This article covers the essential details of the cloud shared responsibility model, which differs from one cloud service provider to another.
Many people, including IT professionals, mistakenly believe that cloud service providers (CSPs) take care of every aspect of their cloud, including security and compliance requirements.
That misunderstanding leaves significant gaps in cloud security and compliance coverage when those IT professionals don't recognize their obligation to manage their end of the "shared responsibility model." Fully embracing that responsibility means knowing which elements of the cloud computing stack your organization must manage and protect.
The "shared responsibility model" holds that both the cloud customer and the CSP are responsible for maintaining appropriate and comprehensive security and compliance practices for services delivered through the cloud. It also recognizes that cloud services come in various architectures and are frequently reconfigured to fit the customer's specific needs. Consequently, the scope of the "shared responsibility" obligation depends on the nature of the CSP/customer agreement and the type of services the CSP furnishes.
The level of customer responsibility is typically determined by the service model chosen, usually one of three: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), in increasing order of customer responsibility. The difference between them is how much oversight and management of cloud assets the customer pays the CSP to take on under the cloud services agreement. Clarifying who "owns" each responsibility for security and compliance purposes is critical to ensuring those controls are correctly implemented and maintained.
Fundamentally, the services that carry "compliance responsibility" are those that introduce breach risk to the organization if safeguards aren't in place, including:
In an on-prem configuration, all of these functions live on the customer's internal systems, so the customer is solely responsible for the safety and security of each.
In a cloud services configuration, however, some or most of the responsibility for services that reside in the cloud shifts to the CSP. Note that the customer retains 100% responsibility for every service that stays on in-house, on-prem servers and machines.
Note, too, that the three major CSPs (Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)) each structure their expectations of "shared responsibility" differently.
Microsoft is explicit in how it defines the "shared responsibility model" and applies those standards to its Azure customers. With Microsoft:
Amazon structures its cloud control responsibilities a little differently. It classifies its own commitment under the AWS shared responsibility model as "security OF the cloud" (emphasis added) and the customer's obligations as "security IN the cloud." In practice, that means AWS secures the physical facilities, hardware, networking, and virtualization layer, while the customer secures what it runs on top: guest operating systems, applications, data, and identity and access configuration.
Google Cloud focuses its shared responsibility model on how much of the workload is handed over to the cloud: the more of the workload Google Cloud operates on the customer's behalf, the more responsibility it assumes.
An important note for all cloud customers, regardless of the CSP or the service level they select: every cloud provider leaves the customer solely responsible for its own identity and access policies and procedures, for both security and compliance purposes.
The reality is that the threats to the public cloud, and the misconfiguration mistakes that can be made, multiply as fast as cloud computing innovations. Every security threat can also be a compliance threat. Recent research indicates that the number of breach incidents in 2020 jumped as much as 20% because of the explosion in remote work. Those breaches created ripples that continue to point to further breach and compliance-failure risks. Gartner estimates that within two years, three out of four security failures in the cloud will result from improper identity, access, and privilege management. Fully understanding the shared responsibility model is vital to protecting data and identity access in your clouds.
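Identity and access configuration is the one layer every provider leaves on the customer's side of the line, so it is also the layer a customer can audit itself. The following is an added example, not code from the original article or from any CSP: a small linter that reads an AWS-style IAM policy document and flags the over-broad grants behind most identity and privilege failures (full `*` on `*`, wildcard actions, `Resource: "*"` with no `Condition`, and actions that let a principal expand its own access). The escalation-action list is a deliberately short, illustrative selection, not a complete one; the weak and hardened policy documents, the bucket name, the account ID and the CIDR range are all constructed placeholders.

```python
"""Lint an IAM policy document for grants the customer, not the CSP, must get right.

Added example: the checks are illustrative heuristics, and both policy
documents are constructed (account ID and CIDR are placeholders).
"""
import fnmatch
import json

# Actions that let a principal grant itself more access if allowed broadly.
# Constructed, non-exhaustive selection used only by this example.
ESCALATION_ACTIONS = (
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)

# Weak policy (constructed): the "it works, ship it" version.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "IamAdmin", "Effect": "Allow",
         "Action": ["iam:*"], "Resource": "*"},
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
    ],
})

# Hardened policy (constructed): same business need, scoped actions and
# resources, and a Condition wherever the API forces Resource to be "*".
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
        {"Sid": "ListBucketsFromOffice", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DescribeAppRoles", "Effect": "Allow",
         "Action": ["iam:GetRole", "iam:ListRolePolicies"],
         "Resource": "arn:aws:iam::123456789012:role/app-*"},
    ],
})


def _as_list(value):
    """Action, Resource and Statement may be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return [(sid, finding), ...] for Allow statements that are over-broad."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", "Statement[%d]" % i)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions and "*" in resources:
            findings.append((sid, "full admin: Action '*' on Resource '*'"))
            continue  # nothing more specific to say about this statement
        wildcards = [a for a in actions if "*" in a]
        if wildcards:
            findings.append((sid, "wildcard actions: " + ", ".join(wildcards)))
        if "*" in resources and not stmt.get("Condition"):
            findings.append((sid, "Resource '*' without a Condition block"))
        # Expand each action pattern against the escalation list (case-sensitive
        # glob, so "iam:*" matches every iam: entry and "iam:GetRole" matches none).
        escalating = sorted({e for a in actions for e in ESCALATION_ACTIONS
                             if fnmatch.fnmatchcase(e, a)})
        if escalating:
            findings.append((sid, "privilege-escalation capable: " + ", ".join(escalating)))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

Run against the weak document, the linter reports the `AdminEverything` statement once and the `IamAdmin` statement three times (wildcard action, unconditioned `Resource: "*"`, and the escalation-capable actions that `iam:*` expands to); the hardened document produces no findings because `s3:ListAllMyBuckets`, which must be granted on `Resource: "*"`, is fenced by a source-IP condition, and the IAM read actions are scoped to a role ARN prefix. The same idea generalizes to any provider's policy language: enumerate the grants you are responsible for and fail the build on wildcards you cannot justify.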
If your organization has yet to review whether its security practices put its compliance obligations at risk, you're not alone. Unsure where to start? Your identity and access management processes are the best place to begin. If you need help getting started, reach out to the identity and data access experts at Sonrai Security, who will help you get your organization.