing which of the cloud computing continuum elements are your organization’s responsibility to manage and protect.
Sharing Responsibility Flows from Knowing Who Controls What
The “shared responsibility model” dictates that both cloud users and CSPs are responsible for maintaining appropriate and comprehensive security and compliance practices for services that flow through the cloud. It also considers that cloud services are offered in various architectures and are frequently reconfigured based on the cloud customer’s specific needs. Consequently, the value and scope of the “shared responsibility” obligation is based on the CSP/user agreement’s nature and the type of services furnished by the CSP.
Service Types Dictate the Nature of Shared Responsibility
The level of user responsibility is typically based on the configuration of cloud services chosen. Those usually are structured in one of three basic structures: Software as a service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS). The distinctions between them indicate the level of oversight and management of cloud assets the customer pays the CSP to maintain in the cloud services agreement. Clarifying who “owns” which responsibility for security/compliance purposes is critical to ensure those safety practices are correctly implemented and maintained.
Fundamentally, services that require “compliance responsibility” are those that potentially introduce breach risk to the organization if safety measures aren’t in place, including:
- Physical security – safety for machines, facilities, power supplies, etc.
- Host infrastructure – networks and connections between servers, etc.
- Network controls – entrance and access to systems
- Application controls – who can access which applications, and how they accomplish access
- Client and endpoint protection – often the most vulnerable site within a network since these are the portals most targeted by cybercriminals
- Data classification and accountability – the what, where, how, when, and by whom oversight of access to data, and Identity and Access management generally.
In an on-prem configuration, all of these functions live on the customer’s internal system, so the customer is solely responsible for each’s safety and security.
In a cloud services configuration, however, some or most of the responsibility for safety is shifted to the CSP for services that reside in the cloud. Note that the customer maintains 100% responsibility for all services retained on in-house, on-prem servers, and machines.
- In an IaaS configuration, the customer retains the responsibility for most of the security, safety, and compliance requirements of services that have transitioned to the cloud, except for maintaining control over the CSP’s physical site.
- In a PaaS configuration, the CSP assumes control for some but not all security and compliance efforts, including those relating to physical security, its host infrastructure, and the network controls that it provides to its customers. Both the customer and the CSP share responsibility for application controls and identity and access management protections. In contrast, the customer retains control over their client and endpoint protection and data safety.
- Withon a SaaS configuration, not only does the CSP retain or share the same controls as in a PaaS, but it also assumes shared responsibility for client and endpoint protection.
- In all cases, customers retain control over the security and safety practices protecting their data classification and accountability systems.
Compliance Responsibility and Vender Distinctions
Note, too, that the three major clouds CSPs – Microsoft, Amazon Web Services (AWS), and Google Cloud Platform (GCP) –structure their expectations of “shared responsibility” differently from each other.
Azure is explicit in its definition of the “shared responsibility model” and applying those standards to its customers. With Microsoft:
- The customer is always solely responsible for information and data, all devices, accounts, and identities.
- Microsoft shares responsibility for applications, network controls, operating systems, identity, and directory infrastructure with its SaaS and Paas customers.
- The company retains control over its physical site responsibilities, including hosting, networks, and data centers.
Amazon structures its cloud control responsibilities a little differently. It classifies its AWS shared responsibility model commitment as the “security OF the cloud” (emphasis added) while classifying its customer’s obligations as being “security IN the cloud.”
- ” Security OF the cloud” reflects the company’s control over all of the services it offers in the cloud, including software, hardware, networks, and facilities.
- “Security IN the cloud” reflects the customer’s responsibilities as they relate to the AWS services it is accessing, such as the IaaS services Amazon Elastic Compute Cloud, Amazon S3, and Amazon DynamoDB.
Google Cloud focuses its shared responsibility model on the amount of workload transferred to the cloud – the more workload the GCP absorbs, the more responsibility it assumes.
An important note for all cloud customers, regardless of the CSP they choose or the level of services they select: ALL cloud providers require users to maintain sole responsibility for their identity and access policies and procedures for security and compliance purposes.
Data Breaches Are Increasing
The reality is that the threats posed to the public cloud and the misconfiguration mistakes that can be made multiply as fast as cloud computing innovations. Every security threat can also be a compliance threat. Recent research indicates that the number of breach incidents in 2020 jumped as much as 20% due to remote workers’ explosions. Those breaches created ripples that continue to suggest further breach and compliance failure risks. Gartner estimates that three out of four security failures in the cloud will result from improper identity, access, and privilege management within two years. Fully understanding the Shared Responsibility Model is vital to protect data and identity access in your clouds.
Sonrai Security Can Help You Understand the Shared Responsibility Model
If your organization has yet to review whether its security practices are a threat to its compliance policies, then it appears that you’re not alone. Are you confused about where to start? It’s clear that beginning with your identity and access management processes is the best place. If you need help with getting started, reach out to the identity and data access experts at Sonrai Security, who will help you get your organization.